Posting to raise awareness of this behavior with kbin. Maybe it’s something Ernest can address in the ActivityPub rewrite, maybe it’s something that doesn’t need to be (or can be) addressed at all.

On Mastodon, if you don’t like your instance or it’s in the process of shutting down, you can migrate your account to another instance. I was aware of this feature, but I hadn’t considered how such a move federates to kbin, until now.

I had blocked a user of a niche Mastodon instance, and then they migrated to a larger instance. After the migration, I started seeing their posts again, with my blocklist only containing the old account, not the new one.

Now to my knowledge, this feature of Mastodon is not a standard component of ActivityPub. I think it’s a great feature actually, but I’m concerned that enables a sort of harassment whereby an attacker can harass someone, get blocked, migrate to another instance, and continue harassing their target. This feature being non-standard, I don’t know how it gets broadcast to other instances, let alone if/how kbin should handle it.

Should kbin automatically update blocklists with the newly migrated account name and instance name? That feels like the ideal solution, but I don’t know how feasible it is. Just wanted to open this up for discussion and awareness.