Federated Timeline
Reply to @tadano@mt.watamelon.win
silverpill@silverpill@mitra.social (2026-05-21 02:46:26)
@tadano
There is a list of breaking changes: https://codeberg.org/silverpill/mitra/src/branch/main/docs/mitra_5_0.md
But most likely none of this affects you
Hollo :hollo:@hollo@hollo.social (2026-05-21 02:39:43)
Hollo security updates: 0.7.17, 0.8.6, and 0.9.1
If you run Hollo, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling, and Hollo depends on Fedify for ActivityPub federation.
Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended—without invalidating the signature.
The fix makes Fedify normalize Linked Data Signature-verified activities against its local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape. For full technical details of the underlying vulnerability, see the Fedify security announcement.
All Hollo versions up to and including 0.7.16, 0.8.5, and 0.9.0 are affected. Patched releases are 0.7.17 for the 0.7.x series, 0.8.6 for the 0.8.x series, and 0.9.1 for the 0.9.x series.
For 0.7.x deployments, update to 0.7.17:
docker pull ghcr.io/fedify-dev/hollo:0.7.17
For 0.8.x deployments, update to 0.8.6:
docker pull ghcr.io/fedify-dev/hollo:0.8.6
For 0.9.x deployments, update to 0.9.1:
docker pull ghcr.io/fedify-dev/hollo:0.9.1
After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.
Thanks to @Claire for the report and responsible disclosure to the Fedify project.
If anything is unclear, ask below.
Reply to @tadano@mt.watamelon.win
Tadano@tadano@mt.watamelon.win (2026-05-21 02:36:38)
ALSO
>how to pull past posts from profiles quickly so I am not looking at a profile timeline with gaping holes
Fedify: ActivityPub server framework@fedify@hollo.social (2026-05-21 02:35:44)
Fedify security updates: 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3
If you use Fedify, update to a patched release now. CVE-2026-42462 affects Fedify's Linked Data Signature handling. An attacker could use JSON-LD graph-restructuring features to change how a signed activity is interpreted without invalidating its Linked Data Signature.
Fedify verifies incoming ActivityPub activities with several mechanisms, including HTTP Signatures, Object Integrity Proofs, and Linked Data Signatures. The vulnerable path is Linked Data Signatures: the signature is checked over the canonical RDF graph, but JSON-LD can represent the same graph in more than one JSON shape. In affected versions, that gap could let a signed activity be reshaped so that Fedify reads a different ActivityPub object shape than intended.
The fix makes Fedify normalize Linked Data Signature-verified activities against Fedify's local JSON-LD context before interpreting them, and rejects JSON-LD constructs that can preserve the signed RDF graph while changing the ActivityPub object shape consumed by Fedify.
Patched releases are 1.9.11, 1.10.10, 2.0.18, 2.1.14, and 2.2.3. The GitHub Security Advisory is GHSA-9rfg-v8g9-9367, and the CVE ID is CVE-2026-42462.
Update @fedify/fedify:
npm update @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update @fedify/fedify
bun update @fedify/fedify
deno update @fedify/fedify
After updating, redeploy. If you run other Fedify-based servers, update those too.
Thanks to @Claire for the report and responsible disclosure.
If anything is unclear, ask below.
Tadano@tadano@mt.watamelon.win (2026-05-21 02:33:32)
Alright now to figure out the following issues:
>why instances like ryona.agency, tsundere.love, annihilation.social aren't loading images (all media is proxied by default i.e. not loaded from a local cache)
>why custom emoji reacts are not working despite cust emotes being usable in posting/being on the server
>if database shenanigans need to be done upgrading from 4.x to 5.3.0
>why federation is slow and how to get older posts in a timely manner (AI log analysis kept mentioning a duplicate key bug, unsure if hallucinatory or me being dumb :cirnoshrug:)
>why @relaystalker is STILL getting stuck on follow requesting with relay accounts
>how to get this instance to communicate with dedicated relays
>how to get tor/tor federation up with this docker setup
>how to federate over I2P
>how to temporarily get schwartzwelt up in a container without all the media so I can migrate all my followers from there to here
All shall be figured out in time as I relearn sysadmining :watamelonogey:
t. Instance running on Rocky Linux for the first time
Repost if you can! God willing this reaches as many Mitra sysadmins as possible because I don't think I can badger silverpill alone without being terribly rude/annoying :watamelonsweat:
---Attachments---
image: https://mt.watamelon.win/media/1e00183e82cb8e3d1434c5114efa6670b1788a50b1341cc603bdf86d3bee7608.png
image: https://mt.watamelon.win/media/35245a3b381a820da851cd964f5ef000f3658165c9906c0d07e4ff3d8f8b5fb3.png
Nova@Chishiki611@enby.life boosted:
@misty@digipres.club (2026-05-21 00:40:16)
Hometown admins: we’ve released v4.5.10+hometown-1.2.1. This incorporates today’s Mastodon security release which fixes high severity bugs. We recommend that all admins update immediately. https://github.com/hometown-fork/hometown/releases/tag/v4.5.10%2Bhometown-1.2.2
#HometownAdmin
Wafrn - software development and instance info@admin@app.wafrn.net (2026-05-21 01:10:03)
Images available now
If you updated last week already, you just use the standard update method
RE: https://app.wafrn.net/fediverse/post/f84a56a2-d43a-4d2a-a461-618fdf0fa53a
SK@sk_@misskey.io (2026-05-21 00:51:55)
:serina_face_smile:
---Attachments---
image: https://media.misskeyusercontent.com/io/9e474d1f-1d9a-43c3-869b-97dc3eaaf357.png?sensitive=true
Coro@Coro@mstdn.maud.io (2026-05-21 00:49:40)
green coke tasted like a light, not-too-sweet Coca-Cola.
fedicat@fedicat@pc.cafe boosted:
@mirlo@musician.social (2026-05-21 00:12:02)
We are open source, cooperatively-run, community-led and in the process of joining the social web. We're also working collaboratively with others in the space towards different modes of decentralisation, going against enshittification and one-size-fits-all approaches.
If you'd like to support our work and help allocate more resources towards these things, there are several ways to do so at the link below. Thank you! 💪🐦⬛
https://mirlo.space/team/tip
#SupportUs #Fediverse #Support #Coop #Coops
Connected Places@fediversereport@mastodon.social (2026-05-21 00:37:12)
Various projects on the open social web are working towards private data, whether that's @Mastodon getting funding for adding E2EE, Lemmy's upcoming 1.0 release featuring private communities, or Bluesky's work on expanding atproto with permissioned data.
Bounded communities with private data using open protocols sound quite like @matrix however.
I'm taking a closer look, as this comparison turns out to be quite a lot stranger than expected
https://connectedplaces.online/reports/fr163-decrypting-matrix/
Nova@Chishiki611@enby.life boosted:
@sharkey@sharkey.team (2026-05-20 23:49:46)
develop has been updated! happy patching, everyone
fedicat@fedicat@pc.cafe boosted:
@box464@mastodon.social (2026-05-20 20:43:43)
@hollo releases a new major version update, 0.90. Too many changes to hit in a single post! Skimming, the most notable to users will be the switch from Pico CSS (my weekend hobbyist fave) to Uno CSS. At least in screenshots, the new UI is taking on a polished look.
Planning to upgrade, but need to review this a bit more before flipping the switch.
https://github.com/fedify-dev/hollo/discussions/496
#FediDev #ActivityPub
Nova@Chishiki611@enby.life boosted:
@noisytoot@berkeley.edu.pl (2026-05-20 23:26:05)
For Akkoma and Pleroma users, this says:
Unofficial Announcement: We just released 2026.5.4-beta.0 of Misskey, which includes important security fixes. Official 2026.5.4, along with security advisory, is expected to be released several hours later due to timezone differences.
RE: https://transfem.social/notes/amhpmefg5yrf003n
fedicat@fedicat@pc.cafe boosted:
@vernissage@mastodon.social (2026-05-20 22:15:51)
If you’d like to support the project and have a little free time, I’d really appreciate your help with translations. Every contribution makes a difference. 🤩
The translations have already been pre-translated automatically, so the main task is to review and approve them. Once all language translations are approved, the new version of the app will be released to production.
You can join the translation team here:
https://crowdin.com/project/vernissageweb
#Vernissage #Translation #OpenSource #Fediverse
Reply to @Coro@mstdn.maud.io
Coro@Coro@mstdn.maud.io (2026-05-20 23:40:57)
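Hyundai Motor bought a good company at a good time.
---
Hyundai Motor to build a "factory producing 30,000 Atlas humanoid robots a year" in the US state of Georgia : Economy : The Hankyoreh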
https://japan.hani.co.kr/arti/economy/56233.html
fedicat@fedicat@pc.cafe boosted:
@sharkey@sharkey.team (2026-05-20 22:48:26)
We've released 2025.4.7, containing the security fixes mentioned. Work on merging the security fixes into develop is underway.
RE: https://sharkey.team/notes/amckzae8d8ka0001
fedicat@fedicat@pc.cafe boosted:
@MastodonEngineering@mastodon.social (2026-05-20 22:53:32)
We just released Mastodon 4.5.10, 4.4.17, and 4.3.23.
These versions contain several medium and high severity security fixes.
Also, please note that this marks the final Mastodon v4.3 update; this branch is now unsupported. If you are still using it, please move to a newer version as soon as possible.
Full release notes and update instructions are available on the GitHub releases page.
https://github.com/mastodon/mastodon/releases
#MastoAdmin
fedicat@fedicat@pc.cafe boosted:
@dansup@mastodon.social (2026-05-20 22:59:45)
Loops is the privacy focused alternative to TikTok, a fully self-hostable + ActivityPub federated platform.
A few highlights:
- Starter Kits: https://joinloops.org/starter-kits
- Embeds: https://dansup.github.io/loops-embed-demo/
- Atom feeds: https://loops.video/feeds/1.atom
Learn more: https://joinloops.org/why-loops-matters
#Loops #TikTok
arce@arce (2026-05-20 23:36:32)
Quite noticeable the difference in loading time between #tinyap and others ...
fedicat@fedicat@pc.cafe boosted:
@peertube@framapiaf.org (2026-05-20 23:13:47)
For platforms already running #PeerTube release candidate version 8.2.0-rc.1, we have also released version 8.2.0-rc.2, which includes these fixes as well: https://github.com/Chocobozzz/PeerTube/releases/tag/v8.2.0-rc.2
fedicat@fedicat@pc.cafe boosted:
@reiver@mastodon.social (2026-05-20 23:13:47)
I may have written a JSON-LD schema for JSON Resume.
It is defined in terms of ActivityPub.
For example:
'Resume' is a sub-type of an ActivityPub 'Object'. There are some new fields defined. Etc.
...
Now the question is — where do I put it?
Do I create a pull-request to the JSON Resume resume-schema repo?
Do I create a FEP?
Do I put it somewhere else?
#ActivityPub #ActivityStreams #FediDev #ProToGo #JSONLD #JSONresume
Nova@Chishiki611@enby.life boosted:
@kakkokari_gtyih@transfem.social (2026-05-20 23:16:52)
Unofficial Announcement: We just released 2026.5.4-beta.0 of Misskey, which includes important security fixes. Official 2026.5.4, along with security advisory, is expected to be released several hours later due to timezone differences.
fedicat@fedicat@pc.cafe boosted:
@peertube@framapiaf.org (2026-05-20 23:13:46)
We've just published #PeerTube 8.1.6 to fix several security issues. If you're running a platform, please update as soon as possible.
The full changelog can be found here: https://github.com/Chocobozzz/PeerTube/releases/tag/v8.1.6
Kerstin@erictapen@chaos.social (2026-05-20 23:14:39)
If you are working on Fediverse software, you might have heard about FEP-8a8e, which is an upcoming standard to unitize how events (as in gatherings of people) are shared via ActivityPub.
I'm currently working on a cool new validation tool that is supposed to help developers write correct implementations of this standard:
https://validate.event-federation.eu/
🧵1/7
---Attachments---
image: https://assets.chaos.social/media_attachments/files/116/607/312/809/662/750/original/0727a2b20d3e0967.png