DeepSeek-V4-Flash means LLM steering is interesting again https://lobste.rs/s/wycfiy #vibecoding
https://www.seangoedecke.com/steering-vectors/

seangoedecke.com


@hongminhee@hollo.social
An intersectionalist, feminist, and socialist living in Seoul (UTC+09:00). @tokolovesme's spouse. Who's behind @fedify, @hollo, and @botkit. Write some free software in #TypeScript, #Haskell, #Rust, & #Python. They/them.
I'm getting closer to something showable on my side project, a recipe and baking app, #federated with #ActivityPub, https://cookifed.dev.
I'm not ready to accept new users yet, but @dmathieu@cuisine.social is the first ever #cookifed federated account!
cookifed.dev
We are still getting started. But if the promise sounds interesting to you, feel free to get in touch
Thank you @hongminhee@hollo.social for sponsoring me on github. You can join them at my sponsors profile: https://github.com/sponsors/SJang1?o=nsm&sc=t
github.com
Support SJang1's open source work
@siliconsjang suddenly came up to Seoul, so we went to 又來屋 together…!
We just released Bonfire Social 1.0.3 🔥
Blog post with all the details: bonfirenetworks.org/posts/bo...
It comes with dozens of bug fixes and UX improvements, plus:
#CalmEmpowerment: a new design pattern that starts with a few sensible defaults, offers a middle layer of common adjustments, and reveals the full options only when you need them. Boundaries and post permissions got this treatment first, more to follow...
Modular community rules: a first step in bringing research and co-design with students and researchers at @hci@micro.blogs.princeton.edu into Bonfire, so governance becomes something communities can better define and share, and that others can fork and adapt.
bonfire.cafe
A space for Bonfire maintainers and contributors to communicate
Hollo 0.8.0 shipped less than a month ago, and 0.9.0 is already shaping up to be a bigger release than I expected. New frontend design, Passkey support, WebFinger domain separation, a media proxy, full FEP-044f (Mastodon-style quote posts) compliance, and Traditional Chinese docs. More details when it's out.
w3id.org
@cheeaun Is there any particular reason you're using vanilla npm instead of pnpm? I use pnpm, and I didn't have any issues at all in the same situation.
@liaizon Yeah, it's so-called Misskey-style quotes, and as far as I know, Pleroma/Akkoma also implements this style of quotes!
@liaizon That's probably because Hackers' Pub doesn't implement FEP-044f (Mastodon-style quotes) yet… I'll implement it soon!
w3id.org
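My acquaintance @siliconsjang released SiliconBeest v1.0.0 today. It's a fediverse server that runs on just Cloudflare Workers, D1, R2, and Queues, and it uses Fedify.
What I personally found interesting is the starting point: it apparently began when, seeing fediverse servers go down all at once every time Cloudflare had an outage, they thought, "Then why not just run it on Cloudflare?"
The aim is reportedly for a small instance to run on Cloudflare's free plan, and for a somewhat larger one to run for about $5 a month. It's still an early version, so a lot is unimplemented, and compatibility with the Mastodon and Misskey APIs seems to be a goal still some way off.
Since it uses Fedify, I'm personally happy about it. It caught my interest, so I'm sharing it.
The source code is published on GitHub under AGPL 3.0.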
github.com
Fediverse in Cloudflare Workers + live serverless code - SJang1/siliconbeest
Hello everyone!
I'm pleased to announce SiliconBeest v1.0.0, a serverless fediverse software project built on Cloudflare edge computing, aiming for Mastodon API compatibility.

This is still an early version, and many parts are not implemented yet. However, SiliconBeest is an experiment in how lightweight and affordable fediverse software can be when built on top of Cloudflare’s serverless infrastructure, such as Workers, D1, R2, and Queues.
In v1.0.0, I focused on organizing the basic architecture and core functionality first. Going forward, I plan to gradually improve Mastodon API compatibility, federation stability, admin tooling, and documentation.
If you’re interested, please check out the GitHub repository. Issues, feedback, and suggestions are always welcome.
https://github.com/SJang1/siliconbeest
SiliconBeest can be deployed relatively easily using a GitHub template and Cloudflare.
The installation process is still being refined, and I’m aware that there is plenty of room for improvement. I plan to keep improving the documentation and deployment flow over time, and related PRs are always welcome.
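My acquaintance @siliconsjang released SiliconBeest v1.0.0 today. It's #fediverse software built on Fedify and Cloudflare, and it runs entirely on the #Cloudflare serverless stack: Workers, D1, R2, Queues, and so on.
The starting point of the idea is fun. They say it started from seeing fediverse servers go down along with Cloudflare during its outages and thinking, "Then why not just run it on Cloudflare itself?"
On cost, the goal is said to be that small instances can be handled by Cloudflare's free plan and somewhat larger ones by the $5/month plan. It's still an early version, so many features are unimplemented, and Mastodon and Misskey API compatibility is seen as a long-term goal.
I'm glad to see someone using Fedify, and I want to cheer them on, so I'm introducing it.
The source code is published on GitHub under AGPL 3.0.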
A friend of mine, @siliconsjang, released SiliconBeest v1.0.0 today. It's a #fediverse server built on #Cloudflare Workers, D1, R2, and Queues, using Fedify.
I like the starting point: after watching fediverse servers go down together during Cloudflare outages, they thought, why not just run on Cloudflare directly?
They're aiming for something cheap enough that a small instance can stay on Cloudflare's free plan, and a somewhat bigger one can fit in the $5/month tier. It's still early; a lot is missing, and Mastodon/Misskey API compatibility is more of a long-term goal.
I'm glad to see Fedify put to use for something like this. Worth checking out.
The source code is on GitHub under AGPL 3.0.
Today I gave a guest lecture at KAIST CS350 Introduction to Software Engineering. Slides are up.
Nobody's job, everybody's problem: F/OSS in the age of AI: F/OSS basics, the commons problem, how maintainers get funded, and how projects like Zig, Ghostty, and Fedify are handling AI contributions differently.

hongminhee.codeberg.page
A guest lecture for KAIST CS350 Introduction to Software Engineering.

Most CS students use free/open source software every day. Fewer have seen what happens after a project has users, bug reports, security expectations, and downstreams.

The first half looks at why engineers choose free/open source software, why shared infrastructure often has no clear owner, and how maintainers pay for the work. The second half turns to AI-generated code, using contribution policies from Zig, Ghostty, and Fedify to show how maintainers are responding.
I finally deleted #Threads recently because their algorithm is annoying, they gave up on #fediverse support, and their app is loaded with UX dark patterns.
I still use #Instagram because the people I meet in person do, and organizing https://photostroll.nyc kinda requires it.
Fedi is the only place I really feel good about posting on, because I know where data lives and how it's distributed, it's community-run, and usually it's by the type of people I'd want running my virtual social space.

photostroll.nyc
A meetup for and by the NYC-area photography community.
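We are recruiting mentees for the participatory program of the Open Source Contribution Academy (OSSCA), hosted by the Ministry of Science and ICT and the National IT Industry Promotion Agency (NIPA). OSSCA is a program that, over several months, teaches the practical know-how of contributing to people who have been interested in open source but felt lost about how to get involved. Many participants end up connecting with the maintainers of open source projects through this program and go on to contribute to open source in earnest.
Our Fedify project will be at OSSCA again this year, as it was last year. Kwon Jiwon (@z9mb1), Lee Jaeyeol (@kodingwarrior), and Lee Chanhaeng (@2chanhaeng), who were mentees last year, are joining me as mentors. All three became seriously involved in Fedify through last year's OSSCA. In the same way, you too can actually contribute to open source you have only been curious about, and even get fully involved.
I'm not saying this just because I'm a mentor; I genuinely think it's a great opportunity. Students and working professionals alike can apply, so I hope many interested people will take part! → Apply
open-up-kr.typeform.com
Application period: until 2026.06.14 (Sun)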
So, Fedify returns a string and delegates the decision to the user?
Yes, more accurately, it returns a URL object which is a scalar value.

developer.mozilla.org
The URL interface is used to parse, construct, normalize, and encode URLs. It works by providing properties which allow you to easily read and modify the components of a URL.
If you use BotKit, update to a patched release now. A private network protection bypass affects Fedify's remote document loading code, and it also affects BotKit which depends on Fedify.
The validatePublicUrl() function in Fedify, which ensures resources aren't fetched from private or loopback addresses, failed to correctly identify certain IPv6 literals. Specifically, URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals (e.g., http://[::ffff:127.0.0.1]/) could bypass the check.
This vulnerability could allow an attacker to provide a malicious URL that bypasses security checks, potentially allowing them to make the bot fetch internal resources or interact with services on the private network that should not be accessible from the public internet.
All versions of BotKit up to 0.3.1 (in the 0.3.x branch) and 0.4.0 (in the 0.4.x branch) are affected. Patched releases are 0.3.2 and 0.4.1.
For BotKit 0.4.x, update @fedify/botkit:
npm update @fedify/botkit
yarn upgrade @fedify/botkit
pnpm update @fedify/botkit
bun update @fedify/botkit
deno update @fedify/botkit
For BotKit 0.3.x, update @fedify/botkit:
npm update @fedify/botkit@0.3.2
yarn upgrade @fedify/botkit@0.3.2
pnpm update @fedify/botkit@0.3.2
bun update @fedify/botkit@0.3.2
deno update @fedify/botkit@0.3.2
If you use other BotKit-related packages (e.g., @fedify/botkit-sqlite), update them as well. After updating, redeploy.
Thanks to Changkyun Kim (@me) for the report and responsible disclosure.
If anything is unclear, feel free to ask on GitHub Discussions or Matrix.
matrix.to
You're invited to talk on Matrix
the 90 day disclosure policy is dead https://lobste.rs/s/qxkdgl #security
https://blog.himanshuanand.com/2026/05/the-90-day-disclosure-policy-is-dead/
blog.himanshuanand.com
TLDR The 90 day responsible disclosure window was built for a world where bug finders were rare and exploit development was slow. That world is gone. LLMs have compressed both timelines to near-zero. I have seen it first hand, and so has everyone else paying attention. This post lays out why the old model is broken, with real stories, and makes one ask to the industry: treat every critical security issue as P0 and patch it immediately.
Mythos finds a curl vulnerability via @andrewnez https://lobste.rs/s/am7evd #ai #security
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/

daniel.haxx.se
yes, as in singular one. Back in April 2026 Anthropic caused a lot of media noise when they concluded that their new AI model Mythos is dangerously good at finding security flaws in source code. Apparently Mythos was so good at this that Anthropic would not release this model to the public yet but instead … Continue reading Mythos finds a curl vulnerability →
If you run Hollo, update to a patched release now. A private network protection bypass in Fedify, the ActivityPub framework Hollo depends on, affects remote document loading. URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals, such as http://[::ffff:7f00:1]/, could pass URL validation even though they refer to private or loopback addresses.
Hollo uses Fedify to fetch remote ActivityPub documents and related resources. An attacker who can make your Hollo instance fetch an attacker-controlled URL may be able to bypass the private address checks that are intended to reduce SSRF (Server-Side Request Forgery) risk.
All Hollo versions up to and including 0.7.14 and 0.8.2 are affected. Patched releases are 0.7.15 for the 0.7.x series and 0.8.3 for the 0.8.x series. For full technical details of the underlying vulnerability, see the Fedify security announcement.
For 0.7.x deployments, update to 0.7.15:
docker pull ghcr.io/fedify-dev/hollo:0.7.15
For 0.8.x deployments, update to 0.8.3:
docker pull ghcr.io/fedify-dev/hollo:0.8.3
After pulling the new image, restart your Hollo container. If you deploy from source, pull the corresponding release tag and restart.
Thanks to Changkyun Kim (@me) for the report and responsible disclosure to the Fedify project.
If anything is unclear, ask below.
Released on May 10, 2026. Upgraded Fedify to 2.1.12 to fix a critical SSRF (Server-Side Request Forgery) vulnerability where private IPv4 addresses encoded as IPv6 literals could bypass security c...
If you use Fedify, update to a patched release now. A private network protection bypass affects Fedify's remote document loading code. URLs with private IPv4 addresses encoded as IPv4-mapped IPv6 literals, such as http://[::ffff:7f00:1]/, could pass validatePublicUrl() even though they refer to private or loopback addresses.
Fedify uses validatePublicUrl() when fetching remote ActivityPub documents and related resources. An attacker who can make a Fedify server fetch an attacker-controlled URL may be able to bypass the private address checks that are intended to reduce SSRF risk.
All versions up to and including 2.2.0 are affected. Patched releases are 1.9.10, 1.10.9, 2.0.16, 2.1.12, and 2.2.1.
For Fedify 1.x, update @fedify/fedify:
npm update @fedify/fedify
yarn upgrade @fedify/fedify
pnpm update @fedify/fedify
bun update @fedify/fedify
deno update @fedify/fedify
For Fedify 2.x, update both @fedify/fedify and @fedify/vocab-runtime:
npm update @fedify/fedify @fedify/vocab-runtime
yarn upgrade @fedify/fedify @fedify/vocab-runtime
pnpm update @fedify/fedify @fedify/vocab-runtime
bun update @fedify/fedify @fedify/vocab-runtime
deno update @fedify/fedify @fedify/vocab-runtime
After updating, redeploy. If you run other Fedify-based servers, update those too.
Thanks to Changkyun Kim (@me) for the report and responsible disclosure.
If anything is unclear, ask below.
Released on May 10, 2026. @fedify/vocab-runtime Fixed validatePublicUrl() allowing private IPv4 addresses encoded as IPv4-mapped IPv6 URL literals, such as http://[::ffff:7f00:1]/, which could byp...
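An added example, not part of the BotKit, Hollo, or Fedify posts above and not Fedify's own code: it shows why the IPv4-mapped IPv6 literals named in those advisories slip past a text-based private-address filter, and how decoding the embedded IPv4 address closes the gap. The function names (naiveIsPublic, expandIPv6, isPrivateIPv4, isPublicUrl) and the naive filter are hypothetical.

```javascript
// Added example; illustrative only, not Fedify's validatePublicUrl() source.
// Scope: IP literals in the URL. Host names that resolve to private
// addresses need a separate check at DNS resolution time, and other
// IPv4-in-IPv6 embeddings (e.g. NAT64) are not covered here.

// Hypothetical naive filter (assumption): matches textual prefixes only.
function naiveIsPublic(input) {
  const host = new URL(input).hostname;
  return !/^(127\.|10\.|192\.168\.|localhost$|\[::1\]$)/.test(host);
}

// Expand a WHATWG-serialised IPv6 literal (brackets removed) to 8 groups.
function expandIPv6(literal) {
  const [head, tail] = literal.split("::");
  const h = head ? head.split(":") : [];
  const t = tail ? tail.split(":") : [];
  const zeros = literal.includes("::") ? 8 - h.length - t.length : 0;
  return [...h, ...Array(zeros).fill("0"), ...t].map((g) => parseInt(g, 16));
}

// Loopback, RFC 1918, link-local and "this network" IPv4 ranges.
function isPrivateIPv4(a, b) {
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168);
}

function isPublicUrl(input) {
  // The URL parser rewrites [::ffff:127.0.0.1] to [::ffff:7f00:1], so the
  // dotted form never reaches the check; work on the numeric groups instead.
  const host = new URL(input).hostname;
  if (host.startsWith("[")) {
    const g = expandIPv6(host.slice(1, -1));
    // ::ffff:a.b.c.d carries an IPv4 address in its last two groups,
    // so it is judged by the IPv4 rules, not as an opaque IPv6 host.
    const mapped = g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff;
    if (mapped) return !isPrivateIPv4(g[6] >> 8, g[6] & 0xff);
    const loopbackOrUnspecified =
      g.slice(0, 7).every((x) => x === 0) && g[7] <= 1; // ::1 and ::
    const uniqueLocal = (g[0] & 0xfe00) === 0xfc00;      // fc00::/7
    const linkLocal = (g[0] & 0xffc0) === 0xfe80;        // fe80::/10
    return !(loopbackOrUnspecified || uniqueLocal || linkLocal);
  }
  const m = host.match(/^(\d+)\.(\d+)\.\d+\.\d+$/);
  if (m) return !isPrivateIPv4(Number(m[1]), Number(m[2]));
  return host !== "localhost";
}

// Constructed sample inputs; the first two are the literals quoted in the advisories.
const samples = [
  "http://[::ffff:127.0.0.1]/",
  "http://[::ffff:7f00:1]/",
  "http://[::ffff:c0a8:101]/", // 192.168.1.1, constructed
  "http://[::ffff:808:808]/",  // 8.8.8.8, constructed
  "https://example.com/",
];
for (const url of samples) {
  console.log(url, "->", new URL(url).hostname,
    "| naive:", naiveIsPublic(url), "| mapped-aware:", isPublicUrl(url));
}
```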
@kodingwarrior You had tteokbokki again…!?
I'm here at PyCon Busan 2026! I'm manning the Hackers' Pub community booth with @kodingwarrior and @2chanhaeng. Stop by and we'll give you some Hackers' Pub stickers!