nemobis,
@nemobis@mamot.fr avatar
renchap,
@renchap@oisaur.com avatar

@nemobis Thanks for this initiative! We wanted to do it, but did not have the infrastructure in place.
I started drafting a design doc to get update alerts built into Mastodon, and I hope to find the time to finish it and publish it soon so someone can look at implementing it :)

nemobis,
@nemobis@mamot.fr avatar

@renchap Great to hear!

floho,

@nemobis I’m another one of the people who were very happy to get your email. Thanks for your efforts to keep the community alive and safe! Your writeup was very interesting - we live in awesome times, looking at the power of those tools that enabled you to put this together in, quote, „a few hours of work over the weekend“ 🙌

nemobis,
@nemobis@mamot.fr avatar

@floho Thank you!

devnull,
@devnull@crag.social avatar

@nemobis 🙂

Between you and a bunch of others I ended up being advised to upgrade by at least 4 or 5 separate people hah!

Really really solid work by the community to get the word out. Very envious and really demonstrates the power of the

In my case I already had a migration to scheduled, so that's why I was lagging behind on the upgrades 😳

nemobis,
@nemobis@mamot.fr avatar

@devnull Well done!

Hopefully the notification redundancy isn't overwhelming yet for most admins. :)

gruifor,
@gruifor@floe.earth avatar

@nemobis Yeah, thanks for that. Without the notification, I also wouldn't have upgraded so fast as I'm on vacation.

christopotamus,

@nemobis you rock!

ernie,
@ernie@writing.exchange avatar

@nemobis worked on me!

GossiTheDog,
@GossiTheDog@cyberplace.social avatar

deleted_by_author

  • nemobis,
    @nemobis@mamot.fr avatar

    @GossiTheDog Thank you! It was made easier by being able to quote you on the risks.

    acka47,
    @acka47@openbiblio.social avatar

    @nemobis That was a great read. I appreciate you informed about the whole process, your considerations along the way and the tools used.

    olaf,
    @olaf@social.secret-wg.org avatar

    @nemobis an excellent example of collaborative security…

    Andres,
    @Andres@mastodon.hardcoredevs.com avatar

    @nemobis
    Great work!
    I'm also trying to help the :fediverse: announcing a weak point on the way the user actions are handled and notified to the origin instance:
    hardcoredevs.com/fediverse-interactions-and-their-consecuences/
    So far without any luck.

    nemobis,
    @nemobis@mamot.fr avatar

    @Andres Interesting. I don't know how heavy these actions are in practice. I also filed a report about a specific case of inefficient federation, it's about user deletions: https://github.com/mastodon/mastodon/issues/21674

    Andres,
    @Andres@mastodon.hardcoredevs.com avatar

    @nemobis
    Nice!
    The interactions are not heavy at all, but those can be unlimited in amount, due to the lack of any rate-limit.
    I imagine a 1 person DDoS is possible from a big instance to a smaller one.

    nemobis,
    @nemobis@mamot.fr avatar

    @Andres Yes, Aral famously is one such big user able to melt other people's instances. ;) https://ar.al/2022/11/09/is-the-fediverse-about-to-get-fryed-or-why-every-toot-is-also-a-potential-denial-of-service-attack/

    However I think the far worse problem is that by default Mastodon doesn't control at all whether ActivityPub requests are coming from a "real" ActivityPub server/user, so I believe it's still easy to produce a spam wave like https://github.com/mastodon/mastodon/issues/21977 .

    Andres,
    @Andres@mastodon.hardcoredevs.com avatar

    @nemobis
    Thanks for the link to Aral's article!
    Yes I have been thinking about exactly that and how a potential millions-of-followers user back in Threads would kill any instance.

    andypiper,
    @andypiper@macaw.social avatar

    @nemobis wow, thank you - lots of learnings here. Appreciate you!

    pierobosio,
    @pierobosio@soc.bosio.info avatar

    @nemobis

    Commendable initiative. I still have to update. I'm away on holiday. I have the server self-hosted at home, closed to registrations, and at the moment it isn't easy to reach it remotely over a mobile connection to update. I first have to make a backup and then update afterwards. All programmers should know that any application that handles any input, however trivial, will always be potentially vulnerable, and extensive penetration tests need to be done.

    nemobis,
    @nemobis@mamot.fr avatar

    @pierobosio Very true. (I also replied to you by e-mail.)

    legoktm,
    @legoktm@wikis.world avatar

    @nemobis TIL about a mastodon-admin mailing list, link please? :)

    nemobis,
    @nemobis@mamot.fr avatar
    lffontenelle,
    @lffontenelle@mastodon.social avatar

    @nemobis

    🤔 IIRC the Public Knowledge Project has a mailing list to announce updates to administrators of OJS (and OMP and OPS I guess) instances. I thought @Mastodon has the same!!

    Nikoh,

    @nemobis well, all things considered it seems to me it went well 😅

    nemobis,
    @nemobis@mamot.fr avatar

    @Nikoh There are still 3000 instances left to update, though. 😬

    Nikoh,

    @nemobis true, but I think it's inevitable; so much freedom entails (or should entail) a bit more attention from users in choosing the instance to sign up to. Anyway, for example, I didn't receive your email, probably because I was on 4.1.2....

    nemobis,
    @nemobis@mamot.fr avatar

    @Nikoh Oh. In my list from 2023-07-08T20:00:00Z your instance appears to have already been on 4.1.4+glitch, is that false?

    Nikoh,

    @nemobis that's correct, until the day before it was 4.1.2

    nemobis,
    @nemobis@mamot.fr avatar

    @Nikoh Good. I waited until the end of Saturday because I figured that those who run an instance with 10 active users don't do it during working hours.

    downey,
    @downey@floss.social avatar

    @nemobis This is the way! 🏆
