
Federated Timeline


洪 民憙 (Hong Minhee) :nonbinary:@hongminhee@hollo.social (2026-05-19 14:02:59) The world's first Fedify book, Practical Fedify: Introduction to ActivityPub Microblog Development (実践Fedify——ActivityPubマイクロブログ開発入門), has been published in Japan. This is also the first book I have ever published, and it feels quite surreal that my first book is in Japanese rather than my native language, Korean. This book is an expanded version based on the official English Fedify tutorial, Creating your own federated microblog, with various additions. Yumetsuki Mama (ゆめつきママ) worked on the cute book cover illustration, which features the Fedify dinosaur mascot, Misskey's mascot Ai-chan, and the Mastodon mascot together. It is scheduled to be published in both e-book and print formats on the 22nd by Impress NextPublishing. See also the Amazon Japan.

fedicat@fedicat@pc.cafe boosted: @Auster@thebrainbin.org (2026-05-17 04:08:32) Are people backing up the fediverse?


#fediverse


Most fediverse platforms are run by common users, not entities with either monetary, commercial, political or geopolitical interests to keep the platforms alive. But that also means the instances could disappear when money gets tight, if the interest dies out, if there are technical difficulties that are hard to deal with, etc.


This brings me to the opening question, are people taking at least what they find relevant from the fediverse, and backing it up on web archival services, or at least backing up locally as screenshots, HTML/MHTML files, etc., so if their instance or the propagated contents die, at least there is a register the content ever existed?


@fediverse

ささきち¦C108 1日目ー東イ20a@ssk_chi@misskey.io boosted: @__ka_3@misskey.io (2026-05-18 21:48:02) ​:punipuni:​ #ハァハァ……太もも見せて…… ---Attachments--- image: https://media.misskeyusercontent.com/io/6a5c39c4-102d-4310-8b70-d319c1dfdd71.webp?sensitive=true
image: https://media.misskeyusercontent.com/io/webpublic-808abe69-e3c9-4e2b-a785-055ab2e20ec3.png?sensitive=true
image: https://media.misskeyusercontent.com/io/28a85789-5b79-450a-8ed3-9eef9f3494ec.webp?sensitive=true
image: https://media.misskeyusercontent.com/io/e6107f31-c0de-4327-8fb2-054738468961.webp?sensitive=true

佐々木/네코가와@nounashi7298@social.nekokawa.net (2026-05-19 13:34:47) Seto Koji, I do like him

ささきち¦C108 1日目ー東イ20a@ssk_chi@misskey.io boosted: @hozumik@misskey.io (2026-05-18 09:23:45) ​:iiyone__ooo:​​:tamaranai:​​:suki_sugiru:​ #ハァハァ……太もも見せて…… ---Attachments--- image: https://media.misskeyusercontent.com/io/3564d12d-6b5d-4723-9028-e14f598ed35c.webp?sensitive=true
image: https://media.misskeyusercontent.com/io/595fcc8a-c12a-45b3-bdcf-a6a2ce34d289.webp?sensitive=true
image: https://media.misskeyusercontent.com/misskey/91b99ca9-e831-4f13-8554-eedf8b9cf74b.png?sensitive=true
image: https://media.misskeyusercontent.com/misskey/40e8d858-980f-4045-bd59-564f7b85ea4c.jpg?sensitive=true

ささきち¦C108 1日目ー東イ20a@ssk_chi@misskey.io (2026-05-19 13:12:25) Succulent arrangements are cute :blobcat_cactuswalk:

ささきち¦C108 1日目ー東イ20a@ssk_chi@misskey.io boosted: @majidedekaipurin@misskey.io (2026-05-19 13:09:05) I just want you to look at this one, because it's cute ---Attachments--- image: https://media.misskeyusercontent.com/io/webpublic-040a4d68-78ad-4bb8-b039-ff7c8996e3bc.webp

ささきち¦C108 1日目ー東イ20a@ssk_chi@misskey.io (2026-05-19 12:57:56) For the first time in a while there's a movie I want to see, so I went ahead and booked a ticket :ameowattention:

fedicat@fedicat@pc.cafe boosted: @hollo@hollo.social (2026-05-19 12:00:52) Hollo security updates: 0.7.16 and 0.8.5
If you run Hollo, update to a patched release now. Hollo 0.7.16 and 0.8.5 fix several security issues in ActivityPub federation, the web admin UI, OAuth, and the transitive fast-xml-parser dependency.

On the federation side, three inbox handlers were missing authorization checks. Any remote actor could send a Delete to remove any cached post by IRI, an Update to overwrite or first-materialize a cached post under another actor's name, or a cross-origin Announce whose attacker-controlled embedded body materialized as someone else's post. The checks now differ by activity type. A Delete is ignored unless the deleter's origin matches the cached post author's origin. An Update is ignored unless the activity actor, the embedded object's id, and its attributedTo all share an origin. For Announce, Hollo no longer trusts attacker-supplied embedded content to create or overwrite the original post: unknown cross-origin objects are fetched from their canonical URL, and any newly cached object must have matching id and attributedTo origins. Separately, Follow, Like, EmojiReact, and Announce from a blocked actor were processed normally and still produced notifications; they are now silently dropped at the inbox.

On the web admin side, login and OTP cookies were set without HttpOnly, SameSite, or Secure, and state-changing forms had no Origin or Sec-Fetch-Site check. A single reflected XSS could exfiltrate the admin session, and a malicious page could submit a hidden cross-site form to disable 2FA, delete an account, or silently authorize a rogue OAuth application. The affected dashboard routes and POST /oauth/authorize now run Hono's CSRF middleware, and the login and OTP cookies now carry those attributes.

The transitive fast-xml-parser (carried in via the AWS SDK that backs S3 storage) is now pinned to patched versions, closing one critical and several high-severity advisories. Hollo also now uses constant-time comparison fo
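
The per-activity origin checks described in the advisory above, sketched as an added example that is not part of the post and is not Hollo's code. The function names, the return labels, the `cache` map and the treatment of a same-origin embedded Announce object are assumptions made for illustration.

```javascript
// Added illustration: names are hypothetical, not Hollo's code.
// `cache` maps a cached post's IRI to its author's IRI (attributedTo).
// Origin of an IRI, or null when it does not parse or has an opaque origin.
function originOf(iri) {
  try {
    const origin = new URL(iri).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// True only when every IRI has a usable origin and all origins are equal.
function sameOrigin(...iris) {
  const origins = iris.map(originOf);
  return origins[0] !== null && origins.every((o) => o === origins[0]);
}

// ActivityStreams values may be a bare IRI string or an embedded object.
const idOf = (v) => (typeof v === "string" ? v : v?.id);

// An object may be cached only if its id and attributedTo share an origin.
const cacheable = (obj) => sameOrigin(obj.id, idOf(obj.attributedTo));

// Returns "apply", "use-cached", "fetch" or "ignore" for an inbox activity.
function authorizeInbox(activity, cache) {
  const actor = idOf(activity.actor);
  const object = activity.object;
  const objectId = idOf(object);
  const embedded = typeof object === "object" && object !== null;
  switch (activity.type) {
    case "Delete": // deleter must share the cached author's origin
      return sameOrigin(actor, cache.get(objectId)) ? "apply" : "ignore";
    case "Update": // actor, object id and attributedTo must all agree
      return embedded && sameOrigin(actor, objectId, idOf(object.attributedTo)) ? "apply" : "ignore";
    case "Announce":
      if (cache.has(objectId)) return "use-cached"; // embedded body never overwrites
      if (embedded && sameOrigin(actor, objectId)) return cacheable(object) ? "apply" : "ignore";
      // Unknown cross-origin object: drop the embedded copy, refetch by id,
      // and run cacheable() on the fetched document before storing it.
      return originOf(objectId) ? "fetch" : "ignore";
    default: // other activity types are out of scope for this sketch
      return "ignore";
  }
}

// Constructed sample data (example.* hosts are placeholders).
const cache = new Map([["https://good.example/notes/1", "https://good.example/users/alice"]]);
const forged = { id: "https://good.example/notes/2", attributedTo: "https://good.example/users/alice", content: "forged" };
```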

ささきち¦C108 1日目ー東イ20a@ssk_chi@misskey.io (2026-05-19 11:08:19) ​:soda_ice:​ wip ---Attachments--- image: https://media.misskeyusercontent.com/io/f68cbe36-61c3-41c3-9c5e-96e804499ccc.png?sensitive=true

nathanlovestrees@nathanlovestrees@disabled.social (2026-05-19 10:20:54) mastodon’s best use is for popping in to share all the stuff you did while you weren’t on mastodon

うなさか@unasaka0309@misskey.io (2026-05-19 09:33:53) Looking at the FANZA rankings, my own kinks are so bland that I feel like simmering them in soy sauce, sugar, mirin and sake

うなさか@unasaka0309@misskey.io (2026-05-19 09:11:10) Poor Bluesky has died

wakest likes your bugs ⁂@liaizon@social.wake.st (2026-05-19 08:43:27) looks like @Discourse just got a boatload of CVEs patched

via @announcements ---Attachments--- image: https://social.wake.st/system/media_attachments/files/116/598/230/636/664/644/original/cacdea403470f5bf.png

ささきち¦C108 1日目ー東イ20a@ssk_chi@misskey.io boosted: @gogo80000v@misskey.io (2026-05-19 03:48:01) ​:tere:​​:manaka_panic:​​:tere:​​:hawawa:​ ---Attachments--- image: https://media.misskeyusercontent.com/io/5356b0d9-a4d6-4fe9-b75d-286ff3e8f66a.webp?sensitive=true

ささきち¦C108 1日目ー東イ20a@ssk_chi@misskey.io boosted: @yuduki_nh@misskey.io (2026-05-19 02:48:33) ​:skeb:​​:daikansya_unchikun:​
https://skeb.jp/@yuduki_nh/works/81 ---Attachments--- image: https://media.misskeyusercontent.com/io/92eafe3b-dd14-4521-a870-209ad7b7429c.webp

ささきち¦C108 1日目ー東イ20a@ssk_chi@misskey.io (2026-05-19 08:41:48) ​:ohayoo:​​:nikkori_taiyou:​

fedicat@fedicat@pc.cafe boosted: @reiver@mastodon.social (2026-05-19 07:14:05) RE: https://mastodon.social/@reiver/116597841178183282

There is also the other question of — would the resume / CV be JSON-LD.

On one hand, if it was in JSON-LD, it would make it machine-legible similar to ActivityPub.

On the other hand, I don't think anyone is going to write JSON-LD (especially HTML embedded in a JSON string value) by hand. But, I do think some people will want to write their resume by hand.

It feels like user-experience is fighting with JSON-LD based machine-legibility.

#ActivityPub #ActivityStreams #FediDev #ProToGo #JSONLD

Reply to @mradcliffe@nokoto.org mradcliffe@mradcliffe@nokoto.org (2026-05-19 07:14:23) When last I left off, I made a pull request to the peertube/http-signature library to try to help the JavaScript ecosystem reach RFC 9421 parity while being backwards-compatible with cavage-12 draft implementations. There has not been any traction on this yet. Maybe because PeerTube has abandoned its own use of the library.

So our current ecosystem state is the following:

PeerTube uses misskey-dev/node-http-message-signatures library and owns the de facto unmaintained peertube/http-signature library.
Misskey and the rest of the ‘keyverse use peertube/http-signature library and Misskey owns the de facto...

fedicat@fedicat@pc.cafe (2026-05-19 06:50:14) tired of looking at blue links, trying underlines ---Attachments--- image: https://cdn.masto.host/pccafe/media_attachments/files/116/597/785/393/091/986/original/f236a5b6d1ed60e1.jpeg

Michael Kratzenberg 📢@kratzen@berg.mobilecourant.org (2026-05-19 06:19:39) I cannot describe in words what I feel at the moment. Hate and Islamophobia should have no place in this country. I pray for the victims and families of the victims of the tragic shooting in San Diego.

Reply to @silverpill@mitra.social Light@light@noc.social (2026-05-19 06:02:26) @silverpill @n0iroh
Haven't read yet but this reminds me of @VeilidNetwork, which advertises itself as "if Tor and IPFS had sex"

Niléane@nileane@nileane.fr (2026-05-19 06:00:12) @cheeaun feature request for @phanpy: an option to disable the "hide toolbars when scrolling down" behavior 🙏🥺

Reply to @adele@social.pollux.casa Larry Garfield@Crell@phpc.social (2026-05-19 05:55:31) @adele Did you sign up for a remote ticket to stream sessions? (Totally get not wanting a long trip, especially crossing the US border.)

Reply to @jjmbkctm2@pawoo.net :onmyou:‮:vc:‭Charlie Root‬@relay@mastodon.hakurei.win (2026-05-19 05:44:13) @jjmbkctm2 I think what fits that image is misskey.io rather than Misskey in general

Reply to @adele@social.pollux.casa philip@philip@gotosocial.wittamore.fr (2026-05-19 03:44:07) @adele ok, so it's a feature 😄

silverpill@silverpill@mitra.social (2026-05-19 05:43:53) https://www.iroh.computer/blog/tor-custom-transport

>Use iroh with Tor for anonymous connections

This is an interesting development. I don't want to choose between Tor and I2P, so a higher level p2p networking library that can use both networks simultaneously sounds like a great solution.

@n0iroh Do you plan to implement #I2P custom transport? Or perhaps you know someone who is working on it?