AOL Tech

Diaspora's "open Facebook" source code riddled with security issues

It's important to note that the team at Diaspora was very up front about the recent pre-alpha dev release of their code having "security holes and bugs," but early reports from coders who have gone through it paint a pretty grim picture so far. Code that's riddled with bugs and security holes is one thing; the bigger problem is that many devs don't see the point in contributing the time and effort required to fix the issues.

A recurring theme among the complaints is that the security holes are so gaping and deep-seated that the whole thing may need a complete rewrite to be worth the effort. Adding to the negative pressure are complaints that the license chosen by Diaspora for the release is simply too restrictive to allow for proper open source growth.

As far as the code is concerned: The Register goes as far as to say that the code is "littered with landmines," which may be a bit strong, since the word usually implies intent when dealing with security holes, but it does fittingly describe the number of holes and bugs being reported. A commenter at Hacker News stated that after looking through the code, he found it to be "a combination of Rails Security 101 errors and 'web application programming is hard.'"

Another commenter talked about the photo controller, which Diaspora described in this release as being the only portion not "signed and encrypted." That wording makes it sound as though the photo portion of Diaspora simply isn't signed or encrypted yet. The reported problem is worse than that: it appears that any user can upload any photo to any other user's account, and also delete any photo at will. In other words, the controller acts on a photo without checking that it belongs to the user making the request. Holes like these are much larger than the sort one would expect, but this is a pre-alpha release.
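As an added illustration (this is not Diaspora's code; the model and controller names and the params hash are made up), the following plain Ruby stands in for a Rails controller and its ActiveRecord models and shows the pattern behind the photo-controller complaint. One version takes the owner from the request and looks photos up globally, so the signed-in user is never compared with the owner; the other scopes every lookup and create to the signed-in user, so another user's photo is simply not found.

```ruby
# Added illustration, not Diaspora's code. Photo, User, the controller names
# and the params shape are invented stand-ins for Rails models/controllers.

class NotFound < StandardError; end

# Minimal in-memory stand-in for an ActiveRecord model.
class Photo
  @store = {}
  @next_id = 0
  class << self
    def create(owner_id, caption)
      @next_id += 1
      @store[@next_id] = new(@next_id, owner_id, caption)
    end
    def find(id)              # global lookup by id, like Photo.find in Rails
      @store.fetch(id) { raise NotFound, "photo #{id}" }
    end
    def owned_by(owner_id)    # like Photo.where(owner_id: owner_id)
      @store.values.select { |p| p.owner_id == owner_id }
    end
    def delete(id)
      @store.delete(id)
    end
    def reset!
      @store.clear
      @next_id = 0
    end
  end

  attr_reader :id, :owner_id, :caption
  def initialize(id, owner_id, caption)
    @id, @owner_id, @caption = id, owner_id, caption
  end
  def destroy
    Photo.delete(id)
  end
end

# Association-style scope: only this user's photos are reachable through it,
# the equivalent of current_user.photos in Rails.
class OwnedPhotos
  def initialize(owner_id)
    @owner_id = owner_id
  end
  def find(id)
    Photo.owned_by(@owner_id).find { |p| p.id == id } || raise(NotFound, "photo #{id}")
  end
  def create(caption)
    Photo.create(@owner_id, caption)
  end
end

class User
  attr_reader :id
  def initialize(id)
    @id = id
  end
  def photos
    OwnedPhotos.new(id)
  end
end

# The "Rails Security 101" version: trusts params[:owner_id] and looks photos
# up globally, so nothing ties the action to the logged-in user.
class VulnerablePhotosController
  def initialize(current_user)
    @current_user = current_user
  end
  def create(params)
    Photo.create(params[:owner_id], params[:caption])   # attacker picks the victim
  end
  def destroy(params)
    Photo.find(params[:id]).destroy                      # any photo, any user
  end
end

# Hardened: the owner is always the session user and the lookup is scoped, so a
# photo belonging to someone else is not found at all.
class HardenedPhotosController
  def initialize(current_user)
    @current_user = current_user
  end
  def create(params)
    @current_user.photos.create(params[:caption])        # params[:owner_id] ignored
  end
  def destroy(params)
    @current_user.photos.find(params[:id]).destroy
  end
end

# Replays the same two attacker requests against both controllers.
def attack_both_controllers
  victim, attacker = User.new(1), User.new(2)
  results = {}

  Photo.reset!
  beach = victim.photos.create("beach")
  VulnerablePhotosController.new(attacker).destroy(id: beach.id)
  VulnerablePhotosController.new(attacker).create(owner_id: victim.id, caption: "planted")
  results[:vulnerable_deleted_victims_photo] = Photo.owned_by(victim.id).none? { |p| p.id == beach.id }
  results[:vulnerable_planted_in_victims_account] = Photo.owned_by(victim.id).map(&:caption)

  Photo.reset!
  beach = victim.photos.create("beach")
  begin
    HardenedPhotosController.new(attacker).destroy(id: beach.id)
    results[:hardened_delete_blocked] = false
  rescue NotFound
    results[:hardened_delete_blocked] = true
  end
  planted = HardenedPhotosController.new(attacker).create(owner_id: victim.id, caption: "planted")
  results[:hardened_upload_owner] = planted.owner_id
  results[:victim_photos_after_hardened] = Photo.owned_by(victim.id).map(&:caption)
  results
end

puts attack_both_controllers if __FILE__ == $PROGRAM_NAME
```

The fix is not a separate permission check bolted onto each action but a change of starting point: every query begins from `current_user.photos`, so an id that belongs to someone else cannot be reached no matter what the request carries.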


There's a fairly decent following for the happy-go-lucky argument that, since the code is now open source, the holes and bugs will be fixed as a matter of course. One angry commenter at Hacker News summed up the other side of that argument by saying that "slapping a GPL on your codebase and pushing it to GitHub does not make magical unicorns poop security findings into your mailbox." Hyperbole aside, he's probably right about that. There's a lot of heavy discussion right now about how the code will get fixed by people willing to do so, except that the people who seem to know what's wrong with it have no desire to do it.

Part of that apathy stems from the license chosen for the code's release. As Jarin Udom brings up on his blog, Diaspora chose the AGPL, which requires anyone who modifies the code and runs it as a network service to publish their modified source. This wouldn't be a problem for the average user, but it does more or less curtail any hopes that large companies would ever spend a dime developing one single line of Diaspora-based code.

Read more discussion on Jarin's assertions at Reddit.

Once you combine the licensing woes and the "crappy code" with the obvious barriers to widespread adoption by non-geeks (such as the need for their own hosting service/server, or trusting a friend enough to allow them custody of their data), there isn't much impetus for the average unpaid developer to devote man-hours to something from which only the team at Diaspora can legally make a profit.

With a restrictive license and shoddy code out the gate, the Diaspora pre-alpha doesn't look very healthy at this point in time, but if you've got the experience necessary to lend a hand to the folks out there who want this venture to succeed, then by all means, hit up GitHub and get your code.

Tags: bug, diaspora, facebook, hole, security
