Following on from today's earlier PR to @hollo, I've gone ahead and implemented PKCE for OAuth in Hollo
So now they too can have more security for OAuth authorization code grant flows.
(Also added a tonne of extra test coverage)
:hollo: A federated single-user microblogging software.
So I was getting really misleading code coverage results from c8 / tsx in the tests for @hollo, so after some discussion, we decided to migrate to vitest, and now we have accurate code coverage output!
But my gosh that was a sizeable chunk of work!
Just ended up implementing much greater test coverage for @hollo as well as access token revocation: https://github.com/fedify-dev/hollo/pull/147
Sometimes I end up doing more than expected in pull requests 🙃
The talk about Hollo and Fedify was interesting.
In Search of Our Code – Act 2: Exploring Fedify & Hollo with Minhee https://youtu.be/sqxR8zscSDo?si=nQRxPyV7kjplqy01
Hollo is one of the coolest self-hosting options for federated microblogging. If I was self-hosting, I’d be spoiled for choice.
Mastodon is all fun and games until you realise it can become a very heavy and hungry piece of software.
If you're thinking about spinning your own fediverse instance, take a look at GoToSocial, Hollo or Snac.
GoToSocial, for example, is a very secure, privacy-minded alternative and can run without complications on a very cheap VPS with only 512 MB of RAM and a database file (SQLite).
If you're wondering why I'm doing tonnes of OAuth implementation work in @hollo, it's because it allows me to more quickly ship prototypes of things like:
- Client ID Metadata Documents
- Expiring Access Tokens & Refresh Tokens
- Public Clients
Both of those are planned for Mastodon, but I'm still waiting on funding & needing to make upstream dependency changes or write entirely new dependencies.
By implementing in Hollo, I can get these features in the hands of downstream client developers like @cheeaun to have them test out and prepare for supporting these features. (They're all discoverable via OAuth Authorization Server Metadata)
Like does a Mastodon API-like server support these things? Check the OAuth Authorization Server Metadata for client_id_metadata_documents_supported (or something) and check if grant_types_supported has refresh_grant and scopes has offline_access, or something like that.
And then that tells you how to interact with that Mastodon API-like server, e.g., do you need to dynamically register a client (current) or can you use Client ID Metadata Documents (future)
Getting these things into Mastodon can take significantly longer because of complex dependencies and extensive test coverage and other interesting issues. And then longer into developers hands due to release cadence & ease of development deployments
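An added example of the discovery step the post sketches, written for this page rather than taken from Hollo or Mastodon: parse an OAuth Authorization Server Metadata document (RFC 8414, served at `/.well-known/oauth-authorization-server`), check the issuer, and turn the advertised capabilities into a client plan. The grant type identifier is `refresh_token` (RFC 6749 §6), which is what the post's "refresh_grant" refers to. `client_id_metadata_documents_supported` is the field name the post guesses at and is treated as an assumption here, as is gating refresh tokens on an `offline_access` scope; the two metadata documents and the `hollo.example` host are constructed.

```typescript
// Added example (not Hollo's or Mastodon's code): client planning from RFC 8414 metadata.
interface AuthorizationServerMetadata {
  issuer: string;
  authorization_endpoint: string;
  token_endpoint: string;
  registration_endpoint?: string;
  revocation_endpoint?: string;
  grant_types_supported?: string[];
  scopes_supported?: string[];
  code_challenge_methods_supported?: string[];
  token_endpoint_auth_methods_supported?: string[];
  // Assumed field name (the post says "or something"); not defined by RFC 8414 itself.
  client_id_metadata_documents_supported?: boolean;
}

interface ClientPlan {
  registration: "client_id_metadata_document" | "dynamic_registration" | "unsupported";
  pkce: "S256" | "none";
  refreshTokens: boolean;
  canRevoke: boolean;
  clientAuth: "client_secret_basic" | "client_secret_post" | "none" | "unsupported";
}

function parseMetadata(json: string, expectedIssuer: string): AuthorizationServerMetadata {
  const md = JSON.parse(json) as Partial<AuthorizationServerMetadata>;
  for (const key of ["issuer", "authorization_endpoint", "token_endpoint"] as const) {
    if (typeof md[key] !== "string") throw new Error(`metadata missing ${key}`);
  }
  // RFC 8414 §3.3: the issuer in the document must equal the one the client resolved the
  // document for; otherwise a redirect or proxy could hand us another server's endpoints.
  if (md.issuer !== expectedIssuer) throw new Error("issuer mismatch");
  return md as AuthorizationServerMetadata;
}

function planClient(md: AuthorizationServerMetadata): ClientPlan {
  const grants = md.grant_types_supported ?? ["authorization_code", "implicit"]; // RFC 8414 default
  const scopes = md.scopes_supported ?? [];
  const authMethods = md.token_endpoint_auth_methods_supported ?? ["client_secret_basic"]; // RFC 8414 default
  const registration = md.client_id_metadata_documents_supported === true
    ? "client_id_metadata_document"
    : md.registration_endpoint !== undefined ? "dynamic_registration" : "unsupported";
  const clientAuth = authMethods.includes("client_secret_basic") ? "client_secret_basic"
    : authMethods.includes("client_secret_post") ? "client_secret_post"
    : authMethods.includes("none") ? "none" : "unsupported";
  return {
    registration,
    pkce: (md.code_challenge_methods_supported ?? []).includes("S256") ? "S256" : "none",
    // Assumption of this example: refresh tokens need both the grant type and the offline_access scope.
    refreshTokens: grants.includes("refresh_token") && scopes.includes("offline_access"),
    canRevoke: md.revocation_endpoint !== undefined,
    clientAuth,
  };
}

// Constructed metadata for a "current" server: dynamic registration, no refresh tokens.
const CURRENT_SERVER = parseMetadata(JSON.stringify({
  issuer: "https://hollo.example",
  authorization_endpoint: "https://hollo.example/oauth/authorize",
  token_endpoint: "https://hollo.example/oauth/token",
  registration_endpoint: "https://hollo.example/api/v1/apps",
  revocation_endpoint: "https://hollo.example/oauth/revoke",
  grant_types_supported: ["authorization_code", "client_credentials"],
  scopes_supported: ["read", "write", "follow"],
  code_challenge_methods_supported: ["S256"],
  token_endpoint_auth_methods_supported: ["client_secret_post"],
}), "https://hollo.example");

// Constructed metadata for a "future" server with the features the post lists.
const FUTURE_SERVER: AuthorizationServerMetadata = {
  ...CURRENT_SERVER,
  grant_types_supported: ["authorization_code", "refresh_token", "client_credentials"],
  scopes_supported: ["read", "write", "follow", "offline_access"],
  token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post", "none"],
  client_id_metadata_documents_supported: true,
};
```

A client built this way needs no per-server configuration: it reads the plan and either registers dynamically or presents its Client ID Metadata Document URL, and it only asks for `offline_access` when the server says refresh tokens are on offer.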
In between working on FIRES yesterday, I also finished up a rather substantial contribution to @hollo that I'd been working on.
https://github.com/fedify-dev/hollo/pull/130
It's an OAuth thing, which to end users shouldn't really change anything, but internally it helps pave the way for supporting PKCE and Device Code Authorization Grant Flow, the first shipped in Mastodon 4.3, the second I want to land in a future version of Mastodon (it's a low priority on the oauth roadmap but just because of a dependency issue)
This also increases the test coverage of Hollo too, which is neat.
Admittedly we're able to take some shortcuts in Hollo, like only supporting Bearer tokens and not the access_token query parameter, because the latter really shouldn't be used.
We do currently only support client_secret_post as a client authentication mechanism, not client_secret_basic and none, so those need to be added too, to be more compatible.
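An added example covering the two points in the post above, not code from Hollo: a token endpoint that accepts `client_secret_basic` (RFC 6749 §2.3.1) as well as `client_secret_post`, refuses requests that mix them, falls through to `none` for public clients, and a resource-side helper that reads a Bearer token only from the `Authorization` header (RFC 6750 §2.1) and never from an `access_token` query parameter. The `IncomingRequest` shape and the sample credentials are constructed for this example.

```typescript
// Added example (not Hollo's code): client authentication and Bearer extraction.
interface IncomingRequest {
  headers: Record<string, string>; // header names already lower-cased (constructed shape)
  query: Record<string, string>;   // parsed query string
  form: Record<string, string>;    // parsed application/x-www-form-urlencoded body
}

type ClientAuth =
  | { method: "client_secret_basic" | "client_secret_post"; clientId: string; clientSecret: string }
  | { method: "none"; clientId: string }
  | { method: "error"; error: "invalid_client" | "invalid_request"; reason: string };

function parseClientAuthentication(req: IncomingRequest): ClientAuth {
  const authz = req.headers["authorization"];
  const hasPostSecret = req.form["client_secret"] !== undefined;
  if (authz !== undefined && /^basic\s/i.test(authz)) {
    // RFC 6749 §2.3: a client MUST NOT use more than one authentication method per request.
    if (hasPostSecret) {
      return { method: "error", error: "invalid_request", reason: "both Basic and client_secret present" };
    }
    const decoded = Buffer.from(authz.slice(6).trim(), "base64").toString("utf8");
    const colon = decoded.indexOf(":");
    if (colon < 0) return { method: "error", error: "invalid_client", reason: "Basic credentials lack ':'" };
    try {
      // RFC 6749 §2.3.1: client_id and client_secret are form-urlencoded before Basic encoding.
      return {
        method: "client_secret_basic",
        clientId: decodeURIComponent(decoded.slice(0, colon)),
        clientSecret: decodeURIComponent(decoded.slice(colon + 1)),
      };
    } catch {
      return { method: "error", error: "invalid_client", reason: "Basic credentials not form-urlencoded" };
    }
  }
  const clientId = req.form["client_id"];
  if (clientId === undefined || clientId === "") {
    return { method: "error", error: "invalid_client", reason: "client_id missing" };
  }
  if (hasPostSecret) return { method: "client_secret_post", clientId, clientSecret: req.form["client_secret"] };
  // Public client: the caller must still confirm this client_id was registered without a secret.
  return { method: "none", clientId };
}

// Bearer token from the Authorization header only (RFC 6750 §2.1 b64token syntax).
// req.query["access_token"] is deliberately never consulted: a token in the URL ends up in
// access logs, Referer headers and browser history, which is why the post says it
// "really shouldn't be used".
function extractBearerToken(req: IncomingRequest): string | null {
  const authz = req.headers["authorization"];
  if (authz === undefined) return null;
  const m = /^Bearer\s+([A-Za-z0-9\-._~+/]+=*)$/i.exec(authz);
  return m === null ? null : m[1];
}
```

Whichever method authenticated the client, the secret comparison that follows should be constant-time, and a `none` result must be cross-checked against the client's registration so a confidential client cannot quietly downgrade itself to public.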
I wrote a blog post.
I started using Hollo, a single-user ActivityPub implementation
We're pleased to announce that #Hollo has been included in the Nivenly Fediverse Security Fund program!
The @nivenly Foundation has launched a security bounty fund to support contributors who identify and help fix #security vulnerabilities in popular #fediverse software. Both Hollo and @fedify are among the selected projects that meet their responsible security disclosure requirements.
This program will run from April–September 2025, with bounties of $250–$500 USD for high and critical security vulnerabilities.
We're honored to be recognized alongside other established fediverse projects like Mastodon, Misskey, and Lemmy. This further encourages our commitment to maintaining strong security practices.
If you're interested in contributing to Hollo's security, please follow our responsible disclosure process outlined in our SECURITY.md file.
Learn more about the program:
https://nivenly.org/blog/2025/04/01/nivenly-fediverse-security-fund/
Hollo and Mitra as seen from a single-user server :: rettuce
rettuce.page/posts/fediverse-hollo-and-mitra/
I wrote a diary entry that I'd been sitting on for about three months.
We just released Hollo 0.5.6, a patch release after a month, which fixes a minor bug and updates Fedify.
@nakkaa If you create a feature request issue in Hollo's issue tracker, we'll be happy to consider it!
I set up a solo Mastodon (Hollo) on my home server. The End of SNS - Hacker and Manga Artist
https://www.kbaba1001.com/posts/202504152005_the-end-of-sns/
Pointless fediverse software hosting service
- Fully managed: server maintenance, including upgrades, is free during the subscription period.
- High performance thanks to an architecture that separates the database from the web server.
- Supports Mastodon, Misskey, and Hollo.
- Firewall: we configure Cloudflare Zero Trust for you.
Proceeds go towards Pointless's server costs.
Maybe Hollo or something > single-user instance
https://docs.hollo.social/ja/
While Hackers' Pub is thriving, I quietly prefer @hollo on my own, hehe
I just discovered why some of my followers from larger #Mastodon instances (like mastodon.social) would mysteriously unfollow me after a while!
Turns out Mastodon implements the FEP-8fcf specification (Followers collection synchronization across servers), but it expected all followers to be in a single page collection. When followers were split across multiple pages, it would only see the first page and incorrectly remove all followers from subsequent pages!
This explains so much about the strange behavior I've been seeing with #Hollo and other #Fedify-based servers over the past few months. Some people would follow me from large instances, then mysteriously unfollow later without any action on their part.
Thankfully this fix has been marked for backporting, so it should appear in an upcoming patch release rather than waiting for the next major version. Great news for all of us building on #ActivityPub!
This is why I love open source—we can identify, understand, and fix these kinds of interoperability issues together. 😊
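An added example modelling the bug described above; it is not Mastodon's, Fedify's or Hollo's code. It walks a paged ActivityPub `OrderedCollection` of followers completely (following `first` and `next`), contrasts that with reading only the first page, and shows what a followers-synchronization step that trusts each result would remove. The FEP-8fcf digest header is left out; only the paging and the resulting set difference are modelled. The collection, its two pages, the `hollo.example`/`big.example` hosts and the `PageFetcher` stand-in for HTTP fetching are constructed.

```typescript
// Added example (not Mastodon's or Fedify's code): paged followers collection traversal.
interface OrderedCollectionPage {
  id: string;
  type: "OrderedCollectionPage";
  orderedItems: string[];
  next?: string;
}

interface OrderedCollection {
  id: string;
  type: "OrderedCollection";
  totalItems?: number;
  orderedItems?: string[];                // small collections may inline their items
  first?: string | OrderedCollectionPage; // larger ones point at, or embed, the first page
}

// Offline stand-in for dereferencing a page URL (a real server would fetch it over HTTP).
type PageFetcher = (url: string) => OrderedCollectionPage | undefined;

// Correct traversal: follow `next` to the last page, with a cap against cyclic or endless chains.
function collectAllItems(collection: OrderedCollection, fetchPage: PageFetcher, maxPages = 1000): Set<string> {
  const items = new Set<string>(collection.orderedItems ?? []);
  const visited = new Set<string>();
  let page = typeof collection.first === "string" ? fetchPage(collection.first) : collection.first;
  while (page !== undefined && !visited.has(page.id) && visited.size < maxPages) {
    visited.add(page.id);
    for (const item of page.orderedItems) items.add(item);
    page = page.next === undefined ? undefined : fetchPage(page.next);
  }
  return items;
}

// The behaviour the post describes: only the first page is ever looked at, `next` is ignored.
function collectFirstPageOnly(collection: OrderedCollection, fetchPage: PageFetcher): Set<string> {
  const items = new Set<string>(collection.orderedItems ?? []);
  const page = typeof collection.first === "string" ? fetchPage(collection.first) : collection.first;
  for (const item of page?.orderedItems ?? []) items.add(item);
  return items;
}

// Synchronization step on the receiving server: any local follower missing from the
// remote view of the collection is treated as no longer following and gets removed.
function followersToRemove(localFollowers: Iterable<string>, remoteView: Set<string>): string[] {
  return [...localFollowers].filter((actor) => !remoteView.has(actor));
}

// Constructed sample: four followers from big.example, split across two pages on hollo.example.
const PAGES: Record<string, OrderedCollectionPage> = {
  "https://hollo.example/@alice/followers?page=1": {
    id: "https://hollo.example/@alice/followers?page=1",
    type: "OrderedCollectionPage",
    orderedItems: ["https://big.example/users/bob", "https://big.example/users/carol"],
    next: "https://hollo.example/@alice/followers?page=2",
  },
  "https://hollo.example/@alice/followers?page=2": {
    id: "https://hollo.example/@alice/followers?page=2",
    type: "OrderedCollectionPage",
    orderedItems: ["https://big.example/users/dave", "https://big.example/users/erin"],
  },
};

const REMOTE_FOLLOWERS: OrderedCollection = {
  id: "https://hollo.example/@alice/followers",
  type: "OrderedCollection",
  totalItems: 4,
  first: "https://hollo.example/@alice/followers?page=1",
};

const fetchPage: PageFetcher = (url) => PAGES[url];

// What big.example records locally: all four of its users follow alice.
const LOCAL_FOLLOWERS = [
  "https://big.example/users/bob",
  "https://big.example/users/carol",
  "https://big.example/users/dave",
  "https://big.example/users/erin",
];
```

Run against the sample, the complete walk removes nobody, while the first-page-only walk reports dave and erin as gone, which is exactly the silent unfollow the post describes. A `totalItems` that disagrees with the number of items collected is a cheap extra sanity check before acting on any removals.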
Apparently there's also an ActivityPub implementation called Hollo these days that's specialized for single users; it supports custom emoji and supposedly runs on lower specs than Misskey and the like (I've never set one up, so I don't know the details) https://docs.hollo.social/
Security Update: Hollo v0.3.10, v0.4.11, v0.5.5 Released
We've released security patches for Hollo in versions v0.3.10, v0.4.11, and v0.5.5. These updates address important security vulnerabilities, and we strongly recommend all users update immediately.
Docker users can update with:
docker pull ghcr.io/fedify-dev/hollo:0.5.5
# Or your current version series: 0.4.11, 0.3.10
For manual installations:
git fetch
git checkout 0.5.5 # Or 0.4.11, 0.3.10
pnpm install
For complete installation instructions, please visit our docs.
Thank you for using Hollo and helping keep our community secure.