@fionafokus@mystical.garden Side-question here, since I'm not very familiar with the code.

If I posted something privately, and it was visible to someone using Mastodon, who was followed by someone using Pixelfed, are there any conditions in which my private posts could have been exposed by proxy?

E.g. would it be visible by default, would it require a reaction/ renote (if possible) or a comment?

Just how large is this issue?

@fionafokus It's and interesting read, and yet another example of lack of testing of the product before release. I'm not saying all bugs would be eliminated but there are many, some very trivial, that would never have made it through any kind of testing.

Also disappointing that common practice was not adhered to in the way security reporting/fixing was handled by the developer. Exposing risk to the community unnecessarily.

Great article.

@fionafokus thank you for your work here, and your attempts to limit the damage by responsible disclosure, and the excellent writeup. I agree that there's an important discussion about the impact of this pattern of reckless behavior (and the willingness of so many cis male fediverse influencers to give it a pass and encourage people to donate to a project with this track record).

@fionafokus@mystical.garden
Ooph... I agree. The handling on the #pixelfed site was anything but professional.

For a software that has so many users... wow.

At least the whole thing confirms that my decision not to use this software was right

@fionafokus isn't that a fundamental problem? what stops a person who wants to follow people without their consent from running their own server?

(... my suspicion is that the desire of many fediversians to be visible and invisible at the same time is one of the internal contradictions that means other platforms win)

@fionafokus@mystical.garden Wow, that was fumbled about as much as humanly possible. I am impressed.

@fionafokus given the vuln remains in 0.12.4, couldn't a malicious actor simply setup an instance and go to town?

To me it feels as though that specific version should be blacklisted from federation then?

@fionafokus Thank you.

It's clear @dansup need more active co-maintainers. The project(s) suffer from the well known single-hero-dev problem.

@fionafokus hmm, side-question, what makes it bad about publishing patches?

or: why does coordinated disclosure exist?(?) why does it matter that he published patches instead of following a disclosure timeline, we thought that was only a thing to avoid pissing off corporate entities/avoid lawsuits and CFAA charges?

☝
cc @pablo @pitbuster por si acaso

@fionafokus

Thanks for this write-up! And thanks for your careful handling of the whole thing.

@fionafokus

That is so unfortunate. And I was thinking seriously about opening up another instance on pixelfed to allow for extended essays.

Is there a safer alternative out there that allows for more than 500-character toots and 4 images??

@fionafokus stages of grief learning about the necessary php upgrade

@fionafokus How can I check if all pixelfed instances I ever allowed followers from have updated their software?

It looks like I can't even export a list of my current followers in Mastodon...

@fionafokus well *that* was crap disclosure handling from upstream, disappointing

@fionafokus if i had a nickel for every software i use that required a new version of PHP in a minor/patch updat, i'd have two nickels

which isn't a lot but breaking changes go into major releases jfc

@fionafokus

Thx a lot for making this public and for your dedication and effort.
Read your blogpost with great interest and also the further sources and links at the bottom were of great help!

Thx again!