Ech
I do not save memes often, but this one cracked me up. That’s goin’ in the archive.
Was working retail in an area that had a local bag ordinance that required businesses to charge customers for bags. A man came up to the register and when I asked him if he wanted a bag for a few cents extra, he looked at me like I was crazy and was like, “You charge for bags?” I explained that it was required by the government and he just kinda scoffed. I thought that was it, but as he opened his wallet to pay, he flashed what turned out to be a police badge at me from another city some ways away, gave me a look, and said something along the lines of “I think I know what the law is.” I just finished up the transaction and got him going asap, blown away at the insecurity displayed. It was such a bizarre powermove over what was only a few cents extra for something completely optional.
That’s a vivid metaphor.
Instances running 18.2 should be fine, and as far as I understand it (with no dev qualifications to speak of, fwiw), these exploits only affected the local instance - they weren’t permeating through other instances viewing the exploits through Activitypub. That’s all to say, as long as your instance is running 18.2 or higher (the 18.2-rc’s should have in progress patches, as well), I believe you should be fine.
This is (most likely) a case of poor or absent instance administration, and it looks like it’s being managed well enough, but I do wonder what recourse there is against bad actors setting up their own instance, populating it with bots, and using them outside the influence of anyone else. For one, how do we tell which instances are just bot havens? Obviously we can make inferences based on active users and speed of growth, but a smart person could minimize those signs to the point of being unnoticeable. And if we can, what do we do with instances that have been identified? There’s defederation, but that would only stop their influence on the instances that defederated. The content would still be open to voting from those instances, and those votes would manifest on instances that haven’t defederated them. It would require a combined effort on behalf of the whole Fediverse to enforce a “ban” on an instance. I can’t really see any way to address these things without running contrary to the decentralized nature of the platform.