Mastodev and meta, security bug with Mastodon 

Listen, web development is hard and I'm not looking to cancel Eugen over this, but this bug is a huge breach in federation security that undermines people's ability to trust the platform. Being told someone doesn't follow you when they actually still do is dangerous because of the follower-only post feature. People need to have confidence that these posts are only going to the accounts on their follower list, for what I think are pretty obvious reasons. The fact that this can only be fixed by a patch to the software is really bad, as any instance that refuses to update will still have the ability to stealth follow people with no recourse except to defederate from the instance entirely.

The Mastodon project gets paid $150k a year through grants and monthly patron subscriptions. $60k of that is supposed to cover Eugen's salary, and the rest is supposed to go into development of the software.

My question is: how did this go undetected for a year, and how did it pass QA in the first place? Again, software dev is not as simple as laypeople think it is, so I'm not claiming incompetence here, but Mastodon is a well funded project, especially in the FOSS space where most projects make less than $50 a year. I think it's reasonable to expect answers.

Are there devs being paid to do QA sweeps for each release, particularly with security issues like this? Was this bug introduced through a different feature being added, or was the user feature in the settings panel not implemented correctly and shipped without thorough testing? What steps will be taken to change the QA process so that bugs like this don't slip through again? How many people are being paid to work on Mastodon, and how many hours a month do they contribute?

re: Mastodev and meta, security bug with Mastodon 

@sandrockcstm sorry, I must be late to the party. What happened?

re: Mastodev and meta, security bug with Mastodon 

@garbados @sandrockcstm I'm not familiar with most of the details, but there was some bug related to follow requests that made followers-only posts visible to some non-followers.

re: Mastodev and meta, security bug with Mastodon 

Mastodev and meta, security bug with Mastodon 

@sandrockcstm Serious question: does Mastodon even have formal QA? If not, there's your answer.

Mastodev and meta, security bug with Mastodon 

@ari I have no idea, but if it doesn't it absolutely needs it.

Mastodev and meta, security bug with Mastodon 

@sandrockcstm I agree. There'd definitely be overhead but I can't imagine that they can't spare another 60 for a full time QA unless that 150 is gross pre-tax numbers. I know maloki used to be a community manager which I assume she got paid for, but no longer.

re: Mastodev and meta, security bug with Mastodon 

@sandrockcstm Last time I worked with Mastodon internals, it really didn't seem like security was a concern.

re: Mastodev and meta, security bug with Mastodon 

@jadenw That's definitely an attitude I've noticed in the past. Apparently there was basically a mutiny about 3-4 years back where the users forced Eugen into implementing some basic anti-harassment features (I don't remember exactly what they were), but his stance was basically "this won't solve the problem perfectly so why bother."

I've had a lot of issues with his stances in the past and I'm trying to give the benefit of the doubt here, but he's just... not addressing it at all. No statement, no roadmap forward, nothing.

He did merge the pull request that fixes it (a minor miracle in itself), but that doesn't really restore my confidence in the software.

I guess moving forward we just all have to hope that glitch-soc and the other forks of Mastodon stay maintained and care more about their users than he does.
