"Activities addressed to this [public address] special URI shall be accessible to all users, without authentication."
https://www.w3.org/TR/activitypub/#public-addressing
The "public address" is:
https://www.w3.org/ns/activitystreams#Public
(Yes, I am posting this for a reason.)
What is the standard method of specifying primary language of a post in #ActivityPub?
Mastodon and Hollo add contentMap.[languageCode] to object. But Pleroma and Misskey don't.
And what if there are multiple keys in contentMap?
Exciting community updates! 2TonWaffle is evolving with a clearer focus for both our main site and Indie Creator Hub. We're fully embracing the #Fediverse with #ActivityPub integration through #NodeBB and #Ghost platforms, making our content more accessible and connected than ever. Learn about our streaming plans on #Moonbeam and our vision for a more streamlined 2025!
https://2tonwaffle.com/platform-clarity-streamlining-the-2tonwaffle-ecosystem/
#IndieGaming #CreatorCommunity #CommunityBuilding
Im Labor läuft jetzt eine länger geplante Änderung, mit der die "Lang-URLs" von Beiträgen anstelle /statuses/ (was #Mastodon-Stil ist) /notes/ enthalten (was der Bezeichnung von #ActivityPub entspricht).
Other algorithmic feeds can be generated by the user themselves using a small self-hosted LLM. Users will be able to generate these feeds by simply speaking them into existence:
The UI will show an input field, and the user will type what sorts of posts they want to see. E.g.: "Show me posts related to information security"
Then, the server will pass every single post that goes through the server's "global timeline" through this LLM-based filter. The ones the filter approves get sent to this "algorithmic feed" (really just a list).
This technique can make the concept of hashtags (like the ones below) obsolete.
I'm being driven up a wall by a Heisenbug I have with the #GoActivityPub HTTP-Signature plumbing.
On a multi tenant #ActivityPub service where I have two Actors, one of them can interact with the Fediverse at large without any issue, while the other gets HTTP Signature validation errors for every request.
There's no suspicious difference between the two private/public key pairs of the two actors. (I've even tried using the same key pair)
Sigh...
How to Install #Pixelfed on #Ubuntu VPS (8 Step Quick-Start Guide)
This article provides a guide for how to install Pixelfed on Ubuntu VPS.
What is Pixelfed?
PixelFed is a decentralized, open-source photo-sharing platform similar to Instagram but built on the #Fediverse (federated social networks using the #ActivityPub protocol). It allows users to host their own instances and interact with users across different ...
Continued
#installguide #selfhosting #vpsguide
Une sorte de Wikipédia fédéré grâce à ActivityPub.
https://ibis.wiki/
@dansup The follower approval feature itself in #activitypub is the vulnerability. It is wrong to give users the expectation that their social media posts are private. Also, approving followers reminds me of DRM on mp3 files. What are we doing?
#Mastodon #Pixelfed #FAIL #security #ActivityPub
Вместо эпиграфа
— У вас дыра в безопасности!
— Ну, хоть что-то у нас в безопасности...
«Вылетит слово — не поймаешь, а у нас догонят, поймают и посадят»
Коротко:
Вы решили вручную одобрять подписчиков и думаете, что кроме одобренных никто не увидит ваши постыдные постики? #ActivityPub отправляет сообщения не просто «подписчикам», а на их сервер. После этого сервер должен проявить порядочность и показывать только тем, кто на вас подписан.
Pixelfed, однако, игнорирует вопросы одобрения подписки для внешних серверов. В результате, если вы одобрили кого-то из пикселфеда, ваши «подзамочные» посты будут доступны всем юзерам с того сервера.
Тада-а-а-м! Собсно, не только пикселфеда это касается, баг (или злонамеренное действие) доступности сообщений с якобы ограниченной видимостью возможен примерно везде, где не используется E2EE шифрование, #НоЭтоНеТочно. «Что знают трое — знает и свинья».
Les projets les plus actifs (que j'ai trouvé) qui proposent un support #ActivityPub généraliste pour #DjangoFramework
- Pyfed, @kene29 Très belle librairie mais très jeune (2024). Cherche des testeurs & contributeurs.
https://dev.funkwhale.audio/funkwhale/pyfed/
- django-activitypub-toolkit @raphael Activement développé https://github.com/mushroomlabs/django-activitypub-toolkit
- Takahé: An efficient ActivityPub Server, for small installs with multiple domains. Compatible API Mastodon mais n'a pas bougé depuis plus d'un an https://docs.jointakahe.org/en/latest/features/
#Pixelfed leaks private posts from other #Fediverse instances, 20250325,
https://fokus.cool/2025/03/25/pixelfed-vulnerability.html
『I created an account on pixelfed.social and clicked follow on my partner’s Mastodon account, and… I could see all of her private posts. Instead of telling me I’d have to wait to have my follow accepted, I was already following her.』
#ActivityPub #mastodon what #privacy?
2/
I think there is a need for a "dumb" document format.
HTML is no longer that.
Markdown probably isn't it.
No one really uses enriched-text (IETF RFC 1896).
(I prefer wiki like formats, for various reasons, but —)
I don't think there is an obvious choice for a "dumb" document format, right now.
1/
I think HTML being the default content type for ActivityPub / ActivityStreams is unfortunate in some ways.
HTML was originally a "dumb" document format. But, it is now a "smart" application format — with privacy & security concerns.
https://mastodon.social/@reiver/108237663610634862
You should NOT just take whatever HTML is in the 'content', and put it in the web-browser to view it.
You have to sanitize it. Or, render (unsafe) HTML to (safe) HTML.
¿Badges en el Fediverse? ¡Así es, ya se está cocinando! Adivina qué, tengo un prototipo funcionando para emitir badges con ActivityPub.
Está un poco hecho un desmadre, pero necesito ayuda para hacerlo increíble.
Échale un ojo, dime qué opinas y ¡vamos a crear algo chido juntos!
Previews in ActivityPub / ActivityStreams is what should bind the disparate software and user-experiences on the Fediverse.
Not the ActivityStreams 'Note'.
...
Previews using 'icon', 'image', 'name', 'summary', etc.
"One of the other fun things that shipped with the beta last week was that we included a feedback widget which invites people to reply to a Note directly inside Ghost to tell us how their experience is going. So we're using ActivityPub replies to an ActivityPub note to collect feedback about ActivityPub functionality using ActivityPub. Here, hold my turtles."
It turns out, as always, that your social media posts are public. ActivityPub features that attempt to set any other expectations for users are wrong and should maybe be considered a vulnerability in and of themselves. #ActivityPub #privacy #Pixelfed #Mastodon
https://mastodon.catgirl.cloud/@49016/114224653241416593
Oh, great. #Pixelfed had a broken implementation of "follower-only" posts, _and_ fucked up the disclosure / bugfix release process.
https://fokus.cool/2025/03/25/pixelfed-vulnerability.html
Summary of the bug: If you have a protected account (on Pixelfed, Mastodon, GTS, whatever) and a Pixelfed user followed you and got approved by you, _all_ users on that instance were now able to see your followers-only posts, not just the one you approved.
