Slashdot Mirror


Security Lessons Learned From the Diaspora Launch

patio11 writes "Diaspora, the privacy-respecting OSS social network, did a code release last week. Attention immediately focused on security. In fact the code base included several severe security bugs. This post walks through the code, showing what went wrong, and what it would let an attacker do to someone who was using Diaspora." The developer who wrote the post ends with: "You might believe in the powers of OSS to gather experts (or at least folks who have shipped a Rails app, like myself) to Diaspora’s banner and ferret out all the issues. You might also believe in magic code-fixing fairies. Personally, I’d be praying for the fairies because if Diaspora is dependent on the OSS community their users are screwed."

3 of 338 comments

  1. Re:Axe job by siride · Score: 0, Redundant

    Yeah, but his point is that this is *the* major feature of diaspora. How could it be missing from any release? It should be in there from the beginning, in the core architecture.

  2. Re:Axe job by jensend · Score: 1, Redundant

    Uh, they haven't launched, and aren't launching for a good while yet. They just prefer to develop their code in an open fashion rather than "cathedral style." Sure, they could have just developed it in private until they felt it was "close to right", and have lost many of the benefits of being an open-source project by doing so. Developing it in the open should result in a better codebase developed in less time.

  3. Re:Axe job by spleen_blender · Score: 1, Redundant

    There is no Silver Bullet in coding. You can't get it right from the beginning always, and you shouldn't hinge success on that hope. The biggest benefit projects get from the FOSS community is that such silly security problems are easily spotted and fixed. If anything this gives me HOPE because it shows there is enough interest in the project that the code is being held to a solid standard. And thanks to that same community those standards will be met, maintained, and hopefully exceeded.