On October 2, 2013, GNU social developer MMN-o (Mikael Nordfeldth) published a blog piece announcing that they'd rolled out a change to their WebFinger implementation, adding backwards-compatible support for the RFC7033 version;
"Plus of course the former RFC6415 (Web Host Metadata), which StatusNet supports (but only XRD format)."
For those who don't know, masrodon.social was created to federate with #GnuSocial servers.
"That's the irony of what Blaine did when he created WebFinger. It was supposed to support multiple! It wasn't supposed to just be this is your fediverse address, it was supposed to be, here's how you find all the different account of information about me, and different things."
@rabble, 2025
https://wedistribute.org/podcast/s2e3-rabble-from-nos-social/
So ... WF is meant to facilitate something like Libravatar, where all roads lead back to a canonical profile? Hmm ...
Where is the #Fediverse "#handle" syntax, @name@example.com, formally defined? I don't see it in the W3C #ActivityPub spec, nor in #RFC7565, the #Webfinger 'acct' URI scheme spec. Is it a #Mastodon convention which became universal? I am writing software to study handles, and I would rather base it on a spec than a social convention.
Huge shoutout to two amazing contributors from Korea's #OSSCA program who've made excellent contributions to #Fedify!
@gaebalgom tackled a tricky terminal compatibility issue in PR #282, fixing the
fedify node
command's favicon display on terminal emulators without truecolor support (#168). His solution elegantly detects terminal capabilities and falls back to 256-color mode when needed—ensuring a great experience across different environments.
@joonnot enhanced Fedify's #WebFinger functionality in PR #281 by adding a configurable
maxRedirection
option to the lookupWebFinger()
function (#248). He transformed a hardcoded limitation into a flexible, user-customizable parameter while maintaining perfect backward compatibility.
Both delivered thoughtful, well-implemented solutions that showcase the quality of contributions coming from the OSSCA program. Welcome to the Fedify community!
Big thanks to @2chanhaeng for his first contribution to #Fedify! He implemented the new
fedify webfinger
command in PR #278, which allows isolated #WebFinger lookups for testing configurations. This addresses the need for developers to test WebFinger functionality without performing comprehensive object retrieval.
The contribution includes:
fedify webfinger <handle>
command that accepts @user@domain
format handles or URIsThis was originally filed as issue #260 and marked as a good first issue—perfect for newcomers to learn the codebase structure while contributing meaningful functionality. The PR has been merged and will be included in the upcoming Fedify 1.8.0 release.
We appreciate all first-time contributors who help make Fedify better for the entire #fediverse community. Welcome aboard, ChanHaeng!
@moderation Die allermeisten Kreisverbände von B90/Die Grünen nutzen Wordpress, das ihnen sehr oft von Verdigado zur Verfügung gestellt wird. Grüne-Kreisverbände könnte insofern ad hoc im Fediverse relevant werden. #ActivityPub und #Webfinger-Plugin installieren, fertig. Siehe auch https://chaos.social/@plinubius/114721884636312303
I'd love to know more about what you're thinking here.
I don't think we're replacing #Webfinger. I think we're trying to follow through on #WhatCorySaid at #FediForum (https://www.youtube.com/watch?v=7_Gs1t0qe78)
...which is basically: Let regular people take their account to a new server any time they want, without relying on awful XML/CSV import/export jobs. This would go a long way to solving Fediverse UX issues and preventing enshitification.
Is there more that I've missed?
Hi @j12t @tchambers @benpate,
isn't #discovery without #webfinger (hostnames and dns in essence) a #fallacy and thus #centralisation in disguise?
I mean DNS is the centralised infra we prbly can't do without anyway - why not stand on that shoulder and not add another global registry?
Moving may be done via redirects (like IRL).
@risottobias @tomgag @forgefed @meissa @forgejo @radicle
This morning I tooted about #Ayllu who just released v0.4 .. code #forge not federated (yet?), though the release adds #WebFinger support.
Pleroma Webfinger compatibility
Does anybody know what exactly Pleroma needs for a valid Webfinger check? I'm attempting to figure out why @jmtd@pleroma.debian.social
won't resolve in NodeBB, and it's because the webfinger call returns 400 Bad Request
.
NodeBB is calling https://pleroma.debian.social/.well-known/webfinger?resource=acct%3Ajmtd%40pleroma.debian.social
with User-Agent
and Content-Type
headers (curiously, it's not sending Accept
, but it also fails if that header is set, so that's irrelevant.)
Navigating to that webfinger url in the browser returns XML, which is but I'm not even getting that when NodeBB makes the call.
Fetching remote #ActivityPub objects or actors often involves handling #WebFinger lookups, content negotiation, and then parsing potentially untyped JSON.
With #Fedify, it's much simpler: use Context.lookupObject()
. Pass it a URI (e.g., https://instance.tld/users/alice
) or a handle (e.g., @alice@instance.tld
), and Fedify handles the lookup and content negotiation automatically.
The real power comes from the return value: a type-safe Activity Vocabulary object, not just raw JSON. This allows you to confidently access properties and methods directly. For example, you can safely traverse account moves using .getSuccessor()
like this:
let actor = await ctx.lookupObject("@alice@instance.tld");
while (isActor(actor)) {
const successor = await actor.getSuccessor();
if (successor == null) break;
actor = successor;
}
// actor now holds the latest account after moves
This is readily available in handlers where the Context
object is provided (like actor dispatchers or inbox listeners).
Focus on your app's logic, not protocol boilerplate!
Learn more: https://fedify.dev/manual/context#looking-up-remote-objects
@antoinnesterk Strictly speaking, #WebFinger is not #finger but is based on #finger.
Fun fact: the #Fediverse doesn’t just depend on #ActivityPub.
A good portion of it runs on #WebFinger. It’s why we’re able to find each other across different servers running vastly different software.
https://en.wikipedia.org/wiki/WebFinger
RE: https://atomicpoet.org/objects/6bc30357-bc44-4114-a036-1a6caaf3c42e
Have you ever asked yourself how the BSD Café Mastodon instance was built?
Stefano has written here what he has done. You should have at least rudimentary knowledge of what a jail is in order to follow everything and at least a simple manner.
In short a jail is much more efficient than a VM, uses much less resources and it's easier to control
If you take the time to Study all the subjects, you will be a will to build a freeBSD instance of Mastodon yourself; all the information necessary Is provided Here and Deep to very Deep details you can dig up yourself
https://wiki.bsd.cafe/bsdcafe-technical-details
#bash #sh #zsh #ksh #csh #tsh #programming #JavaScript #Mastodon #freeBSD #ngix #json #POSIX #SocialMedia #webfinger
I have had an account on an instance where the System Operator had to shut down because the operational costs were too high to sustain the node. All proper precautions were made and the operator gave us more than six weeks to get all of our followers moved somewhere else. He also made sure that everybody got the message by sending it multiple times also through email. I've made an account there because that place was bot Friendly {https://botsin.space/} and I was going to Create a bot on that instance
However, since I put so few toots out there, on that account I didn't even bother to download them. And since I'm quite aware of high internet costs, I also make sure that I have accounts on different places because in the end somebody is paying for it either in cash or paying for it by using Surplus bandwidth and surplus disc area space.
We as Fediverse Community users should realise that nothing is free apart from Air and Water; everything else cost either Time, Space_Time or Energy, often a combination of the latter two.
I've just checked and https://botsin.space/ still seems to be up as a read-only instance.
#bash #sh #zsh #ksh #csh #tsh #programming #JavaScript #Mastodon #freeBSD #ngix #json #POSIX #SocialMedia #webfinger
Make sure that you always think about the data that you divulge to big companies. Use the Easy Storage knowing that they will use your data also even your copyrighted photographs.
Within the Fediverse it's easy to own your data, very easy, always remember that and be thankful
#bash #sh #zsh #ksh #csh #tsh #programming #JavaScript #Mastodon #freeBSD #ngix #json #POSIX #SocialMedia #webfinger
In this article Stefano explains to you how to use a web finger system so that people can always find your address
An important message here is that _you should always own your data_. So do not rely on cloud or web services to maintain your data. Always remember that many of those massive conglomerates use your data and sell it, literally sell it, or the metadata off it, to the highest bidder
Within the Fediverse it's easy to migrate from one server to the next, your followers will automatically follow your new account
https://it-notes.dragas.net/2024/10/08/using-a-permanent-webfinger-address/
#bash #sh #zsh #ksh #csh #tsh #programming #JavaScript #Mastodon #freeBSD #ngix #json #POSIX #SocialMedia #webfinger
A Guide to Implementing ActivityPub in a Static Site (or Any Website) - Part 8 is out!
Follow the site here @blog or check the article here: https://maho.dev/2025/01/a-guide-to-implementing-activitypub-in-a-static-site-or-any-website-part-8/
#fediverse #activitypub #static-sites #hugo #azure #mastodon #web-development #social-web #webfinger #http #azure #azurefunctions
FedifyのWebFinger実装における脆弱性CVE-2025-23221に対するセキュリティアップデート(1.0.14、1.1.11、1.2.11、1.3.4)をリリースいたしました。すべてのユーザー様におかれましては、お使いのバージョンに応じた最新版への速やかなアップデートを推奨いたします。
脆弱性の詳細
セキュリティ研究者により、FedifyのlookupWebFinger()
関数において以下のセキュリティ上の問題が発見されました:
修正されたバージョン
変更内容
本セキュリティアップデートでは、以下の修正が実施されました:
アップデート方法
以下のコマンドで最新のセキュアバージョンにアップデートできます:
# npmユーザーの場合
npm update @fedify/fedify
# Denoユーザーの場合
deno add jsr:@fedify/fedify
この脆弱性を責任を持って報告していただいたセキュリティ研究者の方に感謝申し上げます。迅速な対応が可能となりました。
本脆弱性の詳細については、セキュリティ勧告をご参照ください。
ご質問やご懸念がございましたら、GitHub Discussions、Matrixチャットスペース、またはDiscordサーバーまでお気軽にご連絡ください。