this is... worse than I thought. Dude is a straight up grifter mooching on the open source community's good name and EU grants, and not a good project maintainer to boot.

[–] hellinkilla@hexbear.net 2 points 1 day ago (1 children)

I didn't follow all the details in the middle of the post. Its over me head.

But if pixelfed did this presumably by accident, wouldn't it be easy enough to create an intentionally malicious fediverse server for the purpose of bypassing privacy measures?

Shouldn't the instances offering the privacy to its own users be the place where the privacy happens? Instead of relying on other hosts to behave well.

[–] machinya@hexbear.net 1 points 8 hours ago

yes and no. it depends on the fedi implementation but most microblogging software sends private posts to other instances when someone on that instance follows you. then, they can do whatever they want with the private posts (pixelfed made all the posts not-private due a bug in the code but this can totally be done on purpose).

due to the way federation works, there is no way around this since the server has to has access to your private posts if it wants to show them to their users that follows you. this should be mitigated on the instance level (by not federating with bad instances) and on the user level (not accepting follows from bad instances) but both defaults are usually fully open, making it possible for anyone to create a new instance and pulling all your "private" posts. having an allowlist federation and private could improve the situation but this would make federation with new instances so there will always be pushback against that.

at the end of the day, there is nothing really private on the fediverse, even of the best scenario, so it should be taken as that.

[–] TheRealCharlesEames@lemm.ee 9 points 1 day ago

Confirms some of the bad vibes I've gotten from dan in the past. I'll be abandoning Pixelfed and Loops and no longer encouraging friends and family to try it out until he's out of the picture.