[personal profile] oda
I really love Diaspora, but I have some significant reservations about recommending it to any users who are concerned about the privacy or integrity of their data. I would be thrilled if I were confident enough in it to be able to recommend Diaspora freely. However, I do not yet know enough about its internal structure to feel that I can do it in good faith.

Right now Google+ is having a great many privacy issues and is suspending users right and left in the #nymwars, which means that there are many people looking around for a new home. Diaspora is a strong contender. It's got great basic functionality and a clean UI that Google+ seems to have cribbed from. The privacy model on Diaspora is also great. It's the security that I'm worried about. Users need to know that their data can't be read by anyone they haven't authenticated to read it, and that it can't be deleted or modified by anyone but themselves.

Personally, I also love Dreamwidth, but I know that some people want the ease of commenting that Diaspora has, where all of the comments are kept in a stream, unlike Dreamwidth's more post-centric model. So I want to have somewhere to send people who want that instead, or who want to be able to run their own servers.

We're almost a year out from the Security Lessons Learned From The Diaspora Launch. How is the software doing now, security-wise?

When I go look at The Official Diaspora Wiki there is an empty red link pointing to Security Architecture Proposal. This is not exactly comforting. When is the Security Architecture Proposal due to be posted?

I know that the problems exposed in the review have since been patched, but is Diaspora moving forward in a way that avoids new problems? Has anyone examined the inter-server protocols for security flaws? Where would I go to look for more information on this? I'm not a coder, so I can't simply read the code, but I can usually follow higher-level reviews done by coders or architects, and I would love to see a newer security review if such exists.

In my experience, security is immensely easier to maintain if it is built into software from the ground up. This is from the perspective of a system administrator, not a developer, but I have always found it easier to maintain software that started out with the intention of being secure. One example is sendmail vs. postfix. Sendmail started out very permissive, and as abusers figured out how to manipulate it, it became more secure in response. However, it has always been troublesome to maintain and more likely to need patching, because that security wasn't part of its core design. Postfix was designed for security from the ground up, and is much less difficult to maintain.

Another issue that was exposed in the early code review was the lack of a design document or commented code. Again, I am not a coder, but I know that documentation is the heart's blood of any team project, and absolutely critical for being able to maintain code. Where is Diaspora as far as documentation goes?

(Mirrored to Google+) (Mirrored to Diaspora)

Date: 2011-08-26 07:56 pm (UTC)
From: [personal profile] reddragdiva
Is your "Mirrored to Diaspora" link supposed to bounce back here?

Date: 2011-08-27 11:14 pm (UTC)
From: [personal profile] hub
Maybe one would hope that both being "open" they implement a cross post feature in some way, eventually pull or push RSS.

Page generated Aug. 19th, 2017 08:26 pm
Powered by Dreamwidth Studios