What client apps do you use with #Hollo ?

We're excited to announce Hollo 0.6.0, a significant release that brings enhanced security, better user experience, and important infrastructure improvements to your single-user microblogging setup.Enhanced OAuth Security with Modern Standards

This release prioritizes security with comprehensive OAuth 2.0 improvements that align with current best practices. We've implemented several critical RFC standards that significantly strengthen the authorization process:

OAuth 2.0 Authorization Code Flow with Access Grants — We've overhauled the OAuth implementation to properly separate authorization codes from access token issuance, providing better security isolation throughout the authentication process.

RFC 7636 PKCE (Proof Key for Code Exchange) Support — Hollo now supports PKCE with the S256 code challenge method, which prevents authorization code interception attacks. This is particularly important for public clients and follows the latest OAuth 2.0 security recommendations outlined in RFC 9700 (OAuth 2.0 Security Current Best Practices).

RFC 8414 OAuth Authorization Server Metadata — We've added support for OAuth Authorization Server metadata endpoints, allowing clients to automatically discover Hollo's OAuth capabilities and configuration. This makes integration smoother and helps clients adapt to your server's specific OAuth setup.

Enhanced Profile Scope Support — The new /oauth/userinfo endpoint and expanded profile scope support provide applications with standardized ways to access user profile information, improving compatibility with a wider range of OAuth-compliant applications.

These OAuth improvements not only make Hollo more secure but also position it at the forefront of federated social media security standards. We encourage other fediverse projects to adopt these same standards to ensure the entire ecosystem benefits from these security enhancements.

Special thanks to Emelia Smith (@thisismissem) for spearheading these critical OAuth security improvements and ensuring Hollo stays ahead of the curve on authentication best practices.

We've significantly improved how Hollo handles media storage configuration, making it more flexible and future-ready:

New Environment Variables — The storage system now uses STORAGE_URL_BASE (replacing the deprecated ASSET_URL_BASE) and FS_STORAGE_PATH for local filesystem storage (replacing FS_ASSET_PATH). These changes provide clearer naming and better organization.

Improved Security Requirements — The SECRET_KEY environment variable now requires a minimum of 44 characters, ensuring sufficient entropy for cryptographic operations. You'll need to update your configuration if your current secret key is shorter.

Network Binding Control — The new BIND environment variable lets you specify exactly which network interface Hollo should listen on, giving you more control over your server's network configuration.

Thanks to Emelia Smith (@thisismissem) for leading these infrastructure improvements.

Customizable Profile Themes — You can now personalize your profile page with different theme colors. Choose from the full range of Pico CSS color options to make your profile uniquely yours.

Enhanced Administration Dashboard — The dashboard now displays the current Hollo version at the bottom, making it easier to track which version you're running. You can also sign out directly from the dashboard for better session management.

Improved Post Presentation — Shared posts on profile pages now have better visual separation from original content, and the sharing timestamp is clearly displayed. This makes it much easier to distinguish between your original thoughts and content you've shared from others.

Better Image Accessibility — Alt text for images is now displayed within expandable details sections, improving accessibility while keeping the interface clean.

Syntax Highlighting — Code blocks in Markdown posts now feature beautiful syntax highlighting powered by Shiki, supporting a comprehensive range of programming languages. This makes technical discussions much more readable.

Enhanced Character Limit — The maximum post length has been increased from 4,096 to 10,000 characters, giving you more space to express your thoughts in detail.

Thanks to RangHo Lee (@rangho_220) for the version display feature and Okuto Oyama (@yamanoku) for the image accessibility improvements.

EXIF Metadata Removal — Hollo now automatically strips EXIF metadata from uploaded images before storing them, protecting your privacy by removing potentially sensitive location and device information.

Public API Endpoints — Following Mastodon's approach, certain API endpoints are now publicly accessible without authentication, making Hollo more compatible with various client applications and improving the overall federation experience.

Thanks to NTSK (@ntek) for the privacy-focused EXIF metadata stripping implementation.

Node.js 24+ Requirement — This release requires Node.js 24.0.0 or later. We've also upgraded to Fedify 1.5.3 and @fedify/postgres 0.3.0 for improved performance and compatibility.

Test Coverage & Quality Assurance — The codebase now includes comprehensive testing infrastructure and test coverage. We're committed to expanding this coverage and integrating testing more deeply into our development and release workflows. This also provides an excellent opportunity for first-time contributors to get involved by writing tests.

Cross-Origin Request Support — OAuth and well-known endpoints now properly support cross-origin requests, aligning with Mastodon's behavior and improving client compatibility.

Cleaner Token Endpoint — The scope parameter is now properly optional for the OAuth token endpoint, clarifying that it only affects client credentials flows (not authorization code flows, where it was already ignored).

This release represents a major step forward in making Hollo not just a great single-user microblogging platform, but also a leader in federated social media security standards. The OAuth improvements we've implemented should serve as a model for other fediverse projects.

We're particularly excited about the OAuth security enhancements, which demonstrate our commitment to staying ahead of security best practices. As the federated web continues to evolve, we believe these standards will become increasingly important for maintaining user trust and ensuring secure interactions across the fediverse.

Upgrading to Hollo 0.6.0 is straightforward, but there are a few important considerations:

1. Go to your Railway dashboard
2. Select your Hollo project and service
3. In the deployments tab, click the three-dot menu and select Redeploy

1. Pull the latest image: docker pull ghcr.io/fedify-dev/hollo:latest
2. Stop your current container
3. Start with the new image using your existing configuration

1. Pull the latest code: git pull
2. Install dependencies: pnpm install
3. Restart the service: pnpm run prod

Environment Variables: Update your configuration if you're using deprecated variables:

• Replace ASSET_URL_BASE with STORAGE_URL_BASE
• Replace FS_ASSET_PATH with FS_STORAGE_PATH
• Ensure your SECRET_KEY is at least 44 characters long

Session Reset: Due to the OAuth security improvements, existing user sessions may be invalidated during the upgrade. You'll likely need to log in again through your client apps (like Phanpy, Moshidon, etc.) after upgrading. This is a one-time inconvenience that ensures you benefit from the enhanced security features.

Thank you to everyone who contributed to this release, and to the community for your continued support. Hollo 0.6.0 brings significant improvements to security, usability, and the overall experience of running your own corner of the fediverse.

輪読会に対するアンケート
#FediLUG では今、manコマンド（コマンドに対するマニュアル）の輪読会を行なっています。その輪読会をこれまで平日夜に開催していましたが、土日に移すか検討しています。
輪読会は土日か平日開催どちらが参加しやすいか投票を行いたいと思います。ご回答お願いいたします。

Nate Berkopec on X: "jemalloc mystery resolved: jemalloc has moved to the official Facebook github organization https://t.co/DgFNMhv4lz" / X
https://x.com/nateberkopec/status/1930010446410723533

> This repository was archived by the owner on Jun 2, 2025. It is now read-only.
ほえー

jemalloc/jemalloc
https://github.com/jemalloc/jemalloc

#oscnagoya #技術書典18 のご参加ありがとうございました。
​​ のブースや本、ステッカー、セミナーなどは楽しんでいただけましたでしょうか？次のFediLUGイベントは6月22日の第９回勉強会です！！ご興味がある方はぜひご参加ください。
また、OSC名古屋及び技術書典18リアル会場で頒布した『自分だけのフェディバースのマイクロブログを作ろう！』と『Thinking Penguin Magazine Vol.0』は技術書典18のオンライン通販で全国から購入可能です！この際にぜひご検討ください。

同人誌販売： https://techbookfest.org/organization/7JepZT0g3C6qbddiLmkAwp
第9回勉強会: https://fedilug.connpass.com/event/357642/

第9回勉強会開催のお知らせ
#FediLUG は第9回勉強会を2025年6月22日（日）の13:00から開催します！！会場はいつものJitsiMeetです！
詳細（申込)： https://fedilug.connpass.com/event/357642/

#技術書典18 設営完了しました〜
#FediLUG は『お06』でお待ちしています！