GNU social JP
  • FAQ
  • Login
GNU social JPは日本のGNU socialサーバーです。
Usage/ToS/admin/test/Pleroma FE

  • Public

    • Public
    • Network
    • Groups
    • Featured
    • Popular
    • People

Conversation

Notices

  1. Embed this notice
    z428eu (z428eu@loma.ml)'s status on Wednesday, 26-Mar-2025 05:19:27 JST z428eu z428eu

    TIL:

    When following someone on a different server on the Fediverse, the remote server decides whether you are allowed to do so. This enables features like private accounts. Due to an implementation mistake, Pixelfed ignores this and allows anyone to follow even private accounts on other servers. When a legitimate user from a Pixelfed instance follows you on your locked fediverse account, anyone on that Pixelfed instance can read your private posts. You don’t need to be a Pixelfed user to be affected.

    Pixelfed admins should update to v1.12.5 ASAP, but upgrading can be a major hurdle.

    mystical.garden/@fionafokus/11…
    fokus.cool/2025/03/25/pixelfed…

    Leaving my personal history with the project aside for a moment, and also paying respect to the fact that it has been a volunteer-driven community project mainly handled by one single individual (which definitely sets certain boundaries in what's possible): There always has been this stance that "the pixelfed team" can focus on other challenges because "pixelfed is perfect". It isn't. It has never been, and it never will. The difficult nature of the ActivityPub standard adds to this, as does overall complexity of server software in the 2020s, but at the core here, safety, privacy, security is a matter of attitude, professional stance on things and, well, also the will to be humble and open and learning and willing to /see/ ones own limitations, rather than putting a likely-to-be huge load of users at risk. It's bad to see not even staying away from #pixelfed apparently helps here to stay safe. (But yes, at the very core this seems a somewhat unsettling flaw in the very design of the protocol itself.)

    In conversation 8 days ago from loma.ml permalink
    • Embed this notice
      morph (morph@morphnet.de)'s status on Wednesday, 26-Mar-2025 05:19:25 JST morph morph
      in reply to

      @z428eu Ouch!

      In conversation 8 days ago permalink
    • Embed this notice
      morph (morph@morphnet.de)'s status on Wednesday, 26-Mar-2025 05:29:17 JST morph morph
      in reply to

      @z428eu I hope the crowdfunding will help to improve the project. I think many people like it and load up their pictures there in faith of finding something better than Instagram.

      In conversation 8 days ago permalink
    • Embed this notice
      z428eu (z428eu@loma.ml)'s status on Wednesday, 26-Mar-2025 05:29:19 JST z428eu z428eu
      in reply to
      • morph
      @morph Indeed. I mean, apart from dansup pretty much malhandling this ... I am considerably at odd whether or not a protocol should be stricter and more careful at preventing such issues from happening.
      In conversation 8 days ago permalink

Feeds

  • Activity Streams
  • RSS 2.0
  • Atom
  • Help
  • About
  • FAQ
  • TOS
  • Privacy
  • Source
  • Version
  • Contact

GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.

Embed this notice