Gregory's ServerWe are planning to release new Mastodon security updates for versions 4.1, 4.2 and nightly this Thursday, Jul 04, at 15:00 UTC. It solves multiple security issues, including a major one. We encourage server administrators to plan for a timely upgrade to ensure their Mastodon server is protected.
 83 comments
  @MastodonEngineering Just saying, releasing a major security update on one of the biggest holidays per capita in the world is an interesting play. Edit: As feedback, please make it a policy to check the national holidays list for the top 5 deployed countries before scheduling important work. Don't deploy intoxicated, people! @ZacBelado @MastodonEngineering "One of the biggest holidays per capita." Not "The biggest". :blobcatcoffee: @shanie @MastodonEngineering I can't see that a US holiday is a reason to not release a security update. @ZacBelado I believe in having a holiday be a holiday. Just because maintaining a U.S.-based Mastodon instance (more in the US than anywhere btw) is not a "real job", doesn't mean it isn't an interruption to festivities with that two-day warning. It would be a kindness to check the national holiday chart of the top 5 countries where servers are operated, just saying.  @shanie @ZacBelado It’s an update for a major security flaw. I prefer to get it as soon as it has been tested properly, regardless of other people’s holiday plans. Updating a mastodon instance of moderate size is quite easy and updating a small instance in docker is just a ridiculously simple and quick task. Just set away time for an extended bathroom break with a tablet. @chris @ZacBelado Honestly, if it were urgent, they would have released it immediately as they have in the past. If it's not a known ITW attack, it can wait for a holiday. @shanie @MastodonEngineering @esther All while asking asking a group of volunteers that deserve some downtime to be sure to patch in a timely manner is tone deaf af @shanie @MastodonEngineering Members of U.S. Mastodon servers are about to find out whether their Admins have a life or not.  @benaryorg You missed the "one of the" just before "biggest holidays per capita in the world" but that's okay, I'm sure you see it now. @benaryorg I really don't care, I expect @MastodonEngineering to *also* be paying attention to anything from Chinese New Year to Oktoberfest, even if Oktoberfest doesn't hold a candle to the US's Independence Day. @benaryorg @MastodonEngineering Mostly because patching on Oktoberfest is extremely dangerous.  @shanie @MastodonEngineering if you don't count e.g., china (1.4billion people) or India (1.4 billion people) and their national holidays i guess? @4censord "One of the" includes India too, and China. Sure "if you don't count china" you're correct, but "one of the biggest holidays per capita in the world" still includes China, still includes India. I mean I'm not sure if you were trying to be nitpicky? The grammar holds up. I'm happy to say Oktoberfest is also one of the biggest holidays per capita, and far less people celebrate that. But I don't want a patch on Oktoberfest either, for obvious reasons. @shanie see, my confusion comes from the fact that i'd not have put "Independence Day in the USA" as one of the biggest holidays at all. We could argue that "Independence Day in general" is one of the biggest holidays, but every country seems to have it on different dates. Mostly, on the dates of their revolution. And about Oktoberfest: might be important for many people, but i would not have seen it as "one of the biggest" holidays either. @shanie fair. Though AFAIK all/most of the mastodon core devs are European, so i'd guess it wasn't actually on purpose.  I *think* there are more inhabitants in the world for whom this is an average day than there are for whom this is a holiday... @shanie But does that mean most users? :) The admins need to do the work, but the users are those that are impacted :) For we admins are nothing without our users. @jan My appologies if that's how it was taken, "one of the biggest holidays" simply intended it's a large holiday for many people. But you are correct; I would have simply hoped that Mastodon team would have checked the national holiday list for the top 5 countries before setting the date (United States, France, Germany, Japan, Finland). Maybe the 5th. Or the 3rd. I dunno, man, I just work here. @jan @shanie @billbennett that's a pretty safe bet if it's not a holiday in China and India.   @MastodonEngineering Don't expect a timely response in the United States. Much of the country will be off work and celebrating the Fourth of July.  @fennek @chockenberry The end of an era. Might want to celebrate with us, the next cycle might not be so hot. :blobCat_bounce: @fullStackRacc prepare the raccstack :raccoon_blob_peek: https://mastodon.social/@MastodonEngineering/112717731749830186 @MastodonEngineering "we want you to set aside time to do this major security update ASAP, which is why we're releasing it on the FOURTH OF GODDAMN JULY" @vantablack @MastodonEngineering I do understand that this is inconvenient and that it can be considered bad planning. Yet I would never get angry about a company not taking into account the national holidays of my country or expect that anyone even knows them. @chris @vantablack I mean the only thing exceptional here is that it's the #1 country as far as Mastodon server deployments are concerned, so I feel keeping the top 5 countries and their holiday schedules in mind is only beneficial. In reality, deploying on one of the largest holidays for their #1 deployed country, where most of the instances may not get the patch until the 5th and it's an open source project - is that not also dangerous? People do have lives outside their instance. @MastodonEngineering While I realize the U.S. isn't the entire world, the decision to release this information and update on a major U.S. holiday when many administrators may not be in a position to act promptly seems somewhat problematic.  @lauren @MastodonEngineering I suspect they think Mastodon is mostly run by amateurs, who have more time for admin on a bank holiday than on a workday? Either that, or they're German and forgot about UK General Election day (sorry). @cstross @MastodonEngineering There are amateurs with families who like, go out all day and do stuff on July 4. Please inform the Germans. Thank you.  @MastodonEngineering @jon You may want to bump that by a few days. 7/4 is a big American holiday.  @MastodonEngineering  @SmashToday@discuss.smash.today @MastodonEngineering@mastodon.social would you prefer to just wait around for someone malicious to get on it :neofox: @MastodonEngineering wow, way to intentionally fuck over all of your US-based admins. Uncool timing here. @MastodonEngineering @gutocarvalho apesar de eu imaginar que vc já esteja ligado nisso aí, tô marcando só pelo caso de vc não tiver visto @MastodonEngineering Reverse engineered exploits hitting on (US) Independence Day feels pretty on brand actually :eyeroll: @MastodonEngineering as long as the security issues lets me upload a virus to mastodon servers wirelessly using a PowerBook 5300, then it's perfectly on brand for independence day, and I don't know what the Americans are complaining about.   @smeg @MastodonEngineering And here I was just thinking, oh, July 4 is the day of the UK general election  @MastodonEngineering  LB 👆🏻 A good blockable collection of self-selected, self-important Americans in the replies, not one of which cares about this release being in the middle of the night for 🌏.  @futzle nobody told me that when I started running public services on a global network that sometimes I might have to deal with things at inconvenient times! I want to speak to the manager. (Have you done the calculation of what that translates to for us?) @MastodonEngineering Smoothly updated to v4.1.18 following to the GitHub release notes – thank you, Mastodon Engineering Team! |
@MastodonEngineering
#MastoAdmin