
It's pre-alpha. I've yet to take a look at the repo, but any software that isn't full of security holes, bugs and flaws at the pre-alpha stage is probably ready for an alpha release. In other words: No duh.

It would actually be surprising to read the headline: "4 students develop bug free, totally secure social networking platform in 3 months"

That being said, I'm excited to see how the project develops -- it's the kind of project that I wish I had the time to contribute to.

That isn't stopping tons of people from creating hosting services, and tons of other people from signing up.

And people were breaking skulls when roller blades got hip back in the day.

If the roller manufacturer put a big warning on their packaging, whose fault is the accident?

I agree with you, but the kind of insecure this is isn't just an 'oops, we screwed up, it's alpha!' kind of insecure. It's a colossal, "I don't know how to build a web app" systemic issue.

Well let's call it "learning large"...

...serious hats off to them if they've learned enough to be dangerous (literally)...

Since the sentiment here and in the article seems to be overwhelmingly negative, I'm curious what people think the Diaspora team could have done better. (Not rhetorically, actually curious.)

I guess "be experienced web developers" (or hiring some) would have helped them to avoid writing insecure code. Retaining a security consultant would seem extreme given that this is an early code-only release.

Is their real mistake simply not doing more to counter the hype? I mean, if you take some code you hacked together over the summer, put it on Github, and non-developers start clamouring to use it, that's a vanishingly improbable best-case scenario for some software developers (at least you think it is until you get the bug reports :)). I guess they should have gone out of their way to say "please don't host this without big scary BETA warnings"?

It seems like the most irresponsible parties here are whoever is hosting these services that uninformed members of the public are signing up to.

The thing is, the errors they've made are so basic as to raise questions about their competence. I don't want to give too much away, but think "absolutely no permissions checks anywhere." Think "base64 is not encryption."
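The two flaw classes the comment hints at, as an added illustration that is not part of this thread or of Diaspora's code: an object lookup with and without an ownership check (plain Ruby standing in for Rails models; the `Photo` struct, `PHOTOS` table and user ids are constructed), and base64 "protection" beside real authenticated encryption.

```ruby
require 'base64'
require 'openssl'
require 'securerandom'

# Constructed sample records standing in for Rails models (not Diaspora's data).
Photo = Struct.new(:id, :owner_id, :caption)
PHOTOS = [Photo.new(1, 10, 'alice beach'), Photo.new(2, 20, 'bob party')]

# Missing authorization: any caller can fetch any photo just by guessing its id.
def photo_without_permission_check(_current_user_id, photo_id)
  PHOTOS.find { |p| p.id == photo_id }
end

# Authorization: scope the lookup to the caller's own records, the way
# `current_user.photos.find(id)` does in Rails, so foreign ids return nothing.
def photo_with_permission_check(current_user_id, photo_id)
  PHOTOS.find { |p| p.id == photo_id && p.owner_id == current_user_id }
end

# Base64 is an encoding, not a cipher: whoever holds the string recovers the
# plaintext with no key at all.
def base64_recoverable?(secret)
  Base64.strict_decode64(Base64.strict_encode64(secret)) == secret
end

# Actual confidentiality and integrity: AES-256-GCM with a fresh random nonce
# and an authentication tag that detects tampering or a wrong key.
def encrypt(key, plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  ct = cipher.update(plaintext) + cipher.final
  { iv: iv, ct: ct, tag: cipher.auth_tag }
end

def decrypt(key, blob)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob[:iv]
  cipher.auth_tag = blob[:tag]
  cipher.update(blob[:ct]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # wrong key or modified ciphertext: refuse rather than return garbage
end
```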

They did say in their blog post that there were known bugs and holes. At the bottom. As the last sentence or two. But that's not stopping anyone...

There's only so much you can expect in such a short period of time from a few guys with little experience. I want them to succeed, but they need to develop or hire better engineering talent.

Hiring the UX firm to get that piece right was a smart decision, since UX sells products. But, the product they're selling is a secure, distributed social network--my hope is that they realize this and get help from an outside security expert.

The real value these guys provide is their vision and initiative.

Privacy was the key kickoff point in the first place. You can't have good privacy without good security. When these are your primary reasons for getting started, your 'user experience' has to entail security.

There are loads of social networking platforms already far more mature that offer better security, permissioning, and many might say, an overall better user experience (elgg and buddypress spring to mind as names, although I won't say they're necessarily better UX).

Diaspora got a HUGE publicity boost from Facebook's earlier privacy blunders this year, and may be able to ride that wave a bit longer, but the 'federation' aspect they want to add could possibly/probably be added to existing product. Perhaps other products are considering this already? As someone else said yesterday, having an 'HTTP' for social media would be more important than having an 'Apache' for social media.

What is the difference between a pre-alpha release, an alpha release, a beta release, and a public release, from the perspective of a 20 year old college co-ed who is looking at an IM window saying "Hey, Facebook doesn't respect our privacy. Come sign up for Diaspora (linky), it is like Facebook except they won't send your photos to your mom."

Indeed, maybe, just maybe, a thousand freshmen will install it on their machines tonight, it will wipe those thousand laptops tomorrow and destroy a thousand careers the day after, in a similar fashion to how a thousand freshmen destroyed their careers by dropping acid on Tim Leary's suggestion in 1969.

Let's think about what Richard Feynman meant when he said "what do you care what other people think?"

It's been released as pre-alpha. That's responsible. If it has a greater magnetic attraction to naive early adopters than other software, whose problem is it? Ours or the Darwin Awards?

If one doesn't care about the PR backlash from a thousand people losing their data, why care about the people pointing out the flaws beforehand?

Sure, the names don't mean anything. Gmail was in beta with millions of users for years.

However, the Diaspora github readme says this in bold: "PLEASE, DO NOT RUN IN PRODUCTION. IT IS FUN TO GET RUNNING, BUT EXPECT THINGS TO BE BROKEN"

So, shame on The Register for calling this news.

Yes, as of 35 minutes ago, it says that. But before that, it didn't, and tons of people are throwing this up on ec2, heroku, and everything else: http://github.com/diaspora/diaspora/commit/e668071ea51050ae7...

Good point. I didn't see that.

Yesterday, Ars ran a front page story titled: "Open source Facebook replacement Diaspora drops first alpha"

So I'm not surprised users ran out to try it.

You're trying to say that early adopters don't know the difference between an alpha/beta release and a production release? Don't buy that.

Then you're obviously not subscribed to diaspora-discuss or diaspora-dev.

Interesting. So people who have gone through the trouble of subscribing to the development mailing list don't know that this code is nowhere near production release? That's.... odd.

Yes and no. It got a lot of press outside of regular tech circles, and it's also attracting a lot of people who don't even know Ruby. Earlier today I fixed someone's bug report by showing them which half of "<<<" "===" ">>>" to remove from their Rakefile because of a bad merge. Many of the people who've subscribed to the list are incredibly inexperienced.

Heh, then maybe I'm not missing much. I subscribed, noticed it was filling my inbox (and thus making my phone beep), created a gmail filter for it, and promptly forgot I subscribed. 24 hours later, reading your comment makes me not want to really open up that label.

We all started somewhere and were inexperienced, but there was a time, before Google Groups, when the ability to sign up to a mailing list was a small hurdle that helped weed out some of the mailing list distraction. September never ends.

And please, don't get me wrong. I love noobs. But nobody's reading the README. Nobody's reading previously filed bugs. Nobody's reading other threads on the ML. It's really, really bad.

I think part of it's that the README is SO long. They should really move the installation documentation into a different github page or something.

> any software that isn't full of security holes

Bugs sure. But not security holes. Sure no one plans for security holes, but I can say with decent confidence that the websites I write don't have any obvious security holes.

Wouldn't some security holes count as bugs?

Security holes are a subset of bugs.
