

Typical pre-alpha bugginess, or embarrassing beginner mistakes?
September 17, 2010 8:10 AM   Subscribe

Late yesterday the much-hyped "privacy aware, personally controlled" Diaspora social network platform (discussed previously) published its open-source developer release. "Feel free to try to get it running on your machines and use it," the team urged, "but we give no guarantees. We know there are security holes and bugs, and your data is not yet fully exportable." The Register's initial report is less than rosy: Code for open-source Facebook littered with landmines
posted by The Winsome Parker Lewis (58 comments total) 5 users marked this as a favorite

 
It's a developer release of a brand-new, large-scale project by a relatively small and young team. Isn't one of the points of open-sourcing to find and fix bugs quickly without needing the deep pockets of a corporation?
posted by middleclasstool at 8:14 AM on September 17, 2010 [15 favorites]


I can see both sides of this: this group really wants to get something out there quickly to encourage enthusiasm and community involvement. The real important bits are the server-to-server communication, federation of profile data, and data formats. The other, possibly more important part, is security.

Really, if they don't show the sort of professional coding approach to the infrastructure of the code that's necessary in regard to security and scalability, they're going to crash into the ground and contributors are going to wonder where their money went.

All that said, complaining that the code is vulnerable to widespread database server attacks is bullshit because that's not an issue with this project, it's an issue with pretty much anything.
posted by mikeh at 8:17 AM on September 17, 2010 [2 favorites]


Wait, you mean a pre-alpha code release of an open-source software project has holes that random security experts interested in the project point out how to fix? The developers are probably pretty happy about this.
posted by demiurge at 8:19 AM on September 17, 2010 [6 favorites]


Seems like The Register is taking pot shots at an easy (and already admittedly early release project) target.
posted by mathowie at 8:20 AM on September 17, 2010 [11 favorites]


seconding middleclasstool - the desired outcome of a pre-alpha "release" is to have a larger team find and maybe help fix stuff.

The wisdom of doing a "public" developer release at this point is of course questionable. I would have opted for a more limited test cycle at this point... but maybe this way will get more fixed, faster, while still maintaining some buzz about the project.
posted by Artful Codger at 8:24 AM on September 17, 2010 [1 favorite]


The problem was that they announced the project with much fanfare earlier this year, thus setting expectations that the release (which, to their credit, happened around the time they said they would) would be something huge and momentous.

If they had kept quiet and suddenly, unexpectedly released this ambitious platform out of the blue, rough edges would be par for the course and they wouldn't have any hype to live up to.

(I wish the Diaspora team nothing but the best of luck, and plan on checking out the code as soon as I have some spare moments.)
posted by usonian at 8:27 AM on September 17, 2010 [2 favorites]


In fairness, as the OP, I agree that only good can come from open-sourcing the project and inviting security pros to poke holes in it. I'm not a security pro (or a Ruby developer) so all I can do is parrot what the real experts are saying. And that seems to be that Diaspora's security flaws aren't exactly deep, arcane weaknesses, but rather freshman-level basics. Not that they can't be fixed, but with all the hype and fundraising behind this project I expected something a little more overtly security-oriented by this stage. They kept telling everyone that the project design was oriented with those concerns at its core, which doesn't seem to jibe with what's been released.

Anyway, I desperately want the project to be successful and remain optimistic that all this scrutiny will tighten the bolts a good deal.
posted by The Winsome Parker Lewis at 8:28 AM on September 17, 2010 [4 favorites]


It's a pre-alpha developer release, not general availability. The Register piece is out of line and really nothing but snarkbait. I know the Reg loves skewering sacred cows, but this was more like kicking a puppy.

I would much rather have the developers release early and often, let the public see the code in development warts and all, than encourage them to seal themselves off until it's somebody's definition of perfect ... and risk never getting anything out at all.

To everyone except the Register and a few must-always-be-contrarian pundits, this is how the OSS development cycle is supposed to work. A couple of people hack away and produce something and toss it to the slavering masses, who tear it apart. They take the resulting feedback and hack on it some more, and try again — hopefully letting it survive in the wild a little longer. Rinse, repeat ... until you get to a point where the cycle of exploit-discovery is slow enough to allow people to use the software meaningfully before each version needs to be upgraded.

I'm frankly quite impressed that the Diaspora guys have managed to turn out anything at all. I was feeling like there was a big risk that they'd soak up all that funding and go into Duke Nukem Forever Sonic X-Treme mode.
posted by Kadin2048 at 8:29 AM on September 17, 2010 [7 favorites]


It's a developer release of a brand-new, large-scale project by a relatively small and young team. Isn't one of the points of open-sourcing to find and fix bugs quickly without needing the deep pockets of a corporation?

Yeah. But these guys ended up becoming so high-profile thanks to the $200k they raised. They should have used the money to hire real developers. Oh well. If they'd raised the $10k they were asking for, I don't think they'd be getting much flack.

I'm interested in reading some sort of rundown about how the system actually works, though. If it's a suitable basis to expand, that could be good.
posted by delmoi at 8:30 AM on September 17, 2010


The wisdom of doing a "public" developer release at this point is of course questionable. I would have opted for a more limited test cycle at this point

And how exactly would that have worked with an OSS platform?
posted by delmoi at 8:32 AM on September 17, 2010


Diaspora team, if you are listening, please stop all focus on the user interface and put your energy into facebook integration (pull data out!, embrace and extend!) and the general mechanics of the diaspora network.

Let the ecosystem develop the GUI. It's just a facebook knockoff anyways, and I'm sure there are plenty of people out there chomping at the bit who can write a decent interface in a weekend.

Also, if I can yell at you a bit more, don't innovate upon the current social networking paradigm. Your efforts are better spent on turning out server code.
posted by kuatto at 8:33 AM on September 17, 2010 [11 favorites]


The success or failure of a social network isn't necessarily found in how secure it may be, it's in how popular it is. Given this is supposed to be a developer release, and not one intended for regular users, the security flaws may not be fatal assuming they're gone by the time it goes into public beta. Still, it's not the kind of debut you want given their intentions.
posted by tommasz at 8:36 AM on September 17, 2010 [1 favorite]


For a moment, I thought it was one of Orlowski's "freetard"-bashing pieces. He seems to be the Bill O'Reilly of technology journalism.
posted by acb at 8:38 AM on September 17, 2010


Don't write it off yet. I'm not sure that it's going to work out, since people tend to flock to the social network with the most of their friends on it. Video phone dilemma and all that. And I hate to say it, but I don't think anyone outside of tech-savvy people really think about security of what they upload to social networks. They just don't appreciate that there's marketers and engineers on the other side playing with their data, and that they're being used as a vector to make money even though they haven't spent money.

But still, it's silly to criticize something so new. Early versions of everything suck (with the notable exception of Minecraft). Then, via Sturgeon's Law, 90% of things tend to continue to suck.

And even if it does end up being a network for nerds, that's still a pretty good social network in my book.
posted by mccarty.tim at 8:42 AM on September 17, 2010 [1 favorite]


TWPL: They kept telling everyone that the project design was oriented with those [security] concerns at its core, which doesn't seem to jibe with what's been released.

Their concern is more about privacy than security. They're engineering a system that doesn't inherently hand over all your data to a single entity, so it's still a big win in that regard, even if the security is weak. Obviously "privacy" doesn't do you much good if the security is so bad that it's trivially easy to steal your data, but a lack of security reflects a lack of technical expertise, not a lack of commitment to the stated goals of the project.
posted by shponglespore at 8:45 AM on September 17, 2010 [3 favorites]


Also, the interest generated by this project in hacker society is a good indication that the balance of social capital is straining heavily at its bonds. It's only a matter of time before this project or something like it makes itself known.
posted by kuatto at 8:45 AM on September 17, 2010 [1 favorite]


I just realized the developer release wasn't yesterday, it was the day before. I seem to have lost an entire day in the craziness of work yesterday. Sorry for the inaccuracy, carry on.
posted by The Winsome Parker Lewis at 8:48 AM on September 17, 2010


Call me old-fashioned, but I like to see some semblance of specification or documentation (and perhaps like, community involvement?) on a system that's supposed to replace the Web.
posted by RobotVoodooPower at 8:49 AM on September 17, 2010 [1 favorite]


As someone who has developed web apps, I can vouch for new sites tending to be full of holes when they start off. I once worked on a team developing a web application, which we thought was reasonably secure. Then we called in a penetration testing team, and they found holes one could drive a lorry through. (Mostly things like inputs not being validated and allowing malicious users to inject JavaScript into a page.) Having said that, closing those holes was fairly straightforward.

Anybody who expected the pre-alpha Diaspora code to be secure enough for actual use (which the developers have not set it up for) is probably unfamiliar with the realities of software development.
posted by acb at 8:53 AM on September 17, 2010 [3 favorites]


The Register is a tabloid. It's yellow journalism at its most goldenrod. Citing them is like citing Drudge.
posted by fatbird at 8:55 AM on September 17, 2010 [5 favorites]


Welp, their pre-alpha OSS isn't perfect and is vulnerable to the vulnerabilities of its dependencies! Unbelievable. Time to pack it all up and move onto the next big thing.
posted by Threeway Handshake at 9:03 AM on September 17, 2010 [2 favorites]


> Yeah. But these guys ended up becoming so high-profile thanks to the $200k they raised. They should have used the money to hire real developers.

Spoken by someone who hasn't done real development, I assume!

$200K will get you about two developer-years - and that's assuming they work cheap hoping for IPO money later. It's not just that "real" developers cost over $100K a year in raw salary, but then you have to give them servers, infrastructure and perhaps even a place to work.

I thought this project was overhyped, but now I'm impressed that they have reasonable code to show so quickly - I don't know Ruby (even more, I wish they'd written in Python) but word is that the design is reasonable.

Get it out, get people to beat on it, redesign. Find the horrible errors as early as possible before you put concrete over them. Short iterations!
posted by lupus_yonderboy at 9:13 AM on September 17, 2010 [2 favorites]


It's not even a freakin' alpha, just a dev branch. Of course it has holes. The Register is the most braindead tech site on the planet.
posted by unSane at 9:19 AM on September 17, 2010 [4 favorites]


Also, if I can yell at you a bit more, don't innovate upon the current social networking paradigm.

People love Facebook. Not out of any fondness for the people behind it; simply because, privacy issues etc aside, it works and it's easy and there's already gazillions of people out there who "get it". So anything that's going to replace it has got to start here, with no excuses, no qualifications.

As for diaspora, count me in with the "want it to be a success" crowd, albeit with one big concern. It seems very strange that this thing would start as a hype (that is, some twenty-somethings with no particular track record saying, "Hey, we're gonna do this amazing thing that everybody wants done, buy our t-shirts."), versus what usonian said ...

If they had kept quiet and suddenly, unexpectedly released this ambitious platform out of the blue, rough edges would be par for the course and they wouldn't have any hype to live up to.

So my paranoid mind says: "Facebook is probably behind this in some secret, nefarious way, a deliberate failure that will only send folks running back to them."

Whereas my pronoid says: "Someone far cooler than Diaspora is behind Diaspora. They want this wobbly, kids stuff to stumble around, do embarrassing things, get noticed, and in doing so raise the notion that Facebook is not a be-all end-all. Meanwhile, the Real Thing is being developed deep, deep in the hacker underground, such that the first most of us actually hear about it, it will be a kickass, hard-as-nails dragonslayer ... maybe set for serious BETA around the time that Facebook movie gets nominated for 14 Academy Awards."
posted by philip-random at 9:29 AM on September 17, 2010 [1 favorite]


It's not just that "real" developers cost over $100K a year in raw salary, but then you have to give them servers, infrastructure and perhaps even a place to work.

Health care, operations, etc. Plus who wants to work for a startup with only $200k? I think the best way to approach this is do all you can then figure out what sections of the project will take a lot of time, then dole out contracts based on that. If you can define the problem well enough, it should be easy to figure out what an experienced developer would be able to tackle.

I have to disagree with not putting effort into the UI. For 99% of open source projects this is absolutely true, but they're just creating a peer-to-peer client and copying the Facebook design. These things are known quantities, a terrible user experience will absolutely sink this product. There's no incentive to put up with bad design.

If they really wanted this to take off, they'd design it so you could easily share files. Just use Pirate Bay or an existing tracker and make it incredibly simple for you to not only see, but download your friends' music, movies, etc. Don't bundle it in the official release, but if you make it possible it'll show up somewhere else. Have this sitting atop a lightweight torrent client and you're golden. Most people don't know or care about the underlying technology, they just know it as the application you can use to find movies your friends like.

Also Ruby? I didn't think Ruby did well under heavy loads? Didn't Twitter have a ton of problems? Maybe it is not such a big deal and if it takes off someone smart will just rewrite it.
posted by geoff. at 9:33 AM on September 17, 2010 [1 favorite]


It seems very strange that this thing would start as a hype (that is, some twenty-somethings with no particular track record saying, "Hey, we're gonna do this amazing thing that everybody wants done, buy our t-shirts."), versus what usonian said ...

They're trying to do something that simply cannot be done without hype. There are some mildly interesting technology issues to be worked out with Diaspora. But that's nothing compared to the tremendous network effects that Facebook enjoys.

For Diaspora to succeed- at all- it needs mindshare, even more than it needs technology.
posted by Jpfed at 9:41 AM on September 17, 2010 [1 favorite]


So my paranoid mind says: "Facebook is probably behind this in some secret, nefarious way, a deliberate failure that will only send folks running back to them."

Except that there is nowhere to run back from. Diaspora is not yet an online destination, but merely a chunk of code one can examine.
posted by acb at 9:50 AM on September 17, 2010 [1 favorite]


For Diaspora to succeed- at all- it needs mindshare, even more than it needs technology.

but won't the mindshare be dead in the water more or less immediately if the tech is a washout? I agree that come the right moment, Diaspora must have its hype in place. But this hype started way before this moment. I mean, it's not as if there weren't any number of people already saying "We need an open source Facebook" when Diaspora made its announcement. I was saying it and I have a hard time configuring my email. But for something to be genuinely open source, it needs to be, for lack of a better word, "organic". And any grower of anything will tell you, the most important part of any plant's life is the part we never see, the part that goes on underground before we ever see the first sprouts.
posted by philip-random at 9:53 AM on September 17, 2010


geoff. Concerning Ruby: it's fast enough, if designed reasonably well. Rails as a framework wasn't designed for the use case that Twitter presented: a massive message passing and queuing system. That's why Twitter, originally built on the Rails framework, had such scaling problems.

MongoDB, their datastore, is plenty fast, which is really where most of the time spent processing a web request typically happens, for applications such as diaspora. In any event though, this is not the moment for speed optimizations nor security hardening, this is the moment for proving out the basic functionality. The Register can eat a whole bucket full of their least favorite genitalia for their "security concerns".
posted by Freen at 10:00 AM on September 17, 2010 [1 favorite]


As someone on hacker news said about this, they should focus on developing the HTTP protocol of social networking, not the Apache web server.

I notice this demo-centricity in my professional life, and I think it's harmed this project just as much as it harms real world projects. UI is pretty and flashy and everyone can understand it, so it's understandable that they would pursue it in the face of the frothing hordes of internet tough guys saying they'd better not let their donors down, but ultimately, if you are doing UI first, you're going to have to compromise your system in order to support it. When the server software represents such a crucial part of the product, as it does in this case, that can be a fatal mistake.
posted by feloniousmonk at 10:15 AM on September 17, 2010 [2 favorites]


Speaking of which, it looks like Diaspora is built on Rails, but these days, Rails is significantly faster, and better suited to a wider variety of use cases.
posted by Freen at 10:20 AM on September 17, 2010


I always got diaspora confused with these guys. Same concept—at least as far as I understand it.
posted by thsmchnekllsfascists at 10:26 AM on September 17, 2010


This graph is essentially the reason why open source is fantastic, and why the Register's concerns are baseless.
posted by Freen at 10:34 AM on September 17, 2010


But for something to be genuinely open source, it needs to be, for lack of a better word, "organic". And any grower of anything will tell you, the most important part of any plant's life is the part we never see, the part that goes on underground before we ever see the first sprouts.

I'm not sure how this analogy coheres or relates to Diaspora. Could you please rephrase it? With its current phrasing, it sounds like the most important part of something being genuinely open source is the part of the project before its source is made public, which I can't really understand. It may very well be that the part of a project before its source is made public is the most important determiner of its eventual quality for end-users (I don't know) but I don't know how that part could possibly be the most important part of it being genuinely open source.
posted by Jpfed at 10:42 AM on September 17, 2010 [1 favorite]


Just wanted to chime in that those thinking $200k would pay for "professional" developers are dreaming. $200k will get you half a dozen part time volunteers. They would have been better off with $0. Write some protocol specs and build an OSS team.
posted by blue_beetle at 10:57 AM on September 17, 2010


But for something to be genuinely open source, it needs to be, for lack of a better word, "organic". And any grower of anything will tell you, the most important part of any plant's life is the part we never see, the part that goes on underground before we ever see the first sprouts.

You have some strange ideas about open source. What you're describing there is closed source with user modifications allowed.
posted by echo target at 11:16 AM on September 17, 2010


I'm talking about the kernel (the seed), not developed in total private but definitely out of the glare of the public spotlight. There is a difference between open source and "in public", isn't there?
posted by philip-random at 11:30 AM on September 17, 2010


As someone who does web programming and security, this is BAD and unless they're planning on rewriting the backend from scratch, it makes it MUCH harder to ever secure.

They're making mistakes that a Jr. web programmer shouldn't and that reflects a lack of understanding that I suspect will drag down the project. You don't trust unvalidated input. EVER. You clean data that comes from the users, from their cookies, from the database, from partner websites.

Yes, bugs can be fixed, but it's so very much easier if you design the system to be secure from the start rather than trying to glue it on afterwards. Picture giving a bunch of college engineers money to build a car who have never done so before. Is it easier to design a system with brakes and an airbag if you include them in the design from the get-go or if you build a chassis with an engine and steering system, turn it over to design majors to add a pretty shell, and then try to add them?
posted by Candleman at 11:31 AM on September 17, 2010 [1 favorite]
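As an added illustration of acb's point above about unvalidated inputs letting someone inject JavaScript into a page, and of Candleman's rule that data from users, cookies, the database and partner sites is all untrusted, here is the vulnerable rendering beside the hardened one in Ruby. This is example code written for this thread, not Diaspora's own; the sample inputs, field names and function names are constructed.

```ruby
require 'cgi'

# Constructed sample inputs standing in for the sources Candleman lists:
# a user-submitted field, a cookie, a row read back from the datastore and a
# value fetched from a partner site. None of them is trustworthy just because
# of where it came from; a stored value is only as clean as whoever wrote it.
PAYLOAD = '<script>alert(1)</script>'
SAMPLE_INPUTS = {
  form_field:    "Alice #{PAYLOAD}",
  cookie_value:  "theme=dark\" onload=\"alert(1)",
  db_row:        { display_name: "Mallory #{PAYLOAD}" },
  partner_field: '<img src=x onerror=alert(1)>'
}.freeze

# The freshman mistake: untrusted text interpolated straight into markup,
# so whatever tags it carries are handed to the browser as live HTML.
def render_unsafe(display_name)
  "<p>Hello, #{display_name}</p>"
end

# Hardened form: encode at the point of output so the browser sees text,
# not markup. CGI.escapeHTML turns < > & " ' into entities.
def render_safe(display_name)
  "<p>Hello, #{CGI.escapeHTML(display_name.to_s)}</p>"
end

# Allowlist validation for a field with a known shape (a handle). Validation
# rejects what cannot be right; it does not replace output encoding.
def valid_handle?(handle)
  !!(handle =~ /\A[a-z0-9_]{3,20}\z/)
end

# Same rule in an attribute context: quote the attribute and escape its
# value so a cookie-derived string cannot close the quote and add handlers.
def theme_attribute(cookie_value)
  %(<body data-theme="#{CGI.escapeHTML(cookie_value.to_s)}">)
end

# Crude check used only to make the difference visible in this demo:
# does the rendered output still contain a live script or img tag?
def contains_tag?(html)
  !!(html =~ /<(script|img)\b/i)
end

if __FILE__ == $PROGRAM_NAME
  name = SAMPLE_INPUTS[:db_row][:display_name]
  puts "unsafe: #{render_unsafe(name)}"
  puts "safe:   #{render_safe(name)}"
  puts "cookie: #{theme_attribute(SAMPLE_INPUTS[:cookie_value])}"
  puts "handle ok? #{valid_handle?('alice_01')} / #{valid_handle?(PAYLOAD)}"
end
```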


Maybe the short term value of this release is that many people who believe (implicitly or explicitly) that the web == facebook will hear that an alternative is possible. The community has effectively spoken out about the deficiencies of the system. Longer term, Diaspora must corral some of the energy into fixing/rewriting it.
posted by dgran at 12:05 PM on September 17, 2010


Seems pretty neat... but I've gotta be honest, I'm not sure I get it. Anyone wanna take a shot at explaining?
posted by ph00dz at 12:20 PM on September 17, 2010


Anyone wanna take a shot at explaining?

Decentralized Facebook.
posted by Threeway Handshake at 12:36 PM on September 17, 2010


Call me old-fashioned, but I like to see some semblance of specification or documentation (and perhaps like, community involvement?) on a system that's supposed to replace the Web.
posted by RobotVoodooPower at 10:49 AM on September 17


This is about replacing Facebook, not the web. I really, really hope those two aren't the same in people's minds...
posted by Jpfed at 12:48 PM on September 17, 2010


phoodz: Facebook is a Really Big Thing. If it were a country, it would be the third-most populated in the world. There are over 500 million users, more than half of whom use the site every day. It's the second-most visited site on the internet, after Google.

This past May, Wired posted an article summarizing many of the most egregious problems with Facebook. The site is a hotbed of privacy outrage, where users have increasingly little control over who has access to their information (the creator of Facebook even recently admitted to calling users of the site "dumb fucks" for blindly trusting him).

Because of all the controversy, there's been a large push to create the "next Facebook." Diaspora is probably the effort that's gotten the most press so far. Shortly after the Wired article I mentioned started making waves, this group of college buddies announced that they had a plan to make a social network that was like Facebook, only...A couple days ago, the Diaspora team announced that their initial work was done and put it on the web for all interested parties to try out and look for bugs. This was not a formal release — it's not for the general public to sign up and start using like Facebook. Instead, it's just for developers to play around and start working together to make it harder, better, faster, stronger.

The point of this FPP is, it turns out maybe there were a bunch of embarrassing mistakes the team made that reek of amateur hour. Everybody got their hopes up that this was going to be secure by design (or at least showing promise for real security), but what's been released has vulnerabilities you could drive the Titanic through. Simple stuff that real programmers shouldn't have been able to overlook.

It's not the end of the road for Diaspora though. There's still lots of hype and a community of open-source programmers tackling those vulnerabilities as fast as they can. Now that the weak patches have been identified, there's hope and plenty of time to get them fixed up before actually launching anything for mass consumption. Our faith has been shaken a bit by the abilities of the core Diaspora team, but that's not a death sentence for the project. It's definitely worth keeping an eye on still, as it continues to evolve.
posted by The Winsome Parker Lewis at 1:18 PM on September 17, 2010 [2 favorites]


The big, hard problem of writing Diaspora is not building the front-end. It is not even writing something that's inherently completely secure against all attacks.

It is solving the problem that the name of the project references: spreading out everywhere instead of relying on one central point.

Now, Diaspora is far from the first set of people to tackle this. I know that's one of the things Brad Fitzpatrick (creator of LJ) has been working on since going to Google, for instance. In other discussion of Diaspora I saw someone linking to four or five projects I'd never heard of that aimed at pretty much the same thing.

And ideally, that's what this pre-alpha should be demonstrating - I don't care if it's insecure, I care if it's demonstrating that I could set up a Diaspora node, friend someone running their own node, and have his updates seamlessly show up when I look at my node. In seconds. And when our mutual friend who's less technical looks at their account on the larger node being run by the Diaspora kids, or by their ISP, or the one that came installed on their smartphone, or whatever. (Obviously those last two are in the future where Diaspora actually works and takes over from Facebook.)

Does it do this? I'm not sure, I haven't seen many people addressing this instead of the places there's a horrible hack-job hopefully marked "oh god this is a mess fix this later". And my own attempt to set up a Diaspora node yesterday ended after it trashed its database harder than I was willing to figure out how to recover from. I might try again this weekend, might even set up a virtual machine somewhere in the cloud that I can run a Diaspora node on for a few days to see if it does its Biggest Problem at all yet, then flush, because, well, security holes.
posted by egypturnash at 2:14 PM on September 17, 2010 [2 favorites]


Yeah... see... "decentralized facebook" sounds... well... like something that would pop out of one of those random buzzword generator sites.

So, therein lies my question -- how the heck will a "distributed facebook" solve problems? Am I wrong to think the whole crux of facebook's success lies in its non-distributed nature, everyone is on one platform which is reliably accessible from any other part?
posted by ph00dz at 2:18 PM on September 17, 2010


Just reviewing some of the comments I saw yesterday and digging about a bit, it looks like they have made two big mistakes, in series.

First, and most serious, is that they are not concentrating on the protocol to the degree it should be. The protocol is everything here. I cannot emphasize that enough. Before a single line of code is written a protocol ought to have been developed and then had a lot of smart people try to blow it up. Hell, start with some dumb people and then work your way up to asking for help from smart people. The entire project is about communication. If your protocol sucks, you will pay for it forever. This is why spam is an emergent property of SMTP.

Version 0.0.1 of the protocol ought to be on the website for people to casually examine and take swipes at. Eventually, you take $50,000 and you ask Bruce Schneier to try to blow it apart. Maybe spread another $50,000 around at other security people.

The second mistake is the code, which sounds like it contains a metric copulationton of dependencies. And not rock solid OS-level dependencies. I'm talking about packages out the wazoo. I'm not sure how it works but one of my personal metrics in examining new open source projects for investigation includes the number of dependencies involved. If you need Apache and mysql, no biggie. If you require a very specific version of Perl and dozens of specific packages and then some Tomcat oh and you have to install this other thing ... it isn't looking good. It's not a pure lock but the more components you must install that are not in the default, the more fragile something tends to be and the harder it is to get it running in the first place. If they continue to ignore the protocol, then the install must be fast and not prone to blowing up or failing to restart.

This just is not looking great so far, which is a shame, because I want something to make Facebook at least work a bit harder, if not die.
posted by adipocere at 2:48 PM on September 17, 2010 [7 favorites]


Am I wrong to think the whole crux of facebook's success lies in its non-distributed nature, everyone is on one platform which is reliably accessible from any other part?

Only a little wrong. Interoperability (I can see my friend's info, no matter where I am and no matter where they are) is not the same as having a single owner/controller of the data. You might wonder "how could interoperability be achieved (seamlessly and securely) without having a single owner/controller of the data?", and you'd be right to- it's not trivial. But it would be really great if it were merely nontrivial rather than impossible, because if we can have separate datacenters that still interoperate, then if one of them does something that pisses you off, you can migrate your data to a different datacenter.
posted by Jpfed at 3:07 PM on September 17, 2010 [1 favorite]


Yes, yes, it's a developer release.

Which a good number of people are going to download, set up, invite some slightly-less-technical friends, who will invite their friends, and they'll all put private information in there, and...so on. Viral spread can be not so good too.

And then it gets a bad name, which is a pity. If it raises security awareness that'd be some good of it, I guess.
posted by RikiTikiTavi at 3:11 PM on September 17, 2010


At this point what these kids need more than anything are some strong mentors who can help guide the project. They got 200K because everyone wants this to work. They have a lot on their side, but experience ain't one of them—it would be a shame to see all that hope (expressed through ca$h) come to naught just because they're young.
posted by wemayfreeze at 4:57 PM on September 17, 2010 [1 favorite]


I was initially a bit upset when Diaspora got so much attention when other groups have been laboring in relative anonymity for so long. It was hyped out of all proportion, so it was inevitable the public would be a little disappointed with the release. Still, good on them for making it to the end, I look forward to browsing the source.

Also, about it being written in Rails in particular - the hard part of software is coming up with the model for your problem. If you do that well, it doesn't matter what language or technology stack you're in - you can always port it to something else.

Other open-source social efforts include One Social Web and Apache Shindig.
posted by heathkit at 9:52 PM on September 17, 2010


I think the key thing that's missing from the explanation is what the "distributed" part actually means. Essentially they want Diaspora to work like Wordpress or Moveable Type. You can install it on your server and have your own social network, and like Wordpress publishes your blog in RSS that a bunch of other clients understand, Diaspora aims to make parts of your social network available to other Diaspora servers. Presumably there will also be the Diaspora equivalent of wordpress.com, which is kind of contrary to the spirit of the thing, but hey, capitalism.
posted by feloniousmonk at 10:26 PM on September 17, 2010


adipocere totally has it. The dependencies were what stopped me busting out Xcode and building it. I looked at them and thought -- fuck that. But the much bigger point is the protocol. At some point a truly open social protocol will emerge, and Diaspora will have played its part -- even if it's only a bit part -- in defining that, if only by omission. The notion that your information is a node which you control in every respect, and that a network of these nodes is a de facto social network which communicates via a set of open protocols, is a very powerful one and will outlast Diaspora.
posted by unSane at 10:37 PM on September 17, 2010 [3 favorites]


At some point a truly open social protocol will emerge, and Diaspora will have played its part -- even if it's only a bit part -- in defining that, if only by omission. The notion that your information is a node which you control in every respect, and that a network of these nodes is a de facto social network which communicates via a set of open protocols, is a very powerful one and will outlast Diaspora.

I agree.
posted by philip-random at 11:03 PM on September 17, 2010


Ok, and just because I spent all night reading up on this stuff, here's my opinion of the competition

AppleSeed - Very similar project to Diaspora, but started in 2005, I think by a lone coder. It strikes me as a php-based content management system that can link with other nodes to form a network. Unfortunately, documentation is sparse and the Demo Site has almost nothing on it, so I have no idea what features it has. Doesn't seem to be going anywhere.

Apache Shindig - The reference implementation of Google's OpenSocial protocols. This isn't social networking software like Appleseed or Diaspora. Rather, it's a platform and set of standards that operators of social networks can use so that the same app can run on multiple platforms. So, for example, the same clone of Farmville could run on Orkut and Myspace. Interesting for application developers, but not really to the end user.

OneSocialWeb - I hate the name, but this seems like the closest thing to implementing Diaspora's goals. It was started by Vodafone's R&D group. They built the platform on top of XMPP (an open source IM protocol), which I think is an excellent choice. They already have a server, web client, and android client available here.

Of these, I think OSW is the most compelling (though I hate the name). I really wish the Diaspora guys had spent their time, money, and visibility working on an awesome web front end for OSW and pushing it along. It's possible that Diaspora could grow into a Facebook killer, but I doubt it. I'd strongly encourage any developers interested in Diaspora to take a look at OneSocialWeb's github.
posted by heathkit at 11:54 PM on September 17, 2010 [2 favorites]


to delmoi and the others saying "well, this is how OSS works":

Open-source development does NOT necessarily mean doing your laundry in public. It's not unreasonable to expect a certain level of professionalism in what's designated a "release", especially something that can end up in the public's hands.

Likewise, unless there's some massive pressure to show something/anything right NOW, there's no excuse to release something riddled with n00b mistakes or a totally rough UI. There are tens of thousands of garden-variety programmers around (like me) who have already solved all the stupid little mistakes like input validation a thousand times over. It shouldn't be that hard to find some mentors, or recruit a UI team to handle that part.

I also agree with adipocere - the magic in diaspora is going to be defining the protocol and coding up the engine that implements it.

I'm less worried about dependency-hell at this early stage. It does suggest something slapped together, but it's OK at the proof-of-concept stage, as long as it gets cleaned up immediately after success as a proof-of-concept.
posted by Artful Codger at 8:06 AM on September 18, 2010


adipocere speaks to my heart here.

The whole key to this is the protocol. In some sense, it's irrelevant if their first client is slow and insecure if the underlying protocol is strong, because then people can write better client/servers. It's a shame that they apparently haven't hit the target on that one.

I hadn't realized that they simply aren't sanitizing their inputs at all, rather than doing it badly. That's a real shame.

Even as pre-alpha, they should pass everything through a sanitizer that, right now, does nothing at all - how long would that take to write, an evening if that? As people need more out of it, they'll add more "do nothing" code to it - then later they can write the real part. As it is, every line of code written that gets any variable from a user adds to their technical debt and increases the later chore they have.

And those dependencies. :-( Terrible, terrible idea. Each new package means some amount of extra work on every single person downloading the system, and some fraction of those attempts to install that package will fail. Getting rid of dependencies can be easy, though, if you're careful to design it that way in advance.

On rethinking this, I also think the choice of Ruby is poor and shows a certain blindness. If I were an expert Ruby programmer and writing software for my company, great! But if this open source program is to fly, they must inspire other developers to work on it - so the question of how many developers program in that language is quite relevant.

Now, using a high-quality modern language is of course even more important - or they'd be doing this in PHP.

But frankly, they should be doing this in Python - it's not just that there are two to four times as many Python programmers as Ruby programmers, but that there's strong support for Python "out of the box" on Windows, Mac and *nixen, and it's a mature language.

Both Python and Ruby are advanced, modern languages; as a pure language you could make convincing arguments for either of them.

Yet I still think that this is how open source should work. They haven't put a lot of their lives into it yet and a lot of smart people can immediately tell them where they're going wrong. If we scotch it early, then great, these developers are released to the rest of the world.
posted by lupus_yonderboy at 11:21 AM on September 18, 2010 [1 favorite]
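The "sanitizer that, right now, does nothing at all" idea above is a chokepoint pattern: every value read from a request goes through one module, so the rules can be filled in later without touching every controller. The following is an added example written for this thread, not code from Diaspora or from any commenter; the field names, the rules, and the sample request are all made up for illustration, and only the Ruby standard library is used.

```ruby
require 'cgi'

# Added example, not Diaspora's code: one sanitizing chokepoint for request
# parameters. Controllers read their input from Sanitizer.clean instead of
# the raw params hash, so RULES is the single place to harden later.
module Sanitizer
  class InvalidInput < StandardError; end

  # Placeholder rule for fields nobody has written a real rule for yet. This is
  # the "does nothing" stage described in the comment above; grepping for
  # PASSTHROUGH lists the remaining technical debt.
  PASSTHROUGH = ->(v) { v }

  # Hypothetical field names; each rule validates or normalises one raw string
  # and raises InvalidInput when the value cannot be made safe.
  RULES = {
    'username' => lambda { |v|
      v = v.to_s
      raise InvalidInput, 'username' unless v.match?(/\A[a-z0-9_]{3,32}\z/)
      v
    },
    # Free text: cap the length, then HTML-escape so it is inert when rendered.
    'message' => ->(v) { CGI.escapeHTML(v.to_s[0, 2000]) },
    'age' => lambda { |v|
      begin
        n = Integer(v.to_s, 10)
      rescue ArgumentError, TypeError
        raise InvalidInput, 'age'
      end
      raise InvalidInput, 'age' unless (0..150).cover?(n)
      n
    },
    'bio' => PASSTHROUGH,
  }.freeze

  # Returns a new hash containing only fields that have a rule. Unknown keys
  # are dropped rather than forwarded, so a request cannot smuggle in
  # attributes the form never offered; a rule violation raises InvalidInput.
  def self.clean(params)
    params.each_with_object({}) do |(key, raw), out|
      rule = RULES[key.to_s]
      next unless rule
      out[key.to_s] = rule.call(raw)
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample request, not captured from any real deployment.
  request = { 'username' => 'alice_01', 'message' => '<script>alert(1)</script>',
              'age' => '34', 'admin' => 'true', 'bio' => 'hi' }
  p Sanitizer.clean(request)
end
```

Two design choices worth noting: unknown fields are dropped instead of passed through, so the chokepoint is fail-closed from day one, and PASSTHROUGH is a named constant rather than a missing rule, so "not yet sanitized" is distinguishable from "not allowed at all".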


I just found this follow-up from yesterday, which goes into more detail than the Register article originally posted. It's rather scathing: "The team is manifestly out of their depth with regards to web application security, and it is almost certainly impossible for them to gather the required expertise and still hit their timetable for public release in a month." This thread's about done, but I'll just leave this here for posterity.
posted by The Winsome Parker Lewis at 9:26 AM on September 23, 2010


I just came here to post the followup, TWPL; it's a pretty effective rebuttal to all the hope-over-reality posts slamming The Register for being big mean poopy heads. Those are breathtaking, fundamental problems at the base of the code, and no amount of ad-hom or wishful thinking will make them go away.

A shame, really.
posted by rodgerd at 2:11 AM on September 27, 2010

