Misty: A secure distributed actor language

7 days ago (mistysystem.com)

An interesting project, but it seems to be in its infancy :) I definitely want an actor based language to play with, and something with a strong type system would be perfect. gleam [1] and inko [2] look promising in this regard

[1]https://gleam.run/

[2]https://inko-lang.org/

  • For the record, Elixir has been slowly introducing a set theoretic gradual type system.

  • fundamentally I think though is that for distributed systems you don't really want actors, you want ~erlang processes. The distinction being around how errors propagate between processes, and various mechanisms to deal with that. The actor model doesn't have any of that in its theoretical basis. Because in a distributed system you fundamentally have unpredictable errors, and generally erlang tries to shoehorn you into a programming style where you're ok with faults, which makes your system more fault tolerant.

    The core philosophical problem with gleam is that it is trying to get rid of errors. Ok, well good luck with that.

    • Actor systems can handle unpredictable errors and if you watch a recent talk by Douglas Crockford about actors/Misty there are Erlang-like "let it crash" examples.

    • I've been meaning to get to know gleam better, so I'm interested in your comment.

      Do you mean that the error handling of an Erlang process is in any way diminished by using gleam? Or is it just that maybe it's unnecessary work to try so hard to prevent errors which you've already put so much into tolerating?

Curious if this overlaps at all with the use cases of the spritely project [1]. Another question is whether esoteric languages are strictly needed for these architectures or simply more convenient.

[1] https://spritely.institute/

  • Douglas Crockford has described Misty as vaporware (hence the name), whereas at Spritely we are building and shipping things that can be used. Rather than build an entirely standalone domain specific language, our research and development builds on top of Scheme because it's a multi-paradigm language that is easy to extend to implement new paradigms (such as the actor model) thanks to the powerful macro system. Lexical scope and first-class functions make Scheme amendable to the actor model (Scheme was initially created as an exploration of the actor model) and capability security. For the latter, we are inspired by Jonathan Rees' W7: A security kernel based on the lambda calculus.

    http://mumble.net/~jar/pubs/secureos/secureos.html

    We are also involved in a cross-organization effort to bring capabilities to everyone (on the network, at least) called OCapN and we are seeking implementers for as many programming languages as possible.

    https://ocapn.org/

    • I should clarify that when he calls it vaporware he means that he is interested in propagating the actor model concept rather than any specific language or implementation.

Regardless of the merits of the language itself, the presentation here leaves something to be desired.

The landing page itself conveys zero information, and when I click into the Introduction, it's almost entirely dedicated to a particularly persnickety whitespace standard, and the grammar rules for parsing comments and identifiers. This is not really helping me understand what the language is about...

Between that and the odd jab at Javascript assignment operators, I have the sense that the author is more interested in grinding axes than in explaining.

  • A similar presentation bug that stands out to me, the "Public Domain by Author" copyright claims are non-standard and don't actually do anything legally speaking in the US or many other world jurisdictions, and feel kind of silly/out-of-place. Maybe they are a political statement, but I think that just makes them more annoying, not less. This is why CC0 [0] exists and provides a ton of useful explanations and FAQ and suggestions on dedicating works to the public domain in a way that legally works/matters. Also as a reminder CC0 is not an OSI-approved code license and for that you should consider using something like CC0 "dual licensed" with "1-Clause BSD" [1] for software code. (Though CC0 is directly FSF approved now [and generally considered GPL family compatible], with suggested License verbiage in the CC0 FAQ.)

    [0] https://creativecommons.org/public-domain/cc0/

    [1] https://spdx.org/licenses/BSD-1-Clause.html

  • > I have the sense that the author is more interested in grinding axes than in explaining.

    People are free to target whoever they want when publishing on the internet.

    There is a good chance that neither you nor HN is a part of that target.

    • > People are free to target whoever they want when publishing on the internet.

      People are also free to criticize whatever is published on the internet. Hypotetically not being a part of the "target audience" doesn't preclude one form such freedom.

      I agree with the comment above: the introduction doesn't really "introduce" the reader to the language, it only introduces the reader to the syntactic constructs used in the language. Such introduction would better fit in the "specification" section.

    • > There is a good chance that neither you nor HN is a part of that target.

      I mean, I'm at least tangentially in the target audience, as an enthusiast of programming language design, who is very fond of Erlang...

      1 reply →

  • agreed the focus on whitespace rules and grammar feels misaligned for an introduction

  • ...author is Douglas Crockford, creator of JavaScript and JSON.

    • to be fair, if $Y creates $X and $Y doesn't hate $X with a passion and doesn't come up with $Z that is a gazillion times better than $X, then $X is probably not very useful.

This says that the implementation cannot cede time slicing to the OS, therefore it would seem to necessarily occupy kernel space. Am I mistaken?

Tldr for erlang users?

  • Erlang actors are not privately addressable, so they cannot be used for capability security. The actors described here are.

    • Joe Armstrong goes to lengths to describe the benefits of "privately addressable" actors in his thesis (though he uses different terminology). As far as I'm aware, Erlang actors are also privately addressable. cf:

      > System security is intimately connected with the idea of knowing the name of a process. If we do not know the name of a process we cannot interact with it in any way, thus the system is secure. Once the names of processes become widely know the system becomes less secure. We call the process of revealing names to other processes in a controlled manner the name distribution problem— the key to security lies in the name distribution problem. When we reveal a Pid to another process we will say that we have published the name of the process. If a name is never published there are no security problems.

      > Thus knowing the name of a process is the key element of security. Since names are unforgeable the system is secure only if we can limit the knowledge of the names of the processes to trusted processes.

      https://erlang.org/download/armstrong_thesis_2003.pdf (page 24-25)

      6 replies →

> The Misty Programming Language is a dynamic, (...), secure, distributed actor language

In this day-and-age, dynamic programs should be considered insecure (in the broad sense) by design. There have been lots of efforts in the past ~15 years to make distributed systems more robust (e.g. Cloud Haskell [0], choreographic programming [1]).

The term "secure" as used here is quite specific, used in reference to a capability model. This is quite nice and innovative. However, static typing and capabilities need not be mutually exclusive: capabilities can be modeled at the type level using algebraic effects [2].

[0]: https://simon.peytonjones.org/haskell-cloud/

[1]: https://en.wikipedia.org/wiki/Choreographic_programming

[2]: https://github.com/yallop/effects-bibliography

  • You can also model capabilities with the Object Capability Model—just pass the capabilities around as object handles. This has the downside of being rather verbose, but that can be remedied by something like Scala's implicits.