What I do – Page 10 – Factory Joe

The importance of View Source

There’s been a long history of innovation on the web founded in open access to the underlying source code that first websites, then later interactive web applications, were built on. The facility of having ready access to the inner workings of any web page has been tantamount to continued inspiration, imitation, and most importantly, the ongoing education of subsequent generations of designer-developer hybrids.

On my panel today on The Hybrid Designer, I took a moment to call out my concerns that the shininess of Rich Internet Application (RIA) frameworks like Apollo and SilverLight (the framework formerly known as WPF/E) is blocking out critical consideration to the gravity and potential consequences of moving to these platforms. As Marc Orchant put it:

One of the most interesting discussions in the session was precipitated when Messina voiced his concerns that “containers” for web functionality like Adobe Apollo and Microsoft Silver[light] would make it harder to create dynamic applications that leverage these data streams as they will, he predicted, created new “walled gardens” by obscuring what is currently a pretty open playing field of ideas and techniques. [Jeremy] Keith added the observation that by hiding the source for the hybrid applications created using these tool, up and coming designers would lose a valuable learning resource that runs counter to the spirit of a read/write web built using open, standardized tools. Needless to say, the room was pretty sympathetic to the sentiments expressed by the panel.

In particular, I was suggesting that these frameworks effectively remove the View Source command — an utter reversal in the trend towards openness in web technologies leading to, in my view, new silos within a more closed web.

Ryan Stewart, who sadly I didn’t get a chance to catch up with afterwards, took me to task for my oversimplification:

Today at the Web 2.0 Expo, I sat in on a panel with Richard MacManus, Kelly Goto, Chris Messina and . They talked about the “hybrid designer” and touched on some points about the web and the richness that has really created the “hybrid” notion. In one bit, Chris said he was lamenting the fact that a lot of RIA technologies are taking away the “view source” and he got applause from the crowd.

I think this is the perfect example of how misunderstood the RIA world is. Chris used the example of Apollo and Silverlight as two technologies that are killing view source. Apollo is meant for desktop applications. We don’t have “view source” on the desktop, but that doesn’t mean we couldn’t. Apollo uses Flex and Ajax to create the desktop applications, and BOTH of those allow for view source. It’s true that Flex developers can turn off that feature, but really how is that any different than obfuscating your JavaScript in an Ajax application? When people want to share, the RIA tools out there have mechanisms in place to let them do that. Can you ask for more than that?

I was also surprised to hear Chris complain about Silverlight in that group. Of all the technologies, I think Silverlight actually has the best “view source” support. It uses JavaScript as the programming language behind the hood, and the XAML is just text based, so you can view source just like any other web page and see both the XAML and JavaScript libraries. That’s pretty open I think.

I’ll plead ignorance here (especially in terms of Silverlight), but I refuse to back off from my point about the importance of View Source (a point that I don’t think Ryan disagrees with in principle).

Whether you can get at the “goods” in Silverlight or Apollo apps is only part of the problem. I’ve examined the contents of four or five Apollo apps and each one had any number of impenetrable .swf binaries that I couldn’t do anything with, and even with the complete source code of TwitterCamp, a rather simple Apollo app, it wasn’t obvious how a design-leaning hybrid designer like myself would actually modify the app without buying into expensive Adobe tools like Flash ($699) or Flex Builder ($499). And that in sence, is no different than removing the View Source command altogether.

…and even when I finally did figure out that I could right click and choose View Source while running TwitterCamp, I received this error message and no source code:

Now, Ryan also claims that We don’t have “view source” on the desktop, and I would argue that 1) it depends on your platform and 2) I’m not fundamentally prevented from tinkering with my desktop apps. And this is key.

Let’s drill down for a moment.

On the Mac, every application has the equivalent of a View Source command: simply right click and choose “Show Package Contents”. Since every Mac application is essentially a special kind of folder, you can actually browse the contents and resources of an application — and, in certain cases, make changes. Now, this isn’t as good as getting to the raw source, since there are still unusable binaries in those directories, but you can at least get to the nib files and make changes to the look and feel of an application without necessarily touching code or having the full source.

And so just like on the web, especially with free and open source tools like Firebug and Greasemonkey, with a little bit of knowledge or persistence, you can modify, tweak or wholly customize your experience without getting permission from the application creator all by way of “viewing the source”. More importantly, you can learn from, adapt and merge prior art — source code that you’ve found elsewhere — and that, in turn, can be improved upon and release, furthering a virtuous cycle of innovation and education.

Nonetheless, I’m glad that Ryan has corrected me, especially about Silverlight, which indeed is put together with a lot of plain-text technologies. However, I still can’t help but be skeptical when there seems to be so much in it for Adobe and Microsoft to build out their own islands of the web where people buy only their tools and live in prefab Second Life worlds of quasi-standards that have been embraced and extended. It feels like déjà vu all over again; like we’ve been here before and though I’d thought that we’d internalized the reasons for not returning to those dark ages, the shininess of the new impairs our ability to remember the not-so-distant past… While Ryan may be technically correct about the availability of the source, if that top-level menu item vanishes from the first-gen of RIAs, I remain increasingly concerned that the net result will constitute the emergence of an increasingly closed and siloed web.

I do hope that Ryan’s optimism, coupled with activism from other open source and open web advocates, will work with great speed and efficacy to counter my fears and keep that which is now the most open and vital aspect of the web the way it is now and the way it was meant to be.

The relative value of open source to open services

There’s an active debate going on in the activeCollab community stemming from the announcement that the formerly exclusively community-backed open source project will lose much of its open source trappings to go commercial and focus a closed platform providing open web services.

For those who aren’t aware, activeCollab was created as a free, open source and downloadable response to Basecamp, the project management web app. In June of last year, the project founder and lead developer, Ilija Studen, offered his rationale for creating activeCollab:

First version of activeCollab was written somewhere about May 2005 for personal use. I wanted Basecamp but didn’t want to pay for it. Being a student with few freelance jobs I just couldn’t guaranty that I’ll have money for it every month. So I made one for myself. It’s running on my localhost even today.

Emphasis original.

Ilija offered many of the usual personal reasons for making his project free and open:

Learning.
Control.
Establishing community.
Earning money.

Now, the last one is significant, for a couple reasons, as was pointed out at the time of the first release: Ilija wanted to make money by offering commercial support and customization on a product imitating someone else’s established commercial product.

But competition is good, especially for my friends in Chicago, and they’ve said as much.

But, Ilija made one fatal mistake in his introductory post that I think he’s come to regret nearly a year later: I find it normal to expect something in return for your work. activeCollab will always be free.

And so a community of Basecamp-haters and open source freeloaders gathered around the project and around Ilija, eager to build something to rival the smug success of Basecamp, something sprung from the head of the gods of open source and of necessity, to retrace the steps of Phoenix before it (later redubbed Firefox), to fight the evils of capitalism, the injustice of proprietary code, and to stave off the economic realities of trying to make a living creating open source software.

For a little under a year, the project slogged on, a happy alternative to Basecamp, perfect for small groups without the ability to afford its shiny cousin, perfect for those who refuse to pay for software, and perfect for those who need such collaboration tools, but live sheltered behind a firewall.

A funny thing happened on the way to the bank, though, and Ilija realized that simply offering the code for people to download, modify and run on their own servers wasn’t earning him nearly enough to live on. And without an active ecosystem built around activeCollab (as WordPress and Drupal have), it was hard to keep developing the core when he literally was not able to afford continuing to doing so.

Thus to decision to break from his previous promise and close up the code and offer instead an open API on which others could build plugins and services — morphing activeCollab from a commodity download to a pay-for web service:

Perhaps I am naive, and this was the business model all along. i.e. Build a community for the free software during early development and testing, then close it up just as the project matures.

That was not original plan. Original plan was to build a software and make money from support and customization services. After a while we agreed that that would not be the best way to go. We will let other teams do custom development while we keep our focus solely on activeCollab.

But, the way in which he went about announcing this change put the project and the health of his community at risk, as Jason pointed out:

Ilja,

I’m a professional brand strategist, and while nothing is ever certain, I also feel that this is a bad move.

Essentially you’ve divided your following into three camps. For, against and don’t care. A terrible decision.

What you should have done (or should do… its not too late)__

—> Start a completely seperate, differently branded commercial service that offers professional services

—> Leave your existing open-source model the same and continue to develop the project in concert with the community

————————-

Sugar is not a great model to follow. It’s not.

A better example would Bryyght[dot]com, a commercial company hosting Drupal CMS. The people there are still very actively involved in the original open-source project.

Overall, you should choose your steps wisely. While you’re the driving source behind the project – NOBODY fully owns their own brand.

A brand is owned by the community that are a part of it. Without customers, a brand is nothing.

JH

A brand is owned by the community that are a part of it. Without customers, a brand is nothing. (Hmm, sounds like the theory behind the Community Mark).

I think JH has a point, and with regards to open source, one that Ilija would do well to consider. On the one hand, Ilija has every right to change the course of the project — he started it after all and has done the lion’s share of work. He also needs to figure out a way to make a living, and now, having tried one model, is ready to try another. On the other, closing up the core means that he has to work extra hard to counter the perception that activeCollab is not an open source project, when indeed, parts of it still will be, and likely, won’t be the worse for it.

That many of the original Basecamp haters who supported Ilija’s work have now turned their anger towards him suggests that he’s both pioneering a tribrid open business/open service/open source model and doing something right. At least people care enough to express themselves…

And yet, that’s not to say that the path will be easy or clear. As with most projects, the test is now how he manages this transition that will make the difference, not that he made the decision.

All the same, it does suggest that the open source community is going through an evolution where the question of what to be open about and with whom to share is becoming a lot harder to answer than it once was. Or at least how to sustain open source efforts that play into facile operation as web services.

With the Honest Public License coming in advance of the GPL v3 to cover the use of open source software in powering web applications and services, there are obvious issues with releasing code that once you could count on being tied to the personal desktop… now with the hybridization of the desktop/internet environments and the democratization of scripting knowledge, it’s a lot harder to make a living simply through customization and support services for packaged source code when you’re competing against everyone and their aunt, not to mention Yahoo, Google and the rest.

Steve Ivy asked a poignant question in his recent post on Open Source v. Open Services: If the service is open enough, what’s the value of the source?

Truly, that is a question that I think a lot of us, including folks like Ilija, are going to have to consider for some time to come. And as we do consider it, we must also consider what the sustainable models for open source and open services look like in the future, for we are now living finally living web service-based economy, where the quality of your execution and uptime matter nearly as much, if not more, than the quality of your source code.

Pukka 1.5 adds support for Ma.gnolia

Pukka, a favorite tool of the Delicious crowd, has added support for Ma.gnolia with its 1.5 release.

Thanks to Ma.gnolia’s Mirrord API (which mirrors the Delicious API), a number of formerly Delicious-only applications can also be used with Ma.gnolia. Pukka now ranks among them, though not with out a few discrepancies, notably no support for spaces in tags or ratings, but these are minor issues that can be worked out over time (note, to enable private bookmarks, check this out).

What’s interesting about apps adding cross-domain API support is the slow emergence of standards in new areas (i.e. outside the standard protocols). A framework for application developers that handles multiple bookmarking APIs that essentially do the same thing would be of great value, similar to the work that Jacob Jay started with his MediaSock framework (for publishing to over a dozen media services). I could see such a framework being really useful in browsers, feed readers, media players and similar applications.

Anyone?

Coworking survey and vote on the Net Squared Innovation Fund

I don’t normally cross-post, but seeing as how my blogs are starting to converge a bit, I don’t mind throwing this one in there…

First, Tara’s been collecting survey data on coworking trends — as well as what common experiences, expectations and desires are. We’ve received about 50 responses so far and would love to have more — especially from the LifeHacker and WebWorkerDaily communities.

If you’re interested, come fill out the survey, shouldn’t take more than a few minutes, and we’ll be sharing the data with everyone at the end.

Second, I just blogged over on Citizen Agency about getting your vote out for the Net Squared Innovation Fund. We’re donating a good chunk of consulting time to the effort to help equip non-profits with the skills, technology and “2.0 know-how” that they need to stay competitive and be even more effective in their advocacy using modern tools.

I invite you to read through and familiarize yourself with the slate of proposals that are all in the running for a chunk of the $100,000 that’s been set aside specifically for 20 community-selected projects and then go vote!

Oh, and if you’re in the area tomorrow night, we’re hosting Gina Bianchini, the co-founder and CEO of Ning and Benjamin Rattray the CEO of Change.org at Net Tuesday on the topic of “How Nonprofits Can Use and Build Online Social Networks: Change.org and Ning at Net Tuesday”, starting at 6pm at Citizen Space. Should be an excellent event.

Microformats: Empowering Your Markup for Web 2.0

I received a copy of John Allsopp’s new book, Microformats: Empowering Your Markup for Web 2.0 in the mail today.

My first impression is certainly positive and I think that John has made a very valuable contribution to the community and to our efforts to get microformats out there on the open web.

We now have a solid resource that describes the community, the process, a number of microformats and how they’re being used today and profiles a number of organizations that are making good use of microformats already (sadly he missed Ma.gnolia in the bunch, but there’s always second printings!).

This book is ideal for web developers looking for a handy reference on the existing formats, for web designers wondering about how to make use of microformats in their code and how to apply CSS effectively using their semantics and finally, there’s even probably a trick or two that folks familiar with microformats might learn in its nearly 350 pages.

So, go buy yourself a copy and let me (and John) know what you think!

Problems with OpenID on Highrise

Turns out that 37 Signals’ implementation of OpenID could use some… getting real.

Let me go over these issues and provide either resources or remedies.

Normalization of OpenIDs URLs

Look at these three URLs and make a note to yourself about any differences you see:

To a lay person (or even your average geek), these URLs all represent the same thing — especially if you type any of them into the address bar, they’ll land you on my out-of-date homepage.

But, in the land of OpenID and URI evaluation, these differences can be very significant, especially when you get into the differences between OpenID v1.1 and the forthcoming v2.0 (which adds support for inames).

To the contrary of some discussion on the OpenID list, the way in which you normalize an identity URL very quickly becomes a usability issue if the cause of OpenID login failures are not immediately obvious.

Remedy: Given some of the issues folks have had with OpenID at Highrise, DHH decided to make usability the priority:

I’m going to fix the trailing slash issue on URL-based OpenIDs. We’ll be more liberal in what we take.

This should mean that folks logging in with OpenID shouldn’t have to guess at what their appropriate identity URL looks like, instead only substantively know what the important parts are (i.e. the domain and any sub-domain or path(s)).

Outstanding issues: Of course, 37 Signals can do this, but what happens when the identity URL that someone uses on Highrise doesn’t work elsewhere because other consumers aren’t as liberal with what they accept?

Lack of support for i-names

One of the issues (features?) that OpenID v2.0 brings is the support for i-names, a controversial schema for representing people, businesses and groups using non-familiar formatting codes.

I’ve heard that there’s somewhere in the ballpark of 20,000 i-names users in the wild (I happen to have =chris.messina but never use it), but compared with the over 70 million (and growing) URL-based OpenID users, this is an incredibly small minority of the overall OpenID landscape.

Nevertheless, one potential point of frustration for these users is in the lack of standardization in implementing or indicating support for i-names, as Rod Begbie pointed out in the Highrise forum, to which DHH replied, . We don’t support iname OpenIDs for now, though. We’re just supporting OpenID 1.1.

And this, I imagine, is going to be a common issue, for both OpenID implementors (dealing with support requests for support of i-names) and for i-names users, such that I question, as others have, the wisdom of offering support for i-names identifiers, when issues still clearly remain in the usability of basic URLs.

Remedy: Once the OpenID v2.0 spec has been finalized, there will need to be a new logo to indicate which version of OpenID a consuming site supports; this will hopefully work to set expectations for i-names users.

Outstanding issues: At the same time, the addition of i-names to OpenID v2.0 has caused a lot of concern for folks, many of whom have simply decided to stick with v1.1.

Personally, I don’t see the long term value in fragmenting the OpenID protocol away from more familiar URL-based identifiers. I want something simple, straightforward and obvious. Otherwise, v2.0 is going to be a headache to advocate, to implement and to support that a lot of folks with just stick with v1.1.

Double delegation aka the Sean Coon Problem

My buddy Sean Coon pinged me the other day to see if I could help him debug the problems he was having signing into Highrise with his OpenID account. When he had signed up, he had used seancoon.org as his OpenID URL. He’d started playing with it, but then left it, only to return later, unable to login.

His problem was three-fold, but I’ll first address a basic issue with delegation that some folks might not be familiar with.

As it turned out, Sean had delegated seancoon.org to resolve to ClaimID as his identity provider. The problem was that he used http://claimid.com/spcoon as his identity URL instead of http://openid.claimid.com/spcoon, which is where his OpenID was actually stored.

Typically when people use claimid.com/[username] as their OpenID identity URL to login to sites, this transformation takes place invisibly. This is because ClaimID delegates to themselves.

The problem lies in that Sean delegated seancoon.org to his ClaimID profile, which in turn was delegated to ClaimID’s OpenID server. If this sounds confusing, it is, and that’s why it’s not allowed in OpenID.

As I understand it, delegation can only be done once, or else you might end up in an infinite chain of delegations that may end in some grandious infinite loop. By restricting your delegation hops to one, a lot of problems are avoided.

Remedy: In this case, Sean only needs to re-delegate to openid.claimid.com/spcoon, and fortunately, there’s a handy WordPress plugin that can handle this for him.

Outstanding issues: Delegation is probably one of the coolest aspects of OpenID, since it allows you to use any URL of your choosing as your OpenID and then let someone else deal with the harder part of actually talking to all your services. Furthermore, you can delegate any number of services and set up fallbacks in case your primary identity provider is taking a nap. Communicating how this works and how to resolve and communicate errors when things go wrong is one of the biggest holes in the OpenID offering, and with user experience experts like 37 Signals joining up, I hope that these issues get the amount of due diligence and attention that they deserve.

Untested assumptions

Finally, I discovered a serious mistaken assumption in the Highrise sign-up process. To test out this issue, I created a test account, using http://google.com as my OpenID:

Now, here’s the problem: they didn’t force me to login to that OpenID when I signed up; instead they just assumed that I knew what I was doing and that I was using a valid OpenID.

So here’s the email that I got confirming my account. Note my username:

Of course when I go to login, I can’t, and I’m locked out of my account — since I can’t login and prove that I own google.com — which, notably, is the same result as if I’d mistyped my OpenID. Fortunately, 37 Signals gave me a backdoor, but it kind of defeats the whole purpose of using OpenID and suggests that you shouldn’t let folks arbitrary set their OpenIDs without having them prove that they really have control of their stated identifier.

Remedy: For implementors, you must get proof that someone controls or owns an OpenID if you’re going to rely on it as their primary identifier. You can’t assume that they’ve typed it correctly or even that they’ve even used a proper OpenID. And, most importantly, you’ve got to stress test such a new system to make sure issues like this are avoided.

Oh, and it does appear that MyOpenID.com OpenIDs are totally not working at this time; I’ve put Scott Kveton and Jason Fried in touch, so hopefully they can resolve the matter. Interestingly, if you’ve delegated to more than one identity provider and you’re using your own OpenID URL to login to Highrise, you should be able to get in.

Conclusion

It’s still promising to see folks like 37 Signals get on board with OpenID, but we clearly have a long way to go.

I hope I’ve clarified a few of the current issues that people might be seeing, or that are generally confusing about OpenID, and I admit that while I’m trying to clarify these things, a lot of this will still sound like Greek to most folks.

Given that, if you’re having issues getting OpenID, feel free to drop me a note and I’ll see if I can’t help resolve it.

Netscape will add support for OpenID

Alex Rudloff from Emurse just pinged me that Netscape will formally launch their support for OpenID on Monday:

One of the most consistent pieces of feedback that we have received thus far is that we should look into allowing people to log in using their AOL accounts that are currently used for Netscape/AOL mail, were once used for the previous My.Netscape site, and are used throughout the AOL network.

You sent this feedback, and we have been listening. In conjunction with AOL announcing its role as an OpenID provider, and spurred by the rapid pace by which OpenID is being adopted on the Web, on Monday, March 26th, Netscape will not only support signing in with your current AOL screen name, but also OpenID as a way of accessing Netscape.com and My.Netscape.

This comes as no surprise given that Netscape’s parent company, AOL, is an OpenID identity provider and is building out places where you can use your AIM screenname to login.

Reporting on OpenID implementations lately has become akin to reporting that companies have discovered and are now starting to use HTML… there’s still a long way to go, but clearly this is the future foundation of identity-based services.

Highrise follows trend with OpenID signups at 9%

In announcing a number of welcome changes to their pricing plans on Highrise, their new CRM tool, 37 Signals also provides some welcome figures on the uptake of OpenID:

Another interesting stat is that 9% of the people signed up are using OpenID. Lots of early adopters on board!

This is more or less consistent with Ma.gnolia’s rate of uptake:

So far, over 15% of new Ma.gnolia members are seeing the advantage and getting their OpenID when they join Ma.gnolia. Considering how new OpenID is, and that it takes a bit of un-learning of old sign-in habits, we’re really delighted to see this adoption rate.

Jason Fried has also suggested that OpenID will be making its way to their other products soon:

We’re still learning about OpenID and OpenID implementations with Highrise. There are still some bugs to work out. Once we feel we’ve really nailed that we’ll look into spreading it across the rest of the product line.

As we see more mainstream coverage, like the USA Today article suggesting that OpenID “cuts down on Web registrations”, it’s likely that we’ll easily surpass 100 million OpenIDs by the end of the year as more and more small businesses reap the benefits of the advance of this technology in how it reduces the greatest barrier to attracting and retaining new customers: signing up for yet another account!

All in all, good news for OpenID and for 37 Signals customers.

ClaimID adds social networking

In spite of previous disavowals of having social networking aspirations, identity link aggregator ClaimID has now added the ability to add other ClaimID members to your profile as contacts.

Interestingly, they restrict you to adding friends who have OpenIDs (since every ClaimID profile URL is an OpenID) and use the XFN microformat to define your relationship.

This is a significant decision because, presumably, every OpenID has an owner. As such, adding one of these “verified” OpenID URLs as a contact to your verified OpenID URL could represent a higher trust level — a stronger “claim” as the lingo goes — than simply using the XFN rel-me attribute to create a “weak” relationship claim. Or so goes the theory.

Meanwhile, I’ve recently been reordering my Flickr screenshot collections and have created a set devoted to adding friends interfaces. If you have examples of similar interfaces, leave me a link to the source and I’ll get them added!

37 Signals’ new app Highrise launches

With narry a word on the 37 Signals’ blog SvN, the veil has been lifted on their long awaited CRM tool called Highrise.

There are a number of posts that capture some of the many features of Highrise on the SvN blog and are worth a look:

In the meantime, I’ve collected a bunch of screenshots (nice catch Allen) — in addition to their great tour — that will give you a sense of what the app is all about.

I’m totally excited about their adoption of OpenID, but I have to admit, their implementation — especially in the forum — is a little odd. I love the auto-adapting interface for inputing your OpenID, but the fact that I can’t sign in to the forum with the OpenID that I created my Highrise account with kind of misses the point.

And still no sign of microformats either, but a guy can hope right?

Anyway, it is exciting to take a look at all the interface greatness in this app — definitely some fine work. Whether I’ll become a paying customer is up in the air, especially as open source solutions like CiviCRM exist (though without the interface trappings that make 37 Signals products so attractive). I do like what I see so far, though — and if I can find a way to fit it into my workflow, I’ll likely end up a pretty satisfied user.