30 September 2010

Diaspora code

On the 15th, the Diaspora code was finally release in alpha and the reviews weren't good. The Register [ via Reddit along with Slashdot ] focused primarily on the dangerously inept security mistakes festering throughout all areas of the code. How bad? They ignore the most basic issue of scrubbing user-submitted data before inserting it into SQL queries. Here's my test for bad security practices: if even I know not to do something, it's bad. This is really bad.

Defenders--justifiably--remark that the fact that Diaspora is open source allows us to discover these flaws and publicize them to be either fixed or act as a warning to users. Closed source applications could contain worse and we'd never know. With Diaspora, Bloggers (such as MicroISV on a Shoestring) can examine the code and detail the full range of the issues involved. More interesting to me, and of greater concern, was an observation from faulteh on Slashdot regarding system requirements:

To be a seed you are going to need a hosting provider that supports ruby on rails with a freakishly huge list of gem dependencies, that is also running the thin webserver - that's right it doesn't work on apache ... In fact, installing all the dependencies on an ubuntu server running a LAMP stack still required an extra 350+Mb of extra packages ...

I haven't seen their concerns voiced elsewhere, and I'm not sure that the extra Ruby and Apache modules required result in as fragile/bloaty a configuration as they suggest. However, when very powerful blog and CMS frameworks can acheive so much with so much less, it suggests that there was a lack of architectural rigor in the decisions made early on in the Diaspora design process. All of these, of course, are minor points that ignore the 800-lb gorilla that Facebook is. What features are needed to make Facebook the next MySpace?

[ posted by sstrader on 30 September 2010 at 8:45:28 PM in Internet | tagged social network ]