i was linked to this post and feel the need to write about it directly.

https://computerfairi.es/users/maple/statuses/101436332290985254

the defect is not in Pleroma, nor is Pleroma doing anything to respect or disrespect blocks placed against it: the enforcement of blocks in an ActivityPub implementation is controlled by the server which initiated the block.

unfortunately, ActivityPub has major security flaws, such as not requiring authentication to fetch objects from remote servers.

when combined with the thread reconstruction features of fediverse software, this allows instances that you have blocked to obtain copies of objects that exist on your instance: they simply fetch the objects, and nothing requires them to authenticate when doing so.

both Mastodon and Pleroma have thread reconstruction features and have the same behavior in this regard.

the only difference is that Pleroma has publicly visible shared timelines and Mastodon requires you to use a third-party viewer, but the posts are there on both.
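as an added illustration (not code from this post, nor from Mastodon or Pleroma), here is what the blocking server's own enforcement could look like: an object endpoint that refuses unsigned fetches outright and refuses signed fetches whose signing actor lives on a blocked domain. `verify_signature`, `blocked_domains` and the header shapes are assumptions; the example also extends the block to subdomains of a blocked domain, which goes slightly beyond the text.

```python
import re
from urllib.parse import urlparse

# Added example: an "authorized fetch" check for an ActivityPub object endpoint,
# run by the server that placed the block. It closes the leak described above by
# (1) denying unauthenticated GETs and (2) denying GETs signed by actors on a
# blocked domain before any key is fetched from that domain.

SIGNATURE_PARAM = re.compile(r'(\w+)="([^"]*)"')

def parse_signature_header(value):
    """Split an HTTP Signature header into its parameters (keyId, headers, signature, ...)."""
    return dict(SIGNATURE_PARAM.findall(value or ""))

def signing_domain(key_id):
    """Domain of the actor that owns the signing key, taken from the keyId URL."""
    host = urlparse(key_id).hostname
    return host.lower() if host else None

def is_blocked(domain, blocked_domains):
    """Exact match, or a subdomain of a blocked domain (assumed policy choice)."""
    return domain in blocked_domains or any(domain.endswith("." + b) for b in blocked_domains)

def authorize_object_fetch(headers, blocked_domains, verify_signature):
    """Return (allowed, reason) for a GET of a local object.

    headers: request headers with lower-cased keys (dict)
    blocked_domains: set of domains this instance has blocked
    verify_signature: callable(headers, key_id) -> bool, assumed to fetch the
        actor's public key and check the signature; injected so this runs offline
    """
    params = parse_signature_header(headers.get("signature"))
    key_id = params.get("keyId")
    if not key_id:
        # Unauthenticated fetch: exactly the path thread reconstruction uses. Deny.
        return False, "unsigned request"
    domain = signing_domain(key_id)
    if domain is None:
        return False, "malformed keyId"
    if is_blocked(domain, blocked_domains):
        # Deny before contacting the blocked server for its key at all.
        return False, f"actor domain {domain} is blocked"
    if not verify_signature(headers, key_id):
        return False, "bad signature"
    return True, "ok"
```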

if you want to blame something for this design fault, i suggest blaming the W3C for ratifying a specification where security is non-normative. when security is non-normative and non-specified, it should be nobody's surprise that objects get leaked to servers you don't want them leaking to.

turbo outbun :bot: :amicheck: (@[email protected])

quick admin psa from my charging station, if you are domain blocking any pleroma servers make sure to deny any requests from their domains in your server's firewall as well because pleroma does not honour blocks and will still be able to see your instance's posts and boost them

@kaniini The first non-post link 404s for me.