My recent experience with GitHub regarding a security issue was not very positive either.[1] It turned out, unlike two vendors I notified that were affected, they just didn't care. And they didn't bother to even tell me that they didn't care.
It's a very edge-case issue in Enterprise SSO, so I wasn't really able to generate any blowback with disclosure either. But if you find an org with just the right setup it blows a huge hole into the SSO product, to the point of making it useless.
There also seems to be an asymmetry between the core product and everything else. GitHub Enterprise has issues that aren't even considered UX issues (i.e. notifications showing "3 of 0" notifications if no SAML session exists) that'd warrant bounties if they were in the core product.
I find these takes so silly. Bug bounties are a rounding error in the companies' budgets, even if they paid out much more freely. There are many I think much more obvious reasons orgs are slow on issues - everything from figuring out what is an issue, trying to chase down impacts and more.
I think it's not a matter of not wanting to pay, but not wanting to have your department's "we had to pay someone to fix your security bugs" metric go up.
That's also likely why issues in the core product are taken more seriously.
I'm sure the amount of stress I've been exposed to from being yelled at by my physician "that I need to change or die young" at my diagnosis is pretty on par with this decreased life expectancy.
Not to mention I now have a general dislike for doctors and avoid them as much as possible, because inevitably everything I'd complain about would be blamed on excess weight or trans broken arm.
Love to see how empathetic doctors affect life expectancy. I'd assume quite a lot.
In their defense, if you're very fat that's probably going to cause most of your issues. Perhaps after a while repeatedly diagnosing things with the same root cause is going to frustrate your doctor as well.
How about a little empathy for them? No need to lose weight, but also no need to bother them with it then. Which is essentially what you're doing, a net win for everyone :)
They call it "trans broken arm syndrome" because this shit includes things that are obviously NOT hormone/obesity related. Things anyone else would get an immediate MRI for.
Exactly the kind of thoughtless answer that presumes I'm just angry about being told the hard truth or something I needed.
Being obese does NOT IN FACT lower your risk of every disease (except apparently heart failure?) that is not caused by obesity. Obese people need doctors for non-obesity related issues too.
I asked you to try to think about it from your doctor's point of view and you just repeated that they're not doing what you want them to do. Yes, they probably made mistakes due to their own emotional state.
Responding to this from an entirely egocentric place is just going to make the problem worse. Why not approach such things with compassion; at least you may get somewhere with this person. It is hard to make diverse friends if you cannot do so.
Failing to treat me is a professional failing with severe adverse effects for me. And it's entirely based on the judgemental assholeness of such doctors. If you can't stop blaming people for their conditions, find another job. I'm not my GPs therapist.
I mean being obese affects so much of your body negatively that it's almost certain that fixing that will fix many of your underlying issues even if they don't appear to be because of obesity.
Well I’m sure once you’ve seen enough type II diabetics with chronic sores on their feet, bone infections, amputations, diabetic retinopathy, it can be hard not to warn people of the consequences of obesity.
Cursing at me and telling me I will literally die in 10 years (I survived the guy by at least 10 years by now) and assuming the shock from that will get lazy me off the couch or something just put me into an extremely anxious state loop that didn't help me whatsoever. I didn't need to be told to eat less, I needed any coping mechanism that wasn't overeating. And I needed coping mechanisms a lot back then, the anxiety just contributed to that. I went through life for almost a decade just accepting my imminent death because I couldn't fix it.
It sounds like you are maybe eating as a stress reaction. I think a therapist might be a better healthcare professional to help you than a GP. They can then also ascertain if you need to be referred to a psychologist so that you can get the proper medication to help with your anxiety related conditions.
The problem is with attribution of the problem to you directly.
People almost universally know that severe obesity is bad for them. You don't need to tell them.
There are many reasons people are obese. For me it was mostly a psychological issue. Doctors need better training in this regard, because telling someone to stop being lazy and eat well will almost never lead them to improvement. Dieting, in the long term, is almost universally a failure. It just doesn't work. It doesn't address the right issues.
Yet, for doctors and those unaffected it seems like such a trivial thing that any deviation seems self-inflicted. They must be doing it willingly. They must be shamed. But it is never that simple.
It is an attitude they constantly carry into conversations with patients. They need to take that attitude and throw it into the trash, because all it does is make the patient feel horrible about the lack of control they have over their condition that they supposedly should have, according to their doctor.
IKR? Like they can't get past that one thing. I think it even blinds them to help you with other things. Like they'll probably miss a cancer diagnosis.
Hah, yeah. I had a big AFH tumor on my hand. "Probably ganglion". Thankfully these things rarely turn into full blown cancer and I got someone to take it seriously (but only after it started necrotizing) before it did.
PhotoDNA, but it requires a suite of lawyers since the material it uses to fingerprint is high res enough to make it identifiable again. Or create false positives.
This is my experience as well. Any tickets related to a11y, PHP code clean up/modernization, or security don't get the love JS-heavy tickets get.
Thumbs up to people such as Sergey who triage issues and brought up some of the tickets. Drupal is sort of following the same way; if it's not related to the latest Drupal version or related to media uploads, editing experience, etc., those issues are lucky to be picked up.
Wil is inside a reality distortion field. Someone got him with a low blow joke and he started reporting everyone from that instance (which was named after another joke of the type, bofa.lol)
Mastodon instances are not public spaces. Users can pick how much they want to engage in political discussions by picking their instance or, if they can, hosting their own. (The second part of the argument is flawed because most people can't just throw up a rails app and maintain it, be it cost or lack of knowledge)
What most people don't get about "bubbles", mostly because it doesn't affect them, is that sometimes, if your mere existence is political, getting some rest from it can be quite hard.
When they tell me I'm living in a bubble because I use an instance with rules and instance blocks, what they want is for the street preacher to be able to chase me down the sidewalk yelling fire and brimstone at me. "I wouldn't personally do that," they insist, "but people should be able to!"
They want to be able to harass people online the way they do offline, and on less advanced social networks. It's as ideological as all the opinions they reject as ideology.
One of the ways instance blocks are used, in practice, is to discourage other instances from enforcing boundaries. For example, one of the biggest and oldest Mastodon instances recently blocked an entire up-and-coming instance because they banned one person who has a trail of allegations that they solicited underage kids for sex. A number of other, smaller instances also block instances that ban another alleged serial rapist.
Does the functionality of blocking just a single user from an instance not exist with Mastodon?
This does bring up an important point however, in that the largest instances that will exist may not be the ones that curate and manage the instance/ecosystem/users on the ecosystem as well or as reasonably, however they create a space (or bubble) of popular reaction - say being only "80%" compassionate vs. fully understanding. For example, what if a convicted rapist has done their prison time? I feel this would have very different responses based on the nation and culture and how much or how little actual rehabilitation and treatment people receive, and whether that society trusts the outcome of the system or not. I believe that keeping "unhealthy" people separate from "healthy" people will prevent them from learning - and of course has the potential to allow the unhealthy to learn further bad behaviours or reinforce ones they already have; this doesn't mean we should design for a free-for-all system like Twitter and Facebook are, to various degrees. It comes down to compassion - which includes not dismissing or forgetting about people, even if they're not people we'd want as our friends or family.
In the case of a user who simply has a "trail" of accusations for unacceptable behaviour, do we foster "guilty until proven innocent" as an acceptable behaviour - blocking that user from society's online interactions - or should we foster more of an "innocent until proven guilty" - while perhaps keeping an eye on people who are accused of certain behaviour? If a little girl accuses her brother of stealing the cookie from the cookie jar, however the boy claims it didn't happen - and there's no proof, it's not fair, to me, to punish either child until there's proof: either the sister took the cookie and is lying, or the brother took the cookie and is lying; you could ban them from the kitchen with the cookie jar, though if they're ever left alone and there's no evidence like video to check back on, then either child could still take another cookie.
I then wonder though, if there become more trusted and larger instances that do put the effort (and cost) into curation and managing the community (the family of society), then smaller instances will and can tap into that network - however then not contributing or covering any of the cost. How does this imbalance balance out, or does it need to, even? Does it become a question as to whether people who want accountability are willing to pay a small amount to pay the costs of such moderation vs. people simply hoping someone else deals with it - a bystander effect?
I wonder if the Mastodon community or founder have any thoughts or beliefs to this? Likewise, what happens if you have a whole bunch of instances where people are in their bubble of communities, perhaps with less critical thinking time spent and more indoctrination, where then propaganda can easily be distributed without any potential to filter it out and protect the whole as easily; of course solid in-person, real-life community and connectedness is the only way to counter this, including developing deep trust with individuals who you trust are thoughtful and such.
I'm still not sold on that decentralized is the safest option, however it perhaps can help counter against bad actors who seek control of systems; in fact it could act as a canary if the powers that be attempt to make decentralized systems illegal - as part of an effort to control (and perhaps censor). However, so long as the community is educated as a whole, and is hyperaware of these characteristics and readies to counter it in full, to hold the line for peace and justice, then we're on the right path. In contrast to decentralization, if we look at Apple's ecosystem, trust and governance and good design, forethought, plays an important role in success - though everyone in that ecosystem is "paying their dues" via profit Apple receives. And contrasting that further to Facebook, whereby they profit off of the manipulative aspect of ads and with practically no vetting or oversight.
this is a huge wall of text and I haven't necessarily read it all because I'm tired (I'll bookmark this I swear) but the case mentioned is a person with repeated persistent confirmed-by-lots-of-people manipulative bad behavior with at least two independent rape accusations on top of that.
If you're building a purely general purpose instance or a free speech themed one it's fine to not block this sort of instance.
It's okay to have this "net split". It's a system of curation. It encourages smaller instances.
Mastodon is also heavily used by minority / LGBT communities that deal with abuse and harassment a lot, often for merely existing. And often a "free speech" instance or worse a "no moderation" instance will attract that sort of person.
While I guess there are arguments for not banning users just because they have a whole bunch of nasty accusations against them, or for requiring high standards of evidence to do so, that wasn't the actual justification from what I can tell. (Indeed, I think arguing that rape accusations shouldn't automatically be believed is probably a bannable offence on all the instances involved.) It's more like they don't think community insiders should be held to the same standards as other people, and reckon any outsiders who do so are so obviously in the wrong as to justify banning the entire instance.
I'm not only thinking about political bubbles here, but linguistic or cultural ones. For example, when I joined a server here, it was federated only with a few other small Japanese servers, resulting in a fairly miserable experience. Another set had multiple languages but was just devoted to art. It's incredibly difficult (or was a year ago) to find servers that are general purpose and federated with both Japanese and English servers.
It's actually kind of interesting that me mentioning bubbles resulted in an immediately political assumption; I guess it shows how out of touch I am with mainstream Twitter.
I think you use "federated with" in a different sense than most people do in these discussions.
A newly created Mastodon instance by default federates with everyone, in that it allows messages and following from and to every other instance.
But its federated timeline has no posts from other instances, because that view only shows posts that the instance actually sees. It only shows what people on the same instance actually follow, because otherwise there is no reason for the posts to be sent to it.
That would explain a lot of things and also clears up a lot of things for me, too! Thank you. I guess a better phrase for what I'm trying to describe is a lack of discoverability, then.
I only know one instance (awoo.space) that does whitelisting instead of blacklisting. Mastodon can't even do it out of the box (although pleroma can).
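The two comments above describe three separate mechanisms that are easy to conflate: the federation policy of an instance (the Mastodon default of federating with everyone except blocked domains, versus the allowlist approach awoo.space is said to use), per-account blocks as opposed to instance-wide blocks, and the rule that a remote post only reaches an instance when someone there follows its author, which is why a fresh instance's federated timeline stays empty. The following toy model is an added illustration written for this thread, not Mastodon or Pleroma code; the instance and account names, the policy strings and the `deliver`/`fanout` functions are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Post:
    author: str   # "user@instance.example" (constructed address format)
    text: str

@dataclass
class Instance:
    domain: str
    # "denylist": federate with everyone except blocked_domains (the default described above)
    # "allowlist": federate only with allowed_domains (the awoo.space style)
    policy: str = "denylist"
    blocked_domains: set = field(default_factory=set)
    allowed_domains: set = field(default_factory=set)
    blocked_accounts: set = field(default_factory=set)   # single-user blocks, not whole instances
    follows: set = field(default_factory=set)            # remote accounts followed by any local user
    federated_timeline: list = field(default_factory=list)

    def accepts_from(self, domain: str) -> bool:
        """Instance-level federation policy."""
        if self.policy == "allowlist":
            return domain in self.allowed_domains
        return domain not in self.blocked_domains

    def deliver(self, post: Post) -> bool:
        """Accept a remote post only if its home instance passes the federation
        policy, the author is not individually blocked, and some local user
        follows the author. Returns True when the post lands on the timeline."""
        domain = post.author.split("@", 1)[1]
        if not self.accepts_from(domain):
            return False
        if post.author in self.blocked_accounts:
            return False
        if post.author not in self.follows:
            # Nobody here follows the author, so there is no reason for the
            # post to be sent to this instance at all.
            return False
        self.federated_timeline.append(post)
        return True

def fanout(post: Post, instances: list) -> dict:
    """Offer a post to every instance other than the author's own and report
    which ones accepted it (a simplified stand-in for outbound delivery)."""
    origin = post.author.split("@", 1)[1]
    return {inst.domain: inst.deliver(post) for inst in instances if inst.domain != origin}

def demo() -> dict:
    """Walk through the situations the thread describes and return the outcomes."""
    fresh = Instance("fresh.example")                               # brand new: federates with everyone
    curated = Instance("curated.example", blocked_domains={"spam.example"})
    strict = Instance("strict.example", policy="allowlist", allowed_domains={"curated.example"})
    alice = Post("alice@curated.example", "constructed sample post")

    # Nobody follows alice yet: the post is accepted nowhere, even on the open instance.
    before = fanout(alice, [fresh, curated, strict])
    fresh.follows.add("alice@curated.example")
    strict.follows.add("alice@curated.example")
    after = fanout(alice, [fresh, curated, strict])

    # A follow cannot override an instance-level block...
    curated.follows.add("eve@spam.example")
    blocked_domain = curated.deliver(Post("eve@spam.example", "constructed"))
    # ...nor a single-account block on an otherwise accepted instance.
    curated.follows.add("bob@fresh.example")
    curated.blocked_accounts.add("bob@fresh.example")
    blocked_account = curated.deliver(Post("bob@fresh.example", "constructed"))
    # An allowlist instance ignores domains it never listed, follow or not.
    strict.follows.add("bob@fresh.example")
    not_allowlisted = strict.deliver(Post("bob@fresh.example", "constructed"))

    return {
        "before_any_follow": before,
        "after_follow": after,
        "blocked_domain": blocked_domain,
        "blocked_account": blocked_account,
        "not_allowlisted": not_allowlisted,
        "fresh_timeline_len": len(fresh.federated_timeline),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of `demo` is the `before_any_follow` result: every instance rejects the post, including the one with no blocks at all, which matches the observation that "federated with everyone" and "sees everyone's posts" are different properties. The later checks show that follow relationships never bypass either a domain block or a per-account block.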
My instance bans the sort of instance described in the sibling comment to yours, like qoto (who advertised their Mastodon as "free speech twitter"... on twitter ads)
I run deadinsi.de. I wrote some kubernetes definitions and they work, but in the end there was too much overhead, uncertainty about storage stability and cost to keep it running on k8s.
It includes a storage provider I wouldn't trust all too much yet and the docs are sparse, but you should be able to get it running if you know Kubernetes.
[1]: https://notes.acuteaura.net/posts/github-enterprise-security...