Conversation
Notices
-
Alex Gleason (alex@gleasonator.com)'s status on Friday, 04-Aug-2023 23:40:38 JST 
Alex Gleason
Pleroma is full of security vulnerabilities because OnlyFans paid people on Upwork to implement a bunch of features nobody wants.
Have you ever tried downloading an emoji pack from a server? No? Well that's the vulnerable code.
Anyway, hopefully everyone is using s3 for uploads by now and has the dedupe filter enabled.
Patch is being merged into Rebased now: https://gitlab.com/soapbox-pub/rebased/-/merge_requests/263
A patch was ready yesterday but I figured I'd wait til after it landed upstream first.
RT: https://pleroma.soykaf.com/objects/c655af15-7632-41e6-86f3-d06ab5bbb84a- GNU social JP管理人, xianc78, cool_boy_mew and Token like this.
-
Alex Gleason (alex@gleasonator.com)'s status on Friday, 04-Aug-2023 23:53:56 JST
Alex Gleason
@Pawlicker @lain You know who's auditing it is Poast... but I don't see them being thanked. Woggy's Zeonic Frolicks likes this. -
PC-9801 Enjoyer (pawlicker@bae.st)'s status on Friday, 04-Aug-2023 23:53:57 JST 
PC-9801 Enjoyer
@alex @lain >Pleroma is full of security vulnerabilities because OnlyFans paid people on Upwork to implement a bunch of features nobody wants.
Also there's nobody auditing it. As jank as Mastodon is, they have processes for dealing with this too and a bug bounty.
https://arstechnica.com/security/2023/07/mastodon-fixes-critical-tootroot-vulnerability-allowing-node-hijacking/
https://docs.joinmastodon.org/dev/disclosure/ -
:niggy: (niggy@poa.st)'s status on Friday, 04-Aug-2023 23:54:02 JST 
:niggy:
@Pawlicker @alex @lain don't worry friend, I am auditing it Woggy's Zeonic Frolicks likes this. -
Party Animal (party_animal@poa.st)'s status on Friday, 04-Aug-2023 23:54:05 JST 
Party Animal
@niggy @Pawlicker @alex @lain Thank you for your service niggy :niggypat: Woggy's Zeonic Frolicks likes this. -
gh0st (gh0st@freespeechextremist.com)'s status on Saturday, 05-Aug-2023 02:22:56 JST 
gh0st
@alex @lain Nigger you flip-flop between begging for Pleroma commit access and calling Pleroma out for not adhering to your wife's blog. No wonder everyone ghosts you. likes this. -
Alex Gleason (alex@gleasonator.com)'s status on Saturday, 05-Aug-2023 08:32:23 JST
Alex Gleason
@feld @lain It's nothing against you. This is about Lain. Lain created Pleroma and attracted a bunch of people to it, then abandoned it and put 2 mentally ill people in charge.
I am frustrated by the constant security vulnerabilities my people are finding while Lain makes public announcements like this intentionally excluding us. I want him to fucking congratulate us every single time we find a security vulnerability. To not do so is to not really take it seriously.
You know what Lain could do? Put poa.st on the homepage of pleroma.social under "Featured Instances". Make it the top one. What is the rationale not to? And next time, tag me, tag graf, and tag niggy.
Lain doesn't write a single line of code on Pleroma anymore. Maybe you should be the one making the Pleroma announcements from now on, feld, since you're the one who actually does the right thing in these scenarios.
This is not something I dwell on. But if every week we find a new security vulnerability and Lain makes a post like this again, I'm going to call it out. Until this either stops or I finish building my new backend, I'm going to expect Lain to step up and justify the situation he created by being the best possible person. I WANT Lain to be good.Token and Woggy's Zeonic Frolicks like this. -
feld (feld@bikeshed.party)'s status on Saturday, 05-Aug-2023 08:32:24 JST 
feld
> to implement a bunch of features nobody wants.
come on man, that's not fair. When federated instance emojis were first happening people wanted an easy way to download entire emoji packs from other servers. Don't rewrite history.
Lots of times users request features that nobody ever uses. That's the problem with having users. They always think they know what they want.Token repeated this.
All 076萌SNS content and data are available under the