this post was submitted on 24 Dec 2023
10 points (91.7% liked)

Mastodon

4849 readers
13 users here now

Decentralised and open source social network.

https://joinmastodon.org/

GitHub

founded 4 years ago
MODERATORS
dirtfindr@lemmy.ml
testman@lemmy.ml
10
I came across this on Artifact (justingarrison.com)
submitted 9 months ago* (last edited 9 months ago) by dameoutlaw@lemmy.ml to c/mastodon@lemmy.ml
5 comments fedilink hide all child comments
 

I came across this blogpost regarding Mastodon. I would love to get you guys thoughts. This is from earlier in the year, the authors thoughts may have changed but not likely. Some points make sense others not so much.

you are viewing a single comment's thread
view the rest of the comments
[–] JoYo@lemmy.ml 4 points 9 months ago (1 children)

It’s only a matter of time until there will be a CVE found in the official Mastodon software which will leave a vast majority of instances vulnerable.

PoC or shut your fucking face.

[–] wander1236@sh.itjust.works 4 points 9 months ago

The cool thing about software is that it can be updated, so if someone finds a vulnerability and follows the proper CVE disclosure process, instance admins can just update immediately when it's disclosed.

I guess it's a little trickier because open source software can't really say "fix a vulnerability that hasn't been disclosed yet" in a commit message without disclosing the bug, and instances can't just be silently updated before disclosure, but I'm sure there are other ways to handle CVEs that don't rely on information obfuscation.