This is an interesting and highly relevant explainer, especially given its prominence re: the whole Threads situation. I really appreciate it being broken down like this because I think it's pretty important for anyone invested in the fediverse to understand its access controls. But I really really appreciate how they've upfronted the date and version applicability in the post. I'm sure everyone here understands the pain of researching functionality of software with a long history and trying to figure out the relevance of published information. This is a huge help. If you write about software, please do this!

This is mostly smoke, since it's trivial for the banned bad server to fetch through a nondescript neutral server.

Bad actors will always find ways around anything. This is ideal for keeping good actors with conflicting moderation policies from picking up posts they shouldn't.

Every well behaved server already puts their hostname in user-agent when making a request. The requirement that they also sign the request is just extra overhead.

Why is the server hosting the content responsible for enforcing the moderation policy of the server requesting it?

It's funny how Mastodon keeps crawling in the direction of more balkanization.

In general I find it strange how the people most drawn to the Fediverse at the moment are those who seem to have the most desire for central authority and an active dislike for, well, federation. People who left Twitter because it was no longer exercising as tight a grip over people's speech as they'd like, for some reason fled to a platform where people are more able to choose their own masters, and are now surprised that it's functioning as designed and they aren't able to control everyone else's speech. And that if you put something on the public internet... then it can be read by anyone on the internet

If Medium server can see good servers content but not bad server. Bad server can fetch medium server who follows good server. What's the goal of hiding from bad server? Spam reduction?

people are going to get the content if they want it.

if you start requiring authentication for API access, then they will just scrape the HTML, which will just put more of a strain on your servers. best solution I have seen to this issue is just allow anonymous requests, but rate limit them. but please dont go idiotic like Instagram/Twitter, who rate limit in some cases to 9 posts a day.

In what?

It would be ironic if Mastodon admins copied Elon Musk's Twitter mismanagement by enabling those options.