iltg

@iltg@sh.itjust.works

This is a remote user, information on this page may be incomplete. View at Source ↗

⁨Comment⁩ on ⁨The fediverse has a bullying problem⁩ ⁨⁨2⁩ ⁨days⁩ ago⁩:
taking care of bad servers is instance admin business, you’re conflating the user concerns with the instance owner concerns

generally this thread and previous ones have such bad takes on fedi structure: a federated and decentralized system must delegate responsibility and trust

if you’re concerned about spam, that’s mostly instance owner business. it’s like that with every service: even signal has spam, and signal staff deals with it, not you. you’re delegating trust

if you want privacy, on signal you need to delegate privacy to software. on fedi to server owners too, but that’s the only extra trust you need to pay

sending private messages is up to you. if i send a note and address it only to you, i’m delegating trust to you to not leak it, to the software to keep it confidential, and to the server owner to not snoop on it. on signal you still need to trust the software and the recipient

this whole “nothing is private on fedi” is a bad black/white answer to a gray issue. nothing is private ever, how can you trust AES and RSA? do you know every computer passing your packet is safe from side chain attacks to break your encryption? you claimed to work in security in another thread, i would expect you to know the concept of “threat modeling”
⁨Comment⁩ on ⁨The fediverse has a bullying problem⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
lemmy’s approach still relies on audience targeting for privacy, just like mastodon. using a distinct object type (which is off spec btw) is “more secure” just because nobody else knows what lemmy is doing
⁨Comment⁩ on ⁨The fediverse has a bullying problem⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
it’s not unrealistic to keep trust at the server level. following your rationale, you can’t trust my reply, or any, because any server could modify the content in transit. or hide posts. or make up posts from actors to make them look bad.

if you assume the network is badly behaved, fedi breaks down. it makes no sense to me that everything is taken for granted, except privacy.

servers will deliver, not modify, not make up stuff, not dos stuff, not spam you, but apparently obviously will leak your content?

fedi models trust at the server level, not user. i dont need to trust you, i need to trust just your server admin, and if i dont i defederate
⁨Comment⁩ on ⁨The fediverse has a bullying problem⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
good reply but private items are not “quite literally blasted out to anyone who listens”, AP spec has audience targeting and content gets sent capillarly, like email. a Note for bob gets sent ONLY to bob’s server

as:Public content gets broadcasted by some software (relays) and inbox forwarded by others (mastodon, mitra).
⁨Comment⁩ on ⁨Pixelfed leaks private posts from other Fediverse instances - fiona fokus⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
linking barely relevant threads is a bit annoying

your complaints on “unlisted vs public” are completely unrelated to the issue at hand

your analysis that relates to this pixelfed flaw is just:
Privacy Enforcement:
- No explicit requirements for how receiving servers should restrict visibility based on audience fields
- No requirements that servers must hide content from non-addressed users
these aren’t good analyses: content should be private by default, nowhere is stated otherwise. if you feel like this common sense practice is somewhat arbitrary, it’s actually mandated by GDPR and more data protection laws.

if you want to rule lawyer that “acktually spec doesnt EXPLICITLY say that you cant show stuff meant for alice to bob if bob asks” and ignore this web good practice (probably implied by the many privacy remarks in the spec but let’s ignore those) which is actually mandated by governments, feel free to still ignore the incompetence displayed by dansup in implementing something that every other fedi software managed, go for it

even if you were right, even if the spec was really that vague, even if it wasn’t a good practice and requirement, in a federation parties cooperate. pixelfed breaking a common agreement is defederation worthy, and dansup remains either incompetent for implementing badly something easy or toxic for federating ignoring what the federation requires

you’re still not addressing the point, just linking other posts back and forth and moving the goalpost
⁨Comment⁩ on ⁨Pixelfed leaks private posts from other Fediverse instances - fiona fokus⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
audience targeting is NOT a new abstraction by mastodon, it’s part of ActivitySTREAMS, not even ActivityPUB

rtfm and do NOT give a rest to bad behaving software
⁨Comment⁩ on ⁨Pixelfed leaks private posts from other Fediverse instances - fiona fokus⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
how is it a failure of mastodon that pixelfed doesn’t respect audience targeting? it’s not like it’s something that mastodon made up, this isn’t about unlisted/public
⁨Comment⁩ on ⁨Pixelfed leaks private posts from other Fediverse instances - fiona fokus⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:

variety of made up reasons

you are not engaging with the argument, just stating ideals

fedi developers should get paid? yes, look at gts and mastodon

fedi devs should also be held accountable of their fumbles

dansup showed quite some incompetence in handling security, delivering features, communicating clearly and honestly and treating properly third party devs

it’s fair for one person to not be able to handle a big software with big instance and big usercount. mastodon has a legal entity and a team, gts has no flagship instance, is aggressively open source and gathered a lot of contributors, dansup is winging it alone and failing

let’s just make a big fixed point of failure of dansup, what could go wrong … ?

check out mitra too, could probably use some funding because it’s transparent and delivers rather than promising the moon and delivering CVEs (but with a grant AND a kickstarter, maybe pay some other devs???)

like there are thousands of fedi projects, give 10 bucks to the little dev doing it for fun in their bedroom, more money will not make dansup more competent
⁨Comment⁩ on ⁨Pixelfed leaks private posts from other Fediverse instances - fiona fokus⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
periodic reminder to not touch dansup software and to move away from pixelfed and loops

dansup is not competent and quite problematic and it’s not even over

developers with less funding (even 0) contributed way more to fedi, they’re just less vocal

dansup is all bark no bite, stop falling for it
⁨Comment⁩ on ⁨Pixelfed leaks private posts from other Fediverse instances - fiona fokus⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
email works the same way. it’s impossible to implement private emails? if you cc your email to im.going.to@leak.it and it leaks, would it be fair to complain about the whole email system?
⁨Comment⁩ on ⁨Pixelfed leaks private posts from other Fediverse instances - fiona fokus⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
this is wrong, you’re assuming incorrectly. private posts get sent to only intended recipients. pixelfed allows other recipients on the same server to read that. it’s not your instance software, it’s pixelfed, please dont spread misinformation based on uninformed assumptions
⁨Comment⁩ on ⁨Pixelfed leaks private posts from other Fediverse instances - fiona fokus⁩ ⁨⁨1⁩ ⁨week⁩ ago⁩:
if you deliver a letter to your cousin, and they leak it to all their friends, is it the post system’s fault? instances federate by default, but private posts require actual intention. if i make a private post, explicitly mark it as private, deliver it to your instance and then your instance leaks it, i’d blame the instance, not the system. even signal can leak if you send your stuff to unintended parties.

someone can create a rogue instance

you shouldn’t send private stuff to unreliable parties. big software and big instances have a reputation, and it’s constantly up to you whether sending them something or not. when @sus@totally.legit follows you, check where they’re from. if you just accept follows left and right, are your followers-only posts really private? and if you direct message someone on some sketchy instance, you still need to trust them to respect your privacy. it’s the same on signal, e2ee doesn’t make a difference

this is why i completely blame pixelfed here: it breaks trust in transit and that’s unacceptable because it makes the system untrustworthy. you can get followed by sketchy people on mastodon.social and they will only see what you send them. in this case, other people can see what you post, regardless of you sending it to them or not, and regardless of the target leaking it or not
⁨Comment⁩ on ⁨Can I still consider myself a “young woman” after I turn 24? I turn 24 in March (next month).⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
im moving the cutoff as i age and im not going to stop :p
⁨Comment⁩ on ⁨Can we please make a viable (federated!) amazon alternative? I have an idea!⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:

“Can someone try and poke holes in this idea?”

you are still proposing a federate ad network. payments are left to crypto (not fedi), credit cards (not fedi) or paypal (not fedi). the shipping is done by shops themselves (not fedi) (also amazon handles ~80% of their deliveries, check in this thread for sources). What’s a “main shop”? doesn’t sound very decentralized. you suggest leaving contestation again to the shops to handle (not fedi).

what exactly are you fediversing here? the proposition to users would basically be a single view with all shops, but then just delegating to them? there can be value in this, i see it mostly as an ad network leveraging AP and I’m really not a fan. it isn’t really amazon

being angered by being shown issues in your idea doesn’t help your idea. go visit your local hackerspace and start building if you think we’re just naysayers
⁨Comment⁩ on ⁨Can we please make a viable (federated!) amazon alternative? I have an idea!⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
you are not proposing a federated amazon, this is just federated ads and/or reviews.

how to process payments? how to ship goods? how to handle refunds? how to handle contestations?

please you can’t just make anything federated. this protocol is built for social media and struggles to take over that sphere, we should focus on one thing rather than throwing random stuff at the wall hoping it sticks (cough federated tik tok cough)
⁨Comment⁩ on ⁨You can see who upvoted and downvoted a post by viewing it in friendica.⁩ ⁨⁨1⁩ ⁨month⁩ ago⁩:
this is an icky issue because lemmy sends votes with empty addressing, so remote instances should count them but not show them to anyone. however mastodon (and *key) sends likes with empty addressing too, but considers them public. lemmy is (surprisingly) right here and should request that the rest of fedi respects the protocol and hides stuff based on its addressing. maybe open issues on mastodon and friendica

also this issue probably exists when seeing lemmy posts on any microblogging instance