Give it a rest. A fork of Mastodon created a new abstraction for “private posts” and started sending to instances some posts that were marked in a new way as “private,” and now they’re trying to blame Pixelfed for not adopting their homemade standard for what posts their servers are sending out to everyone that they’re not supposed to show, and what ones they are supposed to show. And, Pixelfed fixed it once they became aware of the issue.
It’s fixed in 1.12.5. Why is this not titled “Mastodon instances claim to their users to offer ‘private’ posts but send them out exactly like normal posts, get surprised when software that hasn’t magically adopted their new standard is showing them to people”?
I don’t understand why people don’t understand that AcitivityPub is not a private protocol. Like at all. Its not meant to be and was never meant to be. Any “privacy” improvements from random instances are not part of the core code structure and do not work outside of them 99% of the time.
It’s good to be aware of and in general treat anything uploaded to the internet as public, but it also is a bug that the software isn’t working right.
It was a poorly implemented feature that was never communicated and when said feature failed to function outside of the specific instance it was designed for, people threw shit. That’s not a bug. If anything its an integration failure. A failure that is entirely the fault of the mastodon instance team. Calling it a vulnerability is fuckin wild.
