ServerFault.com

[Ehtyar]

For those of you who don't read CodingHorror (start NOW!), Joel Spolsky and Jeff Atwood have just released StackOverflow's sister site, ServerFault.com to the public. This site uses the same engine as StackOverflow, except it's geared toward sysadmins. Very awesome stuff. There is, of course, already a sysadmin jokes thread.

Ehtyar.

[f0dder]

For those of you who don't read CodingHorror (start NOW!)

-Ehtyar (June 03, 2009, 01:42 AM)

Yeah, it's a great laugh seeing "Jeff discovers <X>, implementing it wrong"

[Ehtyar]

Anyway...

<RANT WARNING, RANT WARNING>

Typically I totally avoid web 2.0 completely, but ServerFault sounds like (and is) a really great site. Having said that, I've found a few things that piss me off about this site (and its attempt at being web 2.0) that I just can't keep to myself.

• Forcing OpenID is just plain retarded, and massively out of touch. Surely any technically competent person knows this technology is going in exactly the wrong direction.
• Using gravatar for avatars exclusively? Sucks!!
• Reinventing bbcode for no apparent reason whatsoever? Made of suck!!
• The number of restrictions and CAPTCHAs placed on new users? Made of lots of suck.
• Using AJAX to update everything except the front page? Priceless.

Not only did I have to get an OpenID to join this site (until someone explains to me just how this shit is supposed to work, and just what is supposed to happen when your account is breached, I consider it a MASSIVE dickhead technology), but if I want my pic on the site, I need to sign up to another friggin site? One would think 3 ad blocks on every page would buy you some space on your server, especially considering your avatar is 32x32.

</RANT WARNING, RANT WARNING>

HOWEVER, I am very much enjoying contributing to the site. I managed to earn two badges and 100 rep in around 2 hours on the site, which makes me feel like my contribution is appreciated and brings me back to help out more. I do like the way they've made certain everyone understand what the site is for, and the question/answer model that would eventually crumble in a typical forum architecture. My vote is a yay, but only because the site is based on a well formed concept.

Ehtyar.

[f0dder]

If more sites supported OpenID and gravatar, it would be a really nifty thing - I'm tired of maintaining passwords for a zillion sites (and damned if I use the same multiple sites, considering how many places use unsafe password storing practices!), and having to upload an avatar multiple places sucks as well. IMHO forcing these two isn't such a bad idea, and I wish more places would do so to get the technology spread.

But yeah, having to get an OpenID + gravatar account for just one site kinda sucks. And while OpenID single-signon is a really nice thing, I am also a bit concerned about the security implications. Definitely wouldn't use it for stuff like paypal or amazon to begin with.

And yup, reinventing bbcode is silly - especially because they (knowing Jeff's technical expertise) probably use regular expressions for parsing it

[Ehtyar]

If more sites supported OpenID and gravatar, it would be a really nifty thing - I'm tired of maintaining passwords for a zillion sites (and damned if I use the same multiple sites, considering how many places use unsafe password storing practices!)

-f0dder (June 03, 2009, 06:53 PM)

And here you are recommending the use of a single site to authenticate you on multiple sites.... I'm not sure being a bit concerned describes how I feel about it.

Still, I'm not saying this is all a bad idea, but forcing each of them on every single user is a little excessive IMHO.

Ehtyar.

[f0dder]

If more sites supported OpenID and gravatar, it would be a really nifty thing - I'm tired of maintaining passwords for a zillion sites (and damned if I use the same multiple sites, considering how many places use unsafe password storing practices!)

-f0dder (June 03, 2009, 06:53 PM)

And here you are recommending the use of a single site to authenticate you on multiple sites.... I'm not sure being a bit concerned describes how I feel about it.

-Ehtyar (June 03, 2009, 08:11 PM)

It's a bit of a double-edged sword. I'd be comfortable using it for non-critical stuff like forums and blogs, though. For anything more critical, I'd like some pretty specific details on how the OpenID vendor is keeping my information safe... and I'd want to read up closely on how the whole thing works.

Still, I'm not saying this is all a bad idea, but forcing each of them on every single user is a little excessive IMHO.

-Ehtyar (June 03, 2009, 08:11 PM)

How else would you achieve 'market penetration'?

[Lashiec]

Typically I totally avoid web 2.0 completely, but ServerFault sounds like (and is) a really great site. Having said that, I've found a few things that piss me off about this site (and its attempt at being web 2.0) that I just can't keep to myself.

• Forcing OpenID is just plain retarded, and massively out of touch. Surely any technically competent person knows this technology is going in exactly the wrong direction.
• Using gravatar for avatars exclusively? Sucks!!
• Reinventing bbcode for no apparent reason whatsoever? Made of suck!!
• The number of restrictions and CAPTCHAs placed on new users? Made of lots of suck.
• Using AJAX to update everything except the front page? Priceless.

-Ehtyar (June 03, 2009, 06:28 PM)

Answer: Jeff Atwood

On OpenID requirement:

The important thing to take away from this, if you're a programmer working on an application that stores user credentials, is to get the hell out of the business of storing user credentials! As we've seen today, the world is full of stupid users like me who do incredibly stupid things. Are you equipped and willing do everything necessary to protect idiots like me from myself? That's a key part of the promise of OpenID, and one of the reasons we chose it as the authentication system for Stack Overflow.

On Gravatar:

  Let someone else host the avatars . This collides with the concerns he expressed about depending on external services (Akismet), but whatever.

On BBCode:

With BBCode, if the user enters HTML you blow it away with extreme prejudice -- it's encoded, without exceptions. Easy. No thinking and barely any code required.

Since we use Markdown, we don't have that luxury. Like it or not, we are now in the nasty, brutish business of distinguishing "good" HTML markup from "evil" HTML markup. That's hard. Really hard. Dare and Jon are right to question the competency and maybe even the sanity of any developer who willingly decided to bite off that particular problem.

On restrictions and CAPTCHAs:

  IIRC, Jeff wasn't a big believer in CAPTCHA, but seeing how he removed the famous "orange" method and opted for reCAPTCHA, I suppose it's done to avoid system abuse.

And yup, reinventing bbcode is silly - especially because they (knowing Jeff's technical expertise) probably use regular expressions for parsing it

-f0dder (June 03, 2009, 06:53 PM)

And f0dder hits the jackpot!

Also, apparently everyone who can tell Mark Russinovich from a photo should be interested in the site. What's more, he/she must be a system administrator

[Ehtyar]

I do have to say this was not intended personally. I listen to the StackOverflow podcast religiously, and I very much enjoy his work on that.

On OpenID requirement:

The important thing to take away from this, if you're a programmer working on an application that stores user credentials, is to get the hell out of the business of storing user credentials! As we've seen today, the world is full of stupid users like me who do incredibly stupid things. Are you equipped and willing do everything necessary to protect idiots like me from myself? That's a key part of the promise of OpenID, and one of the reasons we chose it as the authentication system for Stack Overflow.

-Lashiec (June 04, 2009, 06:33 PM)

While I do understand the point he makes with regard to storing user credentials, you cannot tell me there are not solid and well proven frameworks in just about every language under the sun for storing user credentials securely. Where people become unstuck is when they decide to roll their own and inevitably screw it up. Lazyness.

On Gravatar:

  Let someone else host the avatars . This collides with the concerns he expressed about depending on external services (Akismet), but whatever.

-Lashiec (June 04, 2009, 06:33 PM)

Spectacular lazyness, and cheapness. He's also having us sign up to yet another service, which is rather irresponsible/hypocritical given his standing on storing user credentials...

On BBCode:

With BBCode, if the user enters HTML you blow it away with extreme prejudice -- it's encoded, without exceptions. Easy. No thinking and barely any code required.

Since we use Markdown, we don't have that luxury. Like it or not, we are now in the nasty, brutish business of distinguishing "good" HTML markup from "evil" HTML markup. That's hard. Really hard. Dare and Jon are right to question the competency and maybe even the sanity of any developer who willingly decided to bite off that particular problem.

-Lashiec (June 04, 2009, 06:33 PM)

I'm not sure I followed this one correctly, but it sounds like he's saying BBCode is the only sane alternative to letting your users put html in their posts. That is most definately correct, but it does not explain, nor justify, his development of a completely new syntax for his BBCode. One that makes substantially less sense than the kind we're all familiar with, I might add.

On restrictions and CAPTCHAs:

IIRC, Jeff wasn't a big believer in CAPTCHA, but seeing how he removed the famous "orange" method and opted for reCAPTCHA, I suppose it's done to avoid system abuse.

And yup, reinventing bbcode is silly - especially because they (knowing Jeff's technical expertise) probably use regular expressions for parsing it

-f0dder (June 03, 2009, 06:53 PM)

-Lashiec (June 04, 2009, 06:33 PM)

Not sure of your point here Lash Man. CAPTCHAs are fine, but not when you have to fill one out for your first 10 comments and votes. Just silly. If they're having such massive SPAM problems, get more moderators on board.

Ehtyar.

[Lashiec]

I do have to say this was not intended personally. I listen to the StackOverflow podcast religiously, and I very much enjoy his work on that.

-Ehtyar (June 04, 2009, 06:54 PM)

Sure. I'm an avid reader of Coding Horror as well, partly because the guy is an skilled blogger, and partly because he usually talks about something interesting, but I thought some of the issues you point can be explained by certain Jeff's posts. That said, Stack Overflow is not only him, so that would explain the extreme contrast between things he said and how things were implemented in the site.

While I do understand the point he makes with regard to storing user credentials, you cannot tell me there are not solid and well proven frameworks in just about every language under the sun for storing user credentials securely. Where people become unstuck is when they decide to roll their own and inevitably screw it up. Lazyness.

-Ehtyar (June 04, 2009, 06:54 PM)

Well, it also lines up nicely with his disdain for having several user credentials in the web. While it's the first site I have encountered to require OpenID, at least they have several providers to choose from. I'm not exactly sure about that wrong direction you say OpenID is going, but while the idea is certainly nice, the execution is weird to say the least, and I don't think that most users really care about the whole thing. Even now, that everyone and their dog is jumping on board, including (gasp!) Microsoft, it's becoming more irrelevant each passing day due to various reasons (browsers and passwords managers doing a "good" job storing different credentials, the vast majority of users not having that many passwords and logins to remember, etc.)

Spectacular lazyness, and cheapness. He's also having us sign up to yet another service, which is rather irresponsible/hypocritical given his standing on storing user credentials...

-Ehtyar (June 04, 2009, 06:54 PM)

Perhaps they reached the conclusion that many people would already have a Gravatar account (giving how essential is for blogs and the like), who knows.

I'm not sure I followed this one correctly, but it sounds like he's saying BBCode is the only sane alternative to letting your users put html in their posts. That is most definately correct, but it does not explain, nor justify, his development of a completely new syntax for his BBCode. One that makes substantially less sense than the kind we're all familiar with, I might add.

-Ehtyar (June 04, 2009, 06:54 PM)

Yup. I googled a bit about Markdown, which is another light markup language as BBCode as you may know, and it seems it does not offer XSS protection. Why they choose Markdown over BBCode? Dunno.

Not sure of your point here Lash Man. CAPTCHAs are fine, but not when you have to fill one out for your first 10 comments and votes. Just silly. If they're having such massive SPAM problems, get more moderators on board.

-Ehtyar (June 04, 2009, 06:54 PM)

Ooops, sorry about that, looks like I mixed thoughts. Then it's also probably done to avoid sock puppetry, and avoid giving yourself some extra points. That said, it's not that CAPTCHAs would be such an effective dissuasive method.

[justice]

The reason they chose Markdown over BBCode is most likely because BBCode requires you to type like a coder, while Markdown requires you to type like a writer. There's a lot more people that can write than that can code.

And as things like avatar images are not essential it makes more sense to use a third party service.

[f0dder]

The reason they chose Markdown over BBCode is most likely because BBCode requires you to type like a coder, while Markdown requires you to type like a writer. There's a lot more people that can write than that can code.

-justice (June 30, 2009, 04:28 AM)

Pretty bad reason, imho.

StackOverflow and ServerFault both address pretty techy people. And besides, regular people don't seem to have much trouble learning bbcode (or using the "easy editors", like the smart little buttons SMF has).