Skip to content(if available)orjump to list(if available)

Misty: A secure distributed actor language

Misty: A secure distributed actor language

36 comments

·January 12, 2025
Visit

evomassiny

An interesting project, but it seems to be in its infancy :) I definitely want an actor based language to play with, and something with a strong type system would be perfect. gleam [1] and inko [2] look promising in this regard

[1]https://gleam.run/

[2]https://inko-lang.org/

az09mugen

Another less-known actor based language is pony [0], it is well documented and made some uncommon choices.

[0] https://www.ponylang.io/

linkdd

For the record, Elixir has been slowly introducing a set theoretic gradual type system.

throwawaymaths

fundamentally I think though is that for distributed systems you don't really want actors, you want ~erlang processes. The distinction being around how errors propagate between processes, and various mechanisms to deal with that. The actor model doesn't have any of that in its theoretical basis. Because in a distributed system you fundamentally have unpredictable errors, and generally erlang tries to shoehorn you into a programming style where you're ok with faults, which makes your system more fault tolerant.

The core philosophical problem with gleam is that it is trying to get rid of errors. Ok, well good luck with that.

davexunit

Actor systems can handle unpredictable errors and if you watch a recent talk by Douglas Crockford about actors/Misty there are Erlang-like "let it crash" examples.

__MatrixMan__

I've been meaning to get to know gleam better, so I'm interested in your comment.

Do you mean that the error handling of an Erlang process is in any way diminished by using gleam? Or is it just that maybe it's unnecessary work to try so hard to prevent errors which you've already put so much into tolerating?

openrisk

Curious if this overlaps at all with the use cases of the spritely project [1]. Another question is whether esoteric languages are strictly needed for these architectures or simply more convenient.

[1] https://spritely.institute/

davexunit

Douglas Crockford has described Misty as vaporware (hence the name), whereas at Spritely we are building and shipping things that can be used. Rather than build an entirely standalone domain specific language, our research and development builds on top of Scheme because it's a multi-paradigm language that is easy to extend to implement new paradigms (such as the actor model) thanks to the powerful macro system. Lexical scope and first-class functions make Scheme amendable to the actor model (Scheme was initially created as an exploration of the actor model) and capability security. For the latter, we are inspired by Jonathan Rees' W7: A security kernel based on the lambda calculus.

http://mumble.net/~jar/pubs/secureos/secureos.html

We are also involved in a cross-organization effort to bring capabilities to everyone (on the network, at least) called OCapN and we are seeking implementers for as many programming languages as possible.

https://ocapn.org/

davexunit

I should clarify that when he calls it vaporware he means that he is interested in propagating the actor model concept rather than any specific language or implementation.

rurban

Still a lot todo.

https://github.com/douglascrockford/Misty There's only the spec and parser yet: https://mistysystem.com/doc/road_ahead.html

Giving that he was at same state a year ago also, I see not much progress

rahkiin

I just ticket the checkboxes on that page and now it is finished.

macintux

A fair bit of discussion from a year ago:

https://lobste.rs/s/r8vitn/misty_programing_language_from_cr...

https://news.ycombinator.com/item?id=38820305

There are a few older discussions on HN, but none with more than single digit comments.

dang

Thanks! Macroexpanded:

Misty Programming Language - https://news.ycombinator.com/item?id=38820305 - Dec 2023 (47 comments)

Creator of JSON Unveils New Programming Language 'Misty' - https://news.ycombinator.com/item?id=38680087 - Dec 2023 (6 comments)

Doug Crockford's new programming language – Misty - https://news.ycombinator.com/item?id=38620026 - Dec 2023 (3 comments)

Misty: Programing Language from the Creator of JSON - https://news.ycombinator.com/item?id=38114122 - Nov 2023 (3 comments)

swiftcoder

Regardless of the merits of the language itself, the presentation here leaves something to be desired.

The landing page itself conveys zero information, and when I click into the Introduction, it's almost entirely dedicated to a particularly persnickety whitespace standard, and the grammar rules for parsing comments and identifiers. This is not really helping me understand what the language is about...

Between that and the odd jab at Javascript assignment operators, I have the sense that the author is more interested in grinding axes than in explaining.

WorldMaker

A similar presentation bug that stands out to me, the "Public Domain by Author" copyright claims are non-standard and don't actually do anything legally speaking in the US or many other world jurisdictions, and feel kind of silly/out-of-place. Maybe they are a political statement, but I think that just makes them more annoying, not less. This is why CC0 [0] exists and provides a ton of useful explanations and FAQ and suggestions on dedicating works to the public domain in a way that legally works/matters. Also as a reminder CC0 is not an OSI-approved code license and for that you should consider using something like CC0 "dual licensed" with "1-Clause BSD" [1] for software code. (Though CC0 is directly FSF approved now [and generally considered GPL family compatible], with suggested License verbiage in the CC0 FAQ.)

[0] https://creativecommons.org/public-domain/cc0/

[1] https://spdx.org/licenses/BSD-1-Clause.html

tossandthrow

> I have the sense that the author is more interested in grinding axes than in explaining.

People are free to target whoever they want when publishing on the internet.

There is a good chance that neither you nor HN is a part of that target.

bheadmaster

> People are free to target whoever they want when publishing on the internet.

People are also free to criticize whatever is published on the internet. Hypotetically not being a part of the "target audience" doesn't preclude one form such freedom.

I agree with the comment above: the introduction doesn't really "introduce" the reader to the language, it only introduces the reader to the syntactic constructs used in the language. Such introduction would better fit in the "specification" section.

swiftcoder

> There is a good chance that neither you nor HN is a part of that target.

I mean, I'm at least tangentially in the target audience, as an enthusiast of programming language design, who is very fond of Erlang...

tossandthrow

It is the assumption that this is meant as dissemination. there is a lot of material online (especially on GitHub) that is not meant to be read.

It is a valid criticism that it is uninteresting to read, but the core criticism is that this should not have been shared on HN, to which the canonical response is to scroll through and not upvote.

fasten

agreed the focus on whitespace rules and grammar feels misaligned for an introduction

mirekrusin

...author is Douglas Crockford, creator of JavaScript and JSON.

thebestjames

Brendan Eich (of more recent Brave fame) is the creator of JavaScript.

mirekrusin

Thanks for correction, indeed I mixed him up, Crockford just created JSON parser and popularized this format (he also popularized js in general though his book, linter etc).

exe34

to be fair, if $Y creates $X and $Y doesn't hate $X with a passion and doesn't come up with $Z that is a gazillion times better than $X, then $X is probably not very useful.

dustingetz

example of distribution please? couldn’t find

faraaz98

Tldr for erlang users?

davexunit

Erlang actors are not privately addressable, so they cannot be used for capability security. The actors described here are.

withoutboats3

Joe Armstrong goes to lengths to describe the benefits of "privately addressable" actors in his thesis (though he uses different terminology). As far as I'm aware, Erlang actors are also privately addressable. cf:

> System security is intimately connected with the idea of knowing the name of a process. If we do not know the name of a process we cannot interact with it in any way, thus the system is secure. Once the names of processes become widely know the system becomes less secure. We call the process of revealing names to other processes in a controlled manner the name distribution problem— the key to security lies in the name distribution problem. When we reveal a Pid to another process we will say that we have published the name of the process. If a name is never published there are no security problems.

> Thus knowing the name of a process is the key element of security. Since names are unforgeable the system is secure only if we can limit the knowledge of the names of the processes to trusted processes.

https://erlang.org/download/armstrong_thesis_2003.pdf (page 24-25)

jerf

That may be what is in the thesis, but in real Erlang, any process can list all processes on any node it can reach: https://www.erlang.org/doc/apps/erts/erlang.html#processes/0 (As the docs say, it lists "processes on the local node" but I'm fairly sure any process can RPC that to any connected node to get the local processes on that node) From there you've got a lot of introspection on the processes in question.

And beyond that, there is no sandboxing in Erlang that allows you to do anything like spawn a process that can't access the disk or network or anything like that. So in practice that doesn't even hardly buy you anything on a real system because if you were somehow running unauthenticated Erlang code you've already got access corresponding to the OS permissions of the running Erlang process. (Though for those not familiar with Erlang, "somehow running unauthenticated Erlang code" is very unlikely, to the point that it's not a realistic threat. I'm just speaking hypothetically here.)

The thesis may cover how such systems could be turned to a more secure context but it does not correspond to current Erlang.

SoftTalker

This really only works if the process names are unguessable? Erlang PIDs are if not predicatable at least appear to be guessable, e.g. they look like this: <0.30.0>

Guthur

Continue to use Erlang. ;)

cosmic_quanta

> The Misty Programming Language is a dynamic, (...), secure, distributed actor language

In this day-and-age, dynamic programs should be considered insecure (in the broad sense) by design. There have been lots of efforts in the past ~15 years to make distributed systems more robust (e.g. Cloud Haskell [0], choreographic programming [1]).

The term "secure" as used here is quite specific, used in reference to a capability model. This is quite nice and innovative. However, static typing and capabilities need not be mutually exclusive: capabilities can be modeled at the type level using algebraic effects [2].

[0]: https://simon.peytonjones.org/haskell-cloud/

[1]: https://en.wikipedia.org/wiki/Choreographic_programming

[2]: https://github.com/yallop/effects-bibliography

demosthanos

You can also model capabilities with the Object Capability Model—just pass the capabilities around as object handles. This has the downside of being rather verbose, but that can be remedied by something like Scala's implicits.