
How Diaspora killed itself before it even launched - jarin
http://jarinheit.posterous.com/diaspora-or-how-to-kill-your-facebook-killer
======
mcmc
I ran a non-profit called ossline for a while (www.ossline.org) which helped
open source projects with contributor license agreements, so I am familiar
with the issues.

I don't understand this "no way in hell I am signing a contract just to
contribute to an open source project" sentiment. It is trivially easy to do
(see Node.js's CLA which is an entirely electronic form,) and it gives the
users all sorts of additional protections that traditional open source
licenses can't otherwise provide, such as patent royalty protections.

The downside of these CLA agreements is that it allows the controllers of the
project to re-release code under a less stringent license, and in some cases a
commercial license. I can see someone becoming upset that code they worked on
in a GPL project was later released as BSD, but that doesn't seem to be an
issue with the OP.

All in all, the only reasonable takeaway here can be summarized in a
sentence: "Diaspora may have a more limited uptake by corporations who are
hesitant to open source proprietary additions to the software."

Certainly nothing to write a rant over.

------
dasht
Heh. The reasons given also explain why the GNU project has failed to release
any influential software like GCC, the various GNU shell utilities, GNU Emacs,
GDB and other such insignificant projects.

~~~
bconway
None of the projects listed above are AGPL-licensed. AGPL is egregious in its
viral nature.

~~~
tptacek
This word "viral" is like "death tax" or "pro-choice"; it communicates a real
phenomenon with an overt spin.

The reality is that this "virality" you're talking about is a perfectly
reasonable authorship protection. It allows groups that want to claim firm
ownership of a project to release its source code without worrying about
ending up competing with a fork.

We all know, at least ever since Github made it cool, that forks are a
desirable property of open source development. But it wasn't always looked on
that way and sometimes it in fact isn't desirable. Perfect example: a company
that wants to make a living selling a product. We're all better off if they
publish their source code, but if they do it with straight GPL, it's going to
end up used against them in someone's web app.

This is neither here nor there with respect to Diaspora. They may have made
some claim about exactly how "open" their "openness" is intended to be. But
it's simply not fair to suggest that the AGPL is an egregious license. "ALL
RIGHTS RESERVED" is an egregious license, and the most popular license in the
world.

~~~
lnguyen
Actually the AGPL doesn't prevent you from competing with a fork, as long as
that fork is also open.

Also as far as the contract goes, it's only if you want to contribute code
back to the Diaspora project and have it become part of the canonical codebase.
There's nothing to prevent you from making those contributions available on
your fork and have them remain open.

~~~
tptacek
Sorry, meant, "commercial fork". But you're right.

~~~
tomjen3
Actually it should properly be proprietary fork, since if it ends up with one
company being like Red Hat, they can still sell (with added services) what
they give away for free.

------
moe
Do we really need to reach out to the license to declare this project DOA?
This is a hacker community, right?

For me the technical "architecture" did it.

A rails-app, of all things, to serve as some sort of "superpeer" for what
cries to be a P2P system? Really?

And their answer to their stated goal of "privacy aware, personally
controlled" is to store the data not in one opaque box (facebook) but to
distribute it over _many_ opaque boxes, under the control of random people,
without some sort of end-to-end encryption involved?

Really?

Sorry, but not only does real P2P technology exist, there are even _free_ and
_mature_ implementations out there for most of the primitives that a
distributed facebook would require. Why not plug together what's needed and
invent what's missing?

We have mature DHT impls like Kademlia (edonkey), Chord, freenet. Look at the
concept of Web-of-Trust and RSA/PGP for identity management in a distributed
system. Look at jabber for messaging and presence.

Something is seriously, fundamentally wrong when your answer to "distributed
system" comes out as "Rails".

~~~
limmeau
I don't think social networks need the same architecture as file-sharing
networks. I want the data I publish on my social network node to be available
24/7 to my network friends. Since neither I nor most of my friends have a
server at home, that means hosting the data on some server in some hosting
center. So Rails isn't a necessarily stupid idea for a social network
consisting of people like me.

~~~
moe
_Since neither I nor most of my friends have a server at home, that means
hosting the data on some server in some hosting center._

No. P2P networks like freenet and edonkey already distribute content over many
nodes, just with different goals and priorities. It would be possible to adapt
these mechanisms to ensure that data you _push_ to the network actually
_stays_ in the network for a reasonable period of client-downtime. I could
think of various ways to achieve this technically (n-copies, caching
superpeers, and each of your friends would naturally hold on to a copy anyways).

One important bit to realize here is that the data volume is rather small
because only meta-data (friends-graph, profile, wall, messages, etc.) needs to
be handled in a truly distributed fashion.

Big chunks, such as images, could and should mostly remain on centralized
services for the time being.

Another important thing to realize is that the privacy in such a network
could be made to be _much_ better than on any remotely hosted solution because
you can implement end-to-end encryption. All data on the network would
naturally be transmitted and stored only in encrypted form. You would reveal
chosen pieces to your friends by sharing the respective keys with them.

_So Rails isn't a necessarily stupid idea for a social network consisting of
people like me._

People like you (the end-user) aren't even supposed to install diaspora on
their machines. Instead (if I understood them right) you are supposed to sign
up on someone else's diaspora installation and generally trust _all_ diaspora
nodes in the network because your data travels freely between them.

Disclaimer: If this description is wrong then someone please correct me.
There's some conflicting information about what diaspora _is_ and what it
_wants to be_.

Rails surely has its place in many applications. But for this one it just
screams "We have no clue what we're doing" to me.
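
The end-to-end scheme described in the comment above (data stored only in encrypted form, keys handed to chosen friends), as an added example that is not part of the original thread or of Diaspora's code, written for Node.js with only its built-in crypto module. The record layout, function names and user ids are assumptions made for illustration; posts are not signed here, so author authenticity is outside what it shows.

```javascript
const nodeCrypto = require("crypto");

// HKDF-SHA256 over an X25519 shared secret gives a 32-byte key-encryption key.
function deriveKek(privateKey, publicKey) {
  const shared = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync("sha256", shared, Buffer.alloc(0), "post-key-wrap", 32));
}

// AES-256-GCM with a fresh random nonce; `aad` binds the box to an identity.
function seal(key, plaintext, aad) {
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { iv, ct, tag: cipher.getAuthTag() };
}

// Throws if the key is wrong or any of iv/ct/tag/aad was modified.
function open(key, box, aad) {
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, box.iv);
  decipher.setAAD(aad);
  decipher.setAuthTag(box.tag);
  return Buffer.concat([decipher.update(box.ct), decipher.final()]);
}

// Author side: encrypt the post once under a random content key, then wrap
// that key separately for every friend who is allowed to read it.
function publishPost(authorId, text, friendPublicKeys) {
  const contentKey = nodeCrypto.randomBytes(32);
  const ephemeral = nodeCrypto.generateKeyPairSync("x25519"); // one per post
  const wrapped = {};
  for (const [friendId, friendPub] of Object.entries(friendPublicKeys)) {
    const kek = deriveKek(ephemeral.privateKey, friendPub);
    wrapped[friendId] = seal(kek, contentKey, Buffer.from(friendId, "utf8"));
  }
  // This object is all a storage node ever holds: no plaintext, no private keys.
  return {
    authorId,
    ephemeralPub: ephemeral.publicKey.export({ type: "spki", format: "der" }),
    body: seal(contentKey, Buffer.from(text, "utf8"), Buffer.from(authorId, "utf8")),
    wrapped,
  };
}

// Reader side: unwrap the content key with the reader's private key.
function readPost(record, readerId, readerPrivateKey) {
  const slot = record.wrapped[readerId];
  if (!slot) return null; // no key was shared with this reader
  const ephPub = nodeCrypto.createPublicKey({ key: record.ephemeralPub, format: "der", type: "spki" });
  const kek = deriveKek(readerPrivateKey, ephPub);
  const contentKey = open(kek, slot, Buffer.from(readerId, "utf8"));
  return open(contentKey, record.body, Buffer.from(record.authorId, "utf8")).toString("utf8");
}

// Constructed scenario: bob is a friend, mallory operates a storage node.
function demo() {
  const attempt = (fn) => { try { return fn(); } catch (e) { return "rejected"; } };
  const bob = nodeCrypto.generateKeyPairSync("x25519");
  const mallory = nodeCrypto.generateKeyPairSync("x25519");
  const text = "party at my place on friday";
  const record = publishPost("alice", text, { bob: bob.publicKey });
  const forged = { ...record, body: { ...record.body, ct: Buffer.from(record.body.ct) } };
  forged.body.ct[0] ^= 1; // storage node flips one ciphertext bit
  return {
    asBob: readPost(record, "bob", bob.privateKey),
    asMallory: readPost(record, "mallory", mallory.privateKey),
    stolen: attempt(() => readPost(record, "bob", mallory.privateKey)),
    tampered: attempt(() => readPost(forged, "bob", bob.privateKey)),
    plaintextVisibleToNode: record.body.ct.includes(Buffer.from("party")),
  };
}

console.log(demo());
```

Revoking a friend in this layout means dropping their wrapped slot and re-encrypting under a new content key, since a key that was already unwrapped cannot be taken back.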

~~~
limmeau
Perhaps we have different threat models regarding social networks. I'm
concerned about one big company being able to analyze (within its own
databases) the social network communication and friend-graph of a large part
of the population. I'm less concerned about targeted attacks on individual
semi-public messages. Some of my friends use Adobe Reader anyway.

If reading a person's social network communication and local friend graph
requires approximately the same effort as breaking into an individual mail
server or sniffing SMTP traffic on a network node, and the criminal effort is
approximately proportional to the number of persons to supervise, that's OK
for 1.0 for me.

I don't know the details of the protocol between Diaspora instances. But I
hope that if some foreign Diaspora instance wants to read my messages to my
friends on my own Diaspora instance, then it has to supply some proof that one
of its users is a friend of mine.

~~~
moe
Well, as said, my criticism comes from half a privacy angle, but mostly from
the technical/execution angle.

Their prototype leaves so many basic (and hard!) questions unanswered that, to
me, their architecture smells less like a conscious decision and more like a
strong case of: "If all you have is a hammer then everything starts to look
like a thumb."

In all honesty it looks like a non-starter to me.

Sure, "just start hacking" is what everyone tells young startups to do, and
that's what they apparently did.

But that approach doesn't work very well for building a distributed system
where all the components absolutely must snap into one another if you don't
want the whole thing to fall apart under stress. Much less if your stated
goals include terms like "privacy" and "security".

The old proverb "Weeks of coding can save you hours of planning" does not
apply here, at all.

------
aditya
Maybe if the author started with the premise that Diaspora is more about
offering an open source, secure and decentralized alternative to Facebook
rather than zomg facebook killer h8 gpl mindset they might understand the
situation better?

Diaspora is about choice, not market share.

~~~
dasil003
Unfortunately social networking _is_ about market share.

~~~
pwpwp
At the moment, yes. Once it's decentralized, not.

------
tingley
Reason #2 ("they make you sign the contributor agreement") is basically a
declaration that the author doesn't understand US copyright law. If you are
serious about keeping your code free, up to and including the ability to
enforce its license in court, there are legal reasons to do this.

At least, so says the FSF (and so do the IP lawyers I've talked to about it):

<http://www.gnu.org/licenses/gpl-faq.html#AssignCopyright>

<http://www.gnu.org/licenses/why-assign.html>

~~~
aplusbi
And if you are serious about relicensing your code under a commercial license
in the future, there are legal reasons to do this. The gnu project is pretty
trustworthy, but how much do you trust diaspora?

------
mathgladiator
It seemed to me that Diaspora is trying to hold the code and project together,
and the open source community isn't exactly the best for holding code
together. We have forks all over the place. I've got a fork, you've got a
fork; we all have forks and no spoons.

Is it better for the world for the open source community to fork left and
right and ultimately risk fragmenting the market to fail to compete against
facebook, or is it better for the open source community to work together as a
singular voice and produce something spectacular?

I remain neutral in the answer, and I think Diaspora has a difficult path
ahead of it.

It would be more interesting in my mind if the community actually worked
together rather than forking to compete against Facebook. What if this was the
opportunity for the open source community to rise up as a single voice and
strike Facebook down? After all, we failed against Microsoft. Can we learn from
our marketing and sales mistakes with Desktop Linux to strike a blow to closed
source software? I don't know if it is this project or some future project. I
don't know if it is the slow march that will prevail. All I know is that the
more we fragment, the easier we are to discount.

Well, I'm going to shave my beard now.

~~~
jarin
I totally agree, and I think the best way to get the community to work
together and prevent forks is with a less restrictive license and no
contributor agreement.

~~~
jarin
I hope it didn't come across as nerd raging. Well, I guess it _was_ nerd
raging, but I really do want the project to succeed.

------
kevintwohy
A better title might have been "Some thoughts on the Diaspora software license
and contributor agreement."

It's alpha software. It's not perfect. They're not going to get everything
right on the first go, be it software bugs or maybe-too-restrictive licensing.
Let's give it more than 24 hours before declaring it 'dead.'

------
TamDenholm
_Use an extremely restrictive and viral license that will force companies and
"serious" developers to release the source code of derivative works._

Wasn't that kinda the entire point of diaspora, to be open, this is really
just the guys ensuring that it stays that way. Sure it sucks that you need to
sign a contract but in order to maintain that it remains open, it needs to be
restricted.

Yes, I know how that sounds.

------
guelo
I can't stand anti free software zealots like this guy.

~~~
jarin
I'm not anti-Free Software. I'm all for it. I make my living off of it, and I
contribute regularly to open source projects. I'm anti-Overly-Restrictive-and-
Innovation-Stifling-Licenses. You'll note that I recommended that the BSD
license would be way more appropriate for this project.

~~~
zdw
Snarky translation: I'm all for embrace and extend of other peoples, just like
late 90's Microsoft. Look at how well that worked for everyone.

BSD licenses are great and all, but often lead to a situation where the
original developers get used with little to no compensation in return in terms
of code improvement or financial benefit. A great example of how annoying this
can be to the original developers - look at the bottom paragraph of
<http://openssh.org/>

My take on the whole thing - they should have published a spec, with hard and
fast guidelines for interaction and preferably a protocol verification test
suite, rather than code. Then release an implementation with a license that is
GPL or proprietary or whatever - just make it so that 3rd parties can write
interoperable code if they want.

To put this succinctly, we need the "HTTP" of social media, not the "Apache"
of social media.

~~~
raganwald
_To put this succinctly, we need the "HTTP" of social media, not the "Apache"
of social media._

That is very deep and it applies to a LOT of different "markets," not just
social networking. A truly open standard API for interoperability is a very
different thing from a truly open standard implementation.

------
cies
AGPL + contrib agreement is a way to ensure that commercial investments in
open source projects are more likely.

everyone may use and modify it, but has to disclose its modifications. (since
it's AGPL'ed)

contributions that find their way back into the parent project (diaspora) must
sign the contrib agreement so that diaspora can license it commercially under
terms they pick. this allows them to potentially make some money selling
commercial licenses. investors need this security because they do not want to
invest in a product that everyone can exploit equally.

i think the model is valid and fair. it works for the company i currently work
for (zarafa.com).

jarin has the right to not like the license, sure. but if he used his patches
to serve a diaspora instance from heroku to anyone besides himself he should
(AGPL) disclose those patches. of course this does not mean he should sign the
contrib agreement, but that would limit the impact of his work...

jarin calls diaspora dead. i think that's unfair. they did a great job and it
will be nice reference material for a rails3+mongodb+haml+jquery+websocket
project. good choice of technology in my eyes! (thank $DEITY for not going
with php)

------
shib71
1\. It is absurd to expect to be able to make money from the work they are
doing. That said, they may need to make accommodations to allow commercial
plugins / complementary services.

2\. The "you give your contribution to us" clause is standard in any open
source project. How, for example, will they be able to update the project
license if they don't own the copyright?

~~~
jarin
1\. They're allowed to make $200,000 off of the community but other developers
aren't?

2\. That's not the problem. The problem is making developers sign a contract
just to contribute to the project.

~~~
fleitz
2\. Open Source projects require that you sign your copyright away and assign
it to them or offer them a license on compatible terms with their license.
Signing a contract to assign your rights or offer your contribution under AGPL
is standard fare. How many open source projects did you contribute to where
you DIDN'T have to assign your rights?

1\. They didn't "make" $200,000, they got $200,000 in donations, and yes,
people should be allowed to accept donations. If you don't like the terms,
don't donate. I'm sure the Diaspora guys would love it if someone put up
another kickstarter page accepting donations towards contributing to the
Diaspora code base.

~~~
aplusbi
>How many open source projects did you contribute to where you DIDN'T have to
assign your rights?

The Linux kernel doesn't require copyright transfers. Most open source
projects don't either (though many require a contributor license agreement).

~~~
shib71
Linux is well established - the licensing terms are unlikely to change and the
community understands (independent of the legal agreement, which they mostly
don't) that once they contribute code it is out of their hands.

The business of Diaspora is just as green as the code of Diaspora, and
requiring copyright transfer is a very sensible way of anticipating the
inevitable pivots.

------
loup-vaillant
This guy apparently hasn't heard about the freedom box.[1] It's not out, but
it's doable, and once we have it, self hosted Diaspora seed will be a matter
of plug and play.

Therefore, we have no need for huge, scalable seeds. And despite the AGPL,
profitable companies _can_ make money out of Diaspora: contribute => make the
freedom box more attractive => sell more freedom boxes. Pure software
companies can be paid by hardware companies to do this job, everyone's happy.
Equating profitable with "proprietarizeable" is quite a stretch.

I feel like I'm stating the obvious, here. Could I be missing something?

[1]: <http://wiki.debian.org/FreedomBox>

~~~
jarin
Maybe that there is a hugely popular free, zero-installation social network as
Diaspora's primary competitor?

~~~
loup-vaillant
Free? _Free?_

Let me put it this way. Say you have a Facebook account. Say you use it as
intended: by doing most of your (semi) private communication through it.

Now, how much would I have to pay you for you to surrender a copy of your
Facebook account, with your wall, your past conversations, and a copy of what
your friends let you see? Promise, I won't do anything bad, but please sign
this little paper that lets me, just in case.

That's the real price of using Facebook. Either you really think your price is
$0, or you didn't think this through (most people don't, which is why I think
Facebook is so popular). _My_ price is $you_can't_afford_it.

(Edit: I forgot to mention advertisements, but I don't know how much they
really cost me.)

~~~
jarin
Diaspora is asking users to do the exact same thing: give up their Facebook
accounts and start over on Diaspora. In order for that to happen, there needs
to be a serious incentive for users to move over.

"It's open source" is not going to cut it for anyone but a subset of techies.
Data portability probably won't be a big incentive for most people either,
considering you can't even get them to back up their hard drives. Although I
think it is a pretty cool idea (and I would like to have one), I have serious
doubts that "you can pay us for a thing that you plug into your wall and your
profile lives on it" will be much of a sales point for most people either.

~~~
loup-vaillant
Fair points. However…

(1) Diaspora does _not_ ask you to surrender your data to _anyone_. You host
it yourself. At home.

Now there's still the switching business. As far as I know, Diaspora shall
communicate with existing social networks, and offer automatic import for your
remote data. So, the transition really amounts to: buy the FreedomBox, plug it
in, and push a few buttons. From there you feel no change, except for the eye
candy.

No change, no cost. Sure, Zuck will still spy on you while your friends are
still at Facebook, but as they move, he progressively won't be able to. The
same mechanism can apply to gmail: when you move out, you can still send and
receive emails, and you are spied on by Google when you communicate with a gmail
user (but only then). I glossed over encryption, but that's the idea.

(2) Well, you nailed it: convenience trumps everything. It's like Maslow's
hierarchy of needs, but for the "average consumer". Concrete and immediate
needs, like convenience, are at the bottom. More abstract and remote needs,
like freedom, are at the top. That's not how it should be, but I'm a bit
guilty of this myself.

So, I agree that if the FreedomBox isn't as convenient as services on the
cloud, it won't be used. I just believe that it can be. Heck it will even do
automatic distributed backup. It could even do High Availability with your
mail server (and your web servers if we manage to actually change HTTP to look
up srv records).

Now, I reckon the FreedomBox is like Diaspora 2 months ago: vaporware. For
now, we can only wait, see, and contribute. But I'm confident. An iPhone-like
success in 2 years from now as predicted by Eben Moglen seems actually quite
realistic.

------
tmugavero
I appreciate what they are doing and really want this to succeed, but with
this (maybe a little premature?) release it seems they are alienating their
early adopters right off the bat with licensing questions and shaky code (and
bad press). Sure it's pre-alpha, but once someone has an opinion it's hard to
change their mind later, even if their first impression was based on false
information.

Their biggest challenge however isn't code but rather getting the 500+ million
people who don't care about private seeds to go through some clunky
prohibitive process and start all over again. That's not to mention getting
the millions of websites already building on top of FB to change.

------
jaekwon
I'm not familiar with the AGPL. Does this mean that I cannot modify the
Diaspora source code to run on my server for my business needs, without giving
joint ownership of my modifications to Diaspora? / without releasing the
modifications to the public?

OK that's a letdown.

~~~
drdaeman
Yes, it means that you have to allow your users to access any modifications
you did and freely use and redistribute them further under AGPL.

The _only_ problem I see here is site design - companies certainly won't like
that their corporate style will be used freely. Hope this'll be worked around
somehow (trademarking?)

About the code itself - Diaspora is a _distributed_ system, so IMHO it's quite
absurd to attract users with some proprietary installation-unique features.
Diaspora is more of a network, not a product. Imagine some ISP creating their
own proprietary extensions to the TCP protocol - sounds weird, right?

~~~
jarin
Actually it's not so absurd to want to build in proprietary features. Let's
say Yahoo! wants to create their own seed for their users, but they want to
tie the user accounts to their internal, confidential authentication systems.
It is both completely disadvantageous for Yahoo and has absolutely no benefit
for the OSS community for Yahoo to adopt Diaspora in that scenario. And I'm
sure there are a lot of companies and developers out there who have unique
features to add to their seeds that have absolutely no relevance to the main
codebase or other developers.

~~~
drdaeman
I see no real problem with this. They just have to write a dummy AGPLed adapter
module, querying a proprietary RPC service (or they can even use OpenID/OAuth
internally). There won't be anything confidential more than a curious user can
find out, inspecting his browser's requests with a completely proprietary
service.

------
obiefernandez
A good, recent article about contributor vs. participant agreements. (Also a
good primer on the subject)

<http://opensource.com/law/10/9/copyright-aggregation>

~~~
jarin
It seems like the sole reason for aggregating copyright in this manner is to
be able to dual-license the source code to companies. So basically the
community is more than welcome to help improve Diaspora (and by releasing at
such an early Alpha stage, it's all but certain that large amounts, if not the
majority of the code will be written by the community), but only Diaspora has
the right to make any money off of it.

~~~
mindcrime
> but only Diaspora has the right to make any money off of it.

That doesn't follow. Anybody can take the AGPL'd codebase and make money off
of it. It's not necessary to distribute something as closed source in order to
make money, ya know.

That said, I hate the AGPL, simply because I disagree with trying to redefine
"providing a service using Software X" as "distributing Software X." I'd have
preferred to see them go with the plain old GPL, if they wanted a "viral"
license. But whatever... it's their project.

~~~
jarin
I'd be ok with the regular GPL at this point.

------
naner
Really this is the least of their problems.

------
kuahyeow
I like to compare it with WordPress, what with wordpress.com and wordpress MU,
etc. Rails and AGPL vs PHP and GPLv2. Admittedly Diaspora are two steps up on
the language and license stakes but I don't think that's a real road-block.
That's probably just small stakes. If it's popular enough, site providers will
fall over themselves to enable 'installation' of Diaspora. People (theme
designers mostly) complain about GPL in WordPress too, but lots of web
designers are making custom WordPress sites and making money off it too.

~~~
jarin
Rails is MIT-licensed:
<http://github.com/rails/rails/blob/master/railties/MIT-LICENSE>

~~~
kuahyeow
Diaspora is AGPL <http://github.com/diaspora/diaspora/blob/master/COPYRIGHT>

