Saying that you want to take on the world’s biggest social network is the kind of thing that puts a big target on your back. At least that’s what the ambitious young crew behind Diaspora, an open source alternative to Facebook, found out this week.
The Diaspora team pushed out an early (as in “pre-Alpha”), “Developer Release” of their source code on Wednesday to open source hosting site GitHub, with ample warnings about security holes and other bugs in the code. All the same, the group – lovingly profiled by the New York Times as idealistic warriors fighting Facebook’s inroads into users privacy -found themselves on the receiving end of some bare knuckle comments as contributors and security-minded pros got their first look. In at least a few cases, the holes they discovered could be used to compromise the privacy of users.
“Basically, the code is really, really bad..And they’re there due to things that any professional programmer would never dream of leaving out of their code,” blogger and software developer Steve Klabnik wrote after reviewing the code.
Among other things, reviewers found that Diaspora’s code includes a dangerous sounding Cross Site Scripting hole in the user commenting system and a session poisoning vulnerability. Input checking, in general, appears to be lacking, according to user comments.
Of course, most of the bugs reported were not explicitly security related, but concerned problems installing Diaspora or configuring user accounts – buggy UI elements or platform compatibility problems on Linux, Windows and the like. The most commented on open issue, “Facebook has a majority market share” weighs existential and competitive issues facing Diaspora. Another open issue reads simply “Diaspora sounds too much like diarrhea.”
But with the dust barely clear after the initial code release, some developers are already calling for a restart, arguing that the Diaspora foundation, as currently envisioned, will never achieve the project’s goal of providing social networking platform that attracts users and protects privacy. That assessment has to do not just with the challenges of polishing and securing the Diaspora code, which appears to be a monumental task, but also with concerns about the way that the project’s “Open Core” licensing will subsume the work of contributors.