This is the discussion thread for the draft FEP-baf5: Administrator Collection
> This FEP introduces a mechanism for discovering the administrators of an ActivityPub instance. It extends the "Group Moderator" pattern from [FEP 1b12][1b12] and the "Application Actor" concept from [FEP 2677][2677] by defining an OrderedCollection of administrators referenced from the instance's application actor.
I received a security vulnerability report regarding NodeBB's handling of Update and Delete activities.
tl;dr
Update and Delete activities as valid if the activity's actor and the object's attributedTo differ but the origins are identical.@[email protected] is allowed to federate Delete(Note) on @[email protected]'s Note.Are they right?
I responded that FEP fe34 allows for this behaviour because we do not have ready access to an instance's admin or moderator list. By conducting same-origin checks and allowing Update and Delete through for same-origin (but different identifier), we allow for moderators to federate their actions across instances.
Their response:
> I respectfully disagree that FEP-fe34 permits this behavior. Below are direct quotes from the specification that contradict your assessment. > > 1. ActivityPub spec (quoted in FEP-fe34 Rationale, Section 7.3 Update Activity): > > ▎ "The receiving server MUST take care to be sure that the Update is authorized to modify its object. At minimum, this may be done by ensuring that the Update and its object are of same origin." > > Note: "at minimum" means same-origin is the floor, not the ceiling. Authorization must still be verified. >2. FEP-fe34 — Authorization > Ownership: > > ▎ "The actor that creates an object MUST be its owner." > ▎ "The owner of an object is permitted to modify and delete it." > ▎ "Update and Delete activities, and objects indicated by their object property are expected to have the same owner." > > "Same owner" means the same specific actor — not any actor on the same domain.
I responded back with the following:
> "The actor that creates an object MUST be its owner."
>
>
> Correct, the creator must be an owner, no impersonation allowed.
>
>
> "The owner of an object is permitted to modify and delete it."
>
>
> A strict reading of this does not preclude the ability of a same-origin moderator to modify and delete the object. This is my argument.
>
>
> "Update and Delete activities, and objects indicated by their object property are expected to have the same owner."
>
>
> Again, "expected to" does not rise to the level of MUST.
>
> I agree out of principle that the security implications exist, but if you follow through with the exploit, it requires a non-compliant server to allow users to publish Update and Delete for other users on the same instance, and even then the exposure is limited to users of that origin only (e.g. your server cannot arbitrarily delete my posts). This is the foundation of the Origin-based security model.
So we are at an impasse as to whether my strict reading of the FEP is adherent to the spirit of the FEP itself. Here's where you come in... do you agree with me, or the reporter?
Directly tagging @[email protected] (as FEP author), @[email protected] and @[email protected] (both subject matter experts) for their thoughts.
Hi @[email protected] I've got a question about Activity Intents!
I'm implementing it now (as you noticed) and have run into an interesting issue. The wording of 3b86 suggests that the intents are distinct between users. That is, the end user inputs their handle, the handle is queried via webfinger, and supported Intents are returned.
However, the intents themselves don't really distinguish between users.
So I could have a localStorage session with multiple handles registered (e.g. [email protected], [email protected]), etc. — this works fine.
But if I had two handles with the same domain, [email protected] and [email protected], then my intents can't be targeted, can they... I just fire off the request (or rather, I have the end user's browser navigate) to the intent URL and whatever account is logged in will be the actor.
Did I miss something, or was there a way to distinguish actors in Activity Intents?
P.S. I find it highly amusing that you had to click through to activitypub.space to read my whole post, but because I don't support Activity Intents yet, you can't reply properly :rolling_on_the_floor_laughing:
@[email protected] I have a question for you... I'm seeing in Are we HS2019 yet? that Peertube and Misskey both use your package: @peertube/http-signature
NodeBB currently rolls its own cavage-12 support but and I did some preliminary research into updating to the latest HTTP Signatures draft, but quickly got overwhelmed.
For a variety of reasons, but mainly to avoid NIH, I'd consider switching to a dependency.
My question is: does your library support verification for non-hs2019 signatures, or will I need to invoke your library in front, and fall back to existing cavage-12 verification otherwise?
I suppose, same question re: double-knocking.
Hey @[email protected], now that I'm tracking errors encountered, I've got a bit more visibility into things that normally would've just been caught and ignored.
Today I received a Delete(Object) from Catodon associated with a user from catodon.rocks.
Two things:
Its object referenced an item outside of catodon.rocks, and so it failed NodeBB's actor-object match check. Normally people can't delete other peoples' posts, so I think this might be a mistake?
The activity's audience matches the activity's attributedTo. While you're certainly allowed to put anything you want in there, threadiverse software uses it to point to a group actor. Wondering if this was intentional.
Thanks!
Fill out the survey here:
Hi @[email protected] I am looking to debug some potential federation issues between NodeBB and Peertube and I am wondering if there is a test server I can federate against.
Thanks!
I was talking to my marketing guy about integrating a tags-based onboarding workflow for freshly installed forums.
The gist of it is, the forum admin adds a couple tags for the forum to globally follow, and achieves this via fedibuzz relay or tags.pub. Auto-categorization rules are automatically added and the forum starts receiving new (highly relevant!) posts through the magic of hashtag+federation ✨
He then asked whether it was possible to suggest related tags (e.g. add guitar suggest acousticguitar, electricguitar, etc.) for the admin to also add, to which I replied in the negative "for now".
But that got me thinking, is this something fedibuzz or tags.pub could achieve/offer in its API? It would require a bit of data analysis, to match up common hashtag usage, but doable maybe?
cc @evan [@evan@cosocial.ca](https://activitypub.space/user/evan%40cosocial.ca) @[email protected]
Reposting to the threadiverse
Original credit @[email protected]
Even more original credit: https://xkcd.com/2501/
NodeBB federates out Note or Article depending on the length of the content. While this by-and-large works, the article logic does not encourage as much discussion as expected because a summary is generated so as to provide something for microblog-style software to show (otherwise, it would only show the title (name) and a URL to the forum.)
That summary is limited to a maximum or 500 characters, ending at the last full detected sentence.
When composing a long topic, 500 characters may not be enough to fully introduce the topic and engage users. This lowers click-through rates.
I expressed my frustration about this online to @thisismissem and suggested that I might just revert back to sending the entire post content in summary. This would violate FEP b2b8's recommendation that summary be a maximum of 500 characters:
> It should be a maximum of about 500 characters; a few sentences; or a short paragraph.
After consultation with Matt Baer of Writefreely (@[email protected]), he suggested the following changes:
[...] at the end of the truncated content to signal that there is additional content that is not seenThat seems like a good compromise for me, where concerns from power users like myself would be addressed, while not overly complicating the interface for users who do not need to know about this.
Pinging @evan ([@evan@cosocial.ca](https://activitypub.space/user/evan%40cosocial.ca)) for his thoughts.
In other news, nobody has complained about federation jank from a nodebb instance lately!
I post this to tempt fate. Come at me karma.
@[email protected] mentioned in another thread that the way Hubzilla and threadiverse software handle group discussions is incompatible.
It got me thinking about whether that is true. At its core both FEPs (171b and 1b12, respectively) rely on a central "distributor" node to send activities to recipients.
@[email protected] did further comparisons in thr text of 171b itself:
> Announce activity is used instead of Add. Conversation and related activities are synchronized between participants, but conversation backfilling mechanism is not specified.
The questions here are:
Add in addition to Announce, would that satisfy basic synchronization (not backfill) requirements laid out by 171b?Announce could not be used to facilitate private federated group discussions as well? Assuming visibility maintains scoped to addresses, I don't see any immediate reason why not...Hi @[email protected], does Bonfire utilise the sharedInbox value?
I noticed this come through my nginx logs today:
128.140.127.206 - - [21/Jan/2026:19:58:04 +0000] "POST /uid/1/inbox HTTP/1.1" 500 128 "-" "https://btfree.social/ - Bonfire ActivityPub federation" "-"
/uid/1/inbox is an endpoint specified in my user's inbox, but that actor also sends "endpoints":{"sharedInbox":"https://activitypub.space/inbox"}, so wanted to double-check that Bonfire uses it. It should, it helps reduce the number of requests to send if multiple users belong to the same server :smile:
If I post something to a remote community, Mastodon people reply directly to me, and it doesn't make it to the remote community. 👎
If I snuck in a mention to the community (but not in text), Mastodon would prefill the community mention and it would propagate correctly. 👍
Tell me this is a bad idea.......
So, this meme.
tl;dr Mastodon users occasionally spam mentions and Lemmy (and probably Piefed) ingests them all and makes the post across all of the mentioned communities.
Sucks, right, because on the theadiverse, you're not actually able to do that so easily.
Basically, it's because Mastodon mixes mentions with addressing. Every mentioned person gets addressed, even though sometimes you don't mean for it to go into that community.
So what if Lemmy, Piefed, Mbin, and NodeBB made it so that only the first matching community gets the post? We can already tell which posts come from threadiverse software and which don't (because we use audience, Mastodon doesn't.)
Just an idea, I can't speak for the other softwares.
On ActivityPub.Space, I started adding links out to various implementors' development announcements.
I wanted to add one for Piefed, but the only community I know of is this one, piefed_meta. Anyone can post there, so I was wondering if there was a dedicated community just for Piefed announcements.
Check this out: https://nooki.me/
Looks like someone's built a Reddit-like on top of ATProto. Would be really interesting to see whether it could interact with the threadiverse through something like BridgyFed, which currently only works with microblogs (I think?)
Opportunity? Existential threat? You decide...
Check this out: https://nooki.me/
Looks like someone's built a Reddit-like on top of ATProto. Would be really interesting to see whether it could interact with the threadiverse through something like BridgyFed, which currently only works with microblogs (I think?)
Opportunity? Existential threat? You decide...