Dan the Dev is too thinly spread. He has great talent, but works on far too much. The result is that things suffer. Projects and promises lapse. People get frustrated. Tempers flare. Dan gets pissed off, understandably. Then come the churlish toots

One could argue that we have no right to dictate his workload. However, he's putting out a product (products maybe?) and it comes with responsibility and expectations from the 110k active users. And what about the people who gave up their hard earned cash to fund over $100k to his projects. What was the plan there? I've never seen any firm strategy. Where's the crowdfunding being used?

People want to help him. I have offered several times over the years. I have a list of crap UI issues. I've offered/suggested that he needs to test stuff before launch. If he has a test group, it's not working .... and it can't be your friends! Testing is a thorough and serious aspect of software dev. It's not happening here.

He's hinted at a new team. He has been asked to introduce this team. I'ts never happened that I have seen, and the messages go unacknowledged.

No one really wants to see Pixelfed fail (well there are probably some), but on the whole I think we all want this to work. It's the makings of a great product.

Important issues, like the one raised here in the original toot can't go unfixed and ignored. The point of the fedi is to be open (and supportive), trusting, and honest with user data.

https://mastodon.social/@pixelfed/114215925957179498

I'm working on collection sync, but that is a Mastodon extension that isn't supported in most software keep in mind.

Maybe you could have reached out privately instead of publicly shaming an open source fediverse project into implementing a Mastodon-only fix.

We do accept PRs, and you could have contributed a fix to help ship sync quicker if you did really care (adonis is based on laravel, php is ez)

Notice how it links back to the published security vulnerability report on Mastodon? Notice how the vulnerability for Pixelfed doesn't?

Here's the same for the only published advisory for Pixelfed: https://nvd.nist.gov/vuln/detail/CVE-2024-25108

This was mostly empty last I looked, and the corresponding security advisory on GitHub's side wasn't published: https://github.com/pixelfed/pixelfed/security

I'm not sure why this needs to be put on blast in public.

You do amazing work. This is pretty aggressive considering the context.

However, I am calling on Dan & the pixelfed team (?) to do the right thing and fully fix this vulnerability, and do the remediation work necessary, and adopt better security release practices.

Having this in a state of "kinda fixed" for 6 months or so isn't great.

thank u for providing detail as to what the issue is about for this designer to understand what the major concerns are.

I don't know how he treats contributors but also haven't posted anything there for weeks so unsure if I shall keep my account alive knowing this now. Thank you in advance!

Would you also have other recommendations of other pixelfed-like solutions or is it simpler to just post pix directly on one's account here on Fedi from the server I am part of? Thanks again!