Mastodon Engineering

We are planning to release new Mastodon security updates for versions 4.1, 4.2 and nightly this Thursday, Jul 04, at 15:00 UTC. It solves multiple security issues, including a major one. We encourage server administrators to plan for a timely upgrade to ensure their Mastodon server is protected.

83 comments
Shanie

@MastodonEngineering Just saying, releasing a major security update on one of the biggest holidays per capita in the world is an interesting play.

Edit: As feedback, please make it a policy to check the national holidays list for the top 5 deployed countries before scheduling important work. Don't deploy intoxicated, people!
#mastoadmin #independenceday

DELETED

@shanie @MastodonEngineering They released an update during Chinese New Year?

Shanie

@ZacBelado @MastodonEngineering

"One of the biggest holidays per capita."

Not "The biggest". :blobcatcoffee:

DELETED

@shanie @MastodonEngineering I can't see that a US holiday is a reason to not release a security update.

Shanie

@ZacBelado I believe in having a holiday be a holiday. Just because maintaining a U.S.-based Mastodon instance (more in the US than anywhere btw) is not a "real job", doesn't mean it isn't an interruption to festivities with that two-day warning.

It would be a kindness to check the national holiday chart of the top 5 countries where servers are operated, just saying.

chris@strafpla.net

@shanie @ZacBelado It’s an update for a major security flaw. I prefer to get it as soon as it has been tested properly, regardless of other people’s holiday plans.
I don’t want to wait to be hacked because someone has to get drunk and can’t be bothered.

Updating a mastodon instance of moderate size is quite easy and updating a small instance in docker is just a ridiculously simple and quick task. Just set away time for an extended bathroom break with a tablet.

Shanie

@chris @ZacBelado Honestly, if it were urgent, they would have released it immediately as they have in the past.

If it's not a known ITW attack, it can wait for a holiday.

Shanie

@Ville "one of the biggest holidays per capita in the world". It's US, but still true.

DELETED

@shanie @MastodonEngineering @esther All while asking a group of volunteers that deserve some downtime to be sure to patch in a timely manner is tone deaf af

Admin Jerry

@shanie @MastodonEngineering Members of U.S. Mastodon servers are about to find out whether their Admins have a life or not.

Katze

@shanie "biggest holidays per capita in the world"

you might wanna fact check that. IIRC 4th of July is only US, right? Anything happening in China or India is a bigger holiday per capita instantly. Like literally any holiday over there.

Edit: also Christmas and New Year's exist

Shanie

@benaryorg You missed the "one of the" just before "biggest holidays per capita in the world" but that's okay, I'm sure you see it now.

Katze

@shanie If you want me to create a list of the biggest holidays per capita and show you just how far the US centric ones are down that list, just ask.

Shanie

@benaryorg I really don't care, I expect @MastodonEngineering to *also* be paying attention to anything from Chinese New Year to Oktoberfest, even if Oktoberfest doesn't hold a candle to the US's Independence Day.

Shanie

@benaryorg @MastodonEngineering Mostly because patching on Oktoberfest is extremely dangerous.

4censord :neocat_flag_pan:

@shanie @MastodonEngineering if you don't count e.g., china (1.4 billion people) or India (1.4 billion people) and their national holidays i guess?

Shanie

@4censord "one of the biggest holidays per capita in the world".

Yeah, don't worry, they're counted.

4censord :neocat_flag_pan:

@shanie then i don't seem to get what you mean.
Per capita => per number of people, right?

Earth has about 8.1 Billion people
The US has about 0.4 Billion people
=> Every ~27th person has the fourth of July as the USA Independence Day holiday
India has about 1.4 Billion people
=> Every ~6th person celebrates Indian Independence Day, but theirs is on the 15 of August

What am i missing?

Shanie

@4censord "One of the" includes India too, and China. Sure "if you don't count china" you're correct, but "one of the biggest holidays per capita in the world" still includes China, still includes India.

I mean I'm not sure if you were trying to be nitpicky? The grammar holds up.

I'm happy to say Oktoberfest is also one of the biggest holidays per capita, and far less people celebrate that. But I don't want a patch on Oktoberfest either, for obvious reasons.

4censord :neocat_flag_pan:

@shanie see, my confusion comes from the fact that i'd not have put "Independence Day in the USA" as one of the biggest holidays at all. We could argue that "Independence Day in general" is one of the biggest holidays, but every country seems to have it on different dates. Mostly, on the dates of their revolution.

And about Oktoberfest: might be important for many people, but i would not have seen it as "one of the biggest" holidays either.

Shanie

@4censord Got it, that's understandable. Perhaps "One of the biggest holidays in the country that holds the most Mastodon instances" might have worked out better.

4censord :neocat_flag_pan:

@shanie fair. Though AFAIK all/most of the mastodon core devs are European, so i'd guess it wasn't actually on purpose.
Also, it seems that they commonly release on a Thursday, so i'd say coincidence

Shanie

@4censord That would make a lot of sense. Maybe I'll change my OP to make it feedback: to check holidays and adjust their policy to check for holidays in the top 5 deployed countries!

Jan ☕🎼🎹☁️🏋️‍♂️

@shanie

I *think* there are more inhabitants in the world for whom this is an average day than there are for whom this is a holiday...

Shanie

@jan Perhaps, but the US holds the #1 spot for most Mastodon instances, so that'd be my backup statement. :comfypopcorn:

Jan ☕🎼🎹☁️🏋️‍♂️

@shanie But does that mean most users? :)

The admins need to do the work, but the users are those that are impacted :) For we admins are nothing without our users.

Shanie

@jan My apologies if that's how it was taken, "one of the biggest holidays" simply intended it's a large holiday for many people.

But you are correct; I would have simply hoped that Mastodon team would have checked the national holiday list for the top 5 countries before setting the date (United States, France, Germany, Japan, Finland). Maybe the 5th. Or the 3rd. I dunno, man, I just work here.

Jan ☕🎼🎹☁️🏋️‍♂️

@shanie Yeah, i'm just being an ass. Sorry about that ;)

Tired and all :)

Shanie

@jan No worries, I just edited my OP to include that feedback. Thank you and the others for healthy conversation!

Leonardo Uieda

@jan @shanie @billbennett that's a pretty safe bet if it's not a holiday in China and India.

james

@shanie @MastodonEngineering

It also happens to be the day of the UK General Election 😬

Shanie

@james Typical UK, stealing all the US holidays! :sheeproll:

Craig Hockenberry

@MastodonEngineering Don't expect a timely response in the United States. Much of the country will be off work and celebrating the Fourth of July.

Shanie

@fennek @chockenberry The end of an era. Might want to celebrate with us, the next cycle might not be so hot. :blobCat_bounce:

:FediPact: vanta, the fedipact girl :FediPact:

@MastodonEngineering "we want you to set aside time to do this major security update ASAP, which is why we're releasing it on the FOURTH OF GODDAMN JULY"

chris@strafpla.net

@vantablack @MastodonEngineering I do understand that this is inconvenient and that it can be considered bad planning. Yet I would never get angry about a company not taking into account the national holidays of my country or expect that anyone even knows them.
#Exceptionalism is strange

Shanie

@chris @vantablack I mean the only thing exceptional here is that it's the #1 country as far as Mastodon server deployments are concerned, so I feel keeping the top 5 countries and their holiday schedules in mind is only beneficial.

In reality, deploying on one of the largest holidays for their #1 deployed country, where most of the instances may not get the patch until the 5th and it's an open source project - is that not also dangerous?

People do have lives outside their instance.

Lauren Weinstein

@MastodonEngineering While I realize the U.S. isn't the entire world, the decision to release this information and update on a major U.S. holiday when many administrators may not be in a position to act promptly seems somewhat problematic.

Charlie Stross

@lauren @MastodonEngineering I suspect they think Mastodon is mostly run by amateurs, who have more time for admin on a bank holiday than on a workday? Either that, or they're German and forgot about UK General Election day (sorry).

Lauren Weinstein

@cstross @MastodonEngineering There are amateurs with families who like, go out all day and do stuff on July 4. Please inform the Germans. Thank you.

indigo
You did a great job providing a security patch as soon as possible. I don’t get it that you guys get now issues. Why the hell should someone artificially delay a release of a critical security patch at all? I would always prefer having a patch available as soon as possible vs. keep people unnecessarily vulnerable. Not deciding to install a patch because of ${reason} should be up to the operator and this shouldn’t be the problem of the people working their asses off providing good software. Keep up the great work.
Aaron :apple_inc: :isles:

@MastodonEngineering @jon You may want to bump that by a few days. 7/4 is a big American holiday.

Smash Today

@MastodonEngineering
Yes, I'm sure your american server admins don't have any family obligations at that time.

peter hessler @openbsd

@MastodonEngineering wow, way to intentionally fuck over all of your US-based admins. Uncool timing here.

Inácio Medeiros

@MastodonEngineering @gutocarvalho although I imagine you're already aware of this, I'm tagging you just in case you haven't seen it

Laura Lis Scott

@MastodonEngineering Reverse engineered exploits hitting on (US) Independence Day feels pretty on brand actually :eyeroll:

Edd

@MastodonEngineering as long as the security issues lets me upload a virus to mastodon servers wirelessly using a PowerBook 5300, then it's perfectly on brand for independence day, and I don't know what the Americans are complaining about.

Alex Conner

... @MastodonEngineering kind of a crappy day to do a critical release...

smeg

@MastodonEngineering

I'm convinced security patches are always timed to coincide with US holidays

soaproot

@smeg @MastodonEngineering And here I was just thinking, oh, July 4 is the day of the UK general election

nichu42

@MastodonEngineering
Bad timing. That may be the last time that the U.S. can celebrate being a united and free country.

Deborah Pickett

LB 👆🏻 A good blockable collection of self-selected, self-important Americans in the replies, not one of which cares about this release being in the middle of the night for 🌏.

Peter

@futzle Wow, so many people so excited to double down on being jerks.

Mike, First of His Name

@futzle nobody told me that when I started running public services on a global network that sometimes I might have to deal with things at inconvenient times! I want to speak to the manager.

(Have you done the calculation of what that translates to for us?)

seekraft

@MastodonEngineering Smoothly updated to v4.1.18 following the GitHub release notes – thank you, Mastodon Engineering Team!

github.com/mastodon/mastodon/r
