Yes, you have to log in to create a deck. You're the second person I've seen suggest being able to make decks without being logged in. There are too many potential headaches as far as cookies expiring, losing the super secret url, etc. to make me actually want to implement this.
I am planning on turning on HTTPS soon, but I despise third party authentication as a rule. Feel free to try and convince me, but I have never seen the point in tying my uptime to the uptime of a third party, and allowing a third party to revoke my users' account if they so wish.
> I have never seen the point in tying my uptime to the uptime of a third party, and allowing a third party to revoke my users' account if they so wish.
Couldn't agree more. Which is why I recommended Persona! Persona is decentralized. Third party authentication done right. I highly encourage you to look into it, especially if you already know about the issues OAuth2 and co have.
Third party authentication is still the right thing to do in 99 percent of cases. Users should not have to rely on the unknown first party they are sending their credentials to to do things the right way. Moreover, developers should not have to reimplement all these protections every time - 2FA, bcrypt, proper separation of authentication and data, etc. They are not all cheap to set up and some of them are obscure.
Regarding making decks while logged in - my expectation is that the tool would let me share a URL that is not tied to an account. Something akin to the WoW talent calculators that used to be popular back in the days: http://eu.battle.net/wow/en/tool/talent-calculator
Sent some feelers out to devs I respect. Verdict is mostly negative on Persona.
Seems like Mozilla is merely providing bare bones support for Persona these days, and has stopped funding it: http://identity.mozilla.com/
Further, and this is the real nail in the coffin for me, it seems like if you wish to change your email address or lose access to it, there's no way to migrate all accounts at once. It's up to the implementor to support that: https://developer.mozilla.org/en-US/Persona/The_implementor_...
Fun note: Until recently, Email wasn't even required to sign up for GS. A Hacker News user pointed out that without this there's no way to let a user reset their password, so I made it required (though there's still no actual way to reset your password yet. Eeps!) https://qht.co/item?id=8521505
I keep digging (since the site isn't breaking, yay!) but it just keeps not looking good.
On the GitHub, in the last month, a total of four people have committed code eleven times. One committed more than all the others combined.
Also, I originally said:
> Feel free to try and convince me, but I have never seen the point in tying my uptime to the uptime of a third party, and allowing a third party to revoke my users' account if they so wish.
How does Persona not fall foul of both of these? Let's say that I implement Persona and someone uses their Gmail to create an account. Gmail goes down. Can they sign into my site or is my site effectively down for all gmail users?
What if that same user is booted off of Gmail or closes their Gmail account for whatever reason? Are they not then booted off of my site by accident?
Persona is not necessarily tied to Gmail. Persona offers a Gmail gateway. As long as a user has a way of authenticating against the Persona server using the provided email, they are fine. This could be their Facebook account just as well.
Maybe you should talk to Dan Callahan, he'll be happy to answer your questions in more detail I'm sure. I'm saying that because you sound like Persona could benefit you and Persona certainly could use more people like you criticizing it :)
So this comes back to tying accounts to emails: Well, this is the user's choice. They put their internet life into the hands of Google or Yahoo or whatever by choosing such an email provider that may go down at any time. It's completely reasonable and does not actually put YOU in a position where your site locks users into a third party, you are just giving more choice.
As for activity: although it's not on git, there has been renewed interest in Persona lately. And until a better alternative comes by (which won't be for a long, long time) I'll defend Persona tooth and nail because, it may not be perfect, but it is far better than what is currently taking over the entire web.
I know that it's not necessarily tied to Gmail. My point was that now my site is dependent on their relationship to whatever they authenticated against. It might be gmail, it might be Facebook, it might be anything. If that thing either goes away, or revokes their access, they're gone from my site as well. That doesn't sit well with me.
> They put their internet life into the hands of Google or Yahoo or whatever by choosing such an email provider that may go down at any time. It's completely reasonable and does not actually put YOU in a position where your site locks users into a third party, you are just giving more choice.
It's not reasonable. Not to me anyway. And isn't putting your internet life into the hands of any single place exactly antithetical to the entire idea of decentralization?
> it may not be perfect, but it is far better than what is currently taking over the entire web.
It's better than Facebook Connect or things like that, sure. But we aren't comparing it to that, we're comparing it to individual logins. Individual logins put the relationship into the hands of the users and me. That's where it should be.
KeePass and apps like that provide all of the major benefits to users without any of the downsides.
I am not talking about the gateways. I am talking about the identity providers. If your identity provider goes out of business, revokes your access, or any number of other things, you lose your credentials to all sites.
For instance, here's a site with a guy trying to sell you on using IDPs from a big company rather than a small. One of his points though is that the IdP is a single point of failure, exactly my point:
I'll look into Persona. It probably won't be today as I'm trying to be extra attentive to the site while I'm drumming up traffic, but it's on my list now.
In theory you could build it in one sitting then share it. And I suppose there's use there. I don't particularly like the idea of people not being (necessarily) able to edit after the fact. That might not be as big of a downside as I think it is though. I'll mull that over as well. It works for imgur, after all, and even though I have an account I fairly often use it without signing in...
I think this is mitigatable by allowing your users to merge their account into a new one. So this is functionality you can implement server-side; Persona does not by itself prevent your users from changing their email - it just doesn't provide the possibility (right now?)
That's quite interesting! I tried to learn Lisp a while back and found the string handling to be horrible, and it's such a huge part of modern development.
It sounds like there's someone with a lot of skill working to fix exactly this.
So I just looked up Common Lisp string handling and none of it looks familiar. It's possible what I was trying to use before wasn't Common Lisp. It's also possible I was trying to learn from a site that was just doing a horrible job of it. It's possible things have gotten much much better since I last tried to learn it.
Whatever the cause, I was under the impression that you essentially had to treat strings as lists of characters and that there really weren't any built-in functions to handle strings as strings. It seems that's wrong at least in modern day.
Strings are sequences and functions that work on sequences work on strings as well. So getting substrings etc. is all possible.
I've had very few problems operating on strings in Common Lisp (all I missed was starts-with and ends-with functions), could you give some concrete examples so that I might help you?
I can't now because it was years ago I was having problems. I'm starting to think that it was a different Lisp and not Common Lisp I was looking at, too. Too long ago to remember for sure.
Strings are a simple-array of characters and functions that work on sequences work on strings (e.g. remove). They are complemented with some string-specific functions like string-equal, string-trim, string-upcase, etc. It has been that way for at least 20 years. It might have been that the site was doing a horrible job at explaining it.
Eh. I'm definitely a part of several communities on Twitter. It's just that they're micro-communities that are fluid in size and shape. If I'm talking business stuff I'll @shazow usually. If it's coding, usually @wolever, sometimes @shazow or @lnxprgr3, depending on the language/platform/etc.
The whole hashtag thing is ... pretty hit or miss. I wouldn't mind a better solution to that. But as weak as it is, it's how I found some of my closest twitter-friends, so it can definitely work.
Thankfully I haven't had to deal with any harassment issues (not famous, nor a noticeable minority), though sadly I don't doubt that they exist to some degree.
And just to be snippy, I find it amusing that he's so against comments on blogs, preferring that you write your own blog post. Isn't that exactly like Twitter? Everyone has their own medium, none of which are explicitly connected...
It's not at all exactly like Twitter; for one, a text that needs to stand on its own (a blog post) will require far more work to be of any sort of quality than a simple reply on Twitter.
> I think Twitter is defined by the fact that it's about broadcast.
Writing on a blog with comments off is 100% broadcast with no built-in solution for conversations to form. Twitter has a (flawed) way, so Twitter is actually LESS about broadcast than this blog.
> Communities are, above all else, defined by membership, the ability for people to identify as a part of one, and to participate in activities, and share things and experiences with the group.
How does a reader proclaim membership in this blog? Sign up for comments? Post comments? Nope. How does a reader participate? How does a reader share their experiences with the group? Far easier on Twitter than here.
> Every user floats by themselves, interacting with who they please.
Every reader of the blog floats by themselves, interacting with nobody.
> Try following a multi-party conversation using any of the official clients;
How is THIS possible on the blog? You can email the author, sure, but you aren't going to see or be able to reply to anyone else that emailed him.
There's also the widely-repeated quote of "If I had more time, I would have written a shorter letter." Length is not necessarily indicative of amount of thought.
Does that 20% come from your own stats or a third party? Most of the third parties look at worldwide market share. IE8 is disproportionately represented in third-world countries which you may or may not care about in your business.
Best I can tell IE8 is somewhere around 6% in the US (these numbers are rough to find because most of the places that collect statistically significant numbers charge for the info). On my site (which centers around a first-world disposable-income-heavy hobby) IE8 is basically non-existent. Your mileage may vary.
On my largest site with a couple million visitors a month, IE makes up about 16% of site visitors. About 25% of those are using IE8. So, about 4% overall. I specifically ensure that the site still works in IE8 and up and was still quite functional on IE7 when I last looked.
Anyone not ensuring their site works on IE is leaving money and customers on the table. Note that it doesn't have to look exactly the same, but it should still work and allow customers to learn, buy, sign in, subscribe, etc.
It depends on your market. I've worked on apps that have never even seen a visitor using Internet Explorer at all. This happens all the time in b2c software. So that analogy of leaving money on the table is not very realistic.
Of course, it varies. But there are far more users of desktop IE than desktop Safari in the US, for instance. So, once your product spreads beyond early adopters, iPhone users and Mac users (all of which are the minority of the market by large margins in each case) it's important that your site already works with the new visitors as word spreads.
It's not just early adopters vs late adopters. And nobody is saying to disregard all of IE, only very old versions.
We're talking about dropping support for a browser that is mostly used on a thirteen year old operating system that even Microsoft has dropped support for.
My site is unlikely to ever have a significant number of IE8 users. It revolves around a nerdy hobby that people easily spend $500/year on, often in big chunks. They aren't letting their tech get that out of date.
I fully admit that this isn't every market, but you absolutely CAN make decisions about your specific market and decide that IE8 just simply is not and never will be worth it.
On the other hand, there are certain markets that will probably have to worry about IE8 for ten more years.
In theory, I'm right in your target market. I've been considering a good way to keep my handful of users up to date with small changes that aren't big enough to be immediately visible.
But I'm just not feeling it.
In the FAQ, you try to distance yourself from the way that blog posts are used. But, and this is big, blog posts can be used exactly like it seems VisionHistory is designed to be used. I could post nothing but a bullet list on a blog. Just because most people don't doesn't remove that possibility.
I was intrigued enough, given my current desire to have/make a solution to this, to check out the pricing page. So it's not that I was completely uninterested. But I wasn't interested enough to pay the prices listed and I don't know what you could add that would change that. It just seems to solve too small of a problem.
Definitely fair points. I appreciate the feedback!
We are hoping some of the features that a blog can't (or at least not easily) provide would make people want to convert. For example, your customers can subscribe to be notified of updates automatically, easily search through the version updates, submit feature requests to you, download a printer friendly version, etc. all from one nice interface.
Of course if some feature does come to mind that you think would make you want to transition if we added it, do let me know. I'm always open to ideas!
You're right -- it is a small problem that needs solving but one that we've seen time and again from building our own Web applications. So we're happy to solve it and see if there's a larger market of SaaS apps (and others) that could benefit from it.
I don't think it's fair to say that consumers overall like either one more than the other, it depends on what we're paying FOR.
Why are consumers okay with paying a metered fee for electricity, water, and gasoline?
There's competition and/or regulations pushing those prices into reasonable ranges. Usage is fairly predictable. These are things that are horrible to have suddenly shut off without warning (like what effectively happens when you're throttled into unusability). They are things that people need in order to be a functioning member of society in the majority of places on Earth (in places with good public transit, gasoline gets removed from this list).
Aside from point #1, those also sound like the Internet.
> Why are consumers okay with paying a metered fee for electricity, water, and gasoline?
They're not. But normally they don't have a choice.
However, some of the utilities in the Northeast have plans wherein your bill is mostly constant year round even in spite of the spikes at certain times of the year. Lots of people like them even though they almost always wind up paying more than they would otherwise.
It's not just about constancy, it's about having some relationship between how much you pay and how much you use. Utilities that offer that "pay the same every month" feature base the amount you pay on your average usage throughout the year.
Here's an analogy that's closer to cell phone unlimited plans: Imagine if it were instead the same flat fee for everyone across the country. I imagine you'd find the family that lives in a small apartment and keeps the house cool in the winter isn't too happy to find out that very little of their gas bill is explained by their own energy usage, and the vast majority of it is paying to heat the mansions of the rich people across town.
>> Why are consumers okay with paying a metered fee for electricity, water, and gasoline?
> They're not. But normally they don't have a choice.
Wait, what? Says who? I certainly don't speak for everyone, but I'm perfectly happy paying just for my usage of these things.
I think the difference is predictability and that the costs aren't astronomical if you have a high-usage month. If it's colder than usual, I'd perhaps expect to pay another 10% on my utility bill. That's reasonable and not a hardship.
If I were to spend, say, $30/mo on a plan with 500 minutes of voice calling, and went 100 minutes over, but was only charged, say, $6 for that overage, I'd have no problem with that (because 30/500=0.06 and 0.06*100=6). But instead I get charged something like $20, which is way out of proportion to the overage. That's the objection.
And I think part of it is related to an understanding of actually "using something up". When I use more electricity, I know that I actually used something up: that extra power came from more coal being burned, or more water falling from a dam, or something of that nature. When I use more water, I know that my use of it drained a reservoir a little bit more than it otherwise would. I used up a physical good, and I'm paying for that use. If I use more than what a regulator has decided is my "fair share", I might pay a premium for that extra (many utilities have tiered pricing), but I'm ok with that because I do recognize I'm using more than usual, and the added cost of the higher tier isn't unreasonable or burdensome.
But the cost of me spending 100 extra minutes on the phone costs the carrier basically nothing. Sure, if everyone did that in a month, perhaps it would strain the carrier's network (not that it would cause the carrier to spend capital on increased capacity; they'd likely be fine with more dropped/failed calls that month). In general, though, the marginal cost to the carrier when you use more minutes than your plan provides is near zero -- and yet the carrier charges an exorbitant markup for that overage.
> Why are consumers okay with paying a metered fee for electricity, water, and gasoline?
I don't think they are; certainly in my country people hate metered water. And people love fixed-rate mortgages even when they'd pay less on floating. If people had the option of unmetered electricity or gasoline, I think they'd take it.
It could be a regional thing, or it's possible that I am unusual myself, but I've never thought twice about metered electricity, but that's largely because I've never been hit with anything I consider unfair like I have with both mobile phones and home Internet.
Another shitty(*) reality is that companies love putting clauses in contracts that won't hold up in court because MANY people just assume that it must be legal and the rest of the contract is still binding, just not the illegal parts.
(*) This is really done to protect mom and pop business. If they accidentally put in a clause that's not legal, it'd really suck if the entire contract were nullified. But big companies with bajillion dollar lawyers use this loophole to essentially intimidate their customers.
I'm likely a fuddy-duddy, but I agree with mijndert. I detest the idea of using Site A to authenticate with Site B.
For only the tiniest benefit to me (I guess it's marginally faster to sign up, maybe?) and no real benefit to you, your service is now beholden to another. What if Twitter bans a user that is a valuable member of your site? What if Twitter goes under? What if Twitter is outlawed in some countries? What if I have a moral obligation to signing up for Twitter in the first place?
For my own site, I have four form fields on the signup page. Username, Password x2 and an optional email. That, IMO, is actually easier than the Twitter flow.
With the Twitter flow, I have to click to sign in, then read what permissions you're requesting (from another comment I hear that you aren't requesting permission to tweet for me, which is GOOD), then click to accept.
Since I personally don't require email, the user actually has to give me zero personal information. Using Twitter, on the other hand, I have to give you my Twitter handle, which might actually be personal information. I don't know how you're going to USE that information, so if it's personal, I'm not sure if that information is going to be shown to everyone in the community or not.
Well, for the site I set up using this code, I created a Twitter app that didn't ask for permission to Tweet because I only need it to log in the user.
What do you mean in your site the email is OPTIONAL? How can a user reset their password if they forget their password? If a user signs up using their email then they have to confirm it as well, which makes the user log in to his email.
Also users have one less password to remember if they use Facebook or Twitter sign in?
What if the site needs a profile picture for the user profile? Then the signup process takes a longer time and users have to fill in a larger form.
I'm not saying I'm totally in for Social signups, but what alternative do we have?
I honestly haven't had anyone needing to reset their password yet. In my particular case it's not really the end of the world if someone gets locked out, but I should probably think what I'd do in that case...
Let's be real. Most users reuse their password for everything anyway. Those that don't likely use a password manager of some sort.
I doubt that any site needs a profile picture. Even Twitter gives you a default if you don't want to set it.
The alternative we have is what we did before social was a thing. The Internet existed before Twitter. The very site we're on doesn't require a social pairing to sign up for it!