Mastodon/glitch-soc privacy issue PSA 

Since v2.8.0, boosting your private toots (“boost to original audience”) actually widens their audience if your default posting privacy is not set to “private”! If your default posting privacy is set to “private”, you're safe.

This is fixed in the development version of Mastodon (no release includes the fix yet) and glitch-soc, but it will not retroactively make your previously publicly-boosted-private-toots unreachable, so be careful!

This is because v2.8.0 added the ability to set the visibility of the boost independently of the visibility of the original status (the main use case being to privately boost public statuses), but made the visibility of the boost default to your default toot privacy, thus allowing public boosts of private toots. Public boosts of private toots might make sense if specifically requested, but that's certainly not what was going on, so for now, the fix is to not allow public/unlisted boosts of toots with stricter privacy settings.
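
The rule described in the PSA above, as an added Ruby example that is not part of the original post and is not Mastodon's or glitch-soc's code: the v2.8.0 defaulting behaviour beside a clamped version, plus an audit helper for boosts that were already widened, since the fix is not retroactive. All struct, constant and method names here are hypothetical, and the sample data in the usage is constructed.

```ruby
# Added illustration; every name below is hypothetical, not Mastodon's API.

# Visibility levels named in the thread, ordered from widest to narrowest audience.
VISIBILITY_RANK = { 'public' => 0, 'unlisted' => 1, 'private' => 2 }.freeze

Status = Struct.new(:id, :visibility)
Boost  = Struct.new(:id, :visibility, :original)

# Behaviour described in the PSA: the boost takes the requested visibility or,
# failing that, the account's default posting privacy. The original status's
# visibility is never consulted, so a private toot can get a public boost.
def boost_visibility_v280(original, default_privacy, requested = nil)
  requested || default_privacy
end

# Clamped behaviour: a boost may be stricter than the original status
# (privately boosting a public status), but never wider than it.
def boost_visibility_fixed(original, default_privacy, requested = nil)
  chosen = requested || default_privacy
  [chosen, original.visibility].each do |v|
    raise ArgumentError, "unknown visibility: #{v.inspect}" unless VISIBILITY_RANK.key?(v)
  end
  VISIBILITY_RANK[chosen] < VISIBILITY_RANK[original.visibility] ? original.visibility : chosen
end

# Audit helper: boosts whose audience is wider than that of the status they
# boost. These are the ones the fix does not retroactively make unreachable.
def widened_boosts(boosts)
  boosts.select do |b|
    VISIBILITY_RANK.fetch(b.visibility) < VISIBILITY_RANK.fetch(b.original.visibility)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample data.
  secret = Status.new(1, 'private')
  open   = Status.new(2, 'public')
  puts boost_visibility_v280(secret, 'public')          # widened boost
  puts boost_visibility_fixed(secret, 'public')         # clamped to the original
  puts boost_visibility_fixed(open, 'public', 'private') # private boost of a public status
  history = [Boost.new(10, 'public', secret), Boost.new(11, 'private', secret)]
  puts widened_boosts(history).map(&:id).inspect
end
```
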

Mastodon/glitch-soc privacy issue PSA 

@Thib woooow

re: Mastodon/glitch-soc privacy issue PSA 

@Thib is it just me, or was the change not even mentioned in the 2.8.0 changelog? -.-
It kind of sucks in any case, I've had lots of stuff leak because of it...

re: Mastodon/glitch-soc privacy issue PSA 

@Thib This is very worrying :/

Mastodon/glitch-soc privacy issue PSA 

@Thib
feels like there should have been a tiered boost permission system

you can boost with a privacy setting lower, but privacy settings higher are not allowed (because why would a person toot an unlisted toot and then be okay with someone publicly tooting it)

re: Mastodon/glitch-soc privacy issue PSA 

@calm the issue is about boosting your own toots, there is no permission involved here.

I don't know how much a tiered boost permission system would make sense.

A wider idea of flexible permission systems is being investigated though, even if it's not quite there yet.
