
Hometown v1.1.1 (Mastodon 4.0.2)

@dariusk dariusk released this 14 Jan 01:05

This is a security release, as I was alerted to an issue where edits to local-only posts were being federated. This has been an issue since Hometown v1.1.0, the big Mastodon v4 update (which is listed in version strings as v4.0.2+hometown-1.1.0).

This also contains a fix to how the username autocomplete works on servers that don't have full-text search enabled.

The security issue

In the previous Hometown version v1.1.0, when a user makes a local-only post, that post does not federate. Which is good. But if a user edits the local-only post, a message gets sent out into the fediverse saying: "post X, which is local-only, was edited, and here is the new content of the post".

What happens, at least on Mastodon servers that receive this edit message, is the server goes looking for the original post to modify, sees it doesn't exist, and throws away the message. This means that at least on Mastodon or Hometown servers, the leaked content was not rendered in any user-facing timelines, but an admin who happened to be checking their rejected messages queue might have seen the leaked content. And it is likely that any non-malicious server out there also similarly rejected the messages out of hand.
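To make the path concrete, here is an added model of the two sides described above. It is not Hometown's or Mastodon's code; the `Status` fields, the `RemoteInbox` class and the `deliver_*` function names are hypothetical, and the status id and text are constructed sample values.

```ruby
# Hypothetical model (not Hometown/Mastodon code) of the local-only edit leak.
Status = Struct.new(:id, :text, :local_only, keyword_init: true)

def activity(status, type)
  { 'type' => type, 'object' => { 'id' => status.id, 'content' => status.text } }
end

# Creating a local-only post correctly federates nothing.
def deliver_create(status)
  return nil if status.local_only
  activity(status, 'Create')
end

# v1.1.0-style edit path: builds an Update without consulting local_only.
def deliver_edit_vulnerable(status)
  activity(status, 'Update')
end

# Fixed edit path: the same gate the Create path already applies.
def deliver_edit_fixed(status)
  return nil if status.local_only
  activity(status, 'Update')
end

# A remote inbox: an Update for a status it never saw is discarded, but the
# discarded message (content included) is kept where an admin can inspect it.
class RemoteInbox
  attr_reader :timeline, :rejected
  def initialize(known_ids) = (@known, @timeline, @rejected = known_ids, [], [])
  def receive(act)
    return if act.nil?
    if act['type'] == 'Update' && !@known.include?(act['object']['id'])
      @rejected << act
    else
      @timeline << act
    end
  end
end

# Returns what the remote server ended up holding after a create then an edit.
def simulate(deliver_edit)
  status = Status.new(id: 'https://example.invalid/statuses/1', text: 'private', local_only: true)
  inbox = RemoteInbox.new([])
  inbox.receive(deliver_create(status))   # nil: nothing leaves the server
  status.text = 'private (edited)'
  inbox.receive(deliver_edit.call(status))
  { timeline: inbox.timeline.size, rejected_contents: inbox.rejected.map { |a| a['object']['content'] } }
end
```

With the vulnerable path the edited text never reaches a timeline but does land in the rejected queue; with the fixed path nothing leaves at all.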

I am really sorry about this error. I should have caught it, I didn't, and I thank the admin who pointed this out to me.

The fix to autocomplete

There is a Mastodon bug that I submitted a fix for where autocompletion for user names would suggest popular users before people you follow. This only applied to servers that don't have Elasticsearch enabled. I fixed that issue, and it will be fixed in a future Mastodon release, but Hometown users get it a bit early.

Upgrade steps

This is a very small update, and there are no changes to the frontend so you don't even need to recompile your assets.

  • git remote update && git checkout v4.0.2+hometown-1.1.1
  • Restart all Mastodon processes