So this guy is now S3. All of S3

>>aendru+(OP)
Solution is also on the works like use /.well-known/, so this is more like funny, rather than a big problem.

Key to trick was to have bucket named "xrpc" and store a file there: https://s3.amazonaws.com/xrpc/com.atproto.identity.resolveHa...

There is also another funny thing in the image, the user posting about is sending one from "retr0-id.translate.goog", which is odd. Somehow he has got https://retr0-id.translate.goog/xrpc/com.atproto.identity.re... to redirect to his page, and gotten that handle as well.

>>Cianti+u2
Eh, it’s worse than just funny; it’s concerning, because they should have known about and easily avoided this kind of vulnerability, it’s standard stuff you have to think about. So what else have they missed?

>>chrism+F7
This is a private beta. Nobody is suggesting that any of this be used for anything serious just yet. Development happens out in the open, you can go find out what else they've missed by doing the work, or by waiting until others you trust have done so.

I myself have had an account for like a month now, but only started really using it a week ago, because that calculus changed for me, personally.

Like, it's not even possible to truly delete posts at the moment. This all needs to be treated as a playground until things mature.

This isn't even the first "scandal" related to this feature already!!!! There is another hole in what currently exists that allowed someone to temporarily impersonate a Japanese magazine a few weeks back.

>>stevek+c8
Okay, yes, but this indicates that they didn't read the ActivityPub before developing their own new shiny protocol.

>>YtvwlD+a9
I don't personally believe that one mistake indicates ignorance of an entire topic.

>>stevek+t9
In general - no, but this kind of fundamental mistake might.

>>seba_d+Ka
I hope I never work on software you folks use. The grand claims about something that is not even hard to fix is just wild to me.

>>stevek+Yb
What about the next 500 easy-to-fix bugs?

Is there a public test suite?

>>gowld+Pe
> Is there a public test suite?

The entire specification (which is admittedly incomplete) and implementation are open source.

I am not aware of a dedicated test suite for alternative implementations. It's too early, IMHO. I personally would much prefer the team to focus their time elsewhere for the time being.

>>stevek+sh
My instincts may be way off-base, but if I was developing a protocol at the core of my product vision, even if there was only one implementation, I would a want an authoritative test suite. I wouldn't trust myself not to integrate load-bearing idiosyncrasies (and bugs, honestly) otherwise.

>>Shroud+xt
I mean, I don't think you're incorrect, but I do think that like, semantics matters here. There is a test suite, of their implementation. Just because they have not extracted it and made it easily re-usable for alternative doesn't mean that they don't have checks to ensure regressions don't appear, you know?

They already build off of many related specifications, which have independent implementations, and a lot of the core protocol is RPC style, with schemas that they do publish. So there's already a lot of rigidity here for alternative implementations to use in a way that is extremely likely to be compliant.

I guess another way of putting it is "I don't exactly disagree with you but doing that takes work, and we're at the stage of this stuff where that work is being done, so expecting it right now feels premature to me." The spec isn't "released" or "done," it's in development.

zlacker