Actually Diaspora hasn't spent any of their money with us, (us = Pivotal,) we're just giving them space to work in, and occasional advice when they ask for it. It's been fun to have them around, and we're glad they're open-sourcing and getting feedback like this.
That's for super-power-users, maybe in 5 years for advanced users. If you attempt to do this with either an unsupported browser or on an unsupported website your browser will act very non-userfriendly, like by opening the dropped file. Because of this it would be foolish and dangerous to even inform the vast majority of users of this feature.
From my observation their UI is just copied Facebook UI. And my issue with this is not lack of originality. Rather it's the fact that people will now compare Diaspora functionality with that of Facebook. Furthermore anything working differently will lead to frustration, as certain behaviors are expected.
Perhaps, but I'm not convinced. If you are going to have similar features and interface your only advantage left is The Fear of Privacy. And frankly, it's getting a bit old. It's the Facebook and Google that will change people's expectations and habits. You can create something that will work better but I see it as those auto-destructing emails. No privacy is better than false privacy.
drag and drop uploading is like 10 lines of code for the usual suspects.
Not taking anything away from the diaspora guys, I haven't tried the application, just mentioning in case anyone thought drag and drop was too much of a hassle to add to their app, it can be done in a few minutes.
There is this famous story about a consultant who is called in to find the error in an expensive machine. After a while he marks a place on the machine with a cross. The bill is 100000$: 0.01 for the chalk used to make the cross, 99,999.99$ for "knowing where to put it".
The story is Tesla visiting Henry Ford to fix some electric motors he had on his production line. The amount of the bill was $10,010. Ford called him up later to ask why ten thousand and ten, when Tesla quipped the famous quote ($10 for the chalk, $10,000 because I knew where to put it).
I think it speaks to the support network available for entrepreneurs in NYC. Charlie O'Donnell of First Round kicked it off, from what I recall, with this post advising Diaspora on how to make it through the immediate chaos and get to building. Many people spoke up via blog posts and tweets to suggest simply getting to work as quickly as possible and to not set the vision too high yet.
I'm really disappointed to see that the team has decided that instead of learning about an existing standard (XMPP) which fits the purpose perfectly, they've decided to begin defining their own protocol, which will go down the same path but with less rigour and a whole lot of wasted time. Eventually it will have to be trashed in favour of something more robust.
If that's what they've spent the last three months working on, they've had some bad advice. I thought Pivotal were all about "just get the damn thing done" and so would have encouraged them not to waste their time.
We are indeed all about being pragmatic. I think a lot of our pragmatism has rubbed off on the Diaspora folks, but do keep in mind that we're not really advising them in any formal capacity. (Other than the occasional conversation over breakfast, or when they ask about ideas.) I'm sure if you asked them about their choices, they'd be very happy to take in new ideas. Not to speak for them, but I think they're just trying to get a concept out and iterate on it. I think Ship it Squirrel would approve.
i really wonder how long the "community" is going to humour these developers. it's really about time we realize that a bunch of people got tricked into giving some students a bunch of money to hack on a fun project over the summer because they were led to believe that it would be something more than it ever was going to be. they failed to produce anything useful, or even a good starting point for a larger project. they have made poor decisions, have been far-from-transparent, and i don't see how anyone in their right mind would want to hop on board and commit a bunch of their time to this project.
is it just the publicity? how long can everyone ride that, and why would anyone with a clue think that's a worthwhile endeavour.
i've read through the developer mailing list and it's a bunch of arguments that essentially boil down to opinions about what this project "should be", and technical discussions by admitted non-experts about topics that are extremely fundamental to the success of this project. with 200K, and a boatload of exposure, they could have spent the summer consulting with experts, planning a viable solution. but they didn't (nor did they ever imply that they would, so no surprise here). i don't mean to sound elitist, but a viable global social networking platform should probably be designed by experts.
i'm not trolling, i'm hoping that people will read this and go "oh yeah, maybe my time could be better spent on other projects", instead of blazing onwards without looking at the big picture.
They actually explicitly dismissed XMPP (see the comment on this video from them: http://vimeo.com/13026173). They were also approached by the onesocialweb.org team to work together and also dismissed the invite.
It seems however that they plan to align with the ostatus.org protocol, but so far no documentation of their architecture and protocol has been delivered. In OStatus, the server-server messaging is HTTP based and using the PubSubHubbub and Salmon protocols.
A video demo of "hey look, click here and something happens over there!" is all well and good for impressing your mother, but not entirely useful looking forward. They've mentioned concerns with horizontal scaling and yet they don't consider the obvious option - Erlang.
In their presentation for Pivotal's Tech Talks series, they dismissed XMPP on the basis of not wanting to learn about it(!). Their dismissal of onesocialweb seems inappropriate on technical grounds. Also, HTTP is not the be-all and end-all. Not everything has to be shoehorned onto HTTP...
The name reminds me of the holocaust. It doesn't help that the color theme of the app evokes Schindler's List.
You can bet for most non-US people that 'diaspora' reminds them of some sort of persecution their people have faced. It is also a word that is used in a lot of languages, I have friends who are Russian, Ukrainian, Serbian, Lebanese, Armenian, Jordanian etc. who all refer to themselves being in the 'diaspora' (i.e. persecuted people who left their homeland and are now living in the west).
actually, for most south asians, the "diaspora" just refers to the extended south asian community who have moved to the west in search of better jobs etc. there are no negative connotations to the term.
It's like at my work when I proposed that we could get some benefit from an "interim solution" until we could finish up what we were planning. Of course people started (innocently, ignorantly) calling the original plan the "final solution". Always made me cringe.
You either work with uneducated simpletons, or closet nazis and crypto-fascists. There is just no way anybody with a modicum of culture would hear "final solution" and not cringe, much less use the phrase passively in everyday non-historic conversation.
To me, as a Jew, “Diaspora” just means “outside of Israel”. Of course Jews live in so many different countries outside of Israel because of our history of being persecuted, but when I first heard of the “Diaspora project” I did not have an immediate reaction of “what an offensive name”.
I think a bigger problem might be that for the majority of people who use The Facebook, diaspora has absolutely no denotation. (And very little connotation).
Diaspora is at least an easy-grade SAT word.
Even for those of us who know the denotation, it gives absolutely no indicator as to what the product does. (It is instead a reference to how the product works... dispersed Facebook). From a marketing standpoint this is a problem.
Hopefully this will become 'the diaspora project', and they will come up with a new name for the actual results of it.
that's what I felt as well ... diaspora usually happens when a people are kicked out of their land to roam the earth among other people. Not very positive as far as connotations go. But hey, let's see what they come up with.
I'm not so sure about the name. I understand how it conveys their mission exactly and it does that really well: leave facebook (or twitter or wherever), come here. I can see how setting themselves up from word 1 as opposition to facebook has a huge amount of importance but what happens to that branding on the off chance they win?
(I know this is like planning where to put the swimming pool in your 1 bedroom apartment in the event that you win the lottery but I think the choice of name does/did have a lot to do with just how long the view of the founders was when they started.)
That said, it is currently my only quibble. I'm glad to see that things actually got done and out the door. It sure seems to have gone a lot better than anything I worked on this summer.
A diaspora isn't just about leaving a place and going somewhere else; it means roughly "a scattering" in Greek and means that a group of people are leaving one central homeland and going all around the world. Even if they win, the distributed nature of their network makes the name perfect.
I've found multiple instances of text in more or less official places containing general English problems (spelling, grammar). I'm assuming for the time being it isn't due to outright lack of fluency in English, and so that leads me to think that they just aren't putting in the [little] extra effort to proofread before publishing. It's not that big a deal, but I think it would help for them to look more polished as far as official text goes.
What? Correct me if I'm wrong, but it looks like they're just releasing the source code, not taking new users for "the" Diaspora or sharing access to any kind of central database of users. It's just a ruby web app you can download and run locally (or on a web server if you're that dumb...), right? And in that case, how is this any worse than the hundreds of other bits of (unsafe, untested) social networking code floating around the interwebs?
... is a question which would be better to answer privately, to a security contact. Use your imagination as to what the email would likely say.
This may just be a difference of philosophy, but I don't think "It isn't really a release, so nobody would be stupid enough to actually run this on a publicly accessible server." After all, consumers of The New Hotness have a lot less incentive to think through the security implications of running it than the developers did. [Edit: And the developers apparently have a publicly accessible instance running. That decision is curious.]
This will be running in production today. If very bad things happen, the TechCrunch article about it will have Diaspora in the headline.
That is enough of an incentive to have a security page.
They're currently getting coverage on the Guardian, BBC, etc, and will get it on the New York Times within 24 hours. That is about to create an emergency for them, because being the secure, privacy-aware alternative to Facebook gives people some expectations as to how the software will work. Many of those expectations match the designed behavior. None match the software as actually implemented.
They just did a media launch and they're in for their earliest users getting burned in a very painful, public manner. If this isn't an emergency, what does an emergency look like?
This is the problem with public disclosure: I could tell you, but it would practically write exploit code which you could point at any one of the "Try Diaspora now!" sites popping up and do very bad things.
Here, let me tell you what isn't a problem: you cannot type "system('rm -rf /')" into their username field on the signup form and wipe any machine with Diaspora installed because some idiot passed untrusted user input straight to exec. But if that were a problem, do you understand why mentioning publicly "Hey, the username field is passed straight to exec... that's sort of bad." is a bad idea? Because that lets any idiot immediately create wipe_arbitrary_diaspora_install.rb
There are several vulnerabilities in Diaspora right now. They allow very bad things. There are multiple public Diaspora installations. They are all vulnerable to very bad things.
If you're smart enough to get code from github working on your own box, paranoid enough to worry about facebook's control of your data and be interested in an alternative, and savvy enough to get wind of such an early release, I don't think you're going to put anything that sensitive in this network!
They don't seem to be publicizing it, but there's a live version up at a subdomain of joindiaspora.com, which people are sharing on diaspora's facebook page. Won't link here because of the concerns above and because it's creaking under the load already.
>Feel free to try to get it running on your machines and use it, but we give no guarantees. We know there are security holes and bugs, and your data is not yet fully exportable. If you do find something, be sure to log it in our bugtracker, and we would love screenshots and browser info.
There exist publicly accessible Diaspora instances, and there will be more by the end of today. That was entirely predictable, since it has been marketed as the host-your-own federated Facebook. There is already someone on the mailing list asking how to let people use his from outside his university network, because they firewall non-80 ports. If he figures out how to configure thin, bad things happen.
Any disclosed vulnerability is an exploit roadmap for these public instances. Speaking generally, exploits of public web apps can sometimes be pretty severe. Yes, the software is immature, but is now immature and an attack vector.
There's no marginal benefit beyond what putting a security warning message on the download page would get you. In fact, filing a public bug would probably be less effective in preventing harm than such a message would be. The marginal cost is significant.
There's actually more of a case for disclosing security bugs in established products if the vendor doesn't respond quickly enough. If people are relying on a product for critical uses, having information that lets them minimize their risk could be helpful. I don't see the benefit in this case.
If it's true that for a social network to be successful it needs some quick growth at the beginning to have a critical mass, then Diaspora is in trouble. They're in trouble because they release non-usable alpha versions of their code, lose the buzz ("Diaspora released another version today, X works now, but it's still not good enough to replace Facebook."), and by the time they have a 1.0 version nobody's going to care.
I'm saying it might not make sense to develop software in an open-source manner whose existence relies on viral growth of users dependent on a one-off buzz generated when the 1.0 is released.
My question was, does Diaspora actually have such a process?
It seems to me their approach is to get power-users like HN folks on-board first. Conveniently, we are also the users who would run servers for our friends or do a startup that would do Diaspora hosting. But that's my point. If we keep seeing these alpha releases, it will lose the buzz, and it'll never reach critical mass / momentum. E.g. this release is so minimal, I really don't care. Tell me when it's 1.0.
Many of the exciting new open source projects seem to have a huge focus on UX. I love this. Open source has always seemed to have a stigma of 'unusable' and these initiatives are really going against that notion. Diaspora, jQueryUI, SproutCore, Cappuccino..
I use exciting not as personal excitement here but by the community excitement around these projects. Whether it's press coverage, developer buy-in or user elation.
If you set out to make a private social network, though, it's not that easy. Now, instead of trusting facebook, you'll have to trust ALL of your friends' hosting providers. For example, with diaspora, someone at mediatemple can in principle peek at the contact details you have synced with any of your friends. How is that any more secure?
What this is, is decentralized. Which is still really cool!
You are right about having to trust too many different hosting companies or people who install it and make it public, but there should be a way to tunnel directly through to another user with everything in the middle just seeing an encrypted data stream.
However, how about a simpler scenario: you set up on one of your servers and only invite your family to join. Another instance for a club, etc. Have a very easy export/import mechanism to push material in your account in one group to another, under your control.
Their app is running on someone's hosted server. You can of course have complete security BETWEEN servers (as these guys say "PGP for you privacy nerds") but ... you still have to trust everyone's hosting company.
A single hosting company hosting 1000 diaspora accounts can compromise details of 127,000 accounts, if each diaspora user has 127 friends on average.
As far as setting up social networks on a server, there are plenty of those ... dolphin, elgg ... and they are quite good. If you want it to be decentralized nodes, you are stuck trusting everyone's hosting providers to not peek at the data you are sharing. Which imho is worse than trusting only facebook in terms of privacy.
On the other hand in terms of everything else, decentralization is a huge WIN! Such as scaling and uptime.
I was kinda expecting more with funding, an office, and a semi large team.
I have personally been working with my co-founder with zero funding on an MMORPG social start-up that brings the best features of Facebook to another group of people. We have implemented real-time features through Erlang (including Chat and Streams), data collection/aggregation from games, and far more. (http://www.guildwork.com/blog/ if anyone is interested, it's our public testing site, we have not launched). Anyway I guess my point was if 2 people with zero funding and no office can accomplish that, I certainly expected more from them. But to be fair we've been killing ourselves slowly by working as hard as we do, maybe they took a relaxing approach. =P
Also for something that is meant to be distributed Rails does not seem like a very good choice.
Just my 2 cents, hopefully open sourcing it will pick things up.
Agreed. The UI isn't even that good. They paid a company to tell them to copy Facebook, but ghettoed it. The funding definitely went to people who were not ready for this. They had 4 developers on this, you'd expect more polish. Just feels like a regular crud app with flash sockets, won't work on iPhone/iPad without a lot of tinkering. Am I being too harsh?
In my perspective I was leaning more toward having funding for a designer (I assume they paid 10k for http://luxr.posterous.com/ or got it free). I am not a designer, but since we have not hired one, I am the one doing the designing and ending up spending more time than I should and hating what I come up with. I am also the main engineer on our project so that's time I could be putting to making code/features better.
"Is there additional insight into what "aspects" are, though? It confuses me - will it confuse an ordinary user?"
This is a pet peeve of mine, using extremely generic words to describe an important part of what you are working on. "Object Oriented Programming" got away with it, but that is aimed squarely at developers. I don't think you want words like "aspect" in front of actual users.
I've noticed this a lot in academic research, also. I lost track of how many different ways I saw the word "feature" overloaded in different fields.
And perhaps the initial aspect names and all other strings should not be hard coded in English into the product. Yes, it is pre-alpha, but it will be a pain later to replace all strings with the #t helper and keywords.
I think that since the community funded this project that the code should have a more liberal license so that the community can do what they want with it.
The project also depends on MongoDB, which is also AGPL licensed, which raises the question of if paid hosting of a diaspora instance is 'commercial' and if it requires a MongoDB license from 10gen, I would think that it does.
They should BSD/MIT license their own code, and build more storage options outside of MongoDB. I am surprised that donors didn't insist on a license as part of the kickstart funding.
Only the MongoDB server is AGPL licensed, all of the official clients are Apache licensed; you're free to use mongo for commercial hosted services without getting a commercial license from 10gen provided that you publicly release any changes that you make to the server codebase - you're never required to release the code of your actual application (provided that you're using one of the official clients).
The AGPL (like the GPL) does not allow adding more restrictions. You do not need any further license to use AGPL licensed code in a commercial product, you just have to abide by the license terms of the AGPL.
I assume the 10gen commercial license allows you to avoid having to provide source code for your product to your users (but the mongodb website isn't clear about that).
I would like to make it clear that users of MongoDB don't need to opensource their product, only their changes (if any) to the MongoDB server itself. The commercial license is mostly for companies that have strict (if misguided) "no AGPL" policies. Most users do not need it.
MongoHQ and other companies providing commercial hosting of MongoDB only need a commercial license if they modify the server and don't contribute back. We want to encourage hosting providers which is why we don't require buying a special license.
Damn, I was all excited until I saw that. I think it will probably stifle the spread of Diaspora after the initial excitement dies off. For example, it would make it difficult to run a server with a different theme/UI and custom modifications (maybe some that would help pay for the costs of running the server), and it seems like it would limit Diaspora server ownership to solo techie enthusiasts (maybe with friends and family but no serious mass adoption).
I'm all for free software and all that, and GPL is great for infrastructure software like web servers and databases, but I think a BSD license would probably work better overall for Diaspora adoption and for encouraging more serious developers to work on it.
I think CDDL would potentially be a better license. That would force returns on existing files in the project (keeping it from going closed), but if you have your own changes outside of those files, you should be OK (allowing you to commercialize your enhancements).
There are a bunch of open source social networking projects out there. One is Appleseed, which has been in active development since 2004, open source since 2005, and has had four releases in the past 3 months.
there was something called "AroundMe" which was at first the usual walled-garden social network software. But then they changed their philosophy to make it like what Diaspora is now. I guess it started sometime in 2005. I edited the older version of their software to set up my own social network.
What Diaspora really needs now is some startup, some well-known developers, or the Diaspora crew themselves to stand up and say "Okay, now we're going to use this framework to build a very real social network." Until then, it's just some people building out some cool ideas. Don't get me wrong, that's great; it's just hard to rally around it without getting something concrete behind it.
I'm not sure what the end product will look like or what the functionality will be, but when I think of "distributed social network" I'd like to see something like a HN node, a reddit node, a Digg node, a Slashdot node, etc., where they all communicate with each other and aggregate updates from all those platforms, so that if I make a comment or submit a story on one site, it shows up on the "social network" part of my profile across every other site. A bit like FriendFeed, I suppose. If large sites adopted it in that way, it could certainly become a "very real social network."
I would like to see (and if I get the time, or a client who needs it I will look into creating) a Diaspora plugin for wordpress, as opposed to that dreaded buddypress. It (to me) would have the same appeal as disqus etc with you being able to use the same account to connect across the web, with different "seeds".
They are building social networking software which means that at some point the goal will need to be to get everyone and their mother on board. Because they built the app on Rails, they are now facing an uphill battle with distribution as there are not a lot of places that you can easily set up a Rails site.
I love Rails but for this type of app, it might have helped them gain traction faster if it was built on PHP, or was even just a massive plugin for WordPress.
Now if a lot of people really seem to love Diaspora and demand for Rails hosting increases dramatically, I'm sure hosting providers will take note and increase their commitment to Rails. That would be an ideal situation, but not a likely outcome.
> I love Rails but for this type of app, it might have helped them gain traction faster if it was built on PHP, or was even just a massive plugin for WordPress.
This is one thing I hope they get right: it's the right thing to do to focus on a first implementation, but in the end what is more important is the protocol that emerges from that. If the underlying protocol is solid then you will get independent people writing ports of it to every language under the sun in no time. On the other hand if the underlying protocols are either flimsy or technology dependent (specific to ruby or some other part of their stack) then it's going to really limit how much this can spread and how much involvement they get.
I'm dealing with this right now, as I'm pretty interested in Diaspora's architecture. Since Fedora (13) ships with Ruby 1.8.6, it looks like I'll be building a standalone version of ruby just for this (requires Rails 3, released a couple of weeks ago, which in turn requires ruby >= 1.8.7).
Rails is a perfectly good target for this, IMHO; I'm a Python guy and would have preferred Django, but that's a bikeshed as far as I'm concerned. And, for a dev release, depending on a just-released version of a major framework isn't a huge deal, as long as they understand that it's going to be a barrier to entry for quite a few people until distributions have caught up.
It only took me 10 or 12 minutes to get it set up and running, but I already had a mongod running on my laptop and all 5 popular rubies installed with rvm (with most gems already installed). Still, follow the readme file, and it is fairly easy.
i don't think the end goal is to get everyone to be running their own server. the data will be distributed among many different servers but surely there will be providers that come along to host data for large groups of people.
Sure, the goal might be to have everyone on their own installation of it but it would be a reasonable expectation that a lot of people would want their own installation (as demonstrated by WordPress.org's bazillion downloads per micro-second) since part of the promise is owning your own data.
The fact that they are using rails demonstrates more newbie-style cluelessness, to me. Not even remotely a good choice. But, the sort of things 4 guys fresh out of college with no experience would think was the obvious choice.
For some reason I thought that development was being done in php.
Other than that I'm somewhat dismayed that their open source release isn't actually running on some site and says run at your own risk due to security issues. Edit: (Looks like there is a demo in the comments here but not open to sign up)
Hopefully development continues quickly enough that it escapes into the public before the tech hype is gone.
I've installed and played with both, but I'm still not sure how things will develop if social networks become more "distributed." Ideally, in my opinion, sites should be able to run any social software, whether Appleseed, Elgg, or Diaspora, and they could all interconnect and push updates to each other, somewhat similar to the many available options for blogging software all syndicating via RSS. I'm glad that there has been so much interest and publicity surrounding Diaspora, since it will benefit this new type of social networking and help it grow, no matter what platform or language each client is built on!
Some people like to use explicit self to differentiate methods from local variables. Also, there are consistency issues. Explicit self is required for attribute writers and implicit self can call private methods on parent classes. Personally, I'm not a big fan of implicit self.
MongoDB is an interesting choice. I haven't used MongoDB, so I might be misunderstanding a design decision made by the MongoDB developers, but isn't it possible to get into a situation with MongoDB where the writes are delayed and, as a result, new records (documents) added to a database might not show up on the following reads (so a user might post a status update, but then he/she might not see it added to his/her status updates page when the page reloads)? Or perhaps the Diaspora developers decided to commit writes to the disk immediately at the cost of performance? Just curious.
With a distributed social network, I'd imagine that it's okay if data is a second or two out of date, so it should be cool.
> but then he/she might not see it added to his/her status updates page when the pages reload
Even if it were to happen, you're assuming a page loads when they make a comment. ;) This shouldn't happen until there are extremely high loads, but even then, just don't make the comment box reload the page, insert the comment into the DOM, and make your POST with AJAX. ;)
Looks ok, not as good as I was hoping (though I realise they are working on back end stuff).
Fancy front end things, though, are just overkill at this point. Next they must nail the interface or people will not use it. Random example; "all aspects" needs to change to something else (or they need to aggressively teach people what an aspect is).