This thread has taken too much of my time & energy, and I'm shifting that to elsewhere. I've preserved the thread here: ghostarchive.org/archive/JfGbx

Feel free to stop reblogging. I still would like to see pixelfed actually publish the vulnerability report on GitHub, and fix the issue with followings on pixelfed being out of sync with remote accounts due to this bug, but whatever.

@thisismissem One of the biggest problems, in my humble opinion, is the over-promise, under-deliver. We constantly see toots telling us what is coming, or giving dates, and it doesn't appear. I have lost count of the number of these toots that are then deleted at a later date. I did keep a copy of a toot that was posted by Dan a few weeks ago in which he promised to stop over-promising. It was deleted about an hour later.

Dan the Dev is too thinly spread. He has great talent, but works on far too much. The result is that things suffer. Projects and promises lapse. People get frustrated. Tempers flare. Dan gets pissed off, understandably. Then come the churlish toots.

One could argue that we have no right to dictate his workload. However, he's putting out a product (products maybe?) and it comes with responsibility and expectations from the 110k active users. And what about the people who gave up their hard-earned cash to fund over $100k to his projects? What was the plan there? I've never seen any firm strategy. Where's the crowdfunding being used?

People want to help him. I have offered several times over the years. I have a list of crap UI issues. I've offered/suggested that he needs to test stuff before launch. If he has a test group, it's not working .... and it can't be your friends! Testing is a thorough and serious aspect of software dev. It's not happening here.

He's hinted at a new team. He has been asked to introduce this team. It's never happened that I have seen, and the messages go unacknowledged.

No one really wants to see Pixelfed fail (well there are probably some), but on the whole I think we all want this to work. It's the makings of a great product.

Important issues, like the one raised here in the original toot can't go unfixed and ignored. The point of the fedi is to be open (and supportive), trusting, and honest with user data.

@daj @thisismissem

There's a general anti-pattern to many #FOSS projects, which I call the "One Man Army", where over time - as the popularity of a project steadily grows - just coding isn't enough and more and more additional aspects of the Free software development lifecycle, the #FSDL, must be addressed in order for the project to remain sustainable. Pixelfed at the time was my inspiration to coin the anti-pattern:

https://social.coop/@smallcircles/113874718620285261

@thisismissem @pixelfed The fix was shipped and announced in March.

https://mastodon.social/@pixelfed/114215925957179498

I'm working on collection sync, but that is a Mastodon extension that isn't supported in most software keep in mind.

Maybe you could have reached out privately instead of publicly shaming an open source fediverse project into implementing a Mastodon-only fix.

We do accept PRs, and you could have contributed a fix to help ship sync quicker if you did really care (adonis is based on laravel, php is ez)

Re: So @pixelfed still hasn't fully acknowledged nor fixed the security vulnerability from earlier this year, despite multiple people asking for updates over the past ~6 months.

@thisismissem@hachyderm.io what was this in reference to, the one where Pixelfed allows anyone on a server access to a followers-only post if one person on that server is a follower?

@gelbphoenix @dansup@deadsuperhero here's what a published one looks like: https://nvd.nist.gov/vuln/detail/CVE-2025-54879

Notice how it links back to the published security vulnerability report on Mastodon? Notice how the vulnerability for Pixelfed doesn't?

Here's the same for the only published advisory for Pixelfed: https://nvd.nist.gov/vuln/detail/CVE-2024-25108

@hiphopheaven @pixelfed I'm not saying "don't use Pixelfed", no, in fact I want people to be safe using and federating with Pixelfed.

However, I am calling on Dan & the pixelfed team (?) to do the right thing and fully fix this vulnerability, and do the remediation work necessary, and adopt better security release practices.

Having this in a state of "kinda fixed" for 6 months or so isn't great.

@thisismissem Hello Emelia. Just read this all now and wondering if you recommend leaving pixelfed?

Thank you for providing detail as to what the issue is about for this designer to understand what the major concerns are.

I don't know how he treats contributors but also haven't posted anything there for weeks so unsure if I shall keep my account alive knowing this now. Thank you in advance!

Would you also have other recommendations of other pixelfed-like solutions or is it simpler to just post pix directly on one's account here on Fedi from the server I am part of? Thanks again!