洪 民憙 (Hong Minhee)

@_elena Thanks! Yeah, this kawaii cover would be one of its selling points!

This is the CUTEST kawaii Ai-chan (藍(あい)"Ai" is a normal female Japanese name meaning "Indigo" both the color and the plant; "Ai"-chan, the mascot of Misskey, has nothing to do with Large Language Models) I have ever seen from a technical literature titled like "Practical Fedify: An Introduction to ActivityPub Microblog Development"! I even see other mascots in the Fediverse too, like Don the Mastodon and that Blue Dinosaur mascot of Fedify (I don't know its name).
Huge thanks to @hongminhee@hollo.social https://hollo.social/@hongminhee for their work on authoring this amazing book and developing Fedify itself! And if you can read Japanese and are interested in Fedify and ActivityPub Development, then definitely check this one out! You can pre-order the book on Amazon Japan → https://amzn.asia/d/0hQSKBmI #Fedify (The book will be printed on May 22)

日本で世界初のFedifyの書籍「実践Fedify——ActivityPubマイクロブログ開発入門」が出版されました。この本は私にとって初めての著書でもありますが、最初の本が母語の韓国語ではなく日本語だというのは、なんだかとても不思議な気分ですね。本書は、英語で書かれたFedifyの公式チュートリアル「Creating your own federated microblog」をベースに、様々な加筆を行ったものです。Fedifyのマスコットの恐竜と、Misskeyのマスコットである三須木（みすき） 藍（あい）、Mastodonのマスコットが一緒に描かれた可愛い表紙のイラストは、ゆめつきママさんが描いてくださいました。電子書籍と紙の書籍の両方で、来る22日にインプレス NextPublishingから出版される予定です。

The world's first Fedify book, Practical Fedify: Introduction to ActivityPub Microblog Development (実践Fedify——ActivityPubマイクロブログ開発入門), has been published in Japan. This is also the first book I have ever published, and it feels quite surreal that my first book is in Japanese rather than my native language, Korean. This book is an expanded version based on the official English Fedify tutorial, Creating your own federated microblog, with various additions. Yumetsuki Mama (ゆめつきママ) worked on the cute book cover illustration, which features the Fedify dinosaur mascot, Misskey's mascot Ai-chan, and the Mastodon mascot together. It is scheduled to be published in both e-book and print formats on the 22nd by Impress NextPublishing. See also the Amazon Japan.

お、洪民憙さんの本でてるじゃん。

みんなActivityPubの自力実装で挫折するぐらいなら、この本を買ってFedify組み込んで開発するといいよ。

実践Fedify　ActivityPubマイクロブログ開発入門
https://nextpublishing.jp/book/19496.html

分散型ソーシャルネットワークの仕組みを理解しよう！ 『実践Fedify　ActivityPubマイクロブログ開発入門』発行 技術の泉シリーズ、5月の新刊
https://prtimes.jp/main/html/rd/p/000007383.000005875.html

#prtimes #プレスリリース #ニュースリリース #配信 #サイト #サービス #方法 #代行 #PR_TIMES

실천 Fedify

- 일단 대표로 아이 쨩(미스키 마스코트)가 대문짝만한게 그려져있음 (귀여워)
- 마스토돈도 뒤에 그려져있음
- 한국이 아니라 일본임
- 저자 이름이 가타카나로 홍민희가 아니라 한자 그대로 써있음

https://hackers.pub/@hongminhee/019e3e78-8dbe-7973-b625-8bb50a098a63

일본에서 제가 쓴 Fedify 책 〈실천 Fedify: ActivityPub 마이크로블로그 개발 입문〉(実践Fedify——ActivityPubマイクロブログ開発入門)이 나왔어요! 정식 출판된 책은 처음 써보는데, 그게 한국어가 아니라 일본어라는 게 뭔가 신기하네요…!

출판사 페이지: https://nextpublishing.jp/book/19496.html Amazon Japan: https://amzn.asia/d/0hA3KTeQ

RE: https://fedibird.com/@noellabo/116599256677289467

Hollo 0.7.16および0.8.5のセキュリティパッチをリリースしました。かなり多くの脆弱性を一度に修正するパッチです。早急にアップデートしてください。

Hollo 0.7.16 및 0.8.5 保安(보안) 패치를 릴리스했습니다. 相當(상당)히 많은 保安(보안) 脆弱點(취약점)을 한 番(번)에 고치는 패치입니다. 早速(조속)히 업데이트 하시기 바랍니다.

We have released security patches for Hollo 0.7.16 and 0.8.5. This update addresses a significant number of security vulnerabilities at once. Please update your software as soon as possible.

Hollo security updates: 0.7.16 and 0.8.5

If you run Hollo, update to a patched release now. Hollo 0.7.16 and 0.8.5 fix several security issues in ActivityPub federation, the web admin UI, OAuth, and the transitive fast-xml-parser dependency.

On the federation side, three inbox handlers were missing authorization checks. Any remote actor could send a Delete to remove any cached post by IRI, an Update to overwrite or first-materialize a cached post under another actor's name, or a cross-origin Announce whose attacker-controlled embedded body materialized as someone else's post. The checks now differ by activity type. A Delete is ignored unless the deleter's origin matches the cached post author's origin. An Update is ignored unless the activity actor, the embedded object's id, and its attributedTo all share an origin. For Announce, Hollo no longer trusts attacker-supplied embedded content to create or overwrite the original post: unknown cross-origin objects are fetched from their canonical URL, and any newly cached object must have matching id and attributedTo origins. Separately, Follow, Like, EmojiReact, and Announce from a blocked actor were processed normally and still produced notifications; they are now silently dropped at the inbox.

On the web admin side, login and OTP cookies were set without HttpOnly, SameSite, or Secure, and state-changing forms had no Origin or Sec-Fetch-Site check. A single reflected XSS could exfiltrate the admin session, and a malicious page could submit a hidden cross-site form to disable 2FA, delete an account, or silently authorize a rogue OAuth application. The affected dashboard routes and POST /oauth/authorize now run Hono's CSRF middleware, and the login and OTP cookies now carry those attributes.

The transitive fast-xml-parser (carried in via the AWS SDK that backs S3 storage) is now pinned to patched versions, closing one critical and several high-severity advisories. Hollo also now uses constant-time comparison for the OAuth PKCE check and the multi-credential client-secret consistency check, and it warns at startup when LOG_QUERY=true is set, because drizzle-orm logs bound parameter values, including OAuth tokens and other secrets.

All Hollo versions up to and including 0.7.15 and 0.8.4 are affected. Patched releases are 0.7.16 for the 0.7.x series and 0.8.5 for the 0.8.x series. CHANGES.md has the longer notes, including the availability trade-off for cross-origin Announce validation when the canonical origin is unreachable.

For 0.7.x deployments, update to 0.7.16:

docker pull ghcr.io/fedify-dev/hollo:0.7.16

For 0.8.x deployments, update to 0.8.5:

docker pull ghcr.io/fedify-dev/hollo:0.8.5

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

If anything is unclear, ask below.

I just read about a blind person vibe-coding a new email client for Windows. Not linking because I don't want people to pile onto this person, who is a veteran of the software industry and a respected, persistent accessibility advocate and contributor to assistive technology. Instead, I want to point out how badly the commercial software industry, particularly Microsoft in this case, has failed us such that an individual feels the need to do this. Don't know what to do instead though.

Again, this service is to develop and test siliconbeest.
Soon, maybe in few days or something, I am going to make a MAIN siliconbeest service with new domain, (and yes, keep this service up and running) so you can use this service but also keep on eye on the new domain!

FEP-044f consent-respecting quote posts, so-called Mastodon-style quotes, has been implemented on Hackers' Pub. Now, when writing a post, you can choose who is allowed to quote it. Even if it has already been quoted, you can retroactively revoke it if it's an unwanted quote. Revoking a quote will remove your post from the post that quoted it.

The implementation of FEP-044f is also the first step toward implementing GoToSocial-style interaction controls. Interaction controls are literally a specification that lets you control all interactions on your posts, such as shares and comments, and FEP-044f is defined as an extension of this specification. Therefore, it's safe to say that the groundwork for interaction controls has been somewhat laid.

Of course, since there were many security-related aspects to consider while implementing FEP-044f, implementing the interaction control feature probably won't be very easy, but I still think it's a challenge worth taking on.

FEP-044f consent-respecting quote posts, so-called Mastodon-style quotes, has been implemented on Hackers' Pub. Now, when writing a post, you can choose who is allowed to quote it. Even if it has already been quoted, you can retroactively revoke it if it's an unwanted quote. Revoking a quote will remove your post from the post that quoted it.

The implementation of FEP-044f is also the first step toward implementing GoToSocial-style interaction controls. Interaction controls are literally a specification that lets you control all interactions on your posts, such as shares and comments, and FEP-044f is defined as an extension of this specification. Therefore, it's safe to say that the groundwork for interaction controls has been somewhat laid.

Of course, since there were many security-related aspects to consider while implementing FEP-044f, implementing the interaction control feature probably won't be very easy, but I still think it's a challenge worth taking on.

Hackers' Pub에 FEP-044f 인용 승낙 기능, 이른바 Mastodon 스타일 인용 기능이 구현되었습니다. 이제 콘텐츠를 작성할 때 누가 그 콘텐츠를 인용하도록 허용할 지 정할 수 있습니다. 이미 인용된 경우에도, 원하지 않는 인용의 경우 사후에 그 인용을 취소(revoke)할 수도 있습니다. 인용을 취소하면 해당 단문에서 인용되었던 자신의 콘텐츠가 빠지게 됩니다.

FEP-044f 규격 구현은 GoToSocial 스타일 상호작용 제어 구현의 첫걸음이기도 합니다. 상호작용 제어란 말 그대로 공유나 댓글과 같은 자신의 콘텐츠에 대한 상호작용 전반을 통제할 수 있는 규격으로, FEP-044f 규격이 해당 규격의 한 확장으로 정의된 것입니다. 따라서 상호작용 제어를 위한 기반은 어느 정도 마련되었다고 볼 수 있습니다.

물론, FEP-044f를 구현하면서도 보안과 관련해 신경 쓸 부분이 많았기에, 상호작용 제어 기능을 구현하는 게 아주 쉽지는 않을 것 같긴 합니다만, 그럼에도 도전할 가치가 있다고 생각합니다.

아, 그리고 인용 승낙 기능은 새 프런트엔드(web-next)에서만 사용 가능합니다. 레거시 프런트엔드에서 작성한 단문이나 게시글은 모두 디폴트 인용 권한(공개 및 조용히 공개 → 누구나 인용 가능, 팔로워만 및 언급된 사용자만 → 나만 인용 가능)을 따르게 됩니다.

Released LogTape 2.1.0. The headline feature is a throttling filter—when the same log message fires thousands of times a second during an outage, it suppresses the flood and optionally emits a summary. Also new: logfmt formatter, timezone-aware timestamps, and HMAC pseudonymization for privacy-preserving log correlation.

https://github.com/dahlia/logtape/discussions/165

BunのZig → Rustへの移植がそこそこ動いているという話を聞いて、それならMisskeyのフェデレーション部分をFedifyに差し替えるのもやってみる価値があるかなと思った。

DeepSeek-V4-Flash means LLM steering is interesting again https://lobste.rs/s/wycfiy #vibecoding
https://www.seangoedecke.com/steering-vectors/

I'm getting closer to something showable on my side project, a recipe and baking app, #federated with #ActivityPub, https://cookifed.dev.
I'm not ready to accept new users yet, but @dmathieu@cuisine.social is the first ever #cookifed federated account!

@reiver @evan @karen Yes, correct!

@reiver I don't know the exact date yet either, but according to the COSCUP organizers, they said they'll do their best to schedule our track for Sunday, August 9th.

@evan @karen

Thank you @hongminhee@hollo.social for sponsoring me on github. You can join them at my sponsors profile: https://github.com/sponsors/SJang1?o=nsm&sc=t

갑자기 @siliconsjang 님이 서울 올라오셔서 같이 又來屋(우래옥) 왔음…!

We just released Bonfire Social 1.0.3 🔥

Blog post with all the details: bonfirenetworks.org/posts/bo...

It comes with dozens of bug fixes and UX improvements, plus:

• Federated comments embeddable on any web page.

• Deep Ghost integration: SSO, membership tier sync, and automatic article import.

• New dashboard widgets: spotlight, polls closing soon, top discussions.

• #CalmEmpowerment: a new design pattern that starts with a few sensible defaults, offers a middle layer of common adjustments, and reveals the full options only when you need them. Boundaries and post permissions got this treatment first, more to follow...

• Modular community rules: a first step in bringing research and co-design with students and researchers at @hci@micro.blogs.princeton.edu into Bonfire, so governance becomes something communities can better define and share, and that others can fork and adapt.

#Bonfire #Fediverse #ActivityPub #Ghost #CommunityRules

@liaizon Yeah, here's the canary docs: https://canary.docs.hollo.social/install/split-domain/

Hollo 0.8.0 shipped less than a month ago, and 0.9.0 is already shaping up to be a bigger release than I expected. New frontend design, Passkey support, WebFinger domain separation, a media proxy, full FEP-044f (Mastodon-style quote posts) compliance, and Traditional Chinese docs. More details when it's out.