Search that specification for "private." You'll find precisely one reference to it...
It might be better to look for what the article mentions: "manuallyApprovesFollowers", and it is explicit about what to do when that value is set to true. I don't understand how you're confused by it.
Regardless, two wrongs don't make a right, and I found the description of how to properly handle a security issue as discussed in the article to be appropriate. For example, collaborating with administrators of large instances.
The "security issue" is created on Mastodon's side
Are we reading the same article? I realize this isn't the first time you implied this, but I thought I must have been mistaken.
From the original post: "Importantly, your Mastodon or GoToSocial instance isn’t handing your private posts to any random server, just because it asks."
Mastodon is behaving. Pixelfed was not. Pixelfed fixed the security issue because it was their issue...
I looked at your comment before reading this article, and you make several bold statements that the article dispels.
A fork of Mastodon created a new abstraction for "private posts"
The author of the article links to the official specification which was made for ActivityPub. This does not appear to simply be "some fork of Mastodon", but if it is, please provide a citation.
they're trying to blame Pixelfed for not adopting their homemade standard
See previous comment
It's fixed in 1.12.5
The article also goes to great lengths about how the security update was handled poorly, with inappropriate communication along the way. It contrasts this with a correct update.
Back when Samsung saw Android as a legitimate threat to their business model, and they made alternate apps to every Google offering, I think they did have a better ecosystem. I think that has waned in recent years, though.
And I say that as someone who loved Samsung phones at least until 2020, when they gave up on the SD card and started giving up on camera quality. I still think they make the best devices out of the box (between screen and camera output, and not overheating) but they've been lazy at the top