Conversation

Notices

1. feld (feld@bikeshed.party)'s status on Wednesday, 17-Apr-2024 01:17:44 JST feld

   • disarray
   @disarray maybe? but it's fallen so far behind Pleroma now so who knows.
   
   earlier this year I put in several weekends of work grinding through static analysis on Pleroma to fix things, remove unused functions, making sure the correct types for data were being used everywhere, no dangling code that could never be reached, etc. This covers like 80% of security concerns. The remaining 20% are going to be simple logic things or "oops we forgot this security header" type stuff
   
   Even if they can find an exploit to write to files on the filesystem and even overwrite Pleroma/Akkoma source files, it's useless because the app doesn't recompile code automatically when run in production mode.
   
   You should deploy Pleroma/Akkoma with the files being readonly to the app anyway, but we can't enforce how people deploy their services. This has always been an issue with webservers. I fought this battle with Apache CGI/FCGI stuff 20 years ago.
   
   If someone thinks they can pwn Pleroma that hard I will give an invitation to my server so they can demonstrate it. I am skeptical, though.
   
   
   edit: we still have a lot of functions without typespecs, but it's in a good state right now IMO
   •  (mint@ryona.agency)'s status on Wednesday, 17-Apr-2024 01:17:43 JST 

     in reply to

     • disarray
     @feld @disarray >You should deploy Pleroma/Akkoma with the files being readonly to the app anyway
     But think of the poor tzdata begging for write access every five seconds in logs!
     New Janny in Town likes this.
   • feld (feld@bikeshed.party)'s status on Wednesday, 17-Apr-2024 01:22:54 JST feld

     in reply to

     • 
     • disarray
     @mint @disarray there's a setting for it to use /tmp actually and I thought we had that enabled but maybe not?
     
     config :tzdata, :data_dir, "/tmp"
      likes this.
   •  (mint@ryona.agency)'s status on Wednesday, 17-Apr-2024 01:28:38 JST 

     in reply to

     • disarray
     @feld @disarray I've fully disabled it on my instance anyway (config :tzdata, :autoupdate, :disabled), not having a data for some bantustan changing its timezone is the biggest non-issue for software where virtually every timestamp is in UTC.
   • feld (feld@bikeshed.party)'s status on Wednesday, 17-Apr-2024 01:31:42 JST feld

     in reply to

     • 
     • LS
     • disarray
     @mint @disarray yeah that's a good point, I'm wondering if we REALLY need it anyway?
     
     have you considered this @lain ?
      likes this.
   •  (mint@ryona.agency)'s status on Wednesday, 17-Apr-2024 02:04:15 JST 

     in reply to

     • pomstan
     • disarray
     @pomstan @feld @disarray Because they system maintainters are le slow.
     https://github.com/lau/tzdata/issues/54
   • pomstan (pomstan@xn--p1abe3d.xn--80asehdb)'s status on Wednesday, 17-Apr-2024 02:04:16 JST pomstan

     in reply to

     • 
     • disarray

     @mint @feld @disarray why can't it use the system database?