
Trouble with Diaspora - brettbender
http://blog.steveklabnik.com/trouble-with-diaspora
======
ohyes
This code was written by a bunch of undergraduate college students.

This is hiring a bunch of interns (with near zero experience) to implement
your product, giving them three months, and then being shocked -- SHOCKED,
when the code is not professional grade quality.

I was shocked when everyone and their brother was willing to shell out money
to a group of completely unproven college students to produce a distributed
open source 'Facebook Clone', that is also 'private'. My inclination is that
the 'distributed' and 'private' parts of the description push it into the
oxymoron tier of product specifications. I would have expected this alone to
give people pause about what the architecture would be (somehow it didn't).

Honestly, at least they have produced something, and for the most part, it
works. Hopefully they haven't burned through too much of the $250,000 that
they started with. 3 months of development time is honestly nothing.

Presumably, they could get comments on this, throw the entire thing away, re-
write while fixing the various issues, and be well beyond where they are now
in another three months. (If this is as bad as Steve says, I hope this is the
case). Presumably the development will go faster because previously they were
learning and developing at the same time (presumably).

Hacking together a prototype that you then throw away is a perfectly
reasonable development model. I'm impressed (and pleased) that they have
produced anything.

~~~
alabut
" _Hopefully they haven't burned through too much of the $250,000 that they
started with._ "

They mention at least two large cost items - luxr (basically consulting by
Janice Fraser, it says around $10k on the company page) and pivotal labs.
Pivotal is the huge one, I once got a quote from them on a project I was
working on and they basically said they don't do less than 6 figures. So
unless they got some kind of insider discount, the back-of-the-napkin math
says at least half of their cash is gone.

Whether it was worth it or not is a separate matter. As a resume builder for a
young team: sure, why not, you could do a lot worse. As a product for end
users: you might support their cause, it depends on whether you're 1) a
Facebook-hating neckbeard-sporting privacy nut - excuse me, _libertarian_ , or
2) willing to cut them slack on an early release because there's some
interesting technical challenge they're tackling.

For everyone else: no thanks, Facebook's fine and we'll stick with the real
thing.

~~~
steveklabnik
According to a post in a thread yesterday, they just worked at Pivotal's
office, they weren't consulting for them.

------
cilantro
This code was released to developers as an incomplete preview. I'm not sure
why people are holding it to the same standards as a finished product that's
being released to end users. Seems like a pretext to talk trash.

~~~
patio11
Their product is released to end users, because the first thing every early
adopter is doing with their shiny new host-you-own federated social network is
sending out invites.

~~~
daleharvey
So they should develop the whole thing behind closed doors because some people
are going to have to suffer the embarassment of having someone post "hahaha
disregard that ... " on their mini facebook wall?

Their code is out there, they have openly said it is full of bugs and they now
have a hell of a lot of eyes, They will get a massive benefit from this being
opened early and it really isnt their problem if people refuse to ignore all
their and everyone elses advice and give out their banks password

~~~
carbon8
Basic authorization for resource access isn't the kind of thing you add later.
This isn't just an issue of bugs or being in development, it's a fundamental
issue with their development process.

Furthermore, one of the primary goals of the project was to make something
_more_ privacy-conscious than Facebook, and so far they show they have a
development process that pays less attention to access control than any Rails
app I'm aware of.

~~~
nickbw
For brand new/"experimental" projects with both user permissions and a non-
trivial set of features, built by a small team, I've always found it easiest
to work like this:

1\. Build features, ignoring permissions entirely.

2\. When the feature set is relatively stable, default to disallowing
everything.

3\. Re-enable one feature at a time as you add appropriate permissions checks.

Step 1 looks horribly irresponsible if you don't know 2 is coming. But if you
do, it avoids a false sense of security from half-finished permissions in
rapidly changing code, and it keeps up early motivation since you're rolling
out "exciting" features right away. And counting on step 2 ensures you're
always checking whether something is allowed, instead of foolishly checking
whether something _isn't_ allowed.

Whether this scenario applies to Diaspora at all ... I don't know. Time and
another release will tell. But I do think there are valid situations where
authorization is "the kind of thing you add later" for appropriate values of
"later".

------
cies
"Release early, release often" (an open source mantra). Here on HN i also find
the 'getto launch' being preached -- "if you not embarrest by your product at
lauch-time, you should have released earlier".

Judging from the noise their release makes here on HN i think the diaspora
guys did well opening up their repo 'early'.

And to steve: i think you hold 'professional programmers' (which i interpret
as programmer that get paid) waaay too high..

~~~
patio11
There are a few reasons why this is worse: first, they are launching to media
attention and a rabid community. BCC sucked at launch, but no one saw it, so
yay. (And by sucked, I mean looked ugly, not "Anyone can delete all your
documents at will.") Diaspora has thousands of end users already. Some seeds
have 200+. They are launched. Not prealpha. _Launched._

Their entire reason for existing is "Facebook but private". At the moment,
they are delivering on that like ROT13Snap delivers on secure backup. And due
to a programming bug, ROT13 was applied twice, and indexes are on in Apache.
It is a cluster flop.

~~~
dabent
"BCC sucked at launch, but no one saw it"

Strange thing is, the advantage Facebook had is that it launched to a small
audience initially with very limited functionality.

------
mattmanser
I've seen 'really, really bad' code. This ain't it.

Yeas, it's made some rookie mistakes. Yes, there's a load of things they
shouldn't be trusting on postback (silly things like not checking the owner of
an object on 'delete' commands).

That's not bad code, that's a bad implementation. That's not knowing what to
trust and what not trust cause they've never been screwed up the ass by it
yet.

But bad code? No.

The implementations are problems, they need this shit pointed out to them.
That is all.

Steve and Patio11 are doing some serious damage to a good project for no
apparent reason apart from self promotion. I want to call them nasty names, I
really, really do.

~~~
Mod_daniel
I'm worried that this is going to be one of those group think exercises where
people are simply going to key off of their opinions without even looking at
the code. Or, worse, reiterate their claims on other forums. I don't think, at
least in Patio11's case, that this is gross self-promotion, I think its simply
arrogance.

------
steveklabnik
Please see the discussion from last night:
<http://news.ycombinator.com/item?id=1699641>

Rather than type a bunch of replies to everyone, here's some random thoughts:

1\. Release early, release often is great. But when your product's main focus
is "a private social network where you control your data" and other people can
do anything they'd like with your account...

2\. If this was just unpolished, I wouldn't say anything. But like patio11 is
saying, this has been covered by major news outlets, and many non-technical
people are getting involved. This is a plea to pay attention to the fact that
it's pre-alpha software.

3\. The mistakes are beyond amateur. This isn't "omg it's not perfect," this
is "I can't believe they didn't even apply the basics." The reason that this
matters is that it doesn't bode well for the future of the project. If they
can't even get this correct, how am I supposed to trust them later?

4\. I only complain because I care. I want this project to succeed, and I
really like a lot about the interface, actually. But that doesn't mean I won't
call a spade a spade.

~~~
Maro
"The mistakes are beyond amateur."

Can you pinpoint them? I don't think it makes sense not to at this point..

~~~
steveklabnik
Since I've already brought this up on Reddit...

For example:
[http://github.com/diaspora/diaspora/blob/master/app/controll...](http://github.com/diaspora/diaspora/blob/master/app/controllers/photos_controller.rb#L63)

There's no check to see if this is your photo or not. And before you mention
it, the before_filter only checks if they're logged in, not permissions.

There are many, many similar things to this. Check out lib/encryptor.rb and
shudder. I'm no security expert, but...

~~~
Maro
How is that a fundamental problem? It takes two lines of code to fix.

This is an alpha release. People shouldn't be using it, that's all. They
should've put in an artificial limitation like max. 2 users with max. 2 pics
each per server to avoid people using it.

The whole thing being in Rails is much more of a turn-off for me.

~~~
ianb
If I saw "# FIXME: check perms" in that code I'd have said, sure, it's alpha,
no biggie. But without any acknowledgement of what should be a totally obvious
security hole, it makes one question what other holes there might be, and
_maybe_ they can all be reviewed away... but it can also lead to a lot of pain
for a long time. But maybe the visibility of the project will help get that
review done.

Realistically, though, so long as they don't get clever it might be fine. If
they do clever things then review becomes very hard.

------
com
There's a lot of negativity and "I told you so" snickering floating around
Diaspora on Hacker News.

I'm putting it down to envy: these guys have shipped some pre-alpha code
that's interesting to a large number of people.

Excellent marketing in the open source community for developer eyeballs,
perhaps not so good in terms of end-user experiences, but that's not the point
at this stage, numbers will be low and the perceptions of the dumb early-
adopters (of pre-alpha distributed social networking code, ffs) shouldn't leak
too badly into the mainstream.

However, people are now eating the dogfood, and I expect to see fairly rapid
improvements in the code: not unexpected for an alpha drop in my experience.

To the people who are moaning, would you like others to see _your_ alpha code
and laugh bitterly about you being a young (or old for that matter) upstart?

------
agentultra
The trouble is that they were so ambitious but lacked any experience from
which to chart those ambitions. They're just a bunch of young twenty-
somethings just getting out of school. They haven't built any large-scale
real-world security-hardened software yet.

More than the fact that the code isn't production ready (by a long shot it
seems), I'm just surprised the released anything at all. Perhaps spending all
that money on those consultants was a good thing for them. I doubt they
would've been able to get by on their own given what was released and the hype
they set in motion. It's a lot to live up to. They made some really bold
claims.

Just goes to show that you can't just talk the talk and watch your dreams come
true.

~~~
Volscio
What were these kids thinking, starting some ambitious software project from
scratch without much of a clue how to do it? This is unheard of on the
internet!

~~~
agentultra
I don't see what point you're trying to make.

My point is that their problem is other peoples' expectations. Their ambition
set the bar before they'd written a single line of code. Had they been more
humble and waited to ask for a handout afte they had released what they have
now I don't think there would be half as many articles hitting HN about how
crappy their software is.

I think that they released something is great. I would never put some one down
for having ambitions and aspirations to follow them. I would simply advise
that they keep those ambitions to themselves and let their actions speak for
them.

~~~
Volscio
I think the "ambitions" you're ascribing to them are based on your own
interpretation of events. They sought a little seed money (what was it? $4k?)
to try to do something pretty cool. They happened to do it at just the right
time and rode a wave of publicity and enthusiasm. Now people like you are
saying, well they should have planned it better. Well, they should have
released a more mature project before begging for handouts. Well, they should
have let security experts do it.

They didn't plan this. But they're giving it a shot.

Haters gon' hate.

------
chegra
Ok... I'm no clearer on what the problem is than when I started reading the
article.

All I got from it was they have security problems. What exactly? where
exactly?

"Really, Really, Really Bad" is really subjective. When stating a problem try
to be concrete and objective and give examples. For instance, if you think
someones cooking is a bit off and you are a chef, say you need a little more
salt or pepper or whatever the case maybe. A chef can't simply say it is
really, really, really bad, leave such comments to amateurs who don't know
what exactly they are experiencing and how exactly to fix it.

If you don't really have the time to address each particular concern then give
them a reference to some security books that are essential when developing
something like this.

As it stands the community is no better off before than when you wrote this.
You should have written an article about "10 security books that are a must
read to prevent diaspora mistakes".[I would appreciate it if someone who is
knowledge about this wrote something like this]

~~~
natrius
The vague references to security bugs are an act of charity.

------
EGreg
Okay first of all, I'm glad that a bunch of undergrads from my school were
able to raise $200k, get a lot of press, and build something. This alone
should get a community of people around the project fixing bugs, etc.

I've always been saying that making a distributed social network is much
easier than "solving" privacy and security for such a thing. First of all, try
even defining what it means to privately share things with people on the
internet. Then, realize that most solutions (such as diaspora) will actually
EXACERBATE the privacy problem, by making you trust the hosting services of
_all your friends_ instead of just facebook.

That said, after diaspora was announced it made me think about whether it's
possible to ensure privacy in principle. Meaning, is it possible to only trust
YOUR hosting company and friends, and cut out every other middleman from being
able to snoop your data?

I came up with something which I think would be very useful, and I actually
submitted a provisional patent for the technology, which basically enables
distributed AND private social networking using just today's web browsers.

If you want to check it out or get involved, see <http://myownstream.com> .
This is an open-source offshoot of a social network I'm building, which I hope
to release next year. You can see the roadmap there, but so far it's been
going really well :)

~~~
xentronium
Is your school specializing on building secure distributed social networks?

~~~
EGreg
No, man. I was studying math at NYU. Now I do web development.

It's just a coincidence that these guys are also from NYU.

------
rbates
There are very serious security blunders here, but I wouldn't go as far as the
article to say it needs a complete overhaul. Here are a few example fixes.

1\. Most of the XSS errors should be handled by Rails 3 auto-escaping. I'm not
certain why this isn't happening. It may be a simple HAML config error or bug.

2\. The session key should be moved out of the Git repo.

3\. Most of the authorization can be done by reaching through the current
user's associations. For example "current_user.photos.destroy" would prevent
users from destroying other's photos.

I'm not defending the developers here and agree these should not have gotten
past them. My point is these problems can be fixed in a few days, and thanks
to open source, there are many eyes looking at the code to find additional
security issues.

------
moron4hire
This is the problem: college students are terrible programmers. There aren't
enough consequences for writing bad code in college. In industry, you learn
very quickly that everything you learned in college is minuscule compared to
what you actually need to know to work.

I knew guys who only studied databases or only studied HTML+JavaScript+CSS.
And we all expected that this level of specialization was common and even
desirable! Wow. Looking back now, how silly of us. Where did we get this idea?
Certainly not from anyone with significant experience in industry. We had one
professor with significant industry experience... from the days of IBM
mainframes. She was the head of the department. She ran two classes a year, in
"software engineering", basically "technical writing and project management".
They were good classes, the most like the "real world" of any of our courses,
but only 50% of the students took it and it represented maybe 10% of our
studies for those of us who did.

Yes, the CS degree is about preparing students for CS graduate programs. But
there was never a suggestion that perhaps the CS degree was not what we
needed. Or maybe there was a suggestion, one, from some guy on Teh Intarwebs,
against every other person in positions of respect around us. We were
consistently told that the CS degree was the path to a software development
degree. Yes, internships. They are very important. We don't do enough of them.
We certainly need more of an apprenticeship model. I suspect that the
development of good programmers would work in a culinary school model more
than a research school model.

College graduates are basically the first level of competency worth training
to become developers, or at least are supposed to be (let's just stick to
ideal situations right now, with no wind resistance and infinite point
masses). It's like in the martial arts, we say that black-belt is where the
learning _begins_. Once you reach black-belt/BSCS, you have only acquired the
_tools_ that you need to start learning.

Every programmer I've known thought he was a super hacker by the time he got
out of college. Me included. I see it in the interviews I conduct, also. There
is an air of arrogance. There is a sense of shock and personal assault when
pointing out their errors. They haven't yet grocked that the code is not them.
They haven't yet learned that the errors are inevitable, that it is only time
and experience that teaches us how to avoid them, that programming is about
the pursuit of eventual perfection and not the dogmatic defense of yesterday's
code.

So one of two things happens. Either the degreed programmer shucks his hubris
and finds humility, or he becomes a leech on his coworkers (and my use of the
masculine pronoun is no mistake, the female programmers I've known don't have
this pathology). Unfortunately, the latter is apparently indistinguishable
from the former for most management types. Haha, but digging on the liberal
arts majors aside, most people who come out of college with a BS in CS do not
want to make programming their wake-to-sleep life. They want it to be their
9-to-5 career, and leeching is the easier route to that.

The kids mean well, I'm sure they are quite intelligent, and they've got
heart. But a startup was probably the worst first endeavor for them. I think
it's better to go through your male-programmer-humiliation on someone else's
dollar. They're basically going into more debt to learn how to be programmers
now that they've gotten out of college. They could have been earning a salary
to learn how to be programmers.

~~~
mlinsey
I agree with you up until your last paragraph "a startup was probably the
worst endeavor for them". The sheer gumption to throw yourself whole-heartedly
at problems you are unqualified to solve is one of the most important
characteristics of a startup founder. Even if you spent time learning to be a
great coder, there would be a dozen other things you'd need to be doing for
the first time when you first start a startup. Rather than spending a bunch of
time learning in industry, it's just as well to just try it when you are young
and have less to lose.

Diaspora is also a somewhat unusual case. For most consumer web startups, the
back button is a much bigger threat than security vulnerabilities in the early
stages. Once you've iterated a lot have a better idea of what you're actually
building, one of the first steps is usually to hire coders who are much better
than you. In Diaspora's case, it's unclear to me whether their vision is a
business or an open-source project - in the latter case then having stronger
coders lead the effort is more important.

~~~
code177
I wholeheartedly agree with you, if the fact was as simple. As it stands, the
paragraph should have read: "a startup [with $200,000 funding of other
people's money] was probably the worst endeavor for them", as that more
accurately represents the reality of the situation.

~~~
mlinsey
I don't think funding changes the situation either - if anything they could
have used even _more_ money so they could hire someone more senior that would
help guide their development.

Perhaps the problems also lie in the expectations of those giving money. I
assure you that few experienced angel investors would have been upset or
surprised that the college kids they gave $200K to produced code that was
messy or had some bad security problems in the early stages. They would be a
lot more concerned with how the founders planned on getting adoption for their
fledgling service, or whether they were iterating on the product quickly
enough. It seems that many who have donated to Diaspora (or who are getting
upset on behalf of other people who donated to Diaspora) have different
expectations. '

Just today I was playing with the product of a company in the just-ended YC
batch. I found I was able to delete someone else's posted content on the site
trivially easily. While I'm sure PG wouldn't be exactly happy to hear about
this, he sure as heck wouldn't think that the founders should have spent more
time learning to code in industry before taking his money to build a startup.
He'd just tell them to fix it (and it's probably fixed by now), and then move
on to more important questions like whether they were getting more users and
building the right features.

------
dododo
it's insulting to refer to them as kids and criticism like this is only
helpful if you give examples: this article does not do that, just making wide
sweeping statements about "how bad" it all is. i had a quick look at github,
it didn't look like it stunk, but i don't know ruby nor the framework they
use.

they didn't appear to use pbkdf2 or similar to derive their crypto keys, so
that isn't good. but at least they didn't make up their own algorithm (though
maybe they're making their own crypto protocol--hopefully not--i couldn't tell
from the code).

it's very easy to say "this sucks", it's harder to say "this sucks and here's
why" and it's even harder to say "this suck and here's why _and here's how i
do it in my deployed product_ "

~~~
steveklabnik
I call everyone 'kids,' it's not meant to be offensive. I'm 24 myself.

The 'here's why' part gets tricky with security stuff. I don't want to be
complicit in people trashing accounts. And if you read, I did submit patches.

And they are making up their own protocol. It's currently not documented.

~~~
mkramlich
yep. in common usage it often seems 'kids' is a reference to anyone no older
than 5-10 years younger than oneself. ;)

------
jarin
I'm not even sure it's worth submitting patches to Diaspora, both because of
the fundamental problems with the code, but also because of their "Open Core"
licensing scheme (AGPL + contributor agreement):
[http://www.ebb.org/bkuhn/blog/2009/10/16/open-core-
shareware...](http://www.ebb.org/bkuhn/blog/2009/10/16/open-core-
shareware.html)

Looking through the code, it looks like Diaspora is really just putting a
front end and "aspects" on top of OStatus. I think it might be good at this
point to just scrap the Diaspora code and start over from the basics with a
good OStatus-based reference implementation in Rails.

~~~
cmars232
At its core, the real value in something like Diaspora is its protocols. If
you disagree with the license, or the language they chose, why not make your
own implementation from scratch that can federate with it.

If it survives, I might do this... I think their approach is fine for rolling
out a private enterprise FB or creating an alternative hosting solution, but
I'd like to see an even more decentralized solution. Ruby isn't a good choice
of language for mobile, or native compiled "IJW out of the box" deployable
solutions.

------
mayank
It's great that they're getting so much open-source help, but I'm going to ask
the obvious question: if a "complete overhaul" is what's needed, as the author
seems to imply, and the FOSS community performs said overhaul, then what of
the $250k that was given to the Diaspora guys? Is it still even "Diaspora"
anymore, as opposed to a FOSS project?

~~~
jlgbecom
And more importantly, if you're going to rewrite, why help Diaspora, and not a
more mature option?

~~~
kennedywm
Because momentum and attention are more important than maturity. The qualities
that come from maturity can be built with work; momentum and attention aren't
as much of a function of hard work and are far more difficult to capture.

~~~
jlgbecom
Momentum can die as fast as it builds, while maturity is lasting. All these
projects are in active development, and it'll be very difficult for Diaspora
to catch up.

------
chaostheory
One thing I really liked about this post: most people readily complain about
something, yet only a few like Steve actually do something to help fix it.

~~~
harryh
Indeed. If the world was filled with more people like Steve it would be
awesome. This post is getting close to 100 comments. If each commenter took
the time to fix just one bug, that would be a lot of progress just there.

Go Steve!

------
rblion
Jason Fried was right. All the hype and pressure before launch will cause some
serious problems.

------
msy
They could've really saved themselves some grief is they'd been far more
explicit about saying that it's Alpha and months from being production ready.
All this 'there's bugs! omfg!' hoo-ha could've been headed off at the pass

~~~
twymer
I think there's a big difference between "omfg bugs" and "The bottom line is
currently there is nothing that you cannot do to someone's Diaspora account,
absolutely nothing" from
[http://www.theregister.co.uk/2010/09/16/diaspora_pre_alpha_l...](http://www.theregister.co.uk/2010/09/16/diaspora_pre_alpha_landmines/)

~~~
msy
Not really, in fact that article was exactly what I was thinking of, reading
it it'd be easy to get the impression they were talking about production
software after the first sentence. Bugs are fixable and I haven't found any
serious design or protocol mistakes, nor seen anyone else point any out. Given
that, I'd say they're doing pretty damn well.

~~~
steveklabnik
Yes, there are: <http://news.ycombinator.com/item?id=1699782>

~~~
kenjackson
Without more details its hard to tell how big of an issue this is. I've been
brought in on projects to fix security in the past, and in many cases, after
thorough design and code review, we crafted up a modified design and
implemented it in a week.

And these were in substantially larger systems.

With that said, I haven't looked at the code, so maybe the issue is more
fundamental than that, but I haven't seen evidence of that yet.

------
Maro
At least somebody's got a sense of humor:

Github issue #8: "Facebook has a majority market share"

<http://github.com/diaspora/diaspora/issues#issue/8>

~~~
jokermatt999
If you didn't catch it, it's referring to Ubuntu Bug #1: Microsoft has a
majority market share

<https://launchpad.net/ubuntu/+bug/1>

~~~
Maro
I saw that. But it's still funny =)

------
thinkalone
Steve, where did you get the $250,000 figure? Their Kickstarter page still
shows $200K and change
([http://www.kickstarter.com/projects/196017994/diaspora-
the-p...](http://www.kickstarter.com/projects/196017994/diaspora-the-
personally-controlled-do-it-all-distr)), and now there are currently three
mentions of $250K in the comments here, none of them questioning the $50K
raise. Just checking to see if I missed another bit of funding somewhere.

~~~
steveklabnik
Nope, I just remembered wrong. I'll edit that now, thank you. At least that's
not as bad as someone on Reddit who tried to say they raised $4mm...

~~~
thinkalone
No worries - I would have left a comment on your post, but I didn't have an
account to sign in with, and wasn't sure if maybe they had raised an
additional $50K outside of Kickstarter.

Just wanted to say good on you for fixing bugs and contributing to Diaspora!
Unfortunately I don't even know enough Ruby to understand what I'm looking at,
but I'm excited about the project - they've definitely got a good resource in
you! Is there any indication that they switched to Ruby during this Summer? I
_swear_ it was originally going to be in PHP, but I can't find any mention of
that now. Could the oversights in the code be due to this being the first
piece of Ruby the team has written?

~~~
steveklabnik
They won't have me for long; I have my own projects to work on. Hackety Hack
is more important to me, by far.

I also vaguely remember that it was supposed to be in PHP as well, and several
other people have mentioned that. I can't find a source...

It could be the reason, but things like "make sure if you're trying to delete
a photo, it's yours" is something that transcends implementation languages,
you know?

~~~
thinkalone
Maybe they'd even be open to hiring you as a paid consultant, since they are
now using Ruby, and seemingly are willing to invest in improving their
project.

------
middlegeek
They (Diaspora staff) said this as they released it:

"Feel free to try to get it running on your machines and use it, but we give
no guarantees. We know there are security holes and bugs..."

~~~
citricsquid
The issue is you shouldn't build (or ship) code like this with such major
security holes, you build security at the start, it should be an integral part
of the application. You can't just dick out some insecure application then add
in security, it doesn't work.

~~~
gloob
Microsoft didn't "build security in at the start", nor did Apple, nor did
Twitter, nor (I suspect) did Facebook or YouTube. It's a pre-alpha of an open
source project. Of course there will be problems.

~~~
citricsquid
Yeah and how much code is being used now that existed when they didn't have
security? You can't compare this and what Microsoft, Apple or Twitter have
done, I'd be very surprised if any of those companies continue to use code
that was developed at a time when they didn't consider security. Although
thinking about it, the software industry is questionable... maybe I'm wrong,
it just seems a very bad start.

Twitter has had major security problems, same with many other "big" companies,
shouldn't this be a lesson that security is the primary concern _especially_
for an open source project?

~~~
astine
What's the likely hood, security issues asside, that much of this code ends up
in the 'final' Diaspora product down the line? I might misunderstand their
intentions, but as I understand them, these guys are trying to start an open-
source project. Open-source projects need momentum before they need anything
else. Money is a start, but they need code. It doesn't even need to good code
or even passable, so long as it kind of works and provides something for
hackers to hack on. If they play their cards right, it's that last bit about
attracting hackers to the project that will turn Diaspora into something
viable. None of the code they write right now really matters.

Just think of many of the older more established FOSS projects, Linux, Apache,
etc. Many of them started out very rough, but attracted developers and turned
into something useful. I think that dumping the code right now, was probably
the best move that they could have made.

------
didip
I was totally expecting crap like below when cloning the project:

* literal SQL without escaping (They use Mongo it turns out)

* 10,000 lines of controller action (The biggest one is Photo#create, but far from huge). PS: They use carrierwave, which is AWESOME.

* giant business logic in the views (They use haml and the code is clean).

* Not escaping user's input (OK, there are places where they forgot to put it).

Their code is far from shit. Easily improvable as they gain more developers.
Aren't we too quick to judge?

------
thibaut_barrere
Good thing: the project already has 292 forks and 2051 watchers on GitHub!

I believe they will get an amazing quantity of outside work.

------
catshirt
As far as I can consider, there are two possible alternatives to this (that
is, releasing their flawed code). They could have either released flawless
code, or they could have released no code at all. I understand OPs concern,
but considering the alternatives I don't really get the tone of the article.

------
pkulak
First people bitch and whine because they are working "in secret" and not
releasing code. Then they release and everyone freaks out because it's not
finished. I guess the only way everyone would be happy would be if they
released a completed project after a week.

~~~
jordanmessina
Where in this article does the author complain about it not being finished?
It's the fact that the Diaspora team is not doing things right. No one cares
that this project isn't finished they care about how much it sucks because
their whole reason for starting the project was privacy and they don't even
come out of the gates with a secure system for people to implement/build
upon...

~~~
pkulak
The author of the article didn't, but no one is going to argue both points,
since they are contradictory. This author is angry that the code isn't
finished. Many other people were angry that it wasn't released. I'm just
saying, there's no way for these guys to please everyone, which is to be
expected.

~~~
steveklabnik
I'm not angry the code isn't finished. I'm concerned that people don't
understand what they're getting into; yes, they mentioned that it's an alpha
release, but nobody is paying attention to them.

And I'm also concerned that if they'd consider releasing something so broken
that it won't be taken care of in the future.

------
kbatten
My god most of these comments are sickening. It sounds like a group of old men
reinforcing each other how much better people were "back in their day" all the
while forgetting what "back in their day" actually was. Is it jealousy that is
fostering these posts?

------
marknutter
This is pretty unfair. They just want to get it out there earlier than later,
so that the community can help with a few of the less glamorous parts of the
app. I guarantee they've been spending most of their time just wiring things
up and making the interface look pretty (the fun stuff), and now are tapping
into the OSS community to help take care of the security details. I completely
sympathize with this strategy, and they explicitly said it was far from secure
or complete.

It's this kind of code bashing that makes it difficult and intimidating for
newbies to break into development. Think twice before you lambast younger,
less experienced programmers on the internet. What a shame.

------
10ren
It's an MVP. Problem is, it's in an established market. Although this worked
for open source in the established unix market, that wasn't a _mainstream_
market. But note: only a tiny subset of users are going to switch initially
anyway, so, in practice, it's not mainstream at all. Besides, expert coders
will contribute; I've seen it happen.

And it's infinitely better than the alternative, of getting everything right
first time, _because that's impossible_. Something is better than nothing.
Live it!

~~~
jat850
The "V" in MVP stands for viable.

As is, the Diaspora code base is not viable. Not even minimally so.

~~~
10ren
The "P" stands for product, not code-base.

Logically, security and privacy are secondary: they are properties _of_ some
functionality/data.

~~~
jat850
Yes, P does indeed stand for product. And this is not a product. Not yet,
anyway.

~~~
10ren
If you do some reading around MVP, you might be surprised at what a low
standard exists to constitute a product. Some folk even count an ad + landing
page as an MVP. ie. 0 code base. An MVP is a point of departure, not arrival.

~~~
jat850
I will certainly concede that, especially given that this isn't anywhere near
my realm of knowledge - I'm strictly a coder and don't have the vision or
insight into product presentation, preparation, or anything like that.

However, my instinct tells me that the example you mention of say, an ad +
landing page, IS an MVP in one good sense - to gauge interest in a potential
product (an iPhone app, etc), gathering subscribers to mailing lists, beta
signups, etc.

But in the scope of what Diaspora is trying to accomplish, releasing the code
base like this doesn't qualify as a product - I think.

I am way more than willing to be wrong on this point, though. I'm also
probably just splitting hairs by this point.

~~~
10ren
At the moment, their primary task is actually to gauge/encourage interest -
without that, they have lost.

A following task is to discover if what they have is usable/useful by real
people, and the only real test of that is to release it and get feedback.
Related is flushing out bugs (most effectively done by actual usage); testing
performance (even for small numbers of users); and of course flushing out
specific privacy and security issues. Note that it's not actually necessary to
even continue with the same codebase; it is possible to use it as a prototype.

I think a helpful way to separate a "product" from a "codebase" is to ask
whether a complete rewrite in a different language with a different internal
architecture (and of course codebase), that is indistinguishable to users,
could be sold as the same product.

I think the Mythical Man Month would be of interest to you; he has your
perspective, but with a wider scope. I think you'd really enjoy it, if you
haven't already. Some fascinating ideas appear right up in chapter 1, very
clearly written.

~~~
10ren
It's fun to think of a software product as a giant ADT (Abstract Data Type),
as it specifies operations that may be carried out (via a GUI, or command
line, or webpage, or webservice, etc), while the detail of the implementation
of those operations is hidden. Each instance (running copy) of a software
product contains its own data.

------
mark_l_watson
As other people have already said: this is just an early code drop. It would
be good to have it transition into an open source project with many
developers, especially because the developers are I assume starting their fall
school term.

I enjoyed building and playing with the code, and I hope that there is a much
improved version in the future.

~~~
hornokplease
"the developers are I assume starting their fall school term." Two of the
Diaspora team graduated in May, and the other two have taken a leave of
absence from NYU to continue to focus on the project. See:
<http://www.joindiaspora.com/2010/08/26/overdue-update.html>

------
duck
_I don't want to disclose too many details_

I thought the idea of a developer release was to do exactly this.

~~~
steveklabnik
To them? Sure. On my blog, for (what's currently around) 8000 people to read?
Nope.

------
adnam
What do you think the first release of Facebook looked like under the hood?

------
motters
I can hear Zuckerberg chuckling like an evil genius.

~~~
code_duck
Why would he even care? It's only in some confused fantasies that this
project, of all projects, would be THE ONE to actually challenge Facebook. It
might, it might not. No more likely Diaspora than some project cooked up by a
pair of 16 year olds in Brazil.

------
skbohra123
In all this , we forgot that they are here to create an open social network.
This was their dream, so may be this is the way they wanted to do it.

------
startupcto
I'm not sure what is the problem here. It's a piece of software that was
released to the public on Github and if anyone decided to use it shouldn't
expect it to work without flaws.

If it was a piece of crappy software that I wrote and put it on Github, I am
going to get criticize to the point that it's worthless, I'm not sure where is
the open source spirit going this way.

------
c00p3r
Why? It is called crowd-sourcing and there are even several "bestsellers for
dummies" about how to use crowds to make money.

Nothing to see here.

