#dev 2024-02-03

2024-02-03 UTC
tPoltergeist, pharalia and kody joined the channel
[tantek]
Anyone running a Mastodon instance ( [timothy_chambe] ) FYI: https://github.com/mastodon/mastodon/security/advisories/GHSA-3fjr-858r-92rw
aaronpk
Here's the commit for the unsupported branch. It's tough to tell what the problem was tho https://github.com/mastodon/mastodon/commit/b1ed009c65802b70c9b780f3c7c3a866cba72478
pharalia joined the channel
aaronpk
That's some pretty thoroughly undocumented code 😅
pharalia and geoffo joined the channel
[tantek]
cc: [snarfed] in case any of it has Bridgy Fed implications (possible impersonations messing up Bridgy Fed?)
CRISPR, j12t, tPoltergeist, gRegor, geoffo, gxt, [Al_Abut]1, lazcorp, [William_Jack_P], [tantek], IWSlackGateway, [KevinMarks], Loqi and [20_s_Net] joined the channel
Soni
has anyone made an 88x31 for JXL?
Loqi, [jeremycherfas], IWDiscord, erscheinung[d], ytseboy[d], magikarp_salesma, the_kovah[d], marmadilemanteat, chrisaldrich[d], hidjy[d], skyth3r[d], againstthefuture, yxtbi39pa8cte[d], Gremblo[d], geoffo, [Al_Abut] and [snarfed] joined the channel
[snarfed]
yeah that Mastodon vuln is real. large overlap with ActivityPub broadly, since authorization in general is largely unspecified. we made a first pass at documenting it in https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization
[snarfed]
I think that ended up in a good place, but overall there's still a lot that's un- or under-specified that contributes to problems like this
[snarfed]
(not sure there's anything here that BF needs to or can mitigate, but I'm happy to hear specific concerns)
[tantek] joined the channel
[KevinMarks]
“I had a lot of trouble with HTTP Signatures. Because they are cursed and I cannot read documentation. But mostly the cursed thing.” https://shkspr.mobi/blog/2024/02/a-tiny-incomplete-single-user-write-only-activitypub-server-in-php/
[snarfed]
hah yes. afaik this vuln was about authorization though, i.e. ownership/permission checks, not authentication/sigs
aaronpk
"impersonate and take over any remote account" is confusing
aaronpk
"impersonate" I get, but what does "take over a remote account" mean?
Soni
probably migrate it
gRegor, gxt and bterry joined the channel
[KevinMarks]
Does it mean replace the posts from the remote account in the instance cache?
gRegor and jonnybarnes joined the channel
Soni
oh that would also make sense
tPoltergeist, gRegor, gRegorLove_ and CRISPR joined the channel
capjamesg
[20_s_Net] You'd do <ul><li><a href="...">my page</a></li>...</ul> to make a list of links.
[20_s_Net]
ok I can't quite make sense of that right now but I will try
[20_s_Net]
perhaps I should focus on making more pages rather than making the thing that links to them first, in hindsight
capjamesg
That sounds like a good plan!
capjamesg
You can copy that code that I put above and it will work, though 😉
capjamesg
The cool thing about HTML is that only a few lines gets you really far.
[20_s_Net]
anyway, at risk of burning out and the time I'm going to as the google home says club duvet
[20_s_Net]
so night night
capjamesg
Sleep well!
capjamesg
Let us know how we can help whenever you're next working on your site.
capjamesg
It is exciting to see you make a website -- it is a big accomplishment!
[KevinMarks]
You can just make links with <p> in between too if you don't want an explicit list