fiat_lux

@fiat_lux@lemmy.zip

This is a remote user, information on this page may be incomplete. View at Source ↗

Relocated from: @fiat_lux@lemmy.world ⛓️‍💥(04-2026)

⁨Comment⁩ on ⁨Important - Piefed.zip down due to security maintenance (Resolved)⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
The raw changes are interesting but not particularly descriptive of the problem(s?) it intends to resolve, so I can’t gauge whether it achieves the goal from this. The description of the version bump as simply “security improvements” doesn’t help me determine if any of these changes add dedicated tests or anything else to prevent future occurrences (and I’m not traversing the repository on my phone). Additionally, the issue acknowledged via inline comment: “This will probably break PeerTube federation” is odd to omit from even the briefest changelog. In my opinion, this is not that reassuring an update.

The LLM generated report of Lemmy’s vulnerability, which I note requires an entire DNS configuration to exploit, is a little ironic to point to as an authoritative source while characterizing the Piefed exploit discovery as “someone running an LLM and trying to discover vulnerabilities without double checking them”.

But I don’t think it’s necessary or helpful to have a competitive security score-card situation between packages either - I would much prefer that each ActivityPub implementation is meaningfully improving their development lifecycle processes, especially around security risk mitigation, even if they don’t go quite as far as having a formal “security posture”.
⁨Comment⁩ on ⁨Important - Piefed.zip down due to security maintenance (Resolved)⁩ ⁨⁨2⁩ ⁨weeks⁩ ago⁩:
A few months ago I mentioned in a thread about Piefed there were questionable system design choices that indicated that other parts of the system should be carefully examined for how they’re handling and sanitizing input. I’m assuming someone discovered one of the places that this was actively exploitable.

From what I’ve seen of the code, although Python is not my specialty, it might be worth delaying reactivation until it can demonstrate that it is at least somewhat resistant to the OWASP Top 10, especially Injection.

Irresponsible disclosure is annoying, but vastly better than discovery and exploitation by those who aren’t going to disclose at all.