FòrumCAT

So @pixelfed still hasn't fully acknowledged nor fixed the security vulnerability from earlier this year, despite multiple people asking for updates over the past ~6 months.

47 Posts 10 Posters 0 Views

  • thisismissem@hachyderm.io (original post)

    So @pixelfed still hasn't fully acknowledged nor fixed the security vulnerability from earlier this year, despite multiple people asking for updates over the past ~6 months.

    Consider this friendly public encouragement to finish the fix and publish the security advisory


  • julian@community.nodebb.org (#9)

    thisismissem@hachyderm.io what was this in reference to, the one where Pixelfed allows anyone on a server access to a followers-only post if one person on that server is a follower?

  • thisismissem@hachyderm.io (#10)

    @julian yeah, that one. He prevented it from being exploited further, but because pixelfed doesn't sync its remote account followers, anyone who managed to exploit it beforehand is still able to exploit it, because pixelfed erroneously added follower records locally without there being an Accept(Follow). Sync would purge those invalid records.

    And the CVE / security vulnerability report still isn't published.

  • dansup@mastodon.social (earlier reply, quoted)

    @deadsuperhero @thisismissem the fix was shipped months ago, thanks for spreading misinformation!


  • feld@friedcheese.us (#11)

    @dansup @deadsuperhero @thisismissem so are Pixelfed servers not patching or what?

    Or is this just another case of Mastodon finding ways to punch down other software in the ecosystem?

  • thisismissem@hachyderm.io (#12)

    @feld @dansup @deadsuperhero no, it's that Dan only fixed part of the problem, which was preventing it from being exploited further.

    He hasn't implemented follower collection synchronisation in order to remove any erroneous follower records from pixelfed servers (where pixelfed thinks a follower is approved, but the target server doesn't).

    Additionally, he's not released the security vulnerability report.

    He's been saying for months to multiple people he's working on it or about to release it, but it's been, what, 6 months? Hence the very public nudge to finally fix this vulnerability once and for all.

  • julian@community.nodebb.org (#13)

    thisismissem@hachyderm.io could a hot fix simply be to have Pixelfed remove all follower records and re-associate them on demand?

    Talking out of my ass here though.

  • thisismissem@hachyderm.io (#14)

    @julian basically for every remote account that a pixelfed server knows about & has at least 2 outbound follow records to, the followers collection needs to be pulled and any follow records that aren't in the remote followers collection need to be deleted.

    Follower collection synchronisation makes that pretty performant to do.

    Essentially you have pixelfed servers that think accounts A + B are following remote actor Z, but only A was approved by actor Z, but pixelfed erroneously stored B as a follow instead of a follow request. So follow record B for remote actor Z needs to be deleted.

    I think I'm summarising it right, been a while since I read the report and code.
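An added example, not Pixelfed's code, modelling the two halves of what posts #10, #12 and #14 above describe: an outbound Follow to a locked account must be stored as a request until the remote actor's Accept(Follow) arrives, and records already stored as accepted can be reconciled against the followers collection the remote actor publishes (the clean-up the thread calls follower collection synchronisation). The actor URLs, the in-memory store, the ≥2-records threshold taken from post #14 and the contents of Z's followers collection are all constructed for the example; fetching the collection over HTTP, and any digest comparison that lets a server skip the fetch, are outside it.

```python
"""Follow-state handling and followers-collection reconciliation.

Added example (not Pixelfed code). A local follow record must only become
"accepted" when the remote actor's Accept(Follow) arrives; records that were
wrongly stored as accepted are found by comparing them with the followers
collection the remote actor publishes. All actor ids and collection contents
below are constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

PENDING = "pending"    # Follow sent, no Accept(Follow) received yet
ACCEPTED = "accepted"  # remote actor sent Accept(Follow)


@dataclass
class FollowStore:
    # (local actor, remote actor) -> state
    follows: Dict[Tuple[str, str], str] = field(default_factory=dict)

    # --- bug pattern described in the thread ---
    def send_follow_vulnerable(self, local: str, remote: str) -> None:
        """Marks the follow accepted as soon as it is sent, without waiting
        for Accept(Follow). This is the defect the thread describes."""
        self.follows[(local, remote)] = ACCEPTED

    # --- corrected handling ---
    def send_follow(self, local: str, remote: str) -> None:
        """Outbound Follow: record a request only."""
        self.follows.setdefault((local, remote), PENDING)

    def receive_accept(self, local: str, remote: str) -> bool:
        """Accept(Follow) from `remote`: promote pending -> accepted.
        An Accept for a follow we never sent, or already accepted, is ignored."""
        key = (local, remote)
        if self.follows.get(key) != PENDING:
            return False
        self.follows[key] = ACCEPTED
        return True

    def receive_reject(self, local: str, remote: str) -> None:
        """Reject(Follow): drop the request."""
        self.follows.pop((local, remote), None)

    # --- visibility decision for a followers-only post delivered here ---
    def can_view_followers_only(self, viewer: str, author: str) -> bool:
        return self.follows.get((viewer, author)) == ACCEPTED

    # --- reconciliation, the clean-up the thread says is still missing ---
    def remotes_needing_sync(self, min_records: int = 2) -> Set[str]:
        """Remote actors with at least `min_records` local follow records
        (the threshold post #14 gives)."""
        counts: Dict[str, int] = {}
        for (_, remote) in self.follows:
            counts[remote] = counts.get(remote, 0) + 1
        return {r for r, n in counts.items() if n >= min_records}

    def reconcile(self, remote: str, remote_followers: Iterable[str]) -> Set[str]:
        """Delete local ACCEPTED records for `remote` whose local actor does
        not appear in the followers collection `remote` publishes. Returns the
        purged local actors. Fetching that collection over HTTP (or comparing
        a digest first) is assumed to happen before this is called."""
        listed = set(remote_followers)
        purged: Set[str] = set()
        for (local, r), state in list(self.follows.items()):
            if r == remote and state == ACCEPTED and local not in listed:
                del self.follows[(local, r)]
                purged.add(local)
        return purged


def demo() -> dict:
    """Constructed scenario from post #14: local accounts A and B follow the
    locked remote actor Z; Z approves only A."""
    Z = "https://remote.example/users/Z"
    A = "https://local.example/users/A"
    B = "https://local.example/users/B"

    bad = FollowStore()
    bad.send_follow_vulnerable(A, Z)
    bad.send_follow_vulnerable(B, Z)
    z_followers = {A}                                   # Z's real collection
    vuln_before = bad.can_view_followers_only(B, Z)     # True: B sees Z's posts
    purged = bad.reconcile(Z, z_followers)              # {B}
    vuln_after = bad.can_view_followers_only(B, Z)      # False

    good = FollowStore()
    good.send_follow(A, Z)
    good.send_follow(B, Z)
    good.receive_accept(A, Z)                           # only A is approved
    return {
        "vuln_before": vuln_before, "purged": purged, "vuln_after": vuln_after,
        "fixed_A_can_view": good.can_view_followers_only(A, Z),
        "fixed_B_can_view": good.can_view_followers_only(B, Z),
        "needs_sync": good.remotes_needing_sync(),
    }


if __name__ == "__main__":
    print(demo())
```

The point of `reconcile` is that it only ever removes records: it cannot create a follow the remote side never approved, so running it against a stale or partial collection fails safe (at worst a legitimate follower is dropped until their next Follow/Accept round trip), whereas the vulnerable `send_follow_vulnerable` path fails open.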

  • dansup@mastodon.social (#15)

    @thisismissem @pixelfed The fix was shipped and announced in March.

    https://mastodon.social/@pixelfed/114215925957179498

    I'm working on collection sync, but that is a Mastodon extension that isn't supported in most software, keep in mind.

    Maybe you could have reached out privately instead of publicly shaming an open source fediverse project into implementing a Mastodon-only fix.

    We do accept PRs, and you could have contributed a fix to help ship sync quicker if you did really care (adonis is based on laravel, php is ez)

  • thisismissem@hachyderm.io (#16)

    @dansup @pixelfed myself and others have been for months waiting for you to follow up with collection sync to ensure only the accounts truly approved to be followers are allowed as followers on pixelfed's side. I know renaud and claire have asked, and I've been asking shlee.

    It's also *not* a mastodon only fix, collection sync is a FEP like any other.

    I've already made it clear in the past that due to the way you treat your contributors, I would not contribute to your projects, but this concerns more than just you, hence trying to get answers and progress.

  • thisismissem@hachyderm.io (#17)

    @dansup @pixelfed from what I can see, pixelfed 0.12.5 included no change to rectify invalid Follow records in your database by asking the remote actor for all its currently approved followers, therefore the original exploit(s) of the security vulnerability still exist within your database: https://github.com/pixelfed/pixelfed/compare/v0.12.4...v0.12.5

  • crissy@tech.lgbt (#18)

    @thisismissem hello Emelia. just read this all now and wondering if you recommend leaving pixelfed?

    thank u for providing detail as to what the issue is about for this designer to understand what the major concerns are.

    I don't know how he treats contributors but also haven't posted anything there for weeks so unsure if I shall keep my account alive knowing this now. Thank you in advance!

    Would you also have other recommendations of other pixelfed-like solutions or is it simpler to just post pix directly on one's account here on Fedi from the server I am part of? Thanks again!

  • thisismissem@hachyderm.io (#19)

    @Crissy I think people can make their own assessments, but I do believe Dan has spread himself too thin with too many projects, which results in lower cadence and quality software in general.

    Whilst I'd like for an Instagram-like service to succeed on Fedi, I'm not sure that's going to happen with Pixelfed given the way Dan acts. If he focused on one project and brought in different lead developers for the others, they might have a chance of succeeding, but managing multiple very large projects at once isn't a recipe for success imo.

    Things are so bad that there's even an open letter to NLNet to get them to cancel grants, and that's something incredibly rare. I wish it wasn't that way.

    Even in the thread he's accused me of misinformation, when what I've said continues to be correct. A security researcher shouldn't be left waiting for months for their advisory to be published if it is indeed fixed as he claims, but I don't think it's fully fixed.

  • hiphopheaven@mastodon.social (#20)

    @thisismissem @pixelfed so what's the alternative?

  • thisismissem@hachyderm.io (#21)

    @hiphopheaven @pixelfed I'm not saying "don't use Pixelfed", no, in fact I want people to be safe using and federating with Pixelfed.

    However, I am calling on Dan & the pixelfed team (?) to do the right thing and fully fix this vulnerability, and do the remediation work necessary, and adopt better security release practices.

    Having this in a state of "kinda fixed" for 6 months or so isn't great.

  • thisismissem@hachyderm.io (earlier reply, quoted)

    @dansup @deadsuperhero no published vulnerability report for it either:


  • chad@mstdn.ca (#22)

    @thisismissem @dansup @deadsuperhero why are we pulling our forks and daggers out over this? Are we not together in building the fediverse?

    I'm not sure why this needs to be put on blast in public.

    You do amazing work. This is pretty aggressive considering the context.

  • thisismissem@hachyderm.io (#23)

    @chad @dansup @deadsuperhero it's been at least six months of waiting for that CVE to be published, but instead it hasn't happened. This is bad security posture.

    The last answer I'd had months ago from Dan was "I'll publish it when I implement followers collection sync to fully fix the issue", and there's been a lot of people privately asking for updates for months.

  • chad@mstdn.ca (#24)

    @thisismissem @dansup @deadsuperhero sorry, I have a hard time seeing this as "friendly public encouragement".

    Dan is but one human, pushing four(?) full stack softwares. There's nowhere near enough devs in the fediverse and this is a prime example. I know in his heart of hearts he's doing everything he can as one human.

  • thisismissem@hachyderm.io (#25)

    @chad @dansup @deadsuperhero and that's kinda the problem isn't it? Doing multiple large things isn't sustainable, and it means that stuff like this drags on. If he wants to focus on loops, great, find someone to lead pixelfed, but trying to be the leader of multiple projects but not actually doing the things a leader should be doing isn't good for the fediverse.

    One person alone shouldn't be attempting to build everything for the fediverse, others might build things if they think there's space for them to build, but instead Dan says he's going to do XYZ repeatedly and then fails to deliver.

    Focus is a good thing, especially when the complexity we have is involved, and it's not like people haven't been trying to get answers on this. Posting publicly wasn't my first choice months ago.

  • chad@mstdn.ca (#26)

    @thisismissem @dansup @deadsuperhero so who else that has the talent, time, and treasure is going to step up and do it?

  • thisismissem@hachyderm.io (#27)

    @chad @dansup @deadsuperhero trying to do everything often leads to doing all things poorly.

    The blossoming fedi software is all ones where the folks are actually focused on just that project, whether that's the mastodon team with mastodon, rimu's team with piefed, julian and nodebb, bonfire and bonfire social.

    Meanwhile Dan somehow thinks he can build a TikTok and an Instagram and a WhatsApp competitor all at once with a fairly minimal team. He's the outlier here, and I don't think this behaviour should necessarily be encouraged because it is giving poor results and underdelivering to people.

  • thisismissem@hachyderm.io (#28)

    @chad @dansup @deadsuperhero plenty of people, there's countless projects across the fedi for all sorts of things, dan doesn't need to be a one man army.

    He could, if he wanted to, find a new lead developer for pixelfed if his interests are in loops now.