So @pixelfed still hasn't fully acknowledged nor fixed the security vulnerability from earlier this year, despite multiple people asking for updates over the past ~6 months.
-
@rey @thisismissem @dansup @deadsuperhero I'm aware. It's also 6am MDT.
-
@chad @thisismissem @dansup @deadsuperhero this thread started three days ago and he has, apparently, already responded to it
-
@rey @chad @dansup @deadsuperhero yes, and the only response has been an accusation of spreading misinformation which was easily disproven
-
@thisismissem @rey @dansup @deadsuperhero I feel that given the overall careful discussion here, an accusation of misinformation is a great departure.
-
@thisismissem @chad @dansup @deadsuperhero why do they not create an alternative? This is supposed to be the power of open source: you can fork projects and create new wonderful things
-
@hiphopheaven @thisismissem @dansup @deadsuperhero there's no one stopping anyone from forking Dan's projects.
-
@chad @rey @dansup @deadsuperhero that was *his* accusation. Not mine. I then spent the time to review the changes, and was fully prepared to update as resolved, only, it wasn't & the changes were thousands of lines of unrelated code. I spent quite some time checking.
-
@chad @hiphopheaven @dansup @deadsuperhero it's hard when he'll actively fight against you, iirc, he got extremely mad when pixelfed-glitch was started, and threatened a trademark lawsuit. That probably killed that person's energy to work on it.
He also went after the developer of Vernissage a while back too, when they decided to do their own thing away from pixelfed.
Meanwhile he raises 100k for pixelfed, but it seems like all the energy is going into his other projects.
-
chad@mstdn.ca re: "step up or shut up", thisismissem@hachyderm.io has been (is currently?) a contributor for Pixelfed, and was the person responsible for the discovery, analysis, and responsible disclosure of the 10/10 severity vulnerability from last year.
She also provided best practice recommendations and guidance on remediation, all for free (there was no security fund back then, and Pixelfed has no bug bounty.)
For her to buck responsible disclosure practice (and even then she's being deliberately vague about the technical details) is a sign that someone is being stonewalled.