I enjoyed reading this. Admittedly I'm very new to the ActivityPub protocol, but it's hard to grasp at first how this leak actually occurs.

I read this part of the ActivityPub spec and I think I get it, but not completely. So it is really up to the ActivityPub server implementation to strip the bto/bcc audience fields and do the "right thing" in order to preserve privacy? Could anyone shed some light on this?

https://www.w3.org/TR/activitypub/#remove-bto-bcc-before-delivery
There was an interesting follow-up to this post that adds more context to the incident and problem space: https://lemmy.world/post/27522773
The real meat

> The problem only becomes apparent when you have at least one legit accepted follower from a Pixelfed server. Now that server is allowed to fetch all your private posts. And when it knows the posts, it has to decide who to show them. When you accept a follower, you not only place your trust to keep a secret on them, but also on their admin and the software they are running.

Like I get it, compromises had to be made due to caching because it would be untenable if the same server had to fetch a single post hundreds of thousands of times, but this makes ActivityPub an extremely high trust protocol between servers.
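To make the two halves of the problem concrete (the spec question in the first comment and the "receiving server has to decide who to show them" point quoted above), here is an added example. It is not code from the thread, from Pixelfed, Lemmy, or any ActivityPub implementation. The sender side strips `bto`/`bcc` before delivery, as the linked spec section requires; the receiver side shows the only thing the protocol leaves a remote server to go on: the surviving `to`/`cc`/`audience` fields plus its own record of which local users had a Follow accepted. `naive_may_display` is the failure mode being discussed (show any cached post to any local user). All actor URIs, the followers maps and `SAMPLE_POST` are constructed sample data; the `followers_of` bookkeeping is an assumption about how a server tracks accepted follows, not a spec-defined structure.

```python
"""Added example (not from the thread or any ActivityPub project).

Sender: compute delivery targets from to/bto/cc/bcc, then strip bto/bcc
before the activity leaves the server (ActivityPub's "remove bto/bcc
before delivery" rule).
Receiver: before showing a cached post to a local user, check that user
against the audience that survived delivery. Nothing here changes the
underlying trust model the thread complains about: the receiving server
is still the one doing the check.
"""
import copy

PUBLIC = "https://www.w3.org/ns/activitystreams#Public"
DELIVERY_FIELDS = ("to", "bto", "cc", "bcc")
VISIBLE_AUDIENCE_FIELDS = ("to", "cc", "audience")  # what a receiver can still see


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _audience(activity, fields):
    """Collect addressing from the activity and its embedded object."""
    ids = set()
    obj = activity.get("object")
    for field in fields:
        ids.update(_as_list(activity.get(field)))
        if isinstance(obj, dict):
            ids.update(_as_list(obj.get(field)))
    return ids


def prepare_for_delivery(activity, followers_of):
    """Sender side. Returns (actor URIs to deliver to, activity as sent).

    followers_of: assumed local bookkeeping, followers-collection URI ->
    set of actor URIs whose Follow this server accepted."""
    targets = set()
    for addr in _audience(activity, DELIVERY_FIELDS):
        if addr == PUBLIC:
            continue
        # A followers collection expands to its members; anything else is an actor.
        targets.update(followers_of.get(addr, {addr}))
    outbound = copy.deepcopy(activity)
    for part in (outbound, outbound.get("object")):
        if isinstance(part, dict):
            part.pop("bto", None)
            part.pop("bcc", None)
    return targets, outbound


def naive_may_display(activity, viewer, followers_of):
    """The leak: if the post is in the local cache, anyone local may see it."""
    return True


def may_display(activity, viewer, followers_of):
    """Receiver side. followers_of here is what *this* server knows about
    remote followers collections, i.e. which local users had a Follow accepted."""
    audience = _audience(activity, VISIBLE_AUDIENCE_FIELDS)
    if PUBLIC in audience or viewer in audience:
        return True
    return any(viewer in followers_of.get(coll, set()) for coll in audience)


# Constructed sample data.
ALICE = "https://home.example/users/alice"
ALICE_FOLLOWERS = ALICE + "/followers"
DAVE = "https://home.example/users/dave"
BOB = "https://remote.example/users/bob"      # accepted follower of alice
CAROL = "https://remote.example/users/carol"  # same remote server, not a follower

SAMPLE_POST = {
    "type": "Create",
    "actor": ALICE,
    "to": [ALICE_FOLLOWERS],
    "bcc": [DAVE],
    "object": {"type": "Note", "content": "followers only", "to": [ALICE_FOLLOWERS]},
}
HOME_FOLLOWERS = {ALICE_FOLLOWERS: {BOB}}   # sending server's view
REMOTE_FOLLOWERS = {ALICE_FOLLOWERS: {BOB}}  # receiving server's view


def demo():
    targets, sent = prepare_for_delivery(SAMPLE_POST, HOME_FOLLOWERS)
    return {
        "targets": targets,
        "bcc_stripped": "bcc" not in sent,
        "bob_sees": may_display(sent, BOB, REMOTE_FOLLOWERS),
        "carol_sees": may_display(sent, CAROL, REMOTE_FOLLOWERS),
        "carol_sees_naive": naive_may_display(sent, CAROL, REMOTE_FOLLOWERS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes is the one the thread is circling: `may_display` is the best a correct receiver can do, and it depends entirely on that server's own follower bookkeeping, because after delivery there is nothing in the activity itself that ties a specific local viewer to a followers-only post.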
ActivityPub just hands out "private" posts and trusts the foreign server implicitly to only show them to the right users.

But it's Pixelfed's fault
This really sounds like a problem with ActivityPub if it doesn't have a protocol-level mechanism for this. The idea that an incomplete AP implementation is less secure than a complete one is worrisome to say the least.
> the release dropped. While the version increment (v0.12.4 to v0.12.5) implies a minor update, it's a huge leap. We're totalling more than 450 commits, including the requirement of a new version of PHP

yeah this is not a great way of doing things (even for solo devs)
So wait. You have a federated protocol that trusts and expects *every instance* to enforce a user privacy setting?

That is, put simply, utterly incompetent shitty design.