#hollo — Public Fediverse posts

Bon aller avec la v0.8.0 de #Hollo on peut enfin vider le cache ... 40go a vider, il me reste encore la moitié à faire, j'ai vider l'autre moitié hier soir pour tester la feature et ça vide bien ​:nko_okay:​

AI policy for #hollo

https://github.com/fedify-dev/hollo/commit/c3cf527d1c8cd78e37a69fbc29d35d42f2a0e1df

Not sure why, but after migrating from IOC.exchange to a selfhosted #snac instance and then to #hollo, less than 250 of my originally 980 followers have moved over with me. A bit susprised since account migration has been a basic feature on #Mastodon for several years now. @hollo

#fediverse #mastoadmin

Not sure why, but after migrating from IOC.exchange to a selfhosted #snac instance and then to #hollo, less than 250 of my originally 980 followers have moved over with me. A bit susprised since account migration has been a basic feature on #Mastodon for several years now. @hollo

#fediverse #mastoadmin

Hello Hollo! Voice From fedihollo.org ! :linux: :fediverse:

#hollo #fedify #fediverse

Looks like Hollo's media folder is overflowing and I'm out of disk space.
Unfortunately, it seems impossible to clear the cache at the moment?
So, I'm going to have to shut down the instance until there's a solution.

Edit :

Here's the disk space usage for the assets folder ​:pikasob:​ Hollo seriously needs an option to clear the media cache or just a straight-up remote media option.

$ du -hs /home/hollo/hollo/assets/
38G     /home/hollo/hollo/assets/

Hmm : 330 / 330 items processed (132 successful, 198 failed) :pikathinknothappy:

#Hollo

I'm testing the import into Hollo again and it seems to be working

#Hollo

So Hollo gets stuck after 10 minutes and this is all I have left all I have left in the logs:

mars 04 23:48:19 hollo pnpm[3640]: 22:48:19.853 INF fedify·federation·http: 'OPTIONS' '/api/v1/timelines/home?limit=20': 204
mars 04 23:48:35 hollo pnpm[3640]: 22:48:35.110 INF fedify·federation·http: 'OPTIONS' '/api/v1/timelines/home?limit=20': 204
mars 04 23:48:50 hollo pnpm[3640]: 22:48:50.251 INF fedify·federation·http: 'OPTIONS' '/api/v1/timelines/home?limit=20': 204
mars 04 23:49:05 hollo pnpm[3640]: 22:49:05.584 INF fedify·federation·http: 'OPTIONS' '/api/v1/timelines/home?limit=20': 204
mars 04 23:49:19 hollo pnpm[3640]: 22:49:19.747 INF fedify·federation·http: 'OPTIONS' '/api/v1/timelines/home?limit=20': 204
mars 04 23:49:34 hollo pnpm[3640]: 22:49:34.867 INF fedify·federation·http: 'OPTIONS' '/api/v1/timelines/home?limit=20': 204
mars 04 23:52:40 hollo pnpm[3640]: 22:52:40.282 INF fedify·federation·http: 'OPTIONS' '/api/v1/timelines/home?limit=20': 204

Hmm, Hollo's frozen again. The server's still running, but it's impossible to reach it.
I should take the time to go check the logs, but I think I saw a message saying it failed because it ran out of RAM ​:pikaomo:​

#Hollo

A couple days ago, I got a DM from a #Bonfire user. I happily replied and sent a follow request—but the Accept never came back, even though they hadn't enabled manuallyApprovesFollowers. My DM reply probably never arrived either. Classic interop bug.

I checked out the Bonfire source and dug in. Turns out Bonfire hasn't implemented RFC 9421 yet, so it was silently discarding any activity signed with it. That alone would be workable, except for one more issue: Bonfire was responding 200 OK even when signature verification failed, instead of 401 Unauthorized.

This matters because Fedify implements a double-knocking mechanism—if a request signed with RFC 9421 fails, it retries with the older draft cavage signature. But since Bonfire returned 200 OK on the failed first knock, #Fedify had no reason to send a second one.

I filed two issues on the Bonfire #ActivityPub repo—one requesting RFC 9421 support, and one about returning 401 on invalid signatures. For the latter, I also sent a PR, which got merged pretty quickly: bonfire-networks/activity_pub#9.

That said, individual Bonfire instances won't pick up the fix until they actually deploy it. So in the meantime, I patched Hollo and Hackers' Pub to use draft-cavage-http-signatures-12 as the firstKnock, so Bonfire instances can at least understand the first request.

One last thing: Fedify caches whether a given server supports RFC 9421, and the Bonfire servers I'd already talked to were cached as “supports RFC 9421”—because they'd been returning 200 OK. I had to manually clear that cache on both hollo.social and hackers.pub before everything finally worked.

After all that, the mutual follow went through and my DM reply landed. Worth it.

#fedidev #fediverse #Hollo #HackersPub

A couple days ago, I got a DM from a #Bonfire user. I happily replied and sent a follow request—but the Accept never came back, even though they hadn't enabled manuallyApprovesFollowers. My DM reply probably never arrived either. Classic interop bug.

I checked out the Bonfire source and dug in. Turns out Bonfire hasn't implemented RFC 9421 yet, so it was silently discarding any activity signed with it. That alone would be workable, except for one more issue: Bonfire was responding 200 OK even when signature verification failed, instead of 401 Unauthorized.

This matters because Fedify implements a double-knocking mechanism—if a request signed with RFC 9421 fails, it retries with the older draft cavage signature. But since Bonfire returned 200 OK on the failed first knock, #Fedify had no reason to send a second one.

I filed two issues on the Bonfire #ActivityPub repo—one requesting RFC 9421 support, and one about returning 401 on invalid signatures. For the latter, I also sent a PR, which got merged pretty quickly: bonfire-networks/activity_pub#9.

That said, individual Bonfire instances won't pick up the fix until they actually deploy it. So in the meantime, I patched Hollo and Hackers' Pub to use draft-cavage-http-signatures-12 as the firstKnock, so Bonfire instances can at least understand the first request.

One last thing: Fedify caches whether a given server supports RFC 9421, and the Bonfire servers I'd already talked to were cached as “supports RFC 9421”—because they'd been returning 200 OK. I had to manually clear that cache on both hollo.social and hackers.pub before everything finally worked.

After all that, the mutual follow went through and my DM reply landed. Worth it.

#fedidev #fediverse #Hollo #HackersPub

A couple days ago, I got a DM from a #Bonfire user. I happily replied and sent a follow request—but the Accept never came back, even though they hadn't enabled manuallyApprovesFollowers. My DM reply probably never arrived either. Classic interop bug.

I checked out the Bonfire source and dug in. Turns out Bonfire hasn't implemented RFC 9421 yet, so it was silently discarding any activity signed with it. That alone would be workable, except for one more issue: Bonfire was responding 200 OK even when signature verification failed, instead of 401 Unauthorized.

This matters because Fedify implements a double-knocking mechanism—if a request signed with RFC 9421 fails, it retries with the older draft cavage signature. But since Bonfire returned 200 OK on the failed first knock, #Fedify had no reason to send a second one.

I filed two issues on the Bonfire #ActivityPub repo—one requesting RFC 9421 support, and one about returning 401 on invalid signatures. For the latter, I also sent a PR, which got merged pretty quickly: bonfire-networks/activity_pub#9.

That said, individual Bonfire instances won't pick up the fix until they actually deploy it. So in the meantime, I patched Hollo and Hackers' Pub to use draft-cavage-http-signatures-12 as the firstKnock, so Bonfire instances can at least understand the first request.

One last thing: Fedify caches whether a given server supports RFC 9421, and the Bonfire servers I'd already talked to were cached as “supports RFC 9421”—because they'd been returning 200 OK. I had to manually clear that cache on both hollo.social and hackers.pub before everything finally worked.

After all that, the mutual follow went through and my DM reply landed. Worth it.

#fedidev #fediverse #Hollo #HackersPub

A couple days ago, I got a DM from a #Bonfire user. I happily replied and sent a follow request—but the Accept never came back, even though they hadn't enabled manuallyApprovesFollowers. My DM reply probably never arrived either. Classic interop bug.

I checked out the Bonfire source and dug in. Turns out Bonfire hasn't implemented RFC 9421 yet, so it was silently discarding any activity signed with it. That alone would be workable, except for one more issue: Bonfire was responding 200 OK even when signature verification failed, instead of 401 Unauthorized.

This matters because Fedify implements a double-knocking mechanism—if a request signed with RFC 9421 fails, it retries with the older draft cavage signature. But since Bonfire returned 200 OK on the failed first knock, #Fedify had no reason to send a second one.

I filed two issues on the Bonfire #ActivityPub repo—one requesting RFC 9421 support, and one about returning 401 on invalid signatures. For the latter, I also sent a PR, which got merged pretty quickly: bonfire-networks/activity_pub#9.

That said, individual Bonfire instances won't pick up the fix until they actually deploy it. So in the meantime, I patched Hollo and Hackers' Pub to use draft-cavage-http-signatures-12 as the firstKnock, so Bonfire instances can at least understand the first request.

One last thing: Fedify caches whether a given server supports RFC 9421, and the Bonfire servers I'd already talked to were cached as “supports RFC 9421”—because they'd been returning 200 OK. I had to manually clear that cache on both hollo.social and hackers.pub before everything finally worked.

After all that, the mutual follow went through and my DM reply landed. Worth it.

#fedidev #fediverse #Hollo #HackersPub

A couple days ago, I got a DM from a #Bonfire user. I happily replied and sent a follow request—but the Accept never came back, even though they hadn't enabled manuallyApprovesFollowers. My DM reply probably never arrived either. Classic interop bug.

I checked out the Bonfire source and dug in. Turns out Bonfire hasn't implemented RFC 9421 yet, so it was silently discarding any activity signed with it. That alone would be workable, except for one more issue: Bonfire was responding 200 OK even when signature verification failed, instead of 401 Unauthorized.

This matters because Fedify implements a double-knocking mechanism—if a request signed with RFC 9421 fails, it retries with the older draft cavage signature. But since Bonfire returned 200 OK on the failed first knock, #Fedify had no reason to send a second one.

I filed two issues on the Bonfire #ActivityPub repo—one requesting RFC 9421 support, and one about returning 401 on invalid signatures. For the latter, I also sent a PR, which got merged pretty quickly: bonfire-networks/activity_pub#9.

That said, individual Bonfire instances won't pick up the fix until they actually deploy it. So in the meantime, I patched Hollo and Hackers' Pub to use draft-cavage-http-signatures-12 as the firstKnock, so Bonfire instances can at least understand the first request.

One last thing: Fedify caches whether a given server supports RFC 9421, and the Bonfire servers I'd already talked to were cached as “supports RFC 9421”—because they'd been returning 200 OK. I had to manually clear that cache on both hollo.social and hackers.pub before everything finally worked.

After all that, the mutual follow went through and my DM reply landed. Worth it.

#fedidev #fediverse #Hollo #HackersPub

Hi #fediverse and #ActivityPub developers!

I'm currently working on interoperability testing for #Hollo and #Fedify, and I need a #Bonfire account to test federation with their implementation.

Since there aren't many open public Bonfire instances available, I was wondering if any Bonfire instance admins out there would be willing to grant me a test account? It would be a huge help for improving interop! Let me know if you can help. Thanks!

#fedidev #BonfireNetworks

Did you know there's a community space for #Fedify, #Hollo, #BotKit, and other Fedify ecosystem projects?

Whether you have questions, want to share what you're building, or just want to hang out with fellow fediverse developers—come join us!

• Matrix: #fedify:matrix.org
• Discord

Did you know there's a community space for #Fedify, #Hollo, #BotKit, and other Fedify ecosystem projects?

Whether you have questions, want to share what you're building, or just want to hang out with fellow fediverse developers—come join us!

• Matrix: #fedify:matrix.org
• Discord

Did you know there's a community space for #Fedify, #Hollo, #BotKit, and other Fedify ecosystem projects?

Whether you have questions, want to share what you're building, or just want to hang out with fellow fediverse developers—come join us!

• Matrix: #fedify:matrix.org
• Discord

Did you know there's a community space for #Fedify, #Hollo, #BotKit, and other Fedify ecosystem projects?

Whether you have questions, want to share what you're building, or just want to hang out with fellow fediverse developers—come join us!

• Matrix: #fedify:matrix.org
• Discord

Did you know there's a community space for #Fedify, #Hollo, #BotKit, and other Fedify ecosystem projects?

Whether you have questions, want to share what you're building, or just want to hang out with fellow fediverse developers—come join us!

• Matrix: #fedify:matrix.org
• Discord

Hollo 0.7.0 🎉

#Hollo

Avec Hollo ça fonctionne bien visiblement pour le moment je vois pas de problème 👍

#Hollo #Mitra

セキュリティアップデート: Hollo 0.6.19 リリース

FedifyのHTMLパースコードにおけるセキュリティ脆弱性に対応したHollo 0.6.19をリリースしました。

この脆弱性 (CVE-2025-68475) は ReDoS (正規表現によるサービス拒否) の問題であり、攻撃者がフェデレーション操作中に特別に細工されたHTMLレスポンスを送信することで、サービス停止を引き起こす可能性があります。悪意のあるペイロードは小さい (約170バイト) ですが、Node.jsのイベントループを長時間ブロックする可能性があります。

すべてのHollo運営者の皆様には、直ちにバージョン 0.6.19 へのアップグレードを強くお勧めします。

#Hollo #セキュリティ #fediverse #ActivityPub

보안 업데이트: Hollo 0.6.19 릴리스

Fedify의 HTML 파싱 코드에서 발견된 보안 취약점을 수정한 Hollo 0.6.19를 릴리스했습니다.

이 취약점(CVE-2025-68475)은 ReDoS(정규 표현식 서비스 거부) 문제로, 공격자가 연합 작업 중 특수하게 조작된 HTML 응답을 보내 서비스 장애를 유발할 수 있습니다. 악성 페이로드는 작지만(약 170바이트), Node.js 이벤트 루프를 장시간 차단할 수 있습니다.

모든 Hollo 운영자분들께 즉시 버전 0.6.19로 업그레이드하실 것을 강력히 권고드립니다.

#Hollo #보안 #페디버스 #연합우주 #ActivityPub

보안 업데이트: Hollo 0.6.19 릴리스

Fedify의 HTML 파싱 코드에서 발견된 보안 취약점을 수정한 Hollo 0.6.19를 릴리스했습니다.

이 취약점(CVE-2025-68475)은 ReDoS(정규 표현식 서비스 거부) 문제로, 공격자가 연합 작업 중 특수하게 조작된 HTML 응답을 보내 서비스 장애를 유발할 수 있습니다. 악성 페이로드는 작지만(약 170바이트), Node.js 이벤트 루프를 장시간 차단할 수 있습니다.

모든 Hollo 운영자분들께 즉시 버전 0.6.19로 업그레이드하실 것을 강력히 권고드립니다.

#Hollo #보안 #페디버스 #연합우주 #ActivityPub

보안 업데이트: Hollo 0.6.19 릴리스

Fedify의 HTML 파싱 코드에서 발견된 보안 취약점을 수정한 Hollo 0.6.19를 릴리스했습니다.

이 취약점(CVE-2025-68475)은 ReDoS(정규 표현식 서비스 거부) 문제로, 공격자가 연합 작업 중 특수하게 조작된 HTML 응답을 보내 서비스 장애를 유발할 수 있습니다. 악성 페이로드는 작지만(약 170바이트), Node.js 이벤트 루프를 장시간 차단할 수 있습니다.

모든 Hollo 운영자분들께 즉시 버전 0.6.19로 업그레이드하실 것을 강력히 권고드립니다.

#Hollo #보안 #페디버스 #연합우주 #ActivityPub

Security Update: Hollo 0.6.19 Released

We have released Hollo 0.6.19 to address a security vulnerability in Fedify's HTML parsing code.

This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue that could allow an attacker to cause service unavailability by sending specially crafted HTML responses during federation operations. The malicious payload is small (approximately 170 bytes) but can block the Node.js event loop for extended periods.

We strongly recommend all Hollo operators upgrade to version 0.6.19 immediately.

#Hollo #Security #Fediverse #ActivityPub

早晩間(조만간) 몇 個月(개월)만의 새 #Hollo 마이너 릴리스(v0.7.0)이 나올 것 같다.

It looks like a new minor release of #Hollo (v0.7.0) will be out soon, the first in several months.

#Hollo 0.7 brings a redesigned #notification system with much better performance. We've moved from generating #notifications on-demand to storing them as they happen, which makes the notifications endpoint about 60% faster. We've also added response compression (though if you're using a reverse proxy, you probably had this already).

More notably, Hollo 0.7 implements Mastodon's v2 grouped notifications API. Notifications like favorites, follows, and reblogs targeting the same post or account are now grouped together server-side, reducing clutter. Clients that support the new API (introduced in #Mastodon 4.3) will show cleaner, more organized notifications automatically.

Hollo 0.7 is still in development, but we're excited to share it with you when it's ready!

Hollo 0.6.14 🎉

#Hollo #Fediverse

Holloをお使いの方は、できるだけ早く0.6.12バージョンにアップデートしてください。DMが公開投稿ページで露出する深刻なセキュリティ脆弱性が修正されました。

https://hollo.social/@hollo/0199aaaf-7979-7da3-9509-73c9e487de05

#Hollo #セキュリティ #脆弱性

#Hollo 쓰시는 분들은 可能(가능)한 限(한) 빨리 0.6.12 버전으로 올리시기 바랍니다. DM이 公開(공개) 揭示物(게시물) 페이지에서 露出(노출)되는 深刻(심각)한 保安(보안) 脆弱點(취약점)이 패치되었습니다.

https://hollo.social/@hollo/0199aaaf-7979-7da3-9509-73c9e487de05

#보안 #취약점

If you're running #Hollo, please update to version 0.6.12 as soon as possible. A critical #security #vulnerability has been fixed where direct messages were being exposed on public post pages.

https://hollo.social/@hollo/0199aaaf-7979-7da3-9509-73c9e487de05

Security update: Hollo 0.6.12 is now available

We've released #Hollo 0.6.12 to fix a critical privacy #vulnerability where direct messages were being exposed in the replies section of public posts. Please update your instances immediately to ensure your private conversations remain private.

#security

Fedify 프레임워크의 #보안 #취약점을 해결하기 위해 #Hollo 보안 업데이트를 릴리스했습니다 (0.4.12, 0.5.7, 0.6.6). 이번 업데이트는 CVE-2025-54888을 수정하는 최신 Fedify 보안 패치를 포함합니다.

모든 Hollo 인스턴스 관리자분들께서는 가능한 한 빨리 해당 릴리스 브랜치의 최신 버전으로 업데이트하시기를 강력히 권장합니다.

업데이트 방법:

• Railway 사용자: 프로젝트 대시보드에서 Hollo 서비스를 선택하고, deployments의 점 세 개 메뉴를 클릭한 후 “Redeploy”를 선택하세요
• Docker 사용자: docker pull ghcr.io/fedify-dev/hollo:latest로 최신 이미지를 받고 컨테이너를 재시작하세요
• 수동 설치 사용자: git pull로 최신 코드를 받은 후 pnpm install을 실행하고 서비스를 재시작하세요

🚨 보안 업데이트: Hollo 0.6.5 릴리스

CVE-2025-53941 #보안 취약점을 해결하는 #Hollo 0.6.5를 릴리스했습니다. 연합 게시물의 HTML 주입 취약점이 수정되었습니다.

피싱 및 XSS 공격으로부터 인스턴스를 보호하기 위해 즉시 업데이트해 주세요.

업데이트 방법:

• Railway: 배포 탭 → 점 세 개 클릭 → Redeploy
• Docker: docker pull ghcr.io/fedify-dev/hollo:latest 후 재시작
• 수동: git pull origin stable && pnpm install 후 서버 재시작

#업데이트

Тестируется новый клиент феди под iOS: #fedicat
Из списка инстансов при запуске я узнал, что существуют не только мастодон,
но ещё и #Snac, #Takahe, #NeoDB, #Hollo, #FediBird - инстансы уже прописаны для логина.
Прям впечатляющий список.

Тестируется новый клиент феди под iOS: #fedicat
Из списка инстансов при запуске я узнал, что существуют не только мастодон,
но ещё и #Snac, #Takahe, #NeoDB, #Hollo, #FediBird - инстансы уже прописаны для логина.
Прям впечатляющий список.

Тестируется новый клиент феди под iOS: #fedicat
Из списка инстансов при запуске я узнал, что существуют не только мастодон,
но ещё и #Snac, #Takahe, #NeoDB, #Hollo, #FediBird - инстансы уже прописаны для логина.
Прям впечатляющий список.