hollo

<p>A couple days ago, I got a DM from a <a href="/tags/bonfire/" rel="tag">#Bonfire</a> user. I happily replied and senta follow request—but the Accept never came back, even though they hadn&#x27;tenabled manuallyApprovesFollowers. My DM reply probably never arrived either. Classic interop bug.</p><p>I checked out the Bonfire source and dug in. Turns out Bonfire hasn&#x27;t implemented <a href="https://www.rfc-editor.org/rfc/rfc9421" rel="nofollow">RFC 9421</a> yet, so it was silently discarding any activity signed with it. That alone would be workable, except for one more issue: Bonfire was responding 200 OK even when signature verification failed, instead of 401 Unauthorized.</p><p>This matters because <a href="https://fedify.dev/manual/send#double-knocking-http-signatures" rel="nofollow">Fedify implements</a> a <a href="https://swicg.github.io/activitypub-http-signature/#how-to-upgrade-supported-versions" rel="nofollow">double-knocking mechanism</a>—if a request signed with RFC 9421 fails, it retries with the older draft cavage signature. But since Bonfire returned 200 OK on the failed first knock, <a href="/tags/fedify/" rel="tag">#Fedify</a> had no reason to send a second one.</p><p>I filed two issues on the Bonfire <a href="/tags/activitypub/" rel="tag">#ActivityPub</a> repo—one requesting <a href="https://github.com/bonfire-networks/activity_pub/issues/7" rel="nofollow">RFC 9421 support</a>, and one about <a href="https://github.com/bonfire-networks/activity_pub/issues/8" rel="nofollow">returning 401 on invalid signatures</a>. For the latter, I also sent a PR, which got merged pretty quickly: <a href="https://github.com/bonfire-networks/activity_pub/pull/9" rel="nofollow">bonfire-networks/activity_pub#9</a>.</p><p>That said, individual Bonfire instances won&#x27;t pick up the fix until they actually deploy it. So in the meantime, I patched <a href="https://github.com/fedify-dev/hollo/commit/a883fd1b2158463b1ceb7894e2084d598bfaabc4" rel="nofollow">Hollo</a> and <a href="https://github.com/hackers-pub/hackerspub/commit/02de643c709984b016bc92c4a18c1c284a59c49a" rel="nofollow">Hackers&#x27; Pub</a> to use draft-cavage-http-signatures-12 as the <a href="https://fedify.dev/manual/federation#firstknock" rel="nofollow">firstKnock</a>, so Bonfire instances can at least understand the first request.</p><p>One last thing: Fedify caches whether a given server supports RFC 9421, and the Bonfire servers I&#x27;d already talked to were cached as “supports RFC 9421”—because they&#x27;d been returning 200 OK. I had to manually clear that cache on both hollo.social and hackers.pub before everything finally worked.</p><p>After all that, the mutual follow went through and my DM reply landed. Worth it.</p><p><a href="/tags/fedidev/" rel="tag">#fedidev</a> <a href="/tags/fediverse/" rel="tag">#fediverse</a> <a href="/tags/hollo/" rel="tag">#Hollo</a> <a href="/tags/hackerspub/" rel="tag">#HackersPub</a></p>

<p>New compatibility table at funfedi.dev: JSON-LD @context</p><p><a href="https://funfedi.dev/support_tables/generated/context/" rel="nofollow" class="ellipsis" title="funfedi.dev/support_tables/generated/context/"><span class="invisible">https://</span><span class="ellipsis">funfedi.dev/support_tables/gen</span><span class="invisible">erated/context/</span></a></p><p>6 out of 9 implementations accept any @context value. But Mastodon, Hollo and Friendica reject activity entirely if <a href="https://www.w3.org/ns/activitystreams" rel="nofollow"><span class="invisible">https://</span>www.w3.org/ns/activitystreams</a> is not included in @context. Mastodon probably does this for no reason, but what about <a href="/tags/friendica/" rel="tag">#Friendica</a> and <a href="/tags/hollo/" rel="tag">#Hollo</a>?</p><p><a href="/tags/activitypub/" rel="tag">#ActivityPub</a> specification, section <a href="https://www.w3.org/TR/activitypub/#obj" rel="nofollow">3. Objects</a>:</p><p><p>Implementers SHOULD include the ActivityPub context in their object definitions. Implementers MAY include additional context as appropriate.</p></p><p>ActivityPub context is recommended, but not required.</p>

<p>Security Update: Hollo 0.6.19 Released</p><p>We have released Hollo 0.6.19 to address a security vulnerability in Fedify&#x27;s HTML parsing code.</p><p>This vulnerability (CVE-2025-68475) is a ReDoS (Regular Expression Denial of Service) issue that could allow an attacker to cause service unavailability by sending specially crafted HTML responses during federation operations. The malicious payload is small (approximately 170 bytes) but can block the Node.js event loop for extended periods.</p><p>We strongly recommend all Hollo operators upgrade to version 0.6.19 immediately.</p>FieldDetailsCVE<a href="https://github.com/fedify-dev/fedify/security/advisories/GHSA-rchf-xwx2-hm93" rel="nofollow">CVE-2025-68475</a>SeverityHigh (CVSS 7.5)ActionUpgrade to Hollo 0.6.19<p><a href="/tags/hollo/" rel="tag">#Hollo</a> <a href="/tags/security/" rel="tag">#Security</a> <a href="/tags/fediverse/" rel="tag">#Fediverse</a> <a href="/tags/activitypub/" rel="tag">#ActivityPub</a></p>

<p>Hi <a href="/tags/fediverse/" rel="tag">#fediverse</a> and <a href="/tags/activitypub/" rel="tag">#ActivityPub</a> developers!</p><p>I&#x27;m currently working on interoperability testing for <a href="/tags/hollo/" rel="tag">#Hollo</a> and <a href="/tags/fedify/" rel="tag">#Fedify</a>, and I need a <a href="/tags/bonfire/" rel="tag">#Bonfire</a> account to test federation with their implementation.</p><p>Since there aren&#x27;t many open public Bonfire instances available, I was wondering if any Bonfire instance admins out there would be willing to grant me a test account? It would be a huge help for improving interop! Let me know if you can help. Thanks!</p><p><a href="/tags/fedidev/" rel="tag">#fedidev</a> <a href="/tags/bonfirenetworks/" rel="tag">#BonfireNetworks</a></p>