Brad Fitzpatrick (bradfitz) wrote in lj_dev,
Brad Fitzpatrick
bradfitz
lj_dev

Releasing all of the source.

I was rolling around in bed, unable to sleep (what's new?), when I thought..... "why the hell haven't I just released all the livejournal source?"

I remember having a few reasons in the past, but I honestly can't remember them now, or they're no longer applicable. There is one potential negative effect (which I'll discuss in a second), but everything other case of how the source would be handled would be beneficial.

Here's the one negative thing.... security. I don't believe in "security through obscurity", but I do believe that security holes and serious bugs tend to be found less in code that's a big black box. Especially for somebody trying to find a hole. Before, if somebody wanted to hack livejournal it'd mean trying to root the box, then causing damage. However, now it'd be much easier... download the code and find that one place where I did something stupid and never caught before.

So---- here's my plan: I want to have a bunch of you do code reviews of all the source before I release it. Let's say I release it in a week.... Monday, March 5th. Does that give all of you Perl hackers enough time?

I want tons of comments, itemized by file and line number... anything that looks suspicious. Please focus on security problems and bugs only, not feature enhancements or changes. Keep a separate file for those, and we can discuss them in a week. For now, all I care about is making sure it's tight enough to release to the world.

Then, I want to work on an INSTALL file, since installing livejournal is no easy task.

Then --- I want at least one of you, ideally several, to actually run all of LiveJournal on your own machines for testing/development.

Also, give me suggestions for licenses, since I hate them but realize I should stick one on here. As far as I know, the GPL is useless for web applications, since you can take the code, modify it, run it on your site, and never have to release your changes because you never released a binary. So, X/BSD/MIT license? Or, should I write my own, in English? Don't ask me what I want out of the license, because I really don't even care.... I want to hear what you think I should care about, and what license I should then use.

So yeah, if you're somewhat competent with Perl and want to review the source, let me know. I know they say Perl is a write-only language, but my Perl is a lot easier to read than most, but perhaps I'm biased. :-)

Also, if anybody has any reasons why perhaps I shouldn't just release all the code, now's the time to state your case, and let everybody here debate it.

The reason I'm doing this, if anybody's curious, is because I'm getting increasingly stressed out with so much to do, and I realize that the only way I'll get any help is if people can be running development livejournal servers on their own machines.

After the source is open, I'll setup rsync/CVS/cvsweb, etc...

I'm still going to be the sole authority on what goes into the main tree, though. I'm incredibly picky about bad code and bad design, and I'll be honest with you if I don't like something, but I think everything will be fine. I hope people will take up the task of documenting, too... some of the LJ API functions are documented, but others aren't. We need shitloads of documentation, really.

This'll be fun...
Subscribe
  • Post a new comment

    Error

    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded 

  • 12 comments