@Stefan Bohacek Another thing where Hubzilla, (streams) and Forte truly shine, by the way.

First of all, Hubzilla distinguishes between a "contact" (someone has sent you a connection request) and an "approved contact" (either you've confirmed the connection request, thus creating what's a mutual follower/followed connection on Mastodon, or you've requested a connection request, and it has been confirmed). It's much like on Facebook. This distinction also exists in permissions: You can give certain permissions to contacts or only to approved contacts.

On (streams) and Forte, the concept of a non-approved contact doesn't exist; unless the connection request is confirmed, it doesn't count as a contact, and it doesn't have the privileges of a contact. This means that nobody can acquire certain permissions simply by following you.

Next, even if someone is a contact of yours, doesn't mean that they're always permitted to send you their posts. You can configure your channel in such a way that you can only allow certain contacts of yours to send you posts. I've actually done that.

Also, on all three, being notified when someone who isn't a contact mentions you is off by default and has to be activated manually. Even then, it only works if their post that mentions you makes it onto the server that you're on. This isn't even a case of "they mention you, your channel receives the message, but you aren't notified". This is a case of "they mention you, but your channel outright rejects the message, and if no other channel on your server accepts it, the whole server rejects it".

This means the whole attack vector does not work, especially not against neatly configured channels. By default, you won't see any non-contact mention you out of the blue. And even if someone requests a connection, and you approve it and thereby establish a full, mutual connection, that doesn't mean that you have to endure what they post.

Oh, by the way: Hubzilla, (streams) and Forte understand Mastodon's "followers only" as "public" because it doesn't come with limited permissions, because Mastodon doesn't have a permissions system. And al three have had quote-posts since their inception. This gives you the power to fight back by quote-posting the offending post in a DM to the admin of the offender's home instance. And on Hubzilla, (streams) and Forte, the quote in a quote-post is not a reference by link; it's a dumb copy of the original, inserted into the quoting post with a link to the original post and to the original poster, that cannot be altered by the original poster after the fact in any way.

Lastly, you can raise the shields even further, namely against harassment by DM. You don't have to accept DMs from non-contacts. You don't even have to accept DMs from all your contacts. You can literally cherry-pick those contacts from whom you want to receive DMs.

CC: @Mastodon Migration

#Long #LongPost #CWLong #CWLongPost #FediMeta #FediverseMeta #CWFediMeta #CWFediverseMeta #Mastodon #Hubzilla #Streams #(streams) #Forte #QuotePost #QuotePosts #QuoteTweet #QuoteTweets #QuoteToot #QuoteToots #QuoteBoost #QuoteBoosts #QuotedShares #Harassment #Permissions #FediverseSafety #FediverseSecurity

@silverpill @Julian Fietkau In the background, yes.

At first, I expected this implementation to be exactly like Misskey and require this line in plain sight in the content so that the quoted post is rendered dynamically. Which has never been the case in Mike's software family.

#Long #LongPost #CWLong #CWLongPost #FediMeta #FediverseMeta #CWFediMeta #CWFediverseMeta #Friendica #Hubzilla #Streams #(streams) #Forte #QuotePost #QuotePosts #QuoteTweet #QuoteTweets #QuoteToot #QuoteToots #QuoteBoost #QuoteBoosts #QuotedShares #FEP_e232

@silverpill @Julian Fietkau In the background, yes.

At first, I expected this implementation to be exactly like Misskey and require this line in plain sight in the content so that the quoted post is rendered dynamically. Which has never been the case in Mike's software family.

#Long #LongPost #CWLong #CWLongPost #FediMeta #FediverseMeta #CWFediMeta #CWFediverseMeta #Friendica #Hubzilla #Streams #(streams) #Forte #QuotePost #QuotePosts #QuoteTweet #QuoteTweets #QuoteToot #QuoteToots #QuoteBoost #QuoteBoosts #QuotedShares #FEP_e232

@Julian Fietkau I don't know if translating the absence of a FEP-044f quote policy as “not quotable” was the right decision. Maybe it wasn't.
If you use server software that has quote-posts implemented with no quote policy, I think it's rather safe to assume that you're okay with being quote-posted.

I mean, if you're on Misskey, complaining about being quote-posted is like complaining about emoji reactions, MFM shenanigans or the overall genki feeling. Misskey is not Mastodon with 3,000 characters; deal with it. And I haven't even mentioned "Speak as Cat" yet that's popular around the Forkeys.

You might have seen my comment in the forum thread on a way to make it easier for platforms like Friendica to signal a free-for-all quoting permission.
I was just about to say that this goes doubly for those server applications where quote-posts are an integral part of the communication culture.

Seriously, if you're on one of these, but you don't want anyone to quote-post you, and you still insist in always posting in public, you're doing something wrong. And just as seriously, unlike Mastodon, especially the Friendica/Hubzilla/(streams)/Forte family won't mollycoddle you. If you come to stay, we expect you to know what you're doing and why.

#Long #LongPost #CWLong #CWLongPost #FediMeta #FediverseMeta #CWFediMeta #CWFediverseMeta #Mastodon #Misskey #Forkey #Forkeys #Friendica #Hubzilla #Streams #(streams) #Forte #QuotePost #QuotePosts #QuoteTweet #QuoteTweets #QuoteToot #QuoteToots #QuoteBoost #QuoteBoosts #QuotedShares #FEP_044f

@Julian Fietkau I don't know if translating the absence of a FEP-044f quote policy as “not quotable” was the right decision. Maybe it wasn't.
If you use server software that has quote-posts implemented with no quote policy, I think it's rather safe to assume that you're okay with being quote-posted.

I mean, if you're on Misskey, complaining about being quote-posted is like complaining about emoji reactions, MFM shenanigans or the overall genki feeling. Misskey is not Mastodon with 3,000 characters; deal with it. And I haven't even mentioned "Speak as Cat" yet that's popular around the Forkeys.

You might have seen my comment in the forum thread on a way to make it easier for platforms like Friendica to signal a free-for-all quoting permission.
I was just about to say that this goes doubly for those server applications where quote-posts are an integral part of the communication culture.

Seriously, if you're on one of these, but you don't want anyone to quote-post you, and you still insist in always posting in public, you're doing something wrong. And just as seriously, unlike Mastodon, especially the Friendica/Hubzilla/(streams)/Forte family won't mollycoddle you. If you come to stay, we expect you to know what you're doing and why.

#Long #LongPost #CWLong #CWLongPost #FediMeta #FediverseMeta #CWFediMeta #CWFediverseMeta #Mastodon #Misskey #Forkey #Forkeys #Friendica #Hubzilla #Streams #(streams) #Forte #QuotePost #QuotePosts #QuoteTweet #QuoteTweets #QuoteToot #QuoteToots #QuoteBoost #QuoteBoosts #QuotedShares #FEP_044f

@Julian Fietkau I'm surprised to read that (streams) allegedly has FEP-e232 implemented. As I happen to have two (streams) channels myself, and as (streams) allows me to have a look at the whole source code of any activity (whereas Hubzilla only shows me that of the content), I've checked a fairly recent post of mine that includes a link. And while it does define the hashtags just like Mastodon and Hubzilla, it does not define links in a way that conforms to FEP-e232. Either that, or (streams)' implementation of FEP-e232 is newer than the software was when I sent that post.



Next, I wanted to see if (streams) had its way of quote-posting changed in the last seven years or so of development and forking. I expected it to quote-post like Hubzilla, namely by turning a BBcode short code into a dumb copy of the original upon sending, but I wanted to see proof. As (streams) is a fork of a fork of three forks of a fork (of a fork) of Hubzilla that's still maintained by Hubzilla's own creator, I would have been surprised if he had changed the way (streams) quote-posts at some point on the way.

So I quote-posted my own post on (streams) just to see what happens. And (streams) acted exactly like Hubzilla and not at all like described in FEP-044f on the surface. It still inserts a dumb copy.

Good thing I have access to the full source code of any message on (streams). So here's what happened, namely what I expected to happen: (streams) quote-posts like Hubzilla.

First of all, when I clicked the "Share" button, this short code was inserted into the post editor:

[share⁠=1198713][/share]

The number, by the way, is the running number of the message to quote-post on the server.

Upon sending the post, (streams) automatically "expanded" the short code into the dumb copy I had expected.

[⁠share author='Jupiter+Rowland' profile='https://hub.netzgemeinde.eu/channel/jupiter_rowland' portable_id='_moYLN61-o3FbP3jyThygMDf-bjF2cApXgkrwlAE77iKy19xM1_6F06V4b71eTkqqNaTUjGiN0lfw2dyn5nXRw' avatar='https://streams.elsmussols.net/xp/6b50efa4bb804860f6128bba791b74fab4a0a5e09dbcbee8d8ca77cee00f0330-6' link='https://hub.netzgemeinde.eu/item/0a1cdda5-eb1c-4a33-9574-ddd896977b4f' auth='true' posted='2025-09-21 19:42:56' message_id='https://hub.netzgemeinde.eu/item/0a1cdda5-eb1c-4a33-9574-ddd896977b4f'] ...(the source code of the original message goes here)... [/share]

Both Hubzilla and (streams) render this the same way, namely with a header line above the copy that includes the profile picture of the original author, the name of the original author with a Zot/Nomad-type link to their channel/account and a Zot/Nomad-type link to the original of the post ("Zot/Nomad-type" means that [zrl][/zrl] is used rather than [url][/url] which means that the ID of an observer on Hubzilla/(streams)/Forte is attached to the link for OpenWebAuth identity recognition purposes.)

At the same time, curiously, (streams) includes the line "rel": "https://misskey-hub.net/ns#_misskey_quote" and a line that starts with "name": "RE: and continues with the URL of the original message into the code for the link to the original message. The latter is identical to what Misskey and all Forkeys have in quote-posting notes in plain sight, only that (streams) only reveals it in the source code rather than in the content as well.

So this part of FEP-044f is implemented, albeit concealed from most people and only happening in the code.



Now, looking at the quote policy part, that looks like it could be possible to add to the Fediverse's permission champions Hubzilla, (streams) and Forte. After all, they already have comment controls with no FEP backing it (and if GoToSocial's quote policy can be made into an FEP, maybe so can (streams)' and Forte's comment controls so that they actually do blank out reply buttons on the farther ends of the Fediverse if the software on the farther ends implement support for that FEP).

This could be done at three levels again. I'll illustrate this with (streams) and Forte because they're quite a bit less complex than older Hubzilla.

At channel level, quote-posting (and maybe quoting as well) could be set as usually, namely to semi-public (= everyone in the Fediverse = no quote policy), restricted (= only your contacts) and only yourself. (Seriously, you don't want random passersby with no accounts to quote-post you. Even though you can allow them to comment on your posts if you dare.)

"Only yourself" could be overridden at contact level by permitting certain contacts to quote-post (and maybe quote) your messages. This is actually standard behaviour on (streams) and Forte.

And then there is the per-post level which would be similar to (streams)' and Forte's comment controls. These allow you to limit who may comment on a post to only your contacts and those who have already participated in the same conversation, and they allow you to turn off comments altogether.

Quote authorisation would not be much different in handling from manually moderating comments from those who technically aren't permitted to comment (only that spammers don't quote-post, at least not yet, and they probably never will because that simply makes no sense). So that'd be nothing really new.

Of course, this would have some limitations which come from how Hubzilla, (streams) and Forte work and from their conversation architecture.

The first limitation is that you could only give certain contacts permission to quote-post your posts if you didn't give it to the whole Fediverse. Channel-wide permissions are always inherited by contact-specific permissions, and this cannot be overridden. So you couldn't generally allow everyone to quote-post your posts except for one certain contact of yours.

The second limitation is that you can only control the permissions of contacts, but not of non-contacts. So you can't disallow some stranger whom you aren't connected to to quote-post your posts while everyone else is allowed.

Then again, FEP-044f doesn't make either of these two possible either. It can only define who is permitted to quote-post a post, not who isn't.

The third limitation is that, on Hubzilla, (streams) and Forte, comments always have the same permissions as the post that they belong to because comments always have the same owner as the post that they belong to. Basically, if FEP-044f was to be defined for each comment individually, it would have a chance of clashing with conversation containers as per FEP-171b.

Here on Hubzilla, as well as from (streams)' point of view, everyone's comments in this thread are owned by me because I've started the thread. And the permissions on all these comments are defined by my post. I've seen my share of permission clashes whenever someone on Mastodon replied to a public post or a public comment with a DM, and Hubzilla overrode this by forcing the permissions of the post on that reply.

In practice, this means that the quote policies of all comments would be the same as that of the post. At least that's how Hubzilla, (streams) and Forte would understand them because the concept of comments having different permissions than the post is alien to them. So if you say that I'm not permitted to quote-post your comment, but I say that anyone can quote-post my post, Hubzilla and (streams) override the quote policy that you've given your comment on Mastodon with the quote policy that I've given my post on Hubzilla, and I can quote-post you.

So the actually difficult part would be to implement an exception in how Hubzilla, (streams) and Forte handle comment permissions for quote policies and make them individual for each comment rather than making comments inherit them from the post.

Well, and lastly, if you permitted all your contacts to quote-post a post of yours, and you had a few more contacts, the "canQuote" section would end up monstrous. (A bit less so if you could cherry-pick those who are allowed to quote-post you on a per-post base, just like you can cherry-pick those who are allowed to see the post in the first place.) Also, I'm wondering just how well policies as per FEP-044f (and their implementations in various server applications) will work with DIDs as per FEP-ef61 which (streams) and Forte use, and I guess, so does Mitra now.

#Long #LongPost #CWLong #CWLongPost #FediMeta #FediverseMeta #CWFediMeta #CWFediverseMeta #Fediverse #Misskey #Forkey #Forkeys #GoToSocial #Hubzilla #Streams #(streams) #Forte #Mitra #QuotePost #QuotePosts #QuoteTweet #QuoteTweets #QuoteToot #QuoteToots #QuoteBoost #QuoteBoosts #QuotedShares #Permission #Permissions #FEP_044f #FEP_171b #FEP_e232 #FEP_ef61