Federated Timeline


Reply to @Feditext@mastodon.social Feditext@Feditext@mastodon.social (2026-05-24 05:30:15) We're back! Brian fixed the issue and Feditext should work again for all of our TestFlight users. If it doesn't, please manually open TestFlight and check for a new build.

#Feditext

Fedilab Apps@apps@toot.fedilab.app (2026-05-24 05:22:30) I read your concerns and I deeply appreciate them. The goal was only to give more visibility on what is being fixed and improved. Things are working well as they are, and some of you warned me about side effects. If I ever start to feel uncomfortable with milestones, from pressure or anything else, I can always tell you and stop. What we all want is to make Fedilab better.

silverpill@silverpill@mitra.social boosted: @jae@mastodon.bsd.cafe (2026-05-24 00:52:47) as the world turns, so do single-binary #fediverse frontends. just implemented background polling for notifications with a subtle indicator. still sitting at ~14mb binary tested against #pleroma #mastodon #gotosocial #mitra ---Attachments--- image: https://media.bsd.cafe/bsdmmedia01/media_attachments/files/116/624/687/166/850/305/original/cb93f47b41219953.png

Reply to @silverpill@mitra.social Phantasm@phnt@fluffytail.org (2026-05-24 05:20:49) @silverpill
>this measure is ineffective and can easily be circumvented by changing the keyId parameter of a signature.

I never thought about it like that, but that too is a way to circumvent it. Although you would still need some way to publish that key and a valid Actor for verification, a server. If a remote server implementing restrictions on fetching based on signatures only disallows the instance Actor, then that is a way to bypass that restriction. Although I think there currently is no implementation that does that. Mastodon instead blocks everything on the domain including all subdomains and GTS probably does the same. No idea how the Misskey forks and Iceshrimp.NET do it though. Of course using different domains works as well.

>Servers MUST NOT allow clients to publish activities where embedded objects are owned by another actor.

Unrelated to this FEP, but this came up when fixing the recent Pleroma security issues. There is no agreed upon way of federating moderation decisions to remote instances. It is logical when validating remote Update Activities to only allow Activities that update Objects owned by the same Actor, however that is never guaranteed when for example an admin on a remote instance forces a post to be NSFW. Similarly Delete Activities can have the Actor be the moderator, but the Object actually owned by a user.

Reply to @silverpill@mitra.social Alex Gleason@0461fcbecc4c3374439932d6b8f11269ccdb7cc973ad7a50ae362db135a474dd@mostr.pub (2026-05-24 05:17:56) Those things are too hard on ActivityPub. Join the dark side.

Reply to @jae@mastodon.bsd.cafe silverpill@silverpill@mitra.social (2026-05-24 05:12:50) @jae tui? looks great

Reply to @8c593cc6084205228f9d5f826249596710bbbee6236d54e2c74b2826d00e4c83@mostr.pub silverpill@silverpill@mitra.social (2026-05-24 05:11:08) @8c593cc6084205228f9d5f826249596710bbbee6236d54e2c74b2826d00e4c83 @0461fcbecc4c3374439932d6b8f11269ccdb7cc973ad7a50ae362db135a474dd

ActivityPub.

We're now getting capabilities previously available only on SSB & Nostr. Key-based identity, local-first clients.

Reply to @silverpill@mitra.social Evan Prodromou@evan@cosocial.ca (2026-05-24 05:03:52) @silverpill

I don't think this makes sense: "Servers MUST NOT allow clients to publish activities where embedded objects are owned by another actor."

We've never had this requirement; it's not built into ActivityPub; it's not how federation works.

- Like
- Announce
- inReplyTo
- Follow
- Accept
- Reject

I think two way verification is a better mechanism than same-origin. So, check that the `object` of a `Create` has the same `attributedTo` as the `actor`.

Reply to @phnt@fluffytail.org silverpill@silverpill@mitra.social (2026-05-24 05:00:56) @phnt @feld @lain That's correct. Activities are added to local outbox and sent to the gateway when it becomes available.


Reply to @silverpill@mitra.social silverpill@silverpill@mitra.social (2026-05-24 04:56:26) @phnt Following on one of our conversations, I now call out authorized fetch as ineffective when it is used on public objects:

Some servers require an HTTP signature in an attempt to limit access to public objects. In this scenario, the request is expected to be signed with a key that is owned by a server actor. However, this measure is ineffective and can easily be circumvented by changing the keyId parameter of a signature.


silverpill@silverpill@mitra.social (2026-05-24 04:52:17) FEP-fe34 (Origin-based security model) update : https://codeberg.org/fediverse/fep/pulls/849

I tried to better explain the assumptions on which the model is based, and clarified how exactly origins should enforce boundaries between actors:

Servers MUST ensure that activities published by a client do not represent unauthorized actions. This includes activities embedded within other activities and objects.

Servers MUST NOT allow clients to publish activities where embedded objects are owned by another actor.

Lemmy API and Mastodon API implementers don't have to worry about this, but one needs to be very careful when accepting arbitrary payloads from clients, for example, when implementing ActivityPub C2S API or FEP-ae97 API. Unfortunately, these security issues are completely ignored by people who push for wide deployment of ActivityPub C2S API.

Another addition is the recommendation to not use partially embedded objects, because that might lead to cache poisoning:

Embedded non-anonymous objects SHOULD NOT be partial representations. A server that relies on embedding for authentication might save a partial representation of an object to the cache, replacing the full object.

(see this issue for details: https://codeberg.org/silverpill/feps/issues/21)

#fep_fe34 #activitypub
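The origin check that the FEP text above describes, and the two-way verification Evan Prodromou proposes in his reply (the `object` of a `Create` must have the same `attributedTo` as the `actor`), as an added example that is not code from FEP-fe34, Mitra or any server. It assumes that an activity is owned by its `actor`, any other object by its `attributedTo`, and that a "full" Note carries at least the fields in FULL_FIELDS; it walks nested embedded objects, so a client's Announce that embeds another actor's Note is rejected while an Announce, Like or inReplyTo that references that Note by id passes.

```python
"""Origin check for activities submitted by a client (e.g. over ActivityPub C2S).

Added example, not code from FEP-fe34 or any server. Assumptions: an activity
is owned by its `actor`, any other object by its `attributedTo`; a full Note
carries at least the fields listed in FULL_FIELDS.
"""

ACTIVITY_TYPES = {"Create", "Update", "Delete", "Announce", "Like", "Follow", "Accept", "Reject"}
# Assumed minimum field set for a non-partial (full) representation, by type.
FULL_FIELDS = {"Note": {"id", "type", "attributedTo", "content"}}
OWNER_KEYS = ("actor", "attributedTo")

# Constructed sample actors and object for the usage below.
ALICE = "https://example.org/users/alice"
BOB = "https://example.org/users/bob"
NOTE_BY_BOB = {"id": "https://example.org/notes/1", "type": "Note", "attributedTo": BOB, "content": "hi"}


def _ref(value):
    """Id of a value given either as a bare id string or as an embedded object."""
    return value.get("id") if isinstance(value, dict) else value


def _owner(node):
    key = "actor" if node.get("type") in ACTIVITY_TYPES else "attributedTo"
    return _ref(node.get(key))


def check_client_activity(activity, client_actor):
    """Return the list of origin violations; an empty list means it may be published."""
    errors = []
    _walk(activity, client_actor, "activity", errors)
    return errors


def _walk(node, client_actor, path, errors):
    owner = _owner(node)
    if owner is None and "id" not in node:
        pass  # anonymous sub-object (tag, attachment, ...) inherits its parent's owner
    elif owner != client_actor:
        errors.append(f"{path}: owned by {owner!r}, not by the publishing client")
    required = FULL_FIELDS.get(node.get("type"))
    if "id" in node and required and not required.issubset(node):
        errors.append(f"{path}: partial representation of a non-anonymous object")
    for key, value in node.items():
        if key in OWNER_KEYS:
            continue
        for i, item in enumerate(value if isinstance(value, list) else [value]):
            if isinstance(item, dict):  # embedded object; a bare id is only a reference
                _walk(item, client_actor, f"{path}.{key}[{i}]", errors)
```

`check_client_activity({"type": "Announce", "actor": ALICE, "object": NOTE_BY_BOB}, ALICE)` reports one violation, while passing `NOTE_BY_BOB["id"]` as the object reports none.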


Jeff@box464@mastodon.social (2026-05-24 04:44:25) Peter Pan Mini Golf in #Austin

“Still here. Still weird. Since 1948”

Can confirm the weirdness. ---Attachments--- image: https://files.mastodon.social/media_attachments/files/116/625/411/791/690/490/original/3fd57f4fce0789c3.jpeg
image: https://files.mastodon.social/media_attachments/files/116/625/412/394/288/026/original/578db2e6a6201ab8.jpeg
image: https://files.mastodon.social/media_attachments/files/116/625/602/077/988/182/original/d4f8360dd2dfd70e.jpeg
image: https://files.mastodon.social/media_attachments/files/116/625/446/314/203/761/original/2e0b75c2bb1ee003.jpeg

nicole mikołajczyk@mkljczk@pl.fediverse.pl (2026-05-24 04:35:26) i think having multiple shitty implementations of a thing is better than having just one shitty implementation of a thing

Reply to @feld@friedcheese.us Phantasm@phnt@fluffytail.org (2026-05-24 04:24:51) @feld @lain
@silverpill partially solved this I think with minimitra by turning Mitra into a proxy/gateway (probably already used for the nomadic activity shenanigans). A client stores posts locally and sends them off when it comes online to the proxy that handles the rest.


Reply to @lain@lain.com feld@feld@friedcheese.us (2026-05-24 04:05:43) @lain well the outbox would exist on your local device not on the server lol 🙃

Reply to @feld@friedcheese.us lain, author of the quixote@lain@lain.com (2026-05-24 03:52:42) @feld they should add outboxes to activitypub

wait

feld@feld@friedcheese.us (2026-05-24 03:50:37) Trying to post on fedi with poor signal is torture. The only good experience is with an email gateway like the DeltaChat bridge. Why don't apps default to the concept of an outbox and background sending ?

Fedi.Garden@FediGarden@social.growyourown.services (2026-05-24 03:31:04) DataSci.social is a Mastodon server for researchers & practitioners in human-centric data science, broadly defined. For example human-centric network science, social data science, computational social science, geospatial data science.

:Fediverse: https://datasci.social

You can find out more at https://datasci.social/about or contact the admin account @mszll

#FeaturedServer #DataScience #DataSci #NetworkScience #SocialScience #Geospatial #Mastodon #Fediverse #FreeFediverse

Ben Pate 🤘🏻@benpate@mastodon.social (2026-05-24 03:13:06) #Fediverse, I need your help.

I have a budget for a small contract to improve #Emissary, and am looking for a talented web designer to create a new default theme for the server.

Highlights:
* Probably ~60 hours of work
* Anywhere in the world
* Must be a good person

Details are here:
https://benpate.dev/20260601-html-designer

If you know someone who's great with HTML+CSS+Design, and is looking for a short gig, please share this with them :)

#FediHire #GetFediHired

ᴏᴏᴍ-ᴋɪʟʟᴇʀ: 333@jae@mastodon.bsd.cafe (2026-05-24 03:09:36) darkmode/lightmode added to #fediverse tui.

working out a bug with remote images from #mitra and #mastodon causing geometry skewing, but i think that's a jae problem. ---Attachments--- image: https://media.bsd.cafe/bsdmmedia01/media_attachments/files/116/625/224/448/204/698/original/87e3d995b702fc85.png
image: https://media.bsd.cafe/bsdmmedia01/media_attachments/files/116/625/225/869/876/914/original/64a051966a5715c8.png


Reply to @computer@glamour.ovh the initra mf@me@doasu.dev (2026-05-24 02:49:48) I've only used #snac for about half a year, and my instance takes up ~250MB of disk space and ~25MB of memory. :)

I wish more modern software was like #snac2 (:

CC: @grunfink@comam.es

fedicat@fedicat@pc.cafe boosted: @mastoblaster@mastoblaster.app (2026-05-23 17:57:40) MastoBlaster Build 94 is now available on TestFlight.

This is a major release that merges several different development branches I've been working on, bringing together a lot of moving parts into a single build. A long, sleepless night…

Here is what changed:

Full Drafts Support: A complete end-to-end draft flow. It includes auto-save, the ability to edit existing drafts, and a smart cancel confirmation that either discards a new draft or restores the original state if you were editing. It supports replies, quotes, polls, and media metadata.

Trending Posts: Added a new trending timeline type with proper offset pagination support.

Timeline Position Improvements: Added extra protection to stop SwiftUI from overwriting your saved scroll position when the view disappears or goes to the background. If a saved post can't be found in the cache, the app will now try a direct status fetch before giving up.

UI & Navigation Fixes: Tapping Content Warnings (CW), "Show Filtered Post", or "Show More" now goes through an inline-action guard, fixing the bug where tapping them would accidentally trigger row navigation into the thread. Filtered posts also get proper bottom padding so the list separator doesn't sit on top of the button.

Instance Compatibility & Tweaks: Added customizable timeout settings for slower instances (like snac on older hardware). I also fixed the 405 error when setting alt text on GoToSocial, and updated marker sync to strictly align with Mastodon’s documented form shape.

Testing focus: I've implemented search fixes ensuring queries stay locked to the account you are searching from. If you are on GoToSocial, please test this thoroughly and let me know how it behaves. Since this build is the result of a massive merge, keep an eye out for any regressions.

#MastoBlaster #MastoBlasterUpdates #iOS #Mastodon #snac #GoToSocial #Fediverse #Apple

fedicat@fedicat@pc.cafe boosted: @mkljczk@pl.fediverse.pl (2026-05-23 20:36:17) mastodon admin api finally lets you fetch both resolved and unresolved reports in a single request

https://github.com/mastodon/mastodon/commit/6b2616453ffe7430295bea3d3ccbf06ada67e033

Elefeed@elefeed@mastodon.social (2026-05-24 02:05:13) No app store needed. Elefeed installs as a PWA directly from your browser.

📱 Android (Chrome): three-dot menu → "Add to Home Screen"
🍎 iPhone (Safari): Share → "Add to Home Screen"

You get a home screen icon, push notifications, offline caching, and a full-screen experience.

No download. No extra permissions.
👉 elefeed.app

#Elefeed #PWA #Mastodon #MobileApp #Fediverse ---Attachments--- image: https://files.mastodon.social/media_attachments/files/116/624/976/260/825/390/original/91bd428a943c980a.jpg

fedicat@fedicat@pc.cafe boosted: @df@s.dfaria.eu (2026-05-24 01:45:27) #Starling is a lightweight #PHP #fediverse server you can install by just copying files over FTP to a shared host. No PostgreSQL, no workers, no DevOps. Owning your data with #ActivityPub can be much simpler than with #ATProtocol. Have you tried it?
https://github.com/dfaria-eu/Starling