[sf-lug] any opinions or thoughts on identi.ca?

Rick Moen rick at linuxmafia.com
Sat Sep 12 06:38:35 PDT 2009


Quoting Christian Einfeldt (einfeldt at gmail.com):

> I haven't researched this issue much, but Identi.ca touts its service as
> being more Free (as in Free Speech) than Twitter.  They claim that it is
> easier to fork their service than Twitter. 

Well, it is.

Except, the term "fork their service" is rather confusing and
(inadvertently misleading).  You can fork (i.e., independently use for
any purpose, and, if you wish, modify or commission modifications of)
the underlying _software_.  Which in turn means that you're not
dependent on any particular implementation of the "service" that uses
that software.

You are not limited to sharecropping on Twitter, Inc.'s property.  You
can have your content _anywhere_ someone sets up and runs that software
(_not_ just on "Identi.ca").  

My friend Evan Prodromou, recently living in Montreal, wrote the
entirely open source Laconica software that powers Identi.ca.  Twitter
uses entirely proprietary software.  If Twitter.com decides to close up
shop, you're completely and definitively screwed.  By contrast, if
Identi.ca closes down for any reason (or turns evil, etc.), you or
anyone else can start up a Laconica instance to host your and anyone
else you wish to host's tweets, in a heartbeat.

> For me, Twitter is a necessary evil, the same way that Gmail is a
> necessary evil. 

GMail is _supremely_ unnecessary.  ;->  So is Twitter.

> Gmail's ability to search my vast inbox of 41k emails is simply astounding.

41,000 e-mails isn't much.  And mutt and grep aren't broken.

Some people are starting to like "Sup" (though I'm remaining with mutt).
Here's my entry on http://linuxmafia.com/faq/Mail/muas.html:

  Sup: http://sup.rubyforge.org/ Ncurses-based, written in Ruby. (Also
  known as "sup-mail" and, rarely, as "sup-mailer".) Supports multiple
  accounts, mbox, mbox over SSH, IMAP, IMAP-SSL, Maildir, POP3 (pending),
  mh (pending), and Gmail (pending). Designed to handle very large amounts
  of mail. Does fast full-text search, GMail-style threading, multiple
  buffers, thread-centric operation, automatic contact-list management,
  custom code insertion via a hook system, organising e-mail with
  user-defined labels, automatically tracking recent contacts. Project was
  initially called "Redwood". Beta release at 2007-07-01. GNU GPLv2.


> And Google does employ several key FOSS developers and supports lots
> of FOSS coding.  

It's nice that they keep Chris di Bona's mortgage paid, but that doesn't
mean their proprietary services aren't just another way to throw away
your computing autonomy and hand over your data to a large, secretive,
and often rather sinister corporation that owes you no loyalty
whatsoever.  Frankly, screw that.

> We really need to find more ways to make money with Free Software. 

Why?  The existing ones work fine.

> Here is what Identi.ca has to say about its emphasis on Free:

Here's what I had to say, when a friend asked me in e-mail about an
online CNet column bad-mouthing Identi.ca and its underlying software:


  [My friend wrote, knowing I think the referenced author is, um, an
  ex-Stanford Law corporate attorney who tends, IMO, to speak somewhat
  with forked tongue:]

  > Our good friend Mr. Matt Asay has published more of his insightful
  > commentary on CNET yesterday:
  >
  > http://news.cnet.com/8301-13505_3-10293886-16.html
  >
  > I'm sure you'll enjoy it.

  [Snip some slightly uncharitable comments of mine about the referenced
  author's past commentary on "badgeware" Web 2.0 licensing for hosted
  software, in which he tends to have business interests that are not
  even in all cases properly, IMO, disclosed to readers.]

  In the current case, I'm pretty sure Asay's well aware he's spewing 
  bullshit.  The fallacy can be seen by asking "What happens if Twitter 
  shuts down?  Whereas, what happens if Identi.ca shuts down?"

  If Twitter shuts down, then Asay, Tim O'Reilly, and all the other 
  twitterers are completely and permanently screwed -- because nobody 
  else has the Twitter server software or the legal right (or even 
  physical ability) to run it, let alone maintain and redistribute it.
  If Identi.ca shuts down, you, I, Asay, O'Reilly, or anyone else can 
  replace it in about an hour with an independent instance
  of the open-source Laconica software that runs it -- requiring nothing
  more sophisticated than a static IP, a throwaway machine, Linux, PHP,
  and a couple of PEAR libraries (http://laconi.ca/trac/wiki/Installation).

  Asay is fully aware of that -- as, probably, is O'Reilly -- but they're
  going to talk around that point, taking advantage of the fact that
  they're talking to credulous people who don't know better.


  Watch Asay's tongue do its patented forking action, with Kung-Fu
  Grip<tm>!

      Twitter, in other words, with its closed license, may well be more
      open than Identi.ca, at least in the areas that most people care about
      (development community plus the ability to use tool of choice)

  Note that careful qualifier:  What matters is "areas that most people
  care about", and that that constitutes "development community"
  (Twitter's sharecropper community of people making mashups of its 
  proprietary software's published API), and "ability to use tool of
  choice".

  "Tool of choice" is defined for purposes of Asay and O'Reilly's rhetoric
  as Seesmic.  Any server back-end that Seesmic cannot talk to gets 
  defined as "less free" in Asay and O'Reilly's model.

  Neither of them wants to talk about the fact that Seesmic is useful
  only with a proprietary back-end that can vanish with the flip of a
  power switch.

  Effectively, Asay and O'Reilly have redefined "freedom" to mean "my 
  convenience at this moment".  Neat trick, if you can stand it. 

    Licensing does not create a community: there are plenty of open-source 
    projects that completely adhere to the Open Source Definition and yet
    are effectively closed to outside developers, while Microsoft and
    others have shown for years that they can attract significant outside
    development around their platforms.

  Again, the sham nature of this rhetoric can be seen by asking the same
  simple question as before:  What happens to OpenOffice.org code if
  Sun Microsystems is shut down (or Oracle, now)?  (OO.o is often cited
  as an opensource project effectively "closed" to outside developers.)
  What happens to MS-Windows if Microsoft Corporation shuts down?

  Anyone and everyone who cares about OO.o development has the ability and
  right to independently take over coding and release, at any time.  By
  contrast, MS-Windows developers/users would be totally screwed.

  Asay knows this perfectly well.


Last, here's what I wrote last November, when Evan had recently released
Laconica, and had written asking for my comments:

Quoting Evan Prodromou:

> Hi, Rick! I don't know if you've seen this site at all, but I started
> it this summer. It's the "Open Source Twitter", getting a lot of
> interest from FOSS people, thought you might like to join. I'd love
> your opinion on it.

Hi, Evan!  This is a small effort towards giving you thoughtful
feedback.  It's rushed, for which I apologise.

Short version:  Laconica's a very nice achievement.  Kudos.  Coolest
bit in my opinion is the OpenMicroBlogging spec, and its content-licence
negotiation feature is super-cool:  Whatever makes radically
decentralised but autonomous computing more practical is good.  And its
reliance on OpenID is common sense -- but also one more blow for the
good guys.  Reasons I probably won't use (specifically) Identi.ca have
nothing to do with its quite abundant merit, but rather reflect my
unreasonable insistence on doing my _own_ decentralised and autonomous
computing.


Long version:  When "Software as a Service" (SaaS) hosted apps took off,
I dug in my heels and said "no".  Formal expression of my saying "no" is
here: http://linuxmafia.com/faq/Essays/winolj.html

(I actually _do_ have a LiveJournal login now, which is "rinolj",
strictly to follow my wife's and some other friends' LJ blogs, but I
don't post blog entries there.)

As you'll see in the linked essay, my stance is that open source was all
about returning control of software _and_ data to the user.  SaaS/Web
2.0 creations are, from my (unreasonable) standpoint a step backwards.
My stance is that if I wanted to participate in something like Twitter,
I'd do it on my own machine and software resources using open source.
Ditto LiveJournal.  Ditto Digg.  Ditto Del.icio.us.  And so on.

So, I'm keenly interested in Laconica but merely respectful of
Identi.ca.  (Absolutely no offence intended!)  Identi.ca helps prove the
merit of Laconica, and undoubtedly will help developers torture-test it.

Yes, I know that very few people give a damn about having autonomous
control over their online presence and data.  I'm OK with being one of
those very few people.  When I look at applications I could run and
online schemes I could participate in, I try to estimate how much
complexity, machine resources, security headaches, and sysadmin time
(_my_ time) it's likely to chew up.  Time permitting, I deploy whatever
has high enough estimated coolness-to-headache ratios.

Laconica and OpenMicroBlogging _seem_ to make such a deployment pretty
attractive.  We'll see.


Further shirtsleeve comments follow, because you asked.  (Otherwise,
ex-cathedra critical remarks from some jackass sysadmin might come
across as impertinent and infuriating -- which they might, anyway.)

Might as well do the big flamebait item first:  PHP.

I like and use PHP.  Its association with security meltdowns is 80%
social effect: careless novice coders cut their teeth on it (but using
it of course doesn't make you a careless novice coder).  The other 20%
can be cut further by locking down the ubiquitous bad installation
defaults for the PHP engine.  See my recommendations, not yet fully
updated for PHP5:  http://linuxmafia.com/faq/Security/php.html

That sort of lockdown has tended, statistically, to break many developed
PHP apps, because of developers relying on the unsafe engine defaults.
This has been a disturbing trend.  Moreover, security rot has tended to
infect core PHP / PEAR modules such as the two XMLRPC messaging
implementations:  See "Lupper" inside
http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5 , which
exposed the fact that PHP's XMLRPC implementations do _no input validation_.

Failure to do input validation when your code can be expected to handle
public data is a huge red flag, for me.  This problem is endemic in Web
apps, generally, but seems overall a bigger problem among PHP codebases
than most others.  (To be fair, again, this almost certainly has a large
element of social effect.)

It's reassuring to hear news that a language has something like Perl's
"taint mode" (http://www.webreference.com/programming/perl/taint/) --
and to hear news that developers are actually using it at least
semi-routinely.  I don't know if such a mode exists in PHP, but it's
downright frightening that I don't hear PHP guys even talking about it,
or talking about input validation generally.

I came by my caution about Web apps' input validation the hard way:
http://linuxmafia.com/news.html

ikiwiki, by way of comparison, at least leverages the HTML::Scrubber CPAN
library -- and also doesn't require a back-end SQL database that can be
"injected".  What does Laconica do?


I really feel a bit unfair picking on PHP guys, because there's a much
worse group:  Java / J2EE / servlet people.
                                                                                

Better news:  Your dependency tree -- which seems modest.  One of the           
other things that incline me to say "No thanks" is having to install /
maintain a huge hairball of code, just to do something relatively
simple.  Featuritis is a plague in open source -- but of course less so
than in proprietary software, and with the Java tribe forming a link
between the bad habits of the two groups.

However, I get reassured when I see an effort to make code modular to
the extent feasible.  Does Laconica _really, absolutely_ require
XMPP/Jabber in order merely to do microblogging at all?  If not, maybe          
the http://laconi.ca/trac/wiki/Installation page should clarify what are        
the essential dependencies and which can be left out / configured out if
you don't need the entire marching band, e.g., non-federated.
                                                                                
(It's possible there's an inherent reason why XMPP really is an absolute
requirement.  Maybe you should have a brief page outlining the                  
architecture?)                                                                  


When I see that an app is claimed to specifically require a SQL
back-end database, I often am forced to wonder why.  Not everyone's
running sourceforge.net.  ikiwiki back-ends nicely into your choice of          
pretty nearly any reasonable VCS (again, modularity), without problems.         
Why can't a microblogging engine do so?  If I have to dump a database           
engine to disk just so I can take a backup, I want to know why.


The core of ikiwiki is small; it has a well-documented interface for            
plugins:  http://ikiwiki.info/plugins/  So, again, this helps avoid             
having to install / maintain a code hairball, just to get _some_ part           
of everything running.
                                                                                

When I wanted to implement locally on linuxmafia.com something like the         
old Yahoo directory (now http://dir.yahoo.com), I looked around and
found almost nothing but overfeatured CMS engines -- all of which I
refused to use.  Something like a year later, I found and revamped              
PerlHoo.  See:  http://linuxgazette.net/issue98/lg_tips.html#tips.18            
It's just a pair of tiny, minimum-functionality, easily auditable Perl          
CGIs.  Exactly what was needed, not more stuff to break or get cracked.         


I hope you find at least _some_ of my impertinent comments useful.  Or
at least entertaining.  ;->




