Notices by Erin 💽✨ (erincandescent@akko.erincandescent.net), page 16

The latest Mastodon security vuln (GHSA-jhrq-qvrm-qr36) appears to be an exploit that can be used against instances that host their media on the same domain as the Mastodon instance itself

Reminder: It is best practice to put user uploaded media on a different hostname - ideally, a separate domain name entirely, but if not possible a subdomain will suffice.

(Note: Even if you do this, you still need to upgrade; the exploit is against remote instances0

@eta @puckipedia but everything else is just normal puck things

@puckipedia “54y ago”

you forgot to initialize a time_t didn’t you?

@dangerdyke @eris It only knows your blocks if you make them public

@hexaheximal @ChrisFerguson @snarfed.org@fed.brid.gy if anyone can claim the title of “father of the fediverse”, it’s Evan. He created OStatus - which truly was the genesis of things - and ActivityPub is fundamentally also an adaptation of a (later) protocol that he built

The original draft of ActivityPub is mine but it’s not like I sprung the idea out of thin air

@lispi314 @natty …this is not at home

The server is banished to the floor for being bad (Not really, it just doesn’t have rails yet)

And those cables look so so much messier than they are in real life ;_;

@lanodan I like purple, and they make the OOB network very visibly distinct

It’s 21U 😏

@lanodan @Johann150 No argument that the SocialWG’s joining process sucked, because W3C. Though when it started we tried to invite someone from every one of the big projects of the day

(The response we near-universally got was “we like our protocol and will be sticking with it”)

@lanodan @Johann150 The worst thing about SocialWG was all the factions

The best thing about SocialWG was that it was a closed working group, keeping noise down.

Something like that is really missing (of course, with note that assembling such a thing is hard given the amount of beef that exists between various implementers!)

@michcia @meeper even bot implementers run into stupidities like the maximum message size being undefined

@meeper pretty sure that if you ask implementers they’ll tell you that IRC the wire protocol sucks donkey balls

There are two types of network protocol:

• Ones with a single implementation
• Ones people hate (ActivityPub, DNS, SMTP/email, BGP, …)

This is slightly facetious but non the less broadly true

queer.de, who also didn’t email

If anyone sees any other articles, can you tell me? Because most journalists don’t seem to

Oh and it reached the news desk of Reuters, because of which I now know that the domain was suspended due to a payment dispute between Gandi and the Ministry of Communications and IT (I wonder how much of the dispute is “Pay us!” “We can’t, your’re sanctioned!”), which isn’t too far out of line with my expectations.

This also means the Taliban now know, which is, you know, not the most ideal thing to happen.

The Verge didn’t bother contacting me, but they did at least quote what I said in the 404media article

Heise, have also posted about it, but didn’t bother reaching out or quoting anything, which is mildly disappointing.

@lanodan I guess I should PR a change to stat instead then

Based upon a thing I hit while hurriedly deploying this instance, I suspect I may be the only person crazy enough to deploy Pleroma/a fork thereof on Kubernetes

Either that or people are managing their configs in weird ways

@lanodan (git blame points to you) any idea why this is an lstat and not a stat? symlinks don’t have permissions of their own and consequently in lstat they have all mode bits set, which means they fail this check, which means you can’t point your config file at a k8s volume mount of a ConfigMap