@revoluciana @MzAprilDaniels @Eilistraee @lulu
I have opinions on this. In order to present this, I would like to explain my view and summarize the events:
An issue was found: a user can follow another user on another instance immediately, without approval, even though the other user has approval enabled, if there is already someone on the local instance following them.
At this very moment, that issue is already fixed and published.
So to say, your statement "Pixelfed is leaking our data, and, it seems, the data of any other instance it federates with on Mastodon." is, at this very moment, simply wrong as I understand it.
Besides that, I of course agree with your criticism "It's clear that this leak is not a priority for Dansup, the sole maintainer of Pixelfed." and that's something that could be handled way better.
Besides that, I would like to remind everyone that you simply don't know what code other instances are running. There have already been malicious instances running in the past, and there will be in the future. Everyone in fedi has to assume that other instances work as expected, so to say: if someone wants to be sure that nothing gets into the wrong hands, I strongly recommend considering the content of every post before posting it, since there is no ultimate security here.
Now to your statement "... it's a danger for any instance to expect privacy and have it neglected and disrespected to this degree."
Security problems happen, sadly, all the time and everywhere. I agree that the communication was disrespectful to some point. Although, to my knowledge, the issues have been fixed.
"However, there are serious concerns about the fact that Pixelfed is run by someone who is hostile and neglectful to the Mastodon community and has a history of not taking security concerns seriously."
I agree with "neglectful", but can you explain to me how in the world this can be interpreted as hostile, and where there is a history of "not taking security concerns seriously"? I mean, it got fixed, it got published, and that would have happened without any further communication. Yes, sure, one could have not published the commit that early, one could have declared the issue as critical in the release notes.
"And moreover, Pixelfed doesn't even have federated blocking implemented, so the only thing that can be done is to defederate, and even then, this only affects *new* posts."
I don't know anything about this, and yes, if it happens like that, I would count this as a bigger issue than whatever happened now.
But with all the information I currently have, like your post and the link to that blog post, and also the statistics on how many Pixelfed instances are already on 0.12.5, with all due respect, I would count blocking ~150,000 monthly active users for the miscommunication of the Pixelfed dev as the more hostile and neglectful move.