Comment on The fediverse has a bullying problem
Microw@lemm.ee 1 week agoThat is still not the point the commenter and the original blog author were making.
What we can take away from this episode is that Pixelfed implemented the fix in a way that suggests they would not handle a 0 day exploit with a “reql” vulnerability well. And having followed dansup’s projects for a while that doesnt surprise me, because he clearly prefers to work “chaoticly” than in a structured, regulated way.
The “taking the heat” is something completely seprrate and boils down to stupid people on the internet needing to be angry at someone.
AwesomeLowlander@sh.itjust.works 1 week ago
I’m not sure you can make that conclusion. This isn’t a real vulnerability, and this isn’t a surprise to anybody who knows how the AP protocol works. Dansup didn’t reveal anything that was previously unknown, the blog author just has an axe to grind. It’s unfair to assume that an actual 0 day vulnerability would have been treated the same way.
brrt@sh.itjust.works 1 week ago
I’m genuinely curious what you would call this and what distinguishes it from a vulnerability.
Leaving aside responsibility, the system could have been set up in a way that wouldn’t have exposed user data but wasn’t. This is now fixed and user data isn’t exposed via this method any longer. What is the right word for what it was at the moment this flaw was discovered?
AwesomeLowlander@sh.itjust.works 6 days ago
Not me who downvoted you, FYI.
To me, a vulnerability is something unforeseen, that allows bad actors to exploit the system in an unintended manner. In this case, the system is working perfectly as designed. Just because another system decided to implement a new feature without consulting anybody else, does not make it a vulnerability. Or perhaps it does, but with the vulnerability on the side of Mastodon, since they’re the ones telling their users their post is private when it is actually nothing of the sort.
What would I call it? An unsupported feature. One that Mastodon forced everybody else to implement without asking or any respect.
brrt@sh.itjust.works 6 days ago
I appreciate your reply and understand your perspective. I still don’t fully agree, it might be a matter of the point of view from which you look at this issue. But I think in essence we are on the same page.
Thanks for not abandoning the discussion!
PhilipTheBucket@ponder.cat 1 week ago
Correct. And as I tangentially mentioned, even if you do think this needs to be kept secret, then the blog author would still be wrong, because this blog post is doing is doing way more “harm” by publicizing the issue than any amount of commit notes ever could.
But yes, trying to keep this secret like a 0-day is completely the backwards model for how to handle it.