It's pre-alpha. I've yet to take a look at the repo, but any software that isn't full of security holes, bugs and flaws at the pre-alpha stage is probably ready for an alpha release. In other words: No duh.
It would actually be surprising to read the headline: "4 students develop bug free, totally secure social networking platform in 3 months"
That being said, I'm excited to see how the project develops -- it's the kind of project that I wish I had the time to contribute to.
What is the difference between a pre-alpha release, an alpha release, a beta release, and a public release, from the perspective of a 20 year old college co-ed who is looking at an IM window saying "Hey, Facebook doesn't respect our privacy. Come sign up for Diaspora (linky), it is like Facebook except they won't send your photos to your mom."
Yes and no. It got a lot of press outside of regular tech circles, and it's also attracting a lot of people who don't even know Ruby. Earlier today I fixed someone's bug report by showing them which half of "<<<" "===" ">>>" to remove from their Rakefile because of a bad merge. Many of the people who've subscribed to the list are incredibly inexperienced.
Heh, then maybe I'm not missing much. I subscribed, noticed it was filling my inbox (and thus making my phone beep), created a gmail filter for it, and promptly forgot I subscribed. 24 hours later, reading your comment makes me not want to really open up that label.
We all started somewhere and were inexperienced, but there was a time, before Google Groups, where the ability to signup to a mailing list was a small hurdle that helped weed out some of the mailing list distraction. September never ends.
Indeed, maybe, just maybe, a 1000 freshmen will install it on their machines tonight, it will wipe those thousand laptops tomorrow and destroy a thousand career the day after, in a similar fashion to how a 1000 freshmen destroyed their careers by dropping acid on Tim leary's suggestion in 1969.
Let's think about what Richard Feynman meant when he said "what do you care what other people think?"
It's been released as pre-alpha. That's responsible. If it has a greater magnetic attraction to naive early adopters than other software, whose problem is it? Ours or the Darwin Awards?
Since the sentiment here and in the article seems to be overwhelmingly negative, I'm curious what people think the Diaspora team could have done better. (Not rhetorically, actually curious.)
I guess "be experienced web developers" (or hiring some) would have helped them to avoid writing insecure code. Retaining a security consultant would seem extreme given that this is an early code-only release.
Is their real mistake simply not doing more to counter the hype? I mean, if you take some code you hacked together over the summer, put it on Github, and non-developers start clamouring to use it, that's a vanishingly improbable best-case scenario for some software developers (at least you think it is until you get the bug reports :)). I guess they should have gone out of their way to say "please don't host this without big scary BETA warnings"?
It seems like the most irresponsible parties here are whoever is hosting these services that uninformed members of the public are signing up to.
The thing is, the errors they've made are so basic as to raise questions to their competence. I don't want to give too much away, but think "absolutely no permissions checks anywhere." Think "base64 is not encryption."
They did say in their blog post that there were known bugs and holes. At the bottom. As the last sentence or two. But that's not stopping anyone...
There's only so much you can expect in such a short period of time from a few guys with little experience. I want them to succeed, but they need to develop or hire better engineering talent.
Hiring the UX firm to get that piece right was a smart decision, since UX sells products. But, the product they're selling is a secure, distributed social network--my hope is that they realize this and get help from an outside security expert.
The real value these guys provide is their vision and initiative.
Privacy was the key kickoff point in the first place. You can't have good privacy without good security. When these are your primary reasons for getting started, your 'user experience' has to entail security.
There's load of social networking platforms already far more mature that offer better security, permissioning, and many might say, an overall better user experience (elgg and buddypress spring to mind as names, although I won't say they're necessarily better UX).
Diaspora got a HUGE publicity boost from Facebook's earlier privacy blunders this year, and may be able to ride that wave a bit longer, but the 'federation' aspect they want to add could possibly/probably be added to existing product. Perhaps other products are considering this already? As someone else said yesterday, having an 'HTTP' for social media would be more important than having an 'Apache' for social media.