[sf-lug] any opinions or thoughts on identi.ca?
Rick Moen
rick at linuxmafia.com
Sat Sep 12 06:38:35 PDT 2009
Quoting Christian Einfeldt (einfeldt at gmail.com):
> I haven't researched this issue much, but Identi.ca touts its service as
> being more Free (as in Free Speech) than Twitter. They claim that it is
> easier to fork their service than Twitter.
Well, it is.
Except, the term "fork their service" is rather confusing and
(inadvertantly misleading). You can fork (i.e., independently use for
any purpose, and, if you wish, modify or commission modifications of)
the underlying _software_. Which in turn means that you're not
dependent on any particular implementation of the "service" that uses
that software.
You are not limited to sharecropping on Twitter, Inc.'s property. You
can have your content _anywhere_ someone sets up and runs that software
(_not_ just on "Identi.ca").
My friend Evan Prodromou, recently living in Montreal, wrote the
entirely open source Laconica software that powers Identi.ca. Twitter
uses entirely proprietary software. If Twitter.com decides to close up
shop, you're completely and definitively screwed. By contrast, if
Identi.ca closes down for any reason (or turns evil, etc.), you or
anyone else can start up a Laconica instance to host your and anyone
else you wish to host's tweets, in a heartbeat.
> For me, Twitter is a necessary evil, the same way that Gmail is a
> necessary evil.
GMail is _supremely_ unnecessary. ;-> So is Twitter.
> Gmail's ability to search my vast inbox of 41k emails is simply astounding.
41,000 e-mails isn't much. And mutt and grep aren't broken.
Some people are starting to like "Sup" (though I'm remaining with mutt).
Here's my entry on http://linuxmafia.com/faq/Mail/muas.html:
Sup: http://sup.rubyforge.org/ Ncurses-based, written in Ruby. (Also
known as "sup-mail" and, rarely, as "sup-mailer".) Supports multiple
accounts, mbox, mbox over SSH, IMAP, IMAP-SSL, Maildir, POP3 (pending),
mh (pending), and Gmail (pending). Designed to handle very large amounts
of mail. Does fast full-text search, GMail-style threading, multiple
buffers, thread-centric operation, automatic contact-list management,
custom code insertion via a hook system, organising e-mail with
user-defined labels, automatically tracking recent contacts. Project was
initially called "Redwood". Beta release at 2007-07-01. GNU GPLv2.
> And Google does employ several key FOSS developers and supports lots
> of FOSS coding.
It's nice that they keep Chris di Bona's mortgage paid, but that doesn't
mean their proprietary services aren't just another way to throw away
your computing autonomy and hand over your data to a large, secretive,
and often rather sinister corporation that owes you no loyalty
whatsoever. Frankly, screw that.
> We really need to find more ways to make money with Free Software.
Why? The existing ones work fine.
> Here is what Identi.ca has to say about its emphasis on Free:
Here's what I had to say, when a friend asked me in e-mail about an
online CNet column bad-mouthing Identi.ca and its underlying software:
[My friend wrote, knowing I think the referenced author is, um, an
ex-Stanford Law corporate attorney who tends, IMO, to speak someowhat
with forked tongue:]
> Our good friend Mr. Matt Asay has published more of his insightful
> commentary on CNET yesterday:
>
> http://news.cnet.com/8301-13505_3-10293886-16.html
>
> I'm sure you'll enjoy it.
[Snip some slightly uncharitable comments of mine about the referenced
author's past commentary on "badgeware" Web 2.0 licensing for hosted
software, in which he tends to have business interests that are not
even in all cases properly, IMO, disclosed to readers.]
In the current case, I'm pretty sure Asay's well aware he's spewing
bullshit. The fallacy can be seen by asking "What happens if Twitter
shuts down? Whereas, what happens if Identi.ca shuts down?"
If Twitter shuts down, then Asay, Tim O'Reilly, and all the other
twitterers are completely and permanently screwed -- because nobody
else has the Twitter server software or the legal right (or even
physical ability) to run it, let alone maintain and redistribute it.
If Identi.ca shuts down, you, I, Asay, O'Reilly, or anyone else can
replace it in about an hour with an independent instance
of the open-source Laconica software that runs it -- requiring nothing
more sophisticated than a static IP, a throwaway machine, Linux, PHP,
and a couple of PEAR libraries (http://laconi.ca/trac/wiki/Installation).
Asay is fully aware of that -- as, probably, is O'Reilly -- but they're
going to talk around that point, taking advantage of the fact that
they're talking to credulous people who don't know better.
Watch Asay's tongue do its patented forking action, with Kung-Fu
Grip<tm>!
Twitter, in other words, with its closed license, may well be more
open than Identi.ca, at least in the areas that most people care about
(development community plus the ability to use tool of choice)
Note that careful qualifier: What matters is "areas that most people
care about", and that that constitutes "development community"
(Twitter's sharecropper community of people making mashups of its
proprietary software's published API), and "ability to use tool of
choice".
"Tool of choice" is defined for purposes of Asay and O'Reilly's rhetoric
as Seesmic. Any server back-end that Seesmic cannot talk to gets
defined as "less free" in Asay and O'Reilly's model.
Neither of them wants to talk about the fact that Seesmic is useful
only with a proprietary back-end that can vanish with the flip of a
power switch.
Effectively, Asay and O'Reilly have redefined "freedom" to mean "my
convenience at this moment". Neat trick, if you can stand it.
Licensing does not create a community: there are plenty of open-source
projects that completely adhere to the Open Source Definition and yet
are effectively closed to outside developers, while Microsoft and
others have shown for years that they can attract significant outside
development around their platforms.
Again, the sham nature of this rhetoric can be seen by asking the same
simple question as before: What happens to OpenOffice.org code if
Sun Microsystems is shut down (or Oracle, now)? (OO.o is often cited
as an opensource project effectively "closed" to outside developers.)
What happens to MS-Windows if Microsoft Corporation shuts down?
Anyone and everyone who cares about OO.o development has the ability and
right to independently take over coding and release, at any time. By
contrast, MS-Windows developers/users would be totally screwed.
Asay knows this perfectly well.
Last, here's what I wrote last November, when Evan had recently released
Laconica, and had written asking for my comments:
Quoting Evan Prodromou:
> Hi, Rick! I don't know if you've seen this site at all, but I started
> it this summer. It's the "Open Source Twitter", getting a lot of
> interest from FOSS people, thought you might like to join. I'd love
> your opinion on it.
Hi, Evan! This is a small effort towards giving you thoughtful
feedback. It's rushed, for which I apologise.
Short version: Laconica's a very nice achievement. Kudos. Coolest
bit in my opinion is the OpenMicroBlogging spec, and its content-licence
negotiation feature is super-cool: Whatever makes radically
decentralised but autonomous computing more practical is good. And its
reliance on OpenID is common sense -- but also one more blow for the
good guys. Reasons I probably won't use (specifically) Identi.ca have
nothing to do with its quite abundant merit, but rather reflect my
unreasonable insistence on doing my _own_ decentralised and autonomous
computing.
Long version: When "Software as a Service" (SaaS) hosted apps took off,
I dug in my heels and said "no". Formal expression of my saying "no" is
here: http://linuxmafia.com/faq/Essays/winolj.html
(I actually _do_ have a LiveJournal login now, which is "rinolj",
strictly to follow my wife's and some other friends' LJ blogs, but I
don't post blog entries there.)
As you'll see in the linked essay, my stance is that open source was all
about returning control of software _and_ data to the user. SaaS/Web
2.0 creations are, from my (unreasonable) standpoint a step backwards.
My stances is that if I wanted to participate in something like Twitter,
I'd do it on my own machine and software resources using open source.
Ditto LiveJournal. Ditto Digg. Ditto Del.icio.us. And so on.
So, I'm keenly interested in Laconica but merely respectful of
Identi.ca. (Absolutely no offence intended!) Identi.ca helps prove the
merit of Laconica, and undoubtedly will help developers torture-test it.
Yes, I know that very few people give a damn about having autonomous
control over their online presence and data. I'm OK with being one of
those very few people. When I look at applications I could run and
online schemes I could participate in, I try to estimate how much
complexity, machine resources, security headaches, and sysadmin time
(_my_ time) it's likely to chew up. Time permitting, I deploy whatever
has high enough estimated coolness-to-headache ratios.
Laconica and OpenMicroBlogging _seem_ to make such a deployment pretty
attractive. We'll see.
Further shirtsleeve comments follow, because you asked. (Otherwise,
ex-cathedra critical remarks from some jackass sysadmin might come
across as impertinent and infuriating -- which they might, anyway.)
Might as well do the big flamebait item first: PHP.
I like and use PHP. Its association with security meltdowns is 80%
social effect: careless novice coders cut their teeth on it (but using
it of course doesn't make you a careless novice coder). The other 20%
can be cut further by locking down the ubiquitous bad installation
defaults for the PHP engine. See my recommendations, not yet fully
updated for PHP5: http://linuxmafia.com/faq/Security/php.html
That sort of lockdown has tended, statistically, to break many developed
PHP apps, because of developers relying on the unsafe engine defaults.
This has been a disturbing trend. Moreover, security rot has tended to
infect core PHP / PEAR modules such as the two XMLRPC messsaging
implementations: See "Lupper" inside
http://linuxmafia.com/~rick/faq/index.php?page=virus#virus5 , which
exposed the fact that PHP's XMLRPC implementations do _no input validation_.
Failure to do input validation when your code can be expected to handle
public data is a huge red flag, for me. This problem is endemic in Web
apps, generally, but seems overall a bigger problem among PHP codebases
than most others. (To be fair, again, this almost certainly has a large
element of social effect.)
It's reassuring to hear news that a language has something like Perl's
"taint mode" (http://www.webreference.com/programming/perl/taint/) --
and to hear news that developers are actually using it at least
semi-routinely. I don't know if such a mode exists in PHP, but it's
downright frightening that I don't hear PHP guys even talking about it,
or talking about input validation generally.
I came by my caution about Web apps' input validation the hard way:
http://linuxmafia.com/news.html
ikiwiki, by way of comparison, at least leverages the HTML::Scrubber CPAN
library -- and also doesn't require a back-end SQL database that can be
"injected". What does Laconica do?
I really feel a bit unfair picking on PHP guys, because there's a much
worse group: Java / J2EE / servlet people.
Better news: Your dependency tree -- which seems modest. One of the
other things that incline me to say "No thanks" is having to install /
maintain a huge hairball of code, just to do something relatively
simple. Featuritis is a plague in open source -- but of course less so
than in proprietary software, and with the Java tribe forming a link
between the bad habits of the two groups.
However, I get reassured when I see an effort to make code modular to
the extent feasible. Does Laconica _really, absolutely_ require
XMPP/Jabber in order merely to do microblogging at all? If not, maybe
the http://laconi.ca/trac/wiki/Installation page should clarify what are
the essential dependencies and which can be left out / configured out if
you don't need the entire marching band, e.g., non-federated.
(It's possible there's an inherent reason why XMPP really is an absolute
requirement. Maybe you should have a brief page outlining the
architecture?)
When I see that an apps is claimed to specifically require a SQL
back-end database, I often am forced to wonder why. Not everyone's
running sourceforge.net. ikiwiki back-ends nicely into your choice of
pretty nearly any reasonable VCS (again, modularity), without problems.
Why can't a microblogging engine do so? If I have to dump a database
engine to disk just so I can take a backup, I want to know why.
The core of ikiwiki is small; it has a well-documented interface for
plugins: http://ikiwiki.info/plugins/ So, again, this helps avoid
having to install / maintain a code hairball, just to get _some_ part
of everything running.
When I wanted to implement locally on linuxmafia.com something like the
old Yahoo directory (now http://dir.yahoo.com), I looked around and
found almost nothing but overfeatured CMS engines -- all of which I
refused to use. Something like a year later, I found and revamped
PerlHoo. See: http://linuxgazette.net/issue98/lg_tips.html#tips.18
It's just a pair of tiny, minimum-functionality, easily auditable Perl
CGIs. Exactly what was needed, not more stuff to break or get cracked.
I hope you find at least _some_ of my impertinent comments useful. Or
at least entertaining. ;->
More information about the sf-lug
mailing list