Technical Discussion

Your Home Feed is the inbox of an ActivityPub actor — in particular YOUR ActivityPub actor.

there is currently a #Piefed Hackathon going on if anyone is interested in partaking. There are groups working on spanish, german, french and japanese translations, and a bunch of other things.

I have deeply mixed feelings about #ActivityPub’s adoption of JSON-LD, as someone who’s spent way too long dealing with it while building #Fedify.

I dream of being able to store my online social presence, identity, and history just as — an (organized) set of static files.

On stage now, @django — arguing for widespread adoption of ActivityPub client-server (C2S) protocol.

Just learned from @quillmatiq that @msonnberger is working on #FediSky, a new project "that adds an #ActivityPub instance sidecar to a PDS"

After months of struggling with the “zombie post” issue on Hackers’ Pub—where deleted posts wouldn’t disappear from remote servers—I had a sudden hypothesis today. As I dug into it, I realized it’s a structural issue with Fedify’s MessageQueue system: Create(Note) and Delete(Note) activities can be delivered out of order, causing remote instances to receive Delete(Note) before Create(Note).

Cryptographic public-keys are one way that one can have an identity (on the Fediverse, and elsewhere) while also having privacy — through a pseudonymous identity.

While working on #Fedify, I noticed something about how #Misskey handles #ActivityPub object access. When a remote server requests a followers-only post or DM with a valid HTTP Signatures (draft-cavage) from an authorized actor, Misskey still returns 404 instead of the content. It seems Misskey only checks the visibility field (public/home) without verifying the signature at all.

Hi @mayel@sunbeam.city, does Bonfire utilise the sharedInbox value?

@elaine is building a new #fediverse server called #EchoCrateap.elaine.is/users/elaine/stat#ActivityPub #fedidev

@silverpill@mitra.social (and others) reference this line from the spec re: delivery:

Hi @pfefferle@mastodon.social, I was trying to figure out something else (which I’ll ask in a separate topic), and then went down a rabbit-hole when I discovered I could no longer find @notiz.blog (:point_left: see, no link!)

I’ve seen hints of backfill working really well, but hadn’t seen good examples until recently. As more and more instances upgrade to the newer versions of Mastodon that support context, backfill from Mastodon instances will improve across the board.

Threaded applications often have the need to move and remove content between groups/communities for curation purposes (i.e. resolving miscategorization, spam, etc.)

[Fedify] is a #TypeScript framework for building #ActivityPub servers that participate in the #fediverse. It reduces the complexity and boilerplate typically required for ActivityPub implementation while providing comprehensive federation capabilities.

According to @tchambers@indieweb.social’s *My 2026 Open Social Web Predictions*:

Found this helpful resource by Ben Boyter (@boyter@honk.boyter.org): a collection of sequence diagrams explaining how #ActivityPub/#WebFinger works in practice—covering post creation, follows, boosts, deletions, and user migration.

A ReDoS (Regular Expression Denial of Service) vulnerability has been discovered in Fedify’s HTML parsing code. This vulnerability could allow a malicious federated server to cause denial of service by sending specially crafted HTML responses.

For context:

A while back I mentioned the idea of “Fedify Studio”—a web-based toolkit for #ActivityPub debugging and development. I’ve been quietly working on shaping that idea into something more concrete.

Hey pfefferle@mastodon.social nutomic@lemmy.ml, I’m looking to integrate support for postingRestrictedToMods

NodeBB federates out the Announce activity in two ways.