TechEcho

A tech news platform built with Next.js, providing global tech news and discussions.

© 2025 TechEcho. All rights reserved.

Trouble with Diaspora

153 points, by brettbender, over 14 years ago

34 comments

ohyes, over 14 years ago
This code was written by a bunch of undergraduate college students.

This is hiring a bunch of interns (with near zero experience) to implement your product, giving them three months, and then being shocked -- SHOCKED, when the code is not professional grade quality.

I was shocked when everyone and their brother was willing to shell out money to a group of completely unproven college students to produce a distributed open source 'Facebook Clone', that is also 'private'. My inclination is that the 'distributed' and 'private' parts of the description push it into the oxymoron tier of product specifications. I would have expected this alone to give people pause about what the architecture would be (somehow it didn't).

Honestly, at least they have produced something, and for the most part, it works. Hopefully they haven't burned through too much of the $250,000 that they started with. 3 months of development time is honestly nothing.

Presumably, they could get comments on this, throw the entire thing away, re-write while fixing the various issues, and be well beyond where they are now in another three months. (If this is as bad as Steve says, I hope this is the case). Presumably the development will go faster because previously they were learning and developing at the same time (presumably).

Hacking together a prototype that you then throw away is a perfectly reasonable development model. I'm impressed (and pleased) that they have produced anything.
cilantro, over 14 years ago
This code was released to developers as an incomplete preview. I'm not sure why people are holding it to the same standards as a finished product that's being released to end users. Seems like a pretext to talk trash.
cies, over 14 years ago
"Release early, release often" (an open source mantra). Here on HN I also find the 'getto launch' being preached -- "if you're not embarrassed by your product at launch-time, you should have released earlier".

Judging from the noise their release makes here on HN I think the diaspora guys did well opening up their repo 'early'.

And to steve: I think you hold 'professional programmers' (which I interpret as programmers that get paid) waaay too high..
mattmanser, over 14 years ago
I've seen 'really, really bad' code. This ain't it.

Yes, it's made some rookie mistakes. Yes, there's a load of things they shouldn't be trusting on postback (silly things like not checking the owner of an object on 'delete' commands).

That's not bad code, that's a bad implementation. That's not knowing what to trust and what not to trust because they've never been screwed up the ass by it yet.

But bad code? No.

The implementations are problems, they need this shit pointed out to them. That is all.

Steve and Patio11 are doing some serious damage to a good project for no apparent reason apart from self promotion. I want to call them nasty names, I really, really do.
steveklabnik, over 14 years ago
Please see the discussion from last night: http://news.ycombinator.com/item?id=1699641

Rather than type a bunch of replies to everyone, here's some random thoughts:

1. Release early, release often is great. But when your product's main focus is "a private social network where you control your data" and other people can do anything they'd like with your account...

2. If this was just unpolished, I wouldn't say anything. But like patio11 is saying, this has been covered by major news outlets, and many non-technical people are getting involved. This is a plea to pay attention to the fact that it's pre-alpha software.

3. The mistakes are beyond amateur. This isn't "omg it's not perfect," this is "I can't believe they didn't even apply the basics." The reason that this matters is that it doesn't bode well for the future of the project. If they can't even get this correct, how am I supposed to trust them later?

4. I only complain because I care. I want this project to succeed, and I really like a lot about the interface, actually. But that doesn't mean I won't call a spade a spade.
com, over 14 years ago
There's a lot of negativity and "I told you so" snickering floating around Diaspora on Hacker News.

I'm putting it down to envy: these guys have shipped some pre-alpha code that's interesting to a large number of people.

Excellent marketing in the open source community for developer eyeballs, perhaps not so good in terms of end-user experiences, but that's not the point at this stage, numbers will be low and the perceptions of the dumb early-adopters (of pre-alpha distributed social networking code, ffs) shouldn't leak too badly into the mainstream.

However, people are now eating the dogfood, and I expect to see fairly rapid improvements in the code: not unexpected for an alpha drop in my experience.

To the people who are moaning, would you like others to see *your* alpha code and laugh bitterly about you being a young (or old for that matter) upstart?
agentultra, over 14 years ago
The trouble is that they were so ambitious but lacked any experience from which to chart those ambitions. They're just a bunch of young twenty-somethings just getting out of school. They haven't built any large-scale real-world security-hardened software yet.

More than the fact that the code isn't production ready (by a long shot it seems), I'm just surprised they released anything at all. Perhaps spending all that money on those consultants was a good thing for them. I doubt they would've been able to get by on their own given what was released and the hype they set in motion. It's a lot to live up to. They made some really bold claims.

Just goes to show that you can't just talk the talk and watch your dreams come true.
chegra, over 14 years ago
Ok... I'm no clearer on what the problem is than when I started reading the article.

All I got from it was they have security problems. What exactly? Where exactly?

"Really, Really, Really Bad" is really subjective. When stating a problem try to be concrete and objective and give examples. For instance, if you think someone's cooking is a bit off and you are a chef, say you need a little more salt or pepper or whatever the case may be. A chef can't simply say it is really, really, really bad; leave such comments to amateurs who don't know what exactly they are experiencing and how exactly to fix it.

If you don't really have the time to address each particular concern then give them a reference to some security books that are essential when developing something like this.

As it stands the community is no better off than before you wrote this. You should have written an article about "10 security books that are a must read to prevent diaspora mistakes". [I would appreciate it if someone who is knowledgeable about this wrote something like this]
EGreg, over 14 years ago
Okay first of all, I'm glad that a bunch of undergrads from my school were able to raise $200k, get a lot of press, and build something. This alone should get a community of people around the project fixing bugs, etc.

I've always been saying that making a distributed social network is much easier than "solving" privacy and security for such a thing. First of all, try even defining what it means to privately share things with people on the internet. Then, realize that most solutions (such as diaspora) will actually EXACERBATE the privacy problem, by making you trust the hosting services of *all your friends* instead of just facebook.

That said, after diaspora was announced it made me think about whether it's possible to ensure privacy in principle. Meaning, is it possible to only trust YOUR hosting company and friends, and cut out every other middleman from being able to snoop your data?

I came up with something which I think would be very useful, and I actually submitted a provisional patent for the technology, which basically enables distributed AND private social networking using just today's web browsers.

If you want to check it out or get involved, see http://myownstream.com . This is an open-source offshoot of a social network I'm building, which I hope to release next year. You can see the roadmap there, but so far it's been going really well :)
rbates, over 14 years ago
There are very serious security blunders here, but I wouldn't go as far as the article to say it needs a complete overhaul. Here are a few example fixes.

1. Most of the XSS errors should be handled by Rails 3 auto-escaping. I'm not certain why this isn't happening. It may be a simple HAML config error or bug.

2. The session key should be moved out of the Git repo.

3. Most of the authorization can be done by reaching through the current user's associations. For example "current_user.photos.destroy" would prevent users from destroying other's photos.

I'm not defending the developers here and agree these should not have gotten past them. My point is these problems can be fixed in a few days, and thanks to open source, there are many eyes looking at the code to find additional security issues.
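Fixes 1 and 3 from the comment above, and the unchecked-owner-on-delete problem mattmanser describes earlier in the thread, as an added example that is not Diaspora's code or Rails itself. It is plain Ruby with no Rails dependency: `PhotoStore`, `OwnedPhotos`, `User` and the two handler functions are constructed stand-ins for a model table, a `current_user.photos` association and two versions of a delete action. Output escaping uses `ERB::Util.html_escape` from the standard library, which is the same escaping Rails 3 templates apply by default.

```ruby
require "erb" # ERB::Util.html_escape: the escaping Rails 3 view templates apply by default

# Constructed stand-ins for the app's models; none of this is Diaspora's code.
class NotFound < StandardError; end

Photo = Struct.new(:id, :owner_id, :caption)

# A minimal stand-in for a photos table.
class PhotoStore
  def initialize
    @rows = {}
  end

  def add(photo)
    @rows[photo.id] = photo
  end

  def all
    @rows.values
  end

  # Global lookup: any id resolves, no matter who is asking.
  def find(id)
    @rows.fetch(id) { raise NotFound, "photo #{id}" }
  end

  def delete(id)
    @rows.delete(id)
  end
end

# Association scoped to one owner, standing in for current_user.photos in Rails.
class OwnedPhotos
  def initialize(user, store)
    @user = user
    @store = store
  end

  def to_a
    @store.all.select { |p| p.owner_id == @user.id }
  end

  # A photo owned by someone else is simply not found here, even though it exists.
  def find(id)
    to_a.find { |p| p.id == id } || raise(NotFound, "photo #{id}")
  end

  def destroy(id)
    photo = find(id)
    @store.delete(photo.id)
    photo
  end
end

class User
  attr_reader :id

  def initialize(id, store)
    @id = id
    @store = store
  end

  def photos
    OwnedPhotos.new(self, @store)
  end
end

# Weak handler: trusts the posted id and destroys whatever it names.
def destroy_unscoped(store, params)
  store.delete(store.find(params[:id]).id)
  :deleted
end

# Fixed handler (fix 3): reaches through the current user's association, so an id
# belonging to someone else is a not-found response rather than a deletion.
def destroy_scoped(current_user, params)
  current_user.photos.destroy(params[:id])
  :deleted
rescue NotFound
  :not_found
end

# Fix 1, rendering: escape user-controlled text before interpolating it into HTML.
def render_caption(photo)
  "<figcaption>#{ERB::Util.html_escape(photo.caption)}</figcaption>"
end

# Constructed walkthrough: two users, one of whom posts the other's photo id to delete.
def demo
  store = PhotoStore.new
  alice = User.new(1, store)
  bob = User.new(2, store)
  store.add(Photo.new(10, alice.id, 'Tom & "Jerry" <3'))
  store.add(Photo.new(20, bob.id, "lunch"))

  caption_html = render_caption(store.find(10))

  scoped = destroy_scoped(bob, { id: 10 })       # bob cannot reach alice's photo
  after_scoped = store.all.map(&:id).sort
  unscoped = destroy_unscoped(store, { id: 10 }) # the unscoped action deletes it
  after_unscoped = store.all.map(&:id).sort

  { caption_html: caption_html, scoped: scoped, after_scoped: after_scoped,
    unscoped: unscoped, after_unscoped: after_unscoped }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The scoped version needs no separate "is this mine?" check in the controller: ownership is enforced by where the lookup starts, so it cannot be forgotten on a new action. Fix 2 (moving the session secret out of the repository) is a configuration change and is not modelled here.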
moron4hire, over 14 years ago
This is the problem: college students are terrible programmers. There aren't enough consequences for writing bad code in college. In industry, you learn very quickly that everything you learned in college is minuscule compared to what you actually need to know to work.

I knew guys who only studied databases or only studied HTML+JavaScript+CSS. And we all expected that this level of specialization was common and even desirable! Wow. Looking back now, how silly of us. Where did we get this idea? Certainly not from anyone with significant experience in industry. We had one professor with significant industry experience... from the days of IBM mainframes. She was the head of the department. She ran two classes a year, in "software engineering", basically "technical writing and project management". They were good classes, the most like the "real world" of any of our courses, but only 50% of the students took it and it represented maybe 10% of our studies for those of us who did.

Yes, the CS degree is about preparing students for CS graduate programs. But there was never a suggestion that perhaps the CS degree was not what we needed. Or maybe there was a suggestion, one, from some guy on Teh Intarwebs, against every other person in positions of respect around us. We were consistently told that the CS degree was the path to a software development degree. Yes, internships. They are very important. We don't do enough of them. We certainly need more of an apprenticeship model. I suspect that the development of good programmers would work in a culinary school model more than a research school model.

College graduates are basically the first level of competency worth training to become developers, or at least are supposed to be (let's just stick to ideal situations right now, with no wind resistance and infinite point masses). It's like in the martial arts, we say that black-belt is where the learning *begins*. Once you reach black-belt/BSCS, you have only acquired the *tools* that you need to start learning.

Every programmer I've known thought he was a super hacker by the time he got out of college. Me included. I see it in the interviews I conduct, also. There is an air of arrogance. There is a sense of shock and personal assault when pointing out their errors. They haven't yet grokked that the code is not them. They haven't yet learned that the errors are inevitable, that it is only time and experience that teaches us how to avoid them, that programming is about the pursuit of eventual perfection and not the dogmatic defense of yesterday's code.

So one of two things happens. Either the degreed programmer shucks his hubris and finds humility, or he becomes a leech on his coworkers (and my use of the masculine pronoun is no mistake, the female programmers I've known don't have this pathology). Unfortunately, the latter is apparently indistinguishable from the former for most management types. Haha, but digging on the liberal arts majors aside, most people who come out of college with a BS in CS do not want to make programming their wake-to-sleep life. They want it to be their 9-to-5 career, and leeching is the easier route to that.

The kids mean well, I'm sure they are quite intelligent, and they've got heart. But a startup was probably the worst first endeavor for them. I think it's better to go through your male-programmer-humiliation on someone else's dollar. They're basically going into more debt to learn how to be programmers now that they've gotten out of college. They could have been earning a salary to learn how to be programmers.
dododo, over 14 years ago
it's insulting to refer to them as kids and criticism like this is only helpful if you give examples: this article does not do that, just making wide sweeping statements about "how bad" it all is. i had a quick look at github, it didn't look like it stunk, but i don't know ruby nor the framework they use.

they didn't appear to use pbkdf2 or similar to derive their crypto keys, so that isn't good. but at least they didn't make up their own algorithm (though maybe they're making their own crypto protocol--hopefully not--i couldn't tell from the code).

it's very easy to say "this sucks", it's harder to say "this sucks and here's why" and it's even harder to say "this sucks and here's why *and here's how i do it in my deployed product*"
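Deriving a key with PBKDF2 the way the comment above recommends, as an added example that is not Diaspora's code. It uses only Ruby's standard `openssl` and `securerandom` libraries: `derive_key` wraps `OpenSSL::KDF.pbkdf2_hmac` (PBKDF2-HMAC-SHA256 with a per-secret random salt and a configurable iteration count), and `seal`/`unseal` are constructed helpers that put the derived key through an AES-256-GCM round trip so that a key derived from the wrong passphrase fails authentication instead of yielding garbage. The passphrase, iteration counts and plaintext are constructed sample values.

```ruby
require "openssl"
require "securerandom"

# PBKDF2-HMAC-SHA256 from Ruby's standard OpenSSL binding. A random salt means two
# users with the same passphrase get different keys, and the iteration count makes
# each candidate passphrase cost real work to test. 32 bytes suits AES-256.
def derive_key(passphrase, salt, iterations: 100_000, length: 32)
  OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: iterations,
                           length: length, hash: "sha256")
end

# One salt per stored secret. It is not secret itself and is stored beside the ciphertext.
def new_salt
  SecureRandom.random_bytes(16)
end

def hex(bytes)
  bytes.unpack1("H*")
end

# AES-256-GCM round trip to show the derived key in use. GCM is authenticated, so
# decryption with a key derived from the wrong passphrase raises instead of returning noise.
def seal(key, plaintext)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(plaintext) + cipher.final
  { iv: iv, ciphertext: ciphertext, tag: cipher.auth_tag }
end

def unseal(key, sealed)
  cipher = OpenSSL::Cipher.new("aes-256-gcm")
  cipher.decrypt
  cipher.key = key
  cipher.iv = sealed[:iv]
  cipher.auth_tag = sealed[:tag]
  cipher.auth_data = ""
  cipher.update(sealed[:ciphertext]) + cipher.final
rescue OpenSSL::Cipher::CipherError
  nil # tag check failed: wrong key or tampered ciphertext
end

# Constructed walkthrough: derive a key, encrypt, then reopen with the right and a
# wrong passphrase. The low iteration count keeps the demo quick; production values
# should be far higher.
def demo(passphrase = "correct horse battery staple", iterations: 10_000)
  salt = new_salt
  key = derive_key(passphrase, salt, iterations: iterations)
  sealed = seal(key, "private post")
  {
    key_length: key.bytesize,
    # Same passphrase, different salt: a different key.
    salted_differs: derive_key(passphrase, new_salt, iterations: iterations) != key,
    # Same passphrase and salt: the key is reproducible, so only the salt needs storing.
    opened: unseal(derive_key(passphrase, salt, iterations: iterations), sealed),
    wrong_passphrase: unseal(derive_key("wrong", salt, iterations: iterations), sealed)
  }
end

puts demo if $PROGRAM_NAME == __FILE__
```

The salt and the iteration count are parameters of the stored secret rather than of the code, so both should be saved alongside the ciphertext; that is what lets the iteration count be raised later without re-keying existing data all at once.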
jarin, over 14 years ago
I'm not even sure it's worth submitting patches to Diaspora, both because of the fundamental problems with the code, but also because of their "Open Core" licensing scheme (AGPL + contributor agreement): http://www.ebb.org/bkuhn/blog/2009/10/16/open-core-shareware.html

Looking through the code, it looks like Diaspora is really just putting a front end and "aspects" on top of OStatus. I think it might be good at this point to just scrap the Diaspora code and start over from the basics with a good OStatus-based reference implementation in Rails.
mayank, over 14 years ago
It's great that they're getting so much open-source help, but I'm going to ask the obvious question: if a "complete overhaul" is what's needed, as the author seems to imply, and the FOSS community performs said overhaul, then what of the $250k that was given to the Diaspora guys? Is it still even "Diaspora" anymore, as opposed to a FOSS project?
chaostheory, over 14 years ago
One thing I really liked about this post: most people readily complain about something, yet only a few like Steve actually do something to help fix it.
rblion, over 14 years ago
Jason Fried was right. All the hype and pressure before launch will cause some serious problems.
msy, over 14 years ago
They could've really saved themselves some grief if they'd been far more explicit about saying that it's Alpha and months from being production ready. All this 'there's bugs! omfg!' hoo-ha could've been headed off at the pass.
Maro, over 14 years ago
At least somebody's got a sense of humor:

Github issue #8: "Facebook has a majority market share"

http://github.com/diaspora/diaspora/issues#issue/8
thinkalone, over 14 years ago
Steve, where did you get the $250,000 figure? Their Kickstarter page still shows $200K and change (http://www.kickstarter.com/projects/196017994/diaspora-the-personally-controlled-do-it-all-distr), and now there are currently three mentions of $250K in the comments here, none of them questioning the $50K raise. Just checking to see if I missed another bit of funding somewhere.
middlegeek, over 14 years ago
They (Diaspora staff) said this as they released it:

"Feel free to try to get it running on your machines and use it, but we give no guarantees. We know there are security holes and bugs..."
didip, over 14 years ago
I was totally expecting crap like below when cloning the project:

* literal SQL without escaping (They use Mongo it turns out)

* 10,000 lines of controller action (The biggest one is Photo#create, but far from huge). PS: They use carrierwave, which is AWESOME.

* giant business logic in the views (They use haml and the code is clean).

* Not escaping user's input (OK, there are places where they forgot to put it).

Their code is far from shit. Easily improvable as they gain more developers. Aren't we too quick to judge?
thibaut_barrere, over 14 years ago
Good thing: the project already has 292 forks and 2051 watchers on GitHub!

I believe they will get an amazing quantity of outside work.
catshirt, over 14 years ago
As far as I can consider, there are two possible alternatives to this (that is, releasing their flawed code). They could have either released flawless code, or they could have released no code at all. I understand OP's concern, but considering the alternatives I don't really get the tone of the article.
pkulak, over 14 years ago
First people bitch and whine because they are working "in secret" and not releasing code. Then they release and everyone freaks out because it's not finished. I guess the only way everyone would be happy would be if they released a completed project after a week.
kbatten, over 14 years ago
My god most of these comments are sickening. It sounds like a group of old men reinforcing each other how much better people were "back in their day" all the while forgetting what "back in their day" actually was. Is it jealousy that is fostering these posts?
marknutter, over 14 years ago
This is pretty unfair. They just want to get it out there earlier than later, so that the community can help with a few of the less glamorous parts of the app. I guarantee they've been spending most of their time just wiring things up and making the interface look pretty (the fun stuff), and now are tapping into the OSS community to help take care of the security details. I completely sympathize with this strategy, and they explicitly said it was far from secure or complete.

It's this kind of code bashing that makes it difficult and intimidating for newbies to break into development. Think twice before you lambast younger, less experienced programmers on the internet. What a shame.
10ren, over 14 years ago
It's an MVP. Problem is, it's in an established market. Although this worked for open source in the established unix market, that wasn't a *mainstream* market. But note: only a tiny subset of users are going to switch initially anyway, so, in practice, it's not mainstream at all. Besides, expert coders will contribute; I've seen it happen.

And it's infinitely better than the alternative, of getting everything right first time, *because that's impossible*. Something is better than nothing. Live it!
mark_l_watson, over 14 years ago
As other people have already said: this is just an early code drop. It would be good to have it transition into an open source project with many developers, especially because the developers are I assume starting their fall school term.

I enjoyed building and playing with the code, and I hope that there is a much improved version in the future.
duck, over 14 years ago
*I don't want to disclose too many details*

I thought the idea of a developer release was to do exactly this.
adnam, over 14 years ago
What do you think the first release of Facebook looked like under the hood?
motters, over 14 years ago
I can hear Zuckerberg chuckling like an evil genius.
skbohra123, over 14 years ago
In all this, we forgot that they are here to create an open social network. This was their dream, so maybe this is the way they wanted to do it.
startupcto, over 14 years ago
I'm not sure what the problem is here. It's a piece of software that was released to the public on Github and anyone who decided to use it shouldn't expect it to work without flaws.

If it was a piece of crappy software that I wrote and put on Github, and I am going to get criticized to the point that it's worthless, I'm not sure where the open source spirit is going this way.
c00p3r, over 14 years ago
Why? It is called crowd-sourcing and there are even several "bestsellers for dummies" about how to use crowds to make money.

Nothing to see here.