洪 民憙 (Hong Minhee) :nonbinary:'s avatar

洪 民憙 (Hong Minhee) :nonbinary:

@hongminhee@hollo.social

1,075 following1,887 followers

An intersectionalist, feminist, and socialist living in Seoul (UTC+09:00). @tokolovesme's spouse. Who's behind @fedify, @hollo, and @botkit. Write some free software in , , , & . They/them.

서울에 사는 交叉女性主義者이자 社會主義者. 金剛兔(@tokolovesme)의 配偶者. @fedify, @hollo, @botkit 메인테이너. , , , 等으로 自由 소프트웨어 만듦.

()

Website

https://hongminhee.org/

GitHub

https://github.com/dahlia

Blog

https://writings.hongminhee.org/

Hackers' Pub

https://hackers.pub/@hongminhee

Hollo :hollo:
@hollo@hollo.social

Hollo 0.9.0 is out. https://github.com/fedify-dev/hollo/discussions/496

The biggest change this release is a complete redesign of every server-rendered page. Pico CSS is replaced by a new design system built on UnoCSS, and your chosen theme color now tints your profile and dashboard pages throughout.

Other highlights:

  • Passkey (WebAuthn) authentication: sign in with a biometric or PIN gesture, which counts as MFA so there's no separate TOTP step
  • Full FEP-044f quote authorization: QuoteRequest/Accept/Reject federation, quote policy enforcement, and dereferenceable QuoteAuthorization objects
  • A configurable media proxy (MEDIA_PROXY=proxy or cache) that re-serves remote avatars, attachments, and preview images from Hollo's own origin
  • Optional split-domain WebFinger via HANDLE_HOST + WEB_ORIGIN
  • Public followers/following pages and per-post reaction list pages (likes, boosts, emoji reactions, quotes)

There were also several serious database performance fixes: profile page queries that were taking hundreds of seconds on cold caches, a NodeInfo endpoint doing a full table scan on every request, and a handful of timeline pagination bugs.

Public profile for 洪 民憙 (Hong Minhee) with a bookstore header image, circular avatar, follower and following counts, bio, custom fields including website and GitHub links, and a pinned post card below
ALT text

Public profile for 洪 民憙 (Hong Minhee) with a bookstore header image, circular avatar, follower and following counts, bio, custom fields including website and GitHub links, and a pinned post card below

The “Edit @hongminhee” admin page showing the new Hollo design: profile image upload areas for avatar and header, identity fields for display name and bio, custom fields table with label-value pairs, privacy checkboxes, a 20-swatch theme color picker with orange selected, and a “Save changes” button
ALT text

The “Edit @hongminhee” admin page showing the new Hollo design: profile image upload areas for avatar and header, identity fields for display name and bio, custom fields table with label-value pairs, privacy checkboxes, a 20-swatch theme color picker with orange selected, and a “Save changes” button

NTSK
@ntek@hl.oyasumi.dev

みんなHollo使おうぜ!!!!!!!!!!!!!!

川音리오@KawaneRio#8706
@rio@kawane.misskey.online

This is the CUTEST kawaii Ai-chan ((あい)"Ai" is a normal female Japanese name meaning "Indigo" both the color and the plant; "Ai"-chan, the mascot of Misskey, has nothing to do with Large Language Models) I have ever seen from a technical literature titled like "Practical Fedify: An Introduction to ActivityPub Microblog Development"! I even see other mascots in the Fediverse too, like Don the Mastodon and that Blue Dinosaur mascot of Fedify (I don't know its name).
Huge thanks to @hongminhee@hollo.social https://hollo.social/@hongminhee for their work on authoring this amazing book and developing Fedify itself! And if you can read Japanese and are interested in Fedify and ActivityPub Development, then definitely check this one out! You can pre-order the book on Amazon Japan → https://amzn.asia/d/0hQSKBmI (The book will be printed on May 22)

Book cover "Practical Fedify" (実践Fedify) featuring anime-style girl, elephant, and blue creature. Subtitle: "Introduction to Microblog Development" (マイクロブログ開発入門). Technical guide covering decentralized social network mechanisms for microblog development.
ALT text

Book cover "Practical Fedify" (実践Fedify) featuring anime-style girl, elephant, and blue creature. Subtitle: "Introduction to Microblog Development" (マイクロブログ開発入門). Technical guide covering decentralized social network mechanisms for microblog development.

洪 民憙 (Hong Minhee) :nonbinary:
@hongminhee@hollo.social · Reply to 洪 民憙 (Hong Minhee) :nonbinary:

日本で世界初のFedifyの書籍「実践Fedify——ActivityPubマイクロブログ開発入門」が出版されました。この本は私にとって初めての著書でもありますが、最初の本が母語の韓国語ではなく日本語だというのは、なんだかとても不思議な気分ですね。本書は、英語で書かれたFedifyの公式チュートリアル「Creating your own federated microblog」をベースに、様々な加筆を行ったものです。Fedifyのマスコットの恐竜と、Misskeyのマスコットである三須木みすき あい、Mastodonのマスコットが一緒に描かれた可愛い表紙のイラストは、ゆめつきママさんが描いてくださいました。電子書籍と紙の書籍の両方で、来る22日にインプレス NextPublishingから出版される予定です。

インプレス NextPublishing刊、洪 民憙(ホン・ミンヒ)著「実践Fedify——ActivityPubマイクロブログ開発入門」の表紙。セーラー服を着たMisskeyの猫耳マスコット・藍ちゃんが、Fedifyの青い恐竜マスコットとMastodonの黄色い象マスコットの上でジャンプしながら指を差しており、周囲にはカラフルな星や幾何学模様が散りばめられている。
ALT text

インプレス NextPublishing刊、洪 民憙(ホン・ミンヒ)著「実践Fedify——ActivityPubマイクロブログ開発入門」の表紙。セーラー服を着たMisskeyの猫耳マスコット・藍ちゃんが、Fedifyの青い恐竜マスコットとMastodonの黄色い象マスコットの上でジャンプしながら指を差しており、周囲にはカラフルな星や幾何学模様が散りばめられている。

洪 民憙 (Hong Minhee) :nonbinary:
@hongminhee@hollo.social

The world's first Fedify book, Practical Fedify: Introduction to ActivityPub Microblog Development (実践Fedify——ActivityPubマイクロブログ開発入門), has been published in Japan. This is also the first book I have ever published, and it feels quite surreal that my first book is in Japanese rather than my native language, Korean. This book is an expanded version based on the official English Fedify tutorial, Creating your own federated microblog, with various additions. Yumetsuki Mama (ゆめつきママ) worked on the cute book cover illustration, which features the Fedify dinosaur mascot, Misskey's mascot Ai-chan, and the Mastodon mascot together. It is scheduled to be published in both e-book and print formats on the 22nd by Impress NextPublishing. See also the Amazon Japan.

Cover of Practical Fedify: Introduction to ActivityPub Microblog Development (実践Fedify——ActivityPubマイクロブログ開発入門) by Hong Minhee (洪 民憙), published by Impress NextPublishing. Ai-chan, Misskey's cat-eared mascot in a sailor uniform, jumps and points upward above Fedify's blue dinosaur mascot and Mastodon's small golden mascot, with colorful stars and geometric shapes scattered around.
ALT text

Cover of Practical Fedify: Introduction to ActivityPub Microblog Development (実践Fedify——ActivityPubマイクロブログ開発入門) by Hong Minhee (洪 民憙), published by Impress NextPublishing. Ai-chan, Misskey's cat-eared mascot in a sailor uniform, jumps and points upward above Fedify's blue dinosaur mascot and Mastodon's small golden mascot, with colorful stars and geometric shapes scattered around.

のえる
@noellabo@fedibird.com

お、洪民憙さんの本でてるじゃん。

みんなActivityPubの自力実装で挫折するぐらいなら、この本を買ってFedify組み込んで開発するといいよ。

実践Fedify ActivityPubマイクロブログ開発入門
nextpublishing.jp/book/19496.h

nextpublishing.jp

実践Fedify ActivityPubマイクロブログ開発入門 | インプレス NextPublishing

本書は、JavaScript/TypeScriptの基礎知識を有する読者を対象に、分散型ソーシャルネットワークであるフェディバースを支えるActivi...

:rss: PR TIMES
@prtimes@rss-mstdn.studiofreesia.com

分散型ソーシャルネットワークの仕組みを理解しよう! 『実践Fedify ActivityPubマイクロブログ開発入門』発行 技術の泉シリーズ、5月の新刊
prtimes.jp/main/html/rd/p/0000

prtimes.jp

分散型ソーシャルネットワークの仕組みを理解しよう! 『実践Fedify ActivityPubマイクロブログ開発入門』発行 技術の泉シリーズ、5月の新刊

株式会社インプレスホールディングスのプレスリリース(2026年5月19日 11時00分)分散型ソーシャルネットワークの仕組みを理解しよう! 『実践Fedify ActivityPubマイクロブログ開発入門』発行 技術の泉シリーズ、5月の新刊

오르필 많이먹기 협회
@makanomoyaki@qdon.space

실천 Fedify

- 일단 대표로 아이 쨩(미스키 마스코트)가 대문짝만한게 그려져있음 (귀여워)
- 마스토돈도 뒤에 그려져있음
- 한국이 아니라 일본임
- 저자 이름이 가타카나로 홍민희가 아니라 한자 그대로 써있음

hackers.pub/@hongminhee/019e3e

hackers.pub

일본에서 제가 쓴 Fedify 책 〈실천 Fedify: ActivityPub 마이크로블로그 개발 입문〉(実践Fedify——ActivityPubマイクロブログ開発入門)이 나왔어요! 정식 출판된 책은 처음 써보는데, 그게 한국어가 아니라 일본어라는 게 뭔가 신기하네요…! 출판사 페이지: https://nextpublishing.jp/book/19496.htmlAmazon Japan: https://amzn.asia/d/0hA3KTeQ

일본에서 제가 쓴 Fedify 책 〈실천 Fedify: ActivityPub 마이크로블로그 개발 입문〉(実践Fedify——ActivityPubマイクロブログ開発入門)이 나왔어요! 정식 출판된 책은 처음 써보는데, 그게 한국어가 아니라 일본어라는 게 뭔가 신기하네요…! 출판사 페이지: https://nextpublishing.jp/book/19496.htmlAmazon Japan: https://amzn.asia/d/0hA3KTeQ

洪 民憙 (Hong Minhee)
@hongminhee@hackers.pub

일본에서 제가 쓴 Fedify 책 〈실천 Fedify: ActivityPub 마이크로블로그 개발 입문〉(実践Fedify——ActivityPubマイクロブログ開発入門)이 나왔어요! 정식 출판된 책은 처음 써보는데, 그게 한국어가 아니라 일본어라는 게 뭔가 신기하네요…!

출판사 페이지: https://nextpublishing.jp/book/19496.html
Amazon Japan: https://amzn.asia/d/0hA3KTeQ



RE: https://fedibird.com/@noellabo/116599256677289467

〈실천 Fedify: ActivityPub 마이크로블로그 개발 입문〉(実践Fedify——ActivityPubマイクロブログ開発入門)이라는 일본어 기술 서적 표지입니다. 고양이 귀를 한 소녀가 캐릭터들과 함께 활기차게 달리는 모습이 그려져 있으며, 파스텔 톤의 별과 도형들이 배경에 장식되어 있습니다. 하단에는 분산형 소셜 네트워크의 구조를 이해하라는 문구가 적혀 있습니다.
ALT text

〈실천 Fedify: ActivityPub 마이크로블로그 개발 입문〉(実践Fedify——ActivityPubマイクロブログ開発入門)이라는 일본어 기술 서적 표지입니다. 고양이 귀를 한 소녀가 캐릭터들과 함께 활기차게 달리는 모습이 그려져 있으며, 파스텔 톤의 별과 도형들이 배경에 장식되어 있습니다. 하단에는 분산형 소셜 네트워크의 구조를 이해하라는 문구가 적혀 있습니다.

洪 民憙 (Hong Minhee)
@hongminhee@hackers.pub

일본에서 제가 쓴 Fedify 책 〈실천 Fedify: ActivityPub 마이크로블로그 개발 입문〉(実践Fedify——ActivityPubマイクロブログ開発入門)이 나왔어요! 정식 출판된 책은 처음 써보는데, 그게 한국어가 아니라 일본어라는 게 뭔가 신기하네요…!

출판사 페이지: https://nextpublishing.jp/book/19496.html
Amazon Japan: https://amzn.asia/d/0hA3KTeQ



RE: https://fedibird.com/@noellabo/116599256677289467

〈실천 Fedify: ActivityPub 마이크로블로그 개발 입문〉(実践Fedify——ActivityPubマイクロブログ開発入門)이라는 일본어 기술 서적 표지입니다. 고양이 귀를 한 소녀가 캐릭터들과 함께 활기차게 달리는 모습이 그려져 있으며, 파스텔 톤의 별과 도형들이 배경에 장식되어 있습니다. 하단에는 분산형 소셜 네트워크의 구조를 이해하라는 문구가 적혀 있습니다.
ALT text

〈실천 Fedify: ActivityPub 마이크로블로그 개발 입문〉(実践Fedify——ActivityPubマイクロブログ開発入門)이라는 일본어 기술 서적 표지입니다. 고양이 귀를 한 소녀가 캐릭터들과 함께 활기차게 달리는 모습이 그려져 있으며, 파스텔 톤의 별과 도형들이 배경에 장식되어 있습니다. 하단에는 분산형 소셜 네트워크의 구조를 이해하라는 문구가 적혀 있습니다.

This quote was not authorized by the quoted post's author.

洪 民憙 (Hong Minhee) :nonbinary:
@hongminhee@hollo.social · Reply to 洪 民憙 (Hong Minhee) :nonbinary:

Hollo 0.7.16および0.8.5のセキュリティパッチをリリースしました。かなり多くの脆弱性を一度に修正するパッチです。早急にアップデートしてください。

Hollo :hollo:
@hollo@hollo.social

Hollo security updates: 0.7.16 and 0.8.5

If you run Hollo, update to a patched release now. Hollo 0.7.16 and 0.8.5 fix several security issues in ActivityPub federation, the web admin UI, OAuth, and the transitive fast-xml-parser dependency.

On the federation side, three inbox handlers were missing authorization checks. Any remote actor could send a Delete to remove any cached post by IRI, an Update to overwrite or first-materialize a cached post under another actor's name, or a cross-origin Announce whose attacker-controlled embedded body materialized as someone else's post. The checks now differ by activity type. A Delete is ignored unless the deleter's origin matches the cached post author's origin. An Update is ignored unless the activity actor, the embedded object's id, and its attributedTo all share an origin. For Announce, Hollo no longer trusts attacker-supplied embedded content to create or overwrite the original post: unknown cross-origin objects are fetched from their canonical URL, and any newly cached object must have matching id and attributedTo origins. Separately, Follow, Like, EmojiReact, and Announce from a blocked actor were processed normally and still produced notifications; they are now silently dropped at the inbox.

On the web admin side, login and OTP cookies were set without HttpOnly, SameSite, or Secure, and state-changing forms had no Origin or Sec-Fetch-Site check. A single reflected XSS could exfiltrate the admin session, and a malicious page could submit a hidden cross-site form to disable 2FA, delete an account, or silently authorize a rogue OAuth application. The affected dashboard routes and POST /oauth/authorize now run Hono's CSRF middleware, and the login and OTP cookies now carry those attributes.

The transitive fast-xml-parser (carried in via the AWS SDK that backs S3 storage) is now pinned to patched versions, closing one critical and several high-severity advisories. Hollo also now uses constant-time comparison for the OAuth PKCE check and the multi-credential client-secret consistency check, and it warns at startup when LOG_QUERY=true is set, because drizzle-orm logs bound parameter values, including OAuth tokens and other secrets.

All Hollo versions up to and including 0.7.15 and 0.8.4 are affected. Patched releases are 0.7.16 for the 0.7.x series and 0.8.5 for the 0.8.x series. CHANGES.md has the longer notes, including the availability trade-off for cross-origin Announce validation when the canonical origin is unreachable.

For 0.7.x deployments, update to 0.7.16:

docker pull ghcr.io/fedify-dev/hollo:0.7.16

For 0.8.x deployments, update to 0.8.5:

docker pull ghcr.io/fedify-dev/hollo:0.8.5

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

If anything is unclear, ask below.

Release Hollo 0.8.5 · fedify-dev/hollo

Released on May 19, 2026. Fixed a security vulnerability where any federated actor could send a Delete activity to remove cached remote posts authored by any other actor, because the inbox handle...

洪 民憙 (Hong Minhee) :nonbinary:
@hongminhee@hollo.social · Reply to 洪 民憙 (Hong Minhee) :nonbinary:

Hollo 0.7.16 및 0.8.5 保安(보안) 패치를 릴리스했습니다. 相當(상당)히 많은 保安(보안) 脆弱點(취약점)을 한 ()에 고치는 패치입니다. 早速(조속)히 업데이트 하시기 바랍니다.

Hollo :hollo:
@hollo@hollo.social

Hollo security updates: 0.7.16 and 0.8.5

If you run Hollo, update to a patched release now. Hollo 0.7.16 and 0.8.5 fix several security issues in ActivityPub federation, the web admin UI, OAuth, and the transitive fast-xml-parser dependency.

On the federation side, three inbox handlers were missing authorization checks. Any remote actor could send a Delete to remove any cached post by IRI, an Update to overwrite or first-materialize a cached post under another actor's name, or a cross-origin Announce whose attacker-controlled embedded body materialized as someone else's post. The checks now differ by activity type. A Delete is ignored unless the deleter's origin matches the cached post author's origin. An Update is ignored unless the activity actor, the embedded object's id, and its attributedTo all share an origin. For Announce, Hollo no longer trusts attacker-supplied embedded content to create or overwrite the original post: unknown cross-origin objects are fetched from their canonical URL, and any newly cached object must have matching id and attributedTo origins. Separately, Follow, Like, EmojiReact, and Announce from a blocked actor were processed normally and still produced notifications; they are now silently dropped at the inbox.

On the web admin side, login and OTP cookies were set without HttpOnly, SameSite, or Secure, and state-changing forms had no Origin or Sec-Fetch-Site check. A single reflected XSS could exfiltrate the admin session, and a malicious page could submit a hidden cross-site form to disable 2FA, delete an account, or silently authorize a rogue OAuth application. The affected dashboard routes and POST /oauth/authorize now run Hono's CSRF middleware, and the login and OTP cookies now carry those attributes.

The transitive fast-xml-parser (carried in via the AWS SDK that backs S3 storage) is now pinned to patched versions, closing one critical and several high-severity advisories. Hollo also now uses constant-time comparison for the OAuth PKCE check and the multi-credential client-secret consistency check, and it warns at startup when LOG_QUERY=true is set, because drizzle-orm logs bound parameter values, including OAuth tokens and other secrets.

All Hollo versions up to and including 0.7.15 and 0.8.4 are affected. Patched releases are 0.7.16 for the 0.7.x series and 0.8.5 for the 0.8.x series. CHANGES.md has the longer notes, including the availability trade-off for cross-origin Announce validation when the canonical origin is unreachable.

For 0.7.x deployments, update to 0.7.16:

docker pull ghcr.io/fedify-dev/hollo:0.7.16

For 0.8.x deployments, update to 0.8.5:

docker pull ghcr.io/fedify-dev/hollo:0.8.5

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

If anything is unclear, ask below.

Release Hollo 0.8.5 · fedify-dev/hollo

Released on May 19, 2026. Fixed a security vulnerability where any federated actor could send a Delete activity to remove cached remote posts authored by any other actor, because the inbox handle...

洪 民憙 (Hong Minhee) :nonbinary:
@hongminhee@hollo.social

We have released security patches for Hollo 0.7.16 and 0.8.5. This update addresses a significant number of security vulnerabilities at once. Please update your software as soon as possible.

Hollo :hollo:
@hollo@hollo.social

Hollo security updates: 0.7.16 and 0.8.5

If you run Hollo, update to a patched release now. Hollo 0.7.16 and 0.8.5 fix several security issues in ActivityPub federation, the web admin UI, OAuth, and the transitive fast-xml-parser dependency.

On the federation side, three inbox handlers were missing authorization checks. Any remote actor could send a Delete to remove any cached post by IRI, an Update to overwrite or first-materialize a cached post under another actor's name, or a cross-origin Announce whose attacker-controlled embedded body materialized as someone else's post. The checks now differ by activity type. A Delete is ignored unless the deleter's origin matches the cached post author's origin. An Update is ignored unless the activity actor, the embedded object's id, and its attributedTo all share an origin. For Announce, Hollo no longer trusts attacker-supplied embedded content to create or overwrite the original post: unknown cross-origin objects are fetched from their canonical URL, and any newly cached object must have matching id and attributedTo origins. Separately, Follow, Like, EmojiReact, and Announce from a blocked actor were processed normally and still produced notifications; they are now silently dropped at the inbox.

On the web admin side, login and OTP cookies were set without HttpOnly, SameSite, or Secure, and state-changing forms had no Origin or Sec-Fetch-Site check. A single reflected XSS could exfiltrate the admin session, and a malicious page could submit a hidden cross-site form to disable 2FA, delete an account, or silently authorize a rogue OAuth application. The affected dashboard routes and POST /oauth/authorize now run Hono's CSRF middleware, and the login and OTP cookies now carry those attributes.

The transitive fast-xml-parser (carried in via the AWS SDK that backs S3 storage) is now pinned to patched versions, closing one critical and several high-severity advisories. Hollo also now uses constant-time comparison for the OAuth PKCE check and the multi-credential client-secret consistency check, and it warns at startup when LOG_QUERY=true is set, because drizzle-orm logs bound parameter values, including OAuth tokens and other secrets.

All Hollo versions up to and including 0.7.15 and 0.8.4 are affected. Patched releases are 0.7.16 for the 0.7.x series and 0.8.5 for the 0.8.x series. CHANGES.md has the longer notes, including the availability trade-off for cross-origin Announce validation when the canonical origin is unreachable.

For 0.7.x deployments, update to 0.7.16:

docker pull ghcr.io/fedify-dev/hollo:0.7.16

For 0.8.x deployments, update to 0.8.5:

docker pull ghcr.io/fedify-dev/hollo:0.8.5

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

If anything is unclear, ask below.

Release Hollo 0.8.5 · fedify-dev/hollo

Released on May 19, 2026. Fixed a security vulnerability where any federated actor could send a Delete activity to remove cached remote posts authored by any other actor, because the inbox handle...

Hollo :hollo:
@hollo@hollo.social

Hollo security updates: 0.7.16 and 0.8.5

If you run Hollo, update to a patched release now. Hollo 0.7.16 and 0.8.5 fix several security issues in ActivityPub federation, the web admin UI, OAuth, and the transitive fast-xml-parser dependency.

On the federation side, three inbox handlers were missing authorization checks. Any remote actor could send a Delete to remove any cached post by IRI, an Update to overwrite or first-materialize a cached post under another actor's name, or a cross-origin Announce whose attacker-controlled embedded body materialized as someone else's post. The checks now differ by activity type. A Delete is ignored unless the deleter's origin matches the cached post author's origin. An Update is ignored unless the activity actor, the embedded object's id, and its attributedTo all share an origin. For Announce, Hollo no longer trusts attacker-supplied embedded content to create or overwrite the original post: unknown cross-origin objects are fetched from their canonical URL, and any newly cached object must have matching id and attributedTo origins. Separately, Follow, Like, EmojiReact, and Announce from a blocked actor were processed normally and still produced notifications; they are now silently dropped at the inbox.

On the web admin side, login and OTP cookies were set without HttpOnly, SameSite, or Secure, and state-changing forms had no Origin or Sec-Fetch-Site check. A single reflected XSS could exfiltrate the admin session, and a malicious page could submit a hidden cross-site form to disable 2FA, delete an account, or silently authorize a rogue OAuth application. The affected dashboard routes and POST /oauth/authorize now run Hono's CSRF middleware, and the login and OTP cookies now carry those attributes.

The transitive fast-xml-parser (carried in via the AWS SDK that backs S3 storage) is now pinned to patched versions, closing one critical and several high-severity advisories. Hollo also now uses constant-time comparison for the OAuth PKCE check and the multi-credential client-secret consistency check, and it warns at startup when LOG_QUERY=true is set, because drizzle-orm logs bound parameter values, including OAuth tokens and other secrets.

All Hollo versions up to and including 0.7.15 and 0.8.4 are affected. Patched releases are 0.7.16 for the 0.7.x series and 0.8.5 for the 0.8.x series. CHANGES.md has the longer notes, including the availability trade-off for cross-origin Announce validation when the canonical origin is unreachable.

For 0.7.x deployments, update to 0.7.16:

docker pull ghcr.io/fedify-dev/hollo:0.7.16

For 0.8.x deployments, update to 0.8.5:

docker pull ghcr.io/fedify-dev/hollo:0.8.5

After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.

If anything is unclear, ask below.

Release Hollo 0.8.5 · fedify-dev/hollo

Released on May 19, 2026. Fixed a security vulnerability where any federated actor could send a Delete activity to remove cached remote posts authored by any other actor, because the inbox handle...

Matt Campbell
@matt@toot.cafe

I just read about a blind person vibe-coding a new email client for Windows. Not linking because I don't want people to pile onto this person, who is a veteran of the software industry and a respected, persistent accessibility advocate and contributor to assistive technology. Instead, I want to point out how badly the commercial software industry, particularly Microsoft in this case, has failed us such that an individual feels the need to do this. Don't know what to do instead though.

스쟝
@siliconsjang@siliconbeest.sjang.dev

Again, this service is to develop and test siliconbeest.
Soon, maybe in few days or something, I am going to make a MAIN siliconbeest service with new domain, (and yes, keep this service up and running) so you can use this service but also keep on eye on the new domain!