2nd exploit (or 2nd vector for the 1st exploit) found for Pleroma and its derivatives. Looks like Poa.st and possibly Bae.st had non-public information successfully exfiltrated.
@evan@prodromou.pub @evan@identi.ca ( and formerly @evan@e14n.com ) has said this a few times, but here it is again.
"Every time you post on Twitter, you produce value for the advertisers.
You tell everyone in your network there that it's OK to stay. That you're all helpless to leave.
You tell the people who've lost their jobs, the people who are being hounded and harassed, that they are not important to you.
You know you're going to be ashamed of it later.
Just stop posting.
Do it here, not there. Connect here, not there.
Don't reply, don't like, don't retweet.
Stop feeding your life into the machine."
This was true before Elon #Musk bought #Twitter, but I guess it wasn't as important before.
I don't fully agree, simply because there may be some advantages to many people who continue to use Twitter instead of moving to the #Fediverse (e.g., #GNU_Social, #Mastodon, #Pleroma, #Misskey, #PixelFed, #Lenny / #Lemmy, etc) or they would have moved over already.
Also, because unless one self-hosts one's own presence, an angry instance admin is all it takes to lose all posts and connections and have to start over. Or, if one has contacts on a different instance, then irate instance admins participating in #blockwars (including #fediblock) can separate the person from some portion of their contacts.
So remember, everything that Twitter is or can do to you, your Fediverse instance can also do. Most instances will never do most of those things, but pretending that one is safe here could result in disappointment in the future.
#Misskey security update. Someone created "instances" which trigger a denial of service in Misskey and possibly #Mastodon. From what I hear, #Pleroma is not vulnerable. #GNUsocial is likely also vulnerable.
We can expect a lot more of these kinds of things now that the #Fediverse is getting attention.
@clacke I agree. I typically want to see what a site looks like and what its users are publicly posting before I decide to join.
But I also think most existing users of #Mastodon and #Pleroma don't use posting scopes to their advantage. If you don't want unmentioned non-followers to view your posts, choose a followers-only scope. If you don't want your posts in the public timelines, choose a non-public scope.
GS groups can usually be joined from any GS instance, but as @administrator mentioned, glitches may happen. #Mastodon intentionally does not support GS groups, and same for #Pleroma.
@gnu2 I have not used #PleromaFE Pleroma front end on GS, but on its own #Pleroma back end, there is a setting to hide the site's built in background image. Unfortunately, it does not remember from session to session, so you have to import your own settings each time you log in.
I'm not sure whether the #Soapbox front-end can be used with #GNU_Social. #Pleroma started out as a front-end for #GS, as #Qvitter started falling behind. So even though #PleromaFE currently doesn't support GS, it may be possible to go back to when support was removed and re-add it.
There's a big rift happening in the #Pleroma and #Soapbox world right now. @lanodan writes about it from his perspective.
The attached screenshot shows what I saw. I personally like Mr Gleason, but this response would not be acceptable in any software project I'd run on my servers. I don't know what happened to make him so angry and hostile.
I know the feedback has been decidedly negative toward his change. But that should have been expected. Anyone that isn't / wasn't running Soapbox's newest develop branch thinks something is broken.
For the record, GNUsocial and its predecessor StatusNet had removed @ names from replies in the default front end for many years now. I would guess 10-12 years, or right around SN 1.0. I think the Qvitter front end added them back (as Twitter still had them at the time). And both Mastodon and Pleroma have them still. https://nu.federati.net/attachment/284703
#Pleroma (and I assume #Mastodon) have ‘relays’ built in, where an instance can join other instances’ relays, so that their outgoing traffic is shared with all the other instances that are members of that relay.
The advantage of a relay is that all of an instance’s public posts are automatically shared with other participating instances, where a followbot follows each user individually.
(Another thing that #Diaspora did a long time ago to improve federation.)
Hat Thieves (formerly at hatthiev.es/ but that appears to be gone now) was a group from Spain that was exploring independent and federated services. They operated GS, Mastodon, and Pleroma instances, plus lots of other FOSS but not federated things.
Whenever they opened a new federated instance, they’d immediately start following a bunch of people, to get posts into their network feed. The Masto and Pleroma instances would get angry and mass-block the instance.
Someone shut his #Fediverse #Pleroma server because he saw a polarized us vs them (there were additional reasons not contained in his article ... but you'd have to ask him directly).
I’m still looking for a low priced annual payment VPS provider that has a somewhat lower risk (of closure, hardware failure, etc) than most LEB hosts, so I can launch temporary testing instances (for example, the upgrade of GS to the #ActivityPub enabled 2.0 branch, and looking at how well #Zap, #Pleroma, #Friendica instances fit into the !FNetworks roadmap).
I’m also considering adding a Federati #Pump.io instance, but I need to talk with the Pump.io project about SSO options. Since they use Node.JS, I’d want it on a completely separate VPS, with some restrictions to prevent incidents. Also, if utilization is too low, that would likely close.
Currently, everything is still coming out of my pocket.
@storm #Pleroma comes with PleromaFE and MastoFE. I know PleromaFE is high in #JavaScript. If the #JabbaShit interferes with your assistive technologies, there is a separate front end called “Bloat”, which is supposed to be much less JavaScript-y.
I have not seen Bloat myself (I don’t even know the project’s URL), so this is all hearsay.
You may not see this ... but the best way would have been to create a separate subdomain for #Pleroma. There's a tendency for federation to break if different installs reuse the same "subdomain.domain.ext" name.
It is irritating that so many #socnets think they have to be entirely depending on #JavaScript. Mastodon and #Pleroma both require #JabbaShit before they display anything or have even basic functionality.
Caution: this episode is over three hours long, so I have not listened (and will likely only listen to a fraction of it).
I wish @tio had also brought someone from #GNU_Social and someone from #Pleroma (and maybe @mike@loadaverage.org @mike@z.macgirvin.com to represent #Hubzilla and #Zap (and #Mistpark, #Redmatrix), and @dansup developer and project founder / leader of #PixelFed, and perhaps someone from #PeerTube, #Misskey, and so on). The other thing I wish had been done is to slice this far-too-long episode into four pieces, each an hour or less in length.
Sorry, Michael, I don't know whether you're officially the project leader, so I left that unsaid.
@mangeurdenuage I don't think #Pleroma auto-hides posts with #nsfw tags. It looks like a user "Filtering" setting in PleromaFE that must be re-entered each time one logs in.
I am conducting an anonymous survey for my MSc dissertation on the barriers to uptake of alternative social media platforms. If you're interested, please click the link below. Your input would be much appreciated!