
Daniel Supernault

I apologize for my error in handling a recent security vulnerability affecting private accounts

While I promptly resolved and deployed the fix, I failed to follow standard security protocols, underestimating the potential impact

It was an honest mistake, I never meant anyone harm

Remote followers-only content was temporarily exposed to new followers they didn't approve

We're implementing a new release strategy and appointing a CSO to prevent future incidents

I'm sorry, and will do better ❤️

@dansup it happens! it's not like you shared national secrets and war plans!

@dansup You're human and make mistakes, as everybody else. But you fixed it, talked about it openly and asked for forgiveness, according to your post. Few people do that. Kudos to you :ablobcatheartsqueeze:

@dansup I had to read the replies to this post to realize you weren’t writing a parody of the recent Signal-gate episode.

🙂

@dansup The follower approval feature itself in #activitypub is the vulnerability. It is wrong to give users the expectation that their social media posts are private. Also, approving followers reminds me of DRM on mp3 files. What are we doing?

@dansup Hi Daniel. Security and open source surely has some trickiness. Let me know if you need someone to talk to! (It seems that you already support GitHub's flow with github.com/pixelfed/pixelfed/s which is nice. I would lean into that more heavily)


@dansup Few of us have managed to avoid writing a post-release note like this. Carry on being human!

@dansup So sorry to hear about this, Daniel. Such mistakes happen to all of us. But you own up, take some lessons and move on. At least you don't work with anything related to national security — like planning a bombing attack on other countries. Just imagine!

@dansup thank you for the open dialog.

"Remote followers-only content was temporarily exposed to new followers they didn't approve"

1. Is it fair to say followers-only content is still exposed on any Pixelfed service that hasn't updated to 0.12.5?

2. Can we get clarity on how updated servers can retroactively remove unapproved followers - assuming that after the update any existing unapproved follows are still operational?
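The two questions above come down to one access-control invariant: a followers-only post must be delivered only to follows the account owner has actually accepted, and a fix that restores that invariant going forward still leaves the question of follow rows that were let through before the patch. The following is an added illustration of that invariant and of a retroactive audit, written for this page; it is not Pixelfed's code and does not use Pixelfed's data model. The `Follow`/`Actor`/`Post` classes, the `approved_by_owner` flag and the idea that the bug came from counting pending follows as followers are all assumptions made for the example (the thread does not state the mechanism). Only `manually_approves_followers` mirrors a real ActivityPub/Mastodon property (`manuallyApprovesFollowers`).

```python
"""Follow-approval gating for followers-only posts (illustrative example, not Pixelfed code)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class FollowState(Enum):
    PENDING = "pending"    # Follow activity received, owner has not yet sent Accept
    ACCEPTED = "accepted"  # owner accepted, or the account was not locked


@dataclass(frozen=True)
class Follow:
    follower: str            # actor URI of the follower
    target: str              # actor URI being followed
    state: FollowState
    approved_by_owner: bool  # assumed audit flag: True only when the owner explicitly
                             # accepted, or the target was unlocked when the Follow arrived


@dataclass(frozen=True)
class Actor:
    uri: str
    manually_approves_followers: bool  # ActivityPub "manuallyApprovesFollowers" (locked account)


@dataclass(frozen=True)
class Post:
    author: str
    visibility: str  # "public" or "followers"


def handle_follow(target: Actor, follower_uri: str) -> Follow:
    """Inbound Follow: a locked account keeps it PENDING until the owner accepts."""
    if target.manually_approves_followers:
        return Follow(follower_uri, target.uri, FollowState.PENDING, approved_by_owner=False)
    return Follow(follower_uri, target.uri, FollowState.ACCEPTED, approved_by_owner=True)


def accept_follow(f: Follow) -> Follow:
    """Owner explicitly accepts: the only path that marks a locked account's follow as approved."""
    return Follow(f.follower, f.target, FollowState.ACCEPTED, approved_by_owner=True)


def audience_unsafe(post: Post, follows: list[Follow]) -> Optional[set[str]]:
    """Flawed audience computation (assumed bug class): any Follow row counts, pending included."""
    if post.visibility == "public":
        return None  # unrestricted
    return {f.follower for f in follows if f.target == post.author}


def audience(post: Post, follows: list[Follow]) -> Optional[set[str]]:
    """Correct: followers-only posts reach only ACCEPTED follows."""
    if post.visibility == "public":
        return None
    return {f.follower for f in follows
            if f.target == post.author and f.state is FollowState.ACCEPTED}


def audit_unapproved(actors: dict[str, Actor], follows: list[Follow]) -> list[Follow]:
    """Retroactive check: ACCEPTED follows on locked accounts that the owner never approved."""
    return [f for f in follows
            if actors[f.target].manually_approves_followers
            and f.state is FollowState.ACCEPTED
            and not f.approved_by_owner]


def demote_to_pending(f: Follow) -> Follow:
    """Remediation: return the follow to the approval queue rather than silently keeping it."""
    return Follow(f.follower, f.target, FollowState.PENDING, approved_by_owner=False)


def demo():
    """Constructed scenario: locked account alice, one pending and one accepted remote follower."""
    alice = Actor("https://example.org/users/alice", manually_approves_followers=True)
    actors = {alice.uri: alice}
    mallory = "https://remote.example/users/mallory"
    bob = "https://remote.example/users/bob"
    follows = [handle_follow(alice, mallory), accept_follow(handle_follow(alice, bob))]
    post = Post(alice.uri, "followers")
    leaked = audience_unsafe(post, follows)   # includes mallory, who was never approved
    correct = audience(post, follows)         # bob only
    # constructed row a buggy path might have left behind: accepted without owner action
    stale = Follow(mallory, alice.uri, FollowState.ACCEPTED, approved_by_owner=False)
    flagged = audit_unapproved(actors, follows + [stale])
    return leaked, correct, [demote_to_pending(f).state.value for f in flagged]


if __name__ == "__main__":
    print(demo())
```

The audit only works if the data model records who approved a follow and when; a schema that stores just "following: yes/no" cannot distinguish an owner-accepted follow from one that slipped through, which is exactly why question 2 above is hard to answer in general and has to be answered per implementation.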

@dansup Just to give you more of an idea of the consequences of not making this a minimal patch:

1. I always have difficulty with upgrades because I use an external volume for storage. The upgrade broke it again, so I'll need to find the time to deal with it. Fortunately, it's a single-user instance with 1 bot in it that hardly follows anyone, so it's not affected by the current problem.

@dansup

2. Fortunately, I had already solved the problem on how to upgrade to PHP 8.3 on Debian and done the upgrade previously. This will cause additional installation delays for many servers.

For those who do not wish to upgrade to Debian Trixie right now, take a look at wiki.crowncloud.net/?How_to_In

wiki.crowncloud.net: How To Install PHP 8.3 On Debian 11