Diaspora's "open Facebook" source code riddled with security issues

It's important to note that the team at Diaspora was very up front about the recent pre-alpha dev release of their code having "security holes and bugs" -- but early reports from coders who have gone through it paint a pretty grim picture so far. Code that's rife with bugs and security holes is one thing, but many devs don't see the point in contributing the time and effort required to fix the issues.
A recurring theme among complaints is that the security holes are so gaping and deep-seated that the entire thing may need a complete rewrite to even be worth the effort. Adding to the negative pressure are complaints that the license chosen by Diaspora for the release is simply too restrictive to allow for proper open source growth.
As far as the code is concerned: The Register goes as far as to say that the code is "littered of landmines" -- which may be a bit strong, since "landmine" usually implies intent when dealing with security holes, but it does fittingly describe the number of holes and bugs being reported. A commenter at Hacker News stated that after looking through the code, he found it to be "a combination of Rails Security 101 errors and 'web application programming is hard.'"
Another commenter talked about the photo controller, which Diaspora described in this release as being the only portion not "signed and encrypted." "Not signed and encrypted" sounds as though the photo portion of Diaspora simply hasn't had those protections added yet. Instead, it appears that any user can upload any photo to any other user's account, and also delete any photo at will; in other words, the controller acts on whatever photo or account a request names without checking that it belongs to the user making the request. Holes like these are much larger than the sort one would expect, but this is a pre-alpha release.
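As an added illustration (not code from Diaspora or from this article), the following plain-Ruby sketch models the two behaviours the paragraph describes: a controller that finds a photo by id alone and trusts the owner named in the request, beside one that scopes every lookup to the logged-in user. Photo, PhotoStore, both controller classes and the sample scenario are constructed for this example and run without Rails.

```ruby
# Added illustration, not Diaspora's code: the photo-controller gap described
# above, modelled in plain Ruby so it runs without Rails. Photo, PhotoStore
# and both controller classes are constructed here for the example.

Photo = Struct.new(:id, :owner_id, :url)

# In-memory stand-in for the photos table.
class PhotoStore
  def initialize
    @photos = {}
    @next_id = 0
  end

  def insert(owner_id, url)
    @next_id += 1
    @photos[@next_id] = Photo.new(@next_id, owner_id, url)
  end

  def find(id)
    @photos[id]
  end

  # Lookup scoped to one owner: returns nil for another user's photo.
  def find_for_owner(id, owner_id)
    photo = @photos[id]
    photo if photo && photo.owner_id == owner_id
  end

  def delete(id)
    @photos.delete(id)
  end
end

# Weak pattern: the photo is looked up by id alone, and the owner of an upload
# is whatever the request says, so any logged-in user can act on anyone's photos.
class WeakPhotosController
  def initialize(store, current_user_id)
    @store = store
    @current_user_id = current_user_id
  end

  def create(params)
    @store.insert(params[:owner_id], params[:url])
  end

  def destroy(params)
    photo = @store.find(params[:id])
    return :not_found unless photo
    @store.delete(photo.id)
    :deleted
  end
end

# Hardened pattern: ownership comes from the session, never from params, and
# every lookup is scoped to the current user's own photos.
class ScopedPhotosController
  def initialize(store, current_user_id)
    @store = store
    @current_user_id = current_user_id
  end

  def create(params)
    # Any owner_id the client sends is ignored; the uploader owns the photo.
    @store.insert(@current_user_id, params[:url])
  end

  def destroy(params)
    photo = @store.find_for_owner(params[:id], @current_user_id)
    # Same answer for "not yours" and "does not exist", so valid ids don't leak.
    return :not_found unless photo
    @store.delete(photo.id)
    :deleted
  end
end

# Scenario: user 1 uploads a photo; user 2 then tries to delete it and to
# plant a photo in user 1's account. Returns what happened under the given controller.
def run_scenario(controller_class)
  store = PhotoStore.new
  user1 = controller_class.new(store, 1)
  user2 = controller_class.new(store, 2)

  photo = user1.create(owner_id: 1, url: 'constructed://cat.jpg')
  delete_result = user2.destroy(id: photo.id)
  planted = user2.create(owner_id: 1, url: 'constructed://planted.jpg')

  {
    delete_result: delete_result,
    original_still_present: !store.find(photo.id).nil?,
    planted_owner: planted.owner_id
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "weak:   #{run_scenario(WeakPhotosController)}"
  puts "scoped: #{run_scenario(ScopedPhotosController)}"
end
```

Running it shows the weak controller letting user 2 delete user 1's photo and plant an upload under user 1's account, while the scoped controller reports :not_found for the deletion and records the upload under user 2. In a real Rails app the scoped lookup corresponds to finding through the current user's association rather than the bare model, which is what keeps an id in the URL from standing in for authorization.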
There's a fairly decent following for the happy-go-lucky argument that since the code is now open source, the holes and bugs will be fixed as a matter of course. One angry commenter at Hacker News summed up the other side of that argument by saying that "slapping a GPL on your codebase and pushing it to GitHub does not make magical unicorns poop security findings into your mailbox." Hyperbole aside, he's probably right about that. There's a lot of heavy discussion right now about how the code will get fixed by people willing to do so -- except that the people who seem to know what's wrong with it have no desire to do it.
Part of that apathy stems from the license chosen for the code's release. As Jarin Udom brings up on his blog, Diaspora chose an AGPL license -- which would in effect force any contributing parties to divulge their own source code if they make anything using Diaspora's code. This wouldn't be a problem for the average user, but it does more or less curtail any hopes that large companies would ever spend a dime working to develop one single line of Diaspora-based code.
Read more discussion on Jarin's assertions at Reddit.
Once you combine the licensing woes and the "crappy code" with the obvious barriers to widespread adoption by non-geeks (such as the need for their own hosting service/server, or trusting a friend enough to allow them custody of their data), there isn't much impetus for the average unpaid developer to devote man-hours to something from which only the team at Diaspora can legally make a profit.
With a restrictive license and shoddy code out the gate, the Diaspora pre-alpha doesn't look very healthy at this point in time, but if you've got the experience necessary to lend a hand to the folks out there who want this venture to succeed, then by all means, hit up GitHub and get your code.

Comments (13)

SugarDaddy, Sep 17th 2010 8:54AM
Why release a "pre-alpha" anyway? So not only do these kids not have any decent programming sense, they have no business sense either. I suppose they wanted to show off that things are progressing, but this probably was a cue for a lot of people to write this project off as a pipe dream with an immature development team.
I've always hated the term "pre-alpha" by the way. And I believe the whole philosophy behind alpha and beta releases is to NOT release the code to the public before it is alpha or beta. Just another indication that these guys are in over their heads. Also, what the hell is wrong with people giving these guys all that money when they didn't demonstrate that they had competency to pull this project off? Fail.
King Antonius, Sep 17th 2010 8:57AM
For the record (because there's bound to be knee-jerk reactions), they do state very clearly on their site that this is not secure yet and filled with bugs, so let's not jump on any bandwagons yet, guys.
cloned, Sep 17th 2010 9:30AM
Right, but it won't stop bloggers from trolling. Someone's going to look at the title of this article and write off the group as a failure. Just as the first poster did in the comments.
Myria, Sep 17th 2010 10:30AM
There's a difference between bugs that can and will be dealt with in time, and fundamental design flaws that can't really be fixed without going back and starting again.
If the issues here are of the latter variety -- and there are more than a few respected professionals that feel they may be -- this isn't just a matter of a bunch of to-be-expected pre-alpha (why in god's name release a pre-alpha anyway?) bugs, but instead problems that are far more fundamental and not easily, if at all, fixed.
Victor Agreda Jr, Sep 17th 2010 10:36AM
Why not wait to release until some of the most egregious security flaws were fixed? Why not provide a more open license? Why not do a smaller invite-only pre-release to suss out fundamental flaws?
I wouldn't call it trolling when we're trying to point out critical mistakes that could sink the entire project. I don't think anyone here has an agenda to see Diaspora fail -- we're simply trying to analyze the situation and point out real issues.
Instead we could just sleep in and hope it all works out somehow, right?
King Antonius, Sep 17th 2010 11:44AM
Good points from both Victor and Myria. Some of those holes do need to be fixed ASAP, but every site like this has a lot of bugs at first, even when they first open publicly. Don't forget this is still at the point where you have to compile the source yourself. At this point it's probably best to just take a wait-and-see approach. In the end, this may be too little too late since Facebook has fixed the majority of issues that caused these people to make Diaspora.
technobuddha, Sep 17th 2010 10:46AM
Wow, you are pure brutal! Let's put this into an HONEST perspective please...
#1 3 months of hard work coding: yes, there's bound to be bugs
#2 it's pre-alpha: it's meant for developers, silly! Not for the average user. That's comparing apples to oranges...
#3 everyone, EVERYONE was complaining for them to give status updates. And now that they RUSHED to get it out in a PRE-ALPHA, you state the OBVIOUS, that it's riddled with bugs... wow. Are you being paid by Facebook by chance? hmmmmm?
I have plans of offering decentralized hosting of diaspora and other social networks at my site: pplsnet.com
But I admit, I would love to have it a bit better than what it is right now, but these are college kids.. it's summer, and hey, I've always wanted to go to "burning man"...LOL
johnbondjovi, Sep 17th 2010 11:29AM
Wow and here I thought the idea behind "open source" was to hide all the bugs and security holes away from the people that are trying to find them and fix them for you......
DK Wilson, Sep 17th 2010 3:11PM
What?! My MacBook auto-submit setting to auto-enter my email address doesn't work here???? The website, Downloadsquad.com, contains "code that's wrought with bugs and security holes!" Run for your lives to the more reputable, Engadget!...
Look, that ulterior motives are at work here - Victor Agenda, Jr, errr, Victor Agreda, Jr. - isn't and shouldn't even be a question. Sir, the motives of you and yours here at Download Squad are baldly obvious.
What is saddest is that you actually have the nerve to spit out a quick rejoinder in your own comment section to anyone who doesn't say, "Baaaah" when you bleat. Your fear-mongering combined with Google's quite interesting placement of this article as its top news search result tells me all I need to know about the nature of your efforts.
Simon, Sep 17th 2010 3:07PM
I'd say there's a difference between one-off security bugs and architectural security bugs. All I've heard points to the latter--pre-alpha code or no, code designed for security from the ground up would likely be better received. The licensing issues only make things worse as there's no incentive for anyone outside to improve things.
As much as I support the idea, I'm glad I didn't donate to this project, both due to the lack of transparency and now due to these licensing and security issues. Hopefully either they fix their process and code or someone else comes along and makes something better.
jfjb, Sep 17th 2010 3:48PM
Sounds and smells like a design problem, or bad communication.
Coding is simple with logic, better with knowledge.
Steaps, Sep 17th 2010 4:11PM
I can't be arsed to read that full blog post in the time I have, but from the blog post:
"We know there are security holes and bugs, and your data is not yet fully exportable. If you do find something, be sure to log it in our bugtracker, and we would love screenshots and browser info."
They know there are problems. They're looking for those problems.
lassi, Sep 21st 2010 11:33AM
Whenever you hear hype in advance of open source projects that will change the world.. you know they're in it for the fame.