So @pixelfed still hasn't fully acknowledged nor fixed the security vulnerability from earlier this year, despite multiple people asking for updates over the past ~6 months.
-
@thisismissem @pixelfed The fix was shipped and announced in March.
https://mastodon.social/@pixelfed/114215925957179498
I'm working on collection sync, but keep in mind that is a Mastodon extension that isn't supported in most software.
Maybe you could have reached out privately instead of publicly shaming an open source fediverse project into implementing a Mastodon-only fix.
We do accept PRs, and you could have contributed a fix to help ship sync quicker if you did really care (adonis is based on laravel, php is ez)
@dansup @pixelfed from what I can see, pixelfed 0.12.5 included no change to rectify invalid Follow records in your database by asking the remote actor for all its currently approved followers, therefore the original exploit(s) of the security vulnerability still exist within your database: https://github.com/pixelfed/pixelfed/compare/v0.12.4...v0.12.5
-
@dansup @pixelfed others and I have been waiting for months for you to follow up with collection sync to ensure only the accounts truly approved to be followers are allowed as followers on pixelfed's side. I know renaud and claire have asked, and I've been asking shlee.
It's also *not* a mastodon only fix, collection sync is a FEP like any other.
I've already made it clear in the past that due to the way you treat your contributors, I would not contribute to your projects, but this concerns more than just you, hence trying to get answers and progress.
@thisismissem hello Emelia. just read this all now and wondering if you recommend leaving pixelfed?
thank u for providing detail as to what the issue is about for this designer to understand what the major concerns are.
I don't know how he treats contributors but also haven't posted anything there for weeks so unsure if I shall keep my account alive knowing this now. Thank you in advance!
Would you also have other recommendations of other pixelfed-like solutions or is it simpler to just post pix directly on one's account here on Fedi from the server I am part of? Thanks again!
-
@Crissy I think people can make their own assessments, but I do believe Dan has spread himself too thin with too many projects, which results in lower cadence and quality software in general.
Whilst I'd like for an Instagram-like service to succeed on Fedi, I'm not sure that's going to happen with Pixelfed given the way Dan acts. If he focused on one project and brought in different lead developers for the others, they might have a chance of succeeding, but managing multiple very large projects at once isn't a recipe for success imo.
Things are so bad that there's even an open letter to NLNet to get them to cancel grants, and that's something incredibly rare. I wish it wasn't that way.
Even in the thread he's accused me of misinformation, when what I've said continues to be correct. A security researcher shouldn't be left waiting for months for their advisory to be published if it is indeed fixed as he claims, but I don't think it's fully fixed.
-
@thisismissem @pixelfed so what's the alternative?
-
@hiphopheaven @pixelfed I'm not saying "don't use Pixelfed", no, in fact I want people to be safe using and federating with Pixelfed.
However, I am calling on Dan & the pixelfed team (?) to do the right thing and fully fix this vulnerability, and do the remediation work necessary, and adopt better security release practices.
Having this in a state of "kinda fixed" for 6 months or so isn't great.
-
@dansup @deadsuperhero no published vulnerability report for it either:
@thisismissem @dansup @deadsuperhero why are we pulling our forks and daggers out over this? Are we not together in building the fediverse?
I'm not sure why this needs to be put on blast in public.
You do amazing work. This is pretty aggressive considering the context.
-
@chad @dansup @deadsuperhero it's been at least six months of waiting for that CVE to be published, but instead it hasn't happened. This is bad security posture.
The last answer I'd had months ago from Dan was "I'll publish it when I implement followers collection sync to fully fix the issue", and there's been a lot of people privately asking for updates for months.
-
@thisismissem @dansup @deadsuperhero sorry, I have a hard time seeing this as "friendly public encouragement".
Dan is but one human, pushing four(?) full stack softwares. There's nowhere near enough devs in the fediverse and this is a prime example. I know in his heart of hearts he's doing everything he can as one human.
-
@chad @dansup @deadsuperhero and that's kinda the problem isn't it? Doing multiple large things isn't sustainable, and it means that stuff like this drags on. If he wants to focus on loops, great, find someone to lead pixelfed, but trying to be the leader of multiple projects but not actually doing the things a leader should be doing isn't good for the fediverse.
One person alone shouldn't be attempting to build everything for the fediverse, others might build things if they think there's space for them to build, but instead Dan says he's going to do XYZ repeatedly and then fails to deliver.
Focus is a good thing, especially when the complexity we have is involved, and it's not like people haven't been trying to get answers on this. Posting publicly wasn't my first choice months ago.
-
@thisismissem @dansup @deadsuperhero so who else that has the talent, time, and treasure is going to step up and do it?
-
@chad @dansup @deadsuperhero trying to do everything often leads to doing all things poorly.
The blossoming fedi software is all ones where the folks are actually focused on just that project, whether that's the mastodon team with mastodon, rimu's team with piefed, julian and nodebb, bonfire and bonfire social.
Meanwhile Dan somehow thinks he can build a TikTok and an Instagram and a WhatsApp competitor all at once with a fairly minimal team — he's the outlier here, and I don't think this behaviour should necessarily be encouraged because it is giving poor results and underdelivering to people.
-
@chad @dansup @deadsuperhero plenty of people, there's countless projects across the fedi for all sorts of things, dan doesn't need to be a one man army.
He could, if he wanted to, find a new lead developer for pixelfed if his interests are in loops now.
-
@thisismissem @dansup @deadsuperhero "he's building things but not at the rate I would approve" is quite the take considering he's currently a one man band and I'm sure Eugen was at some point.
I'm really not subscribing to this as really, the fediverse is in its infancy and this exclusionism is exactly what is inhibiting its growth.
Again, appreciate what you do writ large, but I'm not behind this take.
-
@thisismissem @dansup @deadsuperhero why would he need a new lead dev if he's perfectly capable of being in that role?
Where are others offering PRs?
-
@chad @dansup @deadsuperhero yes, Eugen was a one man band at one point, but he focused on one thing instead of trying to do everything. He also accepted help when it was given, he worked with pull requests instead of in isolation.
And it's not that it's a "rate I would approve", it's him saying "yeah, I'm almost done with that" and then crickets for months. Or "yeah, I'm going to build this and write a FEP", and then nothing materialises.
Dan has also alienated a tonne of people who at one point or another wanted to help him.
People rely on Dan's software, and he does a lot of marketing, so people's expectations are set high. If you say you're going to do something, do it, or explain why you're not, with something better than "I'm distracted by my other three projects"
-
@chad @dansup @deadsuperhero If he's not actually doing the leading then that's a problem. Where are the people doing PRs? He chased them all off, I can think of at least 3 people that wanted to contribute actively to his projects and he pissed them off by being completely unpredictable to work with.
-
@thisismissem @dansup @deadsuperhero all those words are great, and I align with many of them, but I still haven't seen anyone offer a PR for any of his projects.
Honestly, and I'm sorry to say, this is a step up or shut up situation.
"He created too much too quickly" really isn't aligned with any of the values many of us hold in the hopes of growth of the fediverse.
-
@chad @dansup @deadsuperhero he literally chased away all the people who wanted to contribute, like seriously, no other fedi dev has had a letter like this written: https://dansup-open-letter.github.io
Ask dan about how he works sometimes, because last I knew he tended to have thousands of untracked files where he was doing too many changes at once, but not finishing any of them or working in branches such that he could cleanly switch tasks — that's what leads to those massive "do all the things" merges.
If he hadn't chased others away from his projects it'd be a different matter.
-
@thisismissem @dansup @deadsuperhero this conversation has progressed to the point where I think Dan is owed an opportunity to weigh in.
-
@chad @dansup @deadsuperhero his repeated response to issues raised is "fake news" or "misinformation", when what's being said is easily provable. He is the maker of his current situation, and only he can do the work to rectify it.