How to Install #Pixelfed on #Ubuntu VPS (8 Step Quick-Start Guide)

This article provides a guide for how to install Pixelfed on Ubuntu VPS.
What is Pixelfed?
PixelFed is a decentralized, open-source photo-sharing platform similar to Instagram but built on the #Fediverse (federated social networks using the #ActivityPub protocol). It allows users to host their own instances and interact with users across different ...
Continued #installguide #selfhosting #vpsguide

Une sorte de Wikipédia fédéré grâce à ActivityPub.
https://ibis.wiki/

#Mastodon #Pixelfed #FAIL #security #ActivityPub

Вместо эпиграфа

— У вас дыра в безопасности!
— Ну, хоть что-то у нас в безопасности...

«Вылетит слово — не поймаешь, а у нас догонят, поймают и посадят»

Коротко:

Вы решили вручную одобрять подписчиков и думаете, что кроме одобренных никто не увидит ваши постыдные постики? #ActivityPub отправляет сообщения не просто «подписчикам», а на их сервер. После этого сервер должен проявить порядочность и показывать только тем, кто на вас подписан.

Pixelfed, однако, игнорирует вопросы одобрения подписки для внешних серверов. В результате, если вы одобрили кого-то из пикселфеда, ваши «подзамочные» посты будут доступны всем юзерам с того сервера.

Тада-а-а-м! Собсно, не только пикселфеда это касается, баг (или злонамеренное действие) доступности сообщений с якобы ограниченной видимостью возможен примерно везде, где не используется E2EE шифрование, #НоЭтоНеТочно. «Что знают трое — знает и свинья».

https://fokus.cool/2025/03/25/pixelfed-vulnerability.html

Les projets les plus actifs (que j'ai trouvé) qui proposent un support #ActivityPub généraliste pour #DjangoFramework

- Pyfed, @kene29 Très belle librairie mais très jeune (2024). Cherche des testeurs & contributeurs.
https://dev.funkwhale.audio/funkwhale/pyfed/
- django-activitypub-toolkit @raphael Activement développé https://github.com/mushroomlabs/django-activitypub-toolkit
- Takahé: An efficient ActivityPub Server, for small installs with multiple domains. Compatible API Mastodon mais n'a pas bougé depuis plus d'un an https://docs.jointakahe.org/en/latest/features/

#Pixelfed leaks private posts from other #Fediverse instances, 20250325,
https://fokus.cool/2025/03/25/pixelfed-vulnerability.html

『There's a reasonable chance you have a follower on one of the big Pixelfed instances [...] An attacker who wants to see your private posts could create an account there, follow you, and immediately see your posts. You would receive a follow request, but it wouldn’t matter ...』

#ActivityPub #mastodon what #privacy?

1/

I think HTML being the default content type for ActivityPub / ActivityStreams is unfortunate in some ways.

HTML was originally a "dumb" document format. But, it is now a "smart" application format — with privacy & security concerns.

https://mastodon.social/@reiver/108237663610634862

You should NOT just take whatever HTML is in the 'content', and put it in the web-browser to view it.

You have to sanitize it. Or, render (unsafe) HTML to (safe) HTML.

¿Badges en el Fediverse? ¡Así es, ya se está cocinando! Adivina qué, tengo un prototipo funcionando para emitir badges con ActivityPub.

Está un poco hecho un desmadre, pero necesito ayuda para hacerlo increíble.

Échale un ojo, dime qué opinas y ¡vamos a crear algo chido juntos!

https://www.youtube.com/watch?v=Ot0egwtbRgc

Previews in ActivityPub / ActivityStreams is what should bind the disparate software and user-experiences on the Fediverse.

Not the ActivityStreams 'Note'.

...

Previews using 'icon', 'image', 'name', 'summary', etc.

"One of the other fun things that shipped with the beta last week was that we included a feedback widget which invites people to reply to a Note directly inside Ghost to tell us how their experience is going. So we're using ActivityPub replies to an ActivityPub note to collect feedback about ActivityPub functionality using ActivityPub. Here, hold my turtles."

https://activitypub.ghost.org/the-social-web-lift-off/

It turns out, as always, that your social media posts are public. ActivityPub features that attempt to set any other expectations for users are wrong and should maybe be considered a vulnerability in and of themselves. #ActivityPub #privacy #Pixelfed #Mastodon
https://mastodon.catgirl.cloud/@49016/114224653241416593

Oh, great. #Pixelfed had a broken implementation of "follower-only" posts, _and_ fucked up the disclosure / bugfix release process.

https://fokus.cool/2025/03/25/pixelfed-vulnerability.html

Summary of the bug: If you have a protected account (on Pixelfed, Mastodon, GTS, whatever) and a Pixelfed user followed you and got approved by you, _all_ users on that instance were now able to see your followers-only posts, not just the one you approved.

Ibis is a #federated encyclopedia which uses the #ActivityPub protocol, just like #Mastodon or #Lemmy

https://ibis.wiki/

Hmm, looks like a general "followers only" problem with the ActivityPub protocol. IMHO. This is not so much a Pixelfed issue, as any software can ignore the request to wait for a follow and just follow a user anyway. (ie if a bad actor wants to track "follower only" posts, they can build something to subscribe to followers only) #ActivityPub

https://fokus.cool/2025/03/25/pixelfed-vulnerability.html

HOLY FUCK!

Stay the fuck away from loops.video! (https://bajsicki.com/blog/loops-video-terms/) (Edit: Apparently the TOS have been changed. You might wanna stay cautious, though.)

Also, if you have any followers from an unpatched Pixelfed server, you might want to know that your follower-only posts can be easily read by people who aren't following you. (https://fokus.cool/2025/03/25/pixelfed-vulnerability.html)

If you're hosting a Pixelfed instance: Good luck updating!

https://www.youtube.com/watch?v=D0wbCctcEIA

Recommendation against bluesky

Recherche logiciel de forum la suite
https://ludovic.hirlimann.net/2025/03/recherche-logiciel-de-forum-la-suite.html