Notices by Emelia 👸🏻 (thisismissem@hachyderm.io), page 2

Details of the @pixelfed security vulnerability from February 10th have now been published.

If you are still using a vulnerable version (39.5% of pixelfed instances as of today), then you should update immediately, otherwise someone may just be able to turn off federation for your instance.

https://github.com/pixelfed/pixelfed/security/advisories/GHSA-gccq-h3xj-jgvf

#pixelfed #security #fediverse

That's something I'd love a reporter covering this spam wave to know: Discord is being used to coordinate illegal activity, and discord has no mechanisms for people to report abuse.

abuse@ and support@ emails are dead ends, and their contact form has no "report abuse" option that works. Reporting it via the child safety team also didn't work.

cc @verge @404mediaco @theregister

Wowzers, that Mastodon CVE recently was quite something:

• You can inject a post that is attributed to any remote user
• You can overwrite the server's copy of any remote user
• You can rekey the server's copy of any remote user, by just listing another key

The full technical write up is worth a read: https://arcanican.is/excerpts/cve-2024-23832/discovery.htm

Given that Taylor Swift was just targeted with AI generated non-consensual sexual imagery, here's your reminder to submit media you're targeted in to https://stopncii.org to get it hashed & taken down from all participating sites.

#TaylorSwift #stopncii

@aral @wedistribute ah, alrighty; I'm just really tired today 😅

@aral @wedistribute yeah, but it was removed for good reasons, see: https://github.com/mastodon/mastodon/pull/23989

You can still access it if you have an access token for a user, which requires the whole oauth dance for that.

Goal was to improve security, privacy and safety. Same reason I've blocked client credential based access for now.

That hot take by that podcast by the @verge is supremely bad.

Like, there's countless women working really hard across the fediverse to make it safe and enjoyable, and you're just completely ignoring all our work. Wooo patriarchy and misogyny, fantastic choice 🙄

Even more so, many of those women happen to be transgender women, so I guess you're making an all round trash fire of an opinion piece.

@feditips to add to this, if it's a reply / reply to a reply that you see, you can report to your server mods and to the OPs mods, and to the replier's mods.

@feditips @firecat I believe the recommendation is still to not use authorised fetch, but I can't recall the details.

(OcapN is really interesting because it embeds the permissions in the activity itself)

@firecat @feditips the problem here lies not within Mastodon necessarily, but the underlying protocol, ActivityPub — there are ongoing attempts to fix, e.g., the recently published OcapN paper, but it's ultimately kinda complicated

@Gargron is that the right handle? that profile looks empty?

Do any friends have a company in Germany that could hire a junior web developer at the moment? Either as a junior or intern?

I've a friend based in Berlin, Germany, who's desperately in need of work so she can retain health insurance and stay in the country, after her last internship fell short of 6 months (company failed).

If you know of anything, please reach out! Boosts welcome!

#GetFediHired #fedihired

@carnage4life do instance-local trending topic help in this regard? (Mastodon has these under the explore page)

TIL: After you follow someone, you can go to the "..." menu on their profile, and change which languages you'll receive their posts in!

@Gargron @evan wouldn't this be solvable by removing it from the context collection?

@hrefna so far I don't think anyone's doing sharding or partitooning.. maybe mastodon.social at a stretch.

Really a question for @Gargron or @renchap

Can y'all imagine what the #Fediverse would be like if the projects had the kind of funding to enable this scale of development?

@stux stux!! 😂

@aral oh, also, you should really handle the `delete` events there too, otherwise you'll end up potentially showing deleted statuses, which at minimum would be a privacy issue.

@aral hey, just a heads up, your code sample for websockets at: https://codeberg.org/kitten/app#updates-socket will no longer work in v4.2 of mastodon, as unauthenticated access to the streaming API has been removed.