“Why was Rust chosen for Libra?” in congressional hearing [video] (c-span.org)
285 points by mgraczyk 37 days ago | 77 comments



Congressman: I was really surprised about the Rust language. So my first question is, why was the Rust language chosen as the implementation language for Libra? Do you believe it's mature enough to handle the security challenges that will affect these large cryptocurrency transactions?

Facebook: [We will own & control the code.]

Congressman: It looks like Libra was built on the nightly build of the Rust programming language. It's interesting because that's not how we did releases at the DoD. What features of Rust are only available in the nightly build that aren't in the official releases of Rust? Does Facebook see it as a concern that they are dependent on unofficially released features of the Rust language? Why the nightly releases? Do you see this as a function of the prototyping phase of this?

Facebook: [No answer]


The first question summary is … poor. Congressman's biggest concern after poking around on github seemed to be about international committers and a "native Nigerian" committing a lot of the code. (based on looking around the github-generated contributors pages for the libra and rust repos, I have no idea who he's talking about).

The second answer was: "This is a very technical question. We'll get back to you." Which is to be expected; there's no reason for Mr. Marcus to risk a felony by bullshitting in front of Congress about technical decisions.


> I have no idea who he's talking about

This comment buried below: https://news.ycombinator.com/item?id=20467750

points to this repo "A javascript client for libra": https://github.com/perfectmak/libra-core

@perfectmak is in Lagos.


> Congressman's biggest concern after poking around on github seemed to be about international committers and a "native Nigerian" committing a lot of the code.

He comes from a DoD background. Security is probably his concern here.


That's fucking awesome, on the other hand, Rust code is running live in production in Firefox, exposed to the internet and actually offers a much higher degree of safety than many comparable languages - these questions they should have been able to answer readily.


The good senator illustrating the noisy wheel syndrome. Ken Thompson's reflections on trust have been repeated over and over again, and are now a mainstream meme. But the fact that it's an often-repeated common meme doesn't mean it's a practical threat. I'm not aware of it ever being responsible for an actual security breach. That's pretty significant - because there must be thousands of breaches each and every day. That isn't surprising, as it would be particularly difficult for open source GNU, LLVM, and Rust because people are literally compiling code and comparing the assembler output to the previous versions.

He probably also isn't aware of how large computer companies like Facebook operate. Again, a single failure doesn't affect them like a single failure in a fighter plane. In fact, chaos monkeys that randomly knock out bits of production infrastructure are a useful technique for them. I'm sure the senator is thinking in terms of a chaos monkey randomly knocking out engines, airfoils, and computers on a flying plane.

The quality of the compiler is a concern - but it is one the software engineer will be well aware of. Asking a software engineer if he is sure of the quality of the compiler he is using is like asking a racing driver if he is concerned about the quality of fuel he is using.


It's probably mostly just async/await, but I bet they were hoping it'd make it into stable before they launched.


https://github.com/libra/libra/blob/master/scripts/nightly_f...

From Reddit:

> The intention of that particular script is to eventually help us move towards eliminating the use of nightly features and limit depending on new ones so that we can eventually be on stable. Some features (like async/await) we'll need to wait until they've graduated to stable while others we should be able to make sufficient changes to stop relying on them.


It's cool to see a congressman who has this level of software dev knowledge.


He's a Republican from Virginia. Former Air Force Intelligence Officer and NSA contractor: https://en.wikipedia.org/wiki/Denver_Riggleman


I looked him up and I was still somewhat surprised by his knowledge because Wikipedia doesn't say anything about him having a development background. I suppose part of being in intelligence is being able to quickly learn information about your targets and identify risk factors. He does well!


Beto O'Rourke, POTUS candidate and currently in COTUS, was part of cDc.


His term ended in January. Currently, Beto doesn't hold an office.


The center for disease control or the cult of the dead cow?


The latter.


Yes.


Yeah, the DoD actually commissioned a safe (for the time) programming language with known, reliable semantics for its software systems. The result was Ada.

Compared to that environment, even Rust is very move-fast-break-things. I think I understand ESR's gripes about Rust much better now.


I'm having trouble understanding the implications of the answers to these 2 questions when deciding the legitimacy of Libra.

To elaborate my confusion:

* Why does the choice of a programming language play a part in deciding whether such a product (a currency platform) is valid? If this is written in a now-antagonized programming language (say, JavaScript, PHP etc), does such a decision make the product less legitimate?

* Similarly with the version/release of a programming language: how does knowing the answer to this question play a part?


Traditionally, government people have trust issues with programming languages as the compiler is, itself, an attack vector. If you are using a nightly release of the compiler, it may be assumed by some that the compiler is not vetted for security and could inject unstable or malicious code into another critical codebase. Also, Rust is considered very young for security type work, people rightly assume there are unfound weaknesses due to the newness of the language and related libraries.

Nevertheless, the government has allowed people to use Java for decades for highly secure codebases and it has had all kinds of issues.


> Nevertheless, the government has allowed people to use Java for decades for highly secure codebases and it has had all kinds of issues.

That's interesting. What sorts of issues? Do you have sources for further reading?


It's just a passing swipe at Java, everyone's favorite language to hate. All languages have "had all kinds of issues", which are remedied by regular maintenance cycles that patch the required elements (JVM, libs, etc) when CVEs are announced. Java is in a unique position because it has been used extensively in government contract work. Some of that work was done well and some of it wasn't, which largely was based on the capability of the contractor used to do the work. It doesn't matter (well to an extent) what language you're writing your code in if you don't apply proper security precautions (SQL injection for example). Additionally, a number of years ago _desktop_ and _applet_ Java caused major security problems for businesses and governments (similar to the problems with Adobe Flash).


I don't hate Java, it is a tool like any other. I only bring it up because I have extensive experience with it being used in the government realm.

It was not a passing comment. Exporting sensitive systems to other countries takes special care. There are hoops to jump through and Java made that job more difficult throughout the years. Many times you don't know a system will be exported until you have already built the system.

Additionally, Java went through a period where vulnerabilities were found frequently but the patches took time to develop and deploy.


I apologize if that came off wrong, the "everyone's favorite language to hate" was tongue-in-cheek and not intended to infer you had an outright hatred of Java. As a parallel in the past I did government contract work (though mine was probably more limited than what you seem to be implying) with Java systems as well.


No worries; I'm just trying to be clear.


Governments have issues with non-stable code because it changes rapidly, is untested and a security risk. Facebook moves fast and breaks things.

I think it exposes a key difference between a FAANG company and a lot of other development though. Because most of us simply use the programming languages as tools, but Facebook is actually going to change the Rust language to fit their needs.


> Facebook is actually going to change the Rust language to fit their needs.

... hm?


Related:

> Facebook was initially coded in pure, vanilla PHP, but over the years, [they] needed more capabilities [...] so, FB developed their own proprietary programming language based on PHP, which they dubbed Hack.

https://www.quora.com/Is-Facebook-still-coded-in-PHP


Okay, so this is speculation, basically. I thought that may be what the parent was saying, but wasn't sure.


Beyond applets, whose sandbox wasn't as well thought out, and even JavaScript suffers from issues to this day like cross site scripting and bitcoin mining, what are those Java issues in regular desktop and JEE/Spring servers?


I think they just ask questions for the sake of asking questions. Had FB picked any other language, I am fairly certain that it would have been scrutinized as well.

Are politicians concerned about Libra? I think so. But I also think that they try to "attack" it from all possible angles and the programming language is one of these angles. Because if Libra gets out of hand, they do not want to be responsible for not having done their due diligence.


I think the congressman doesn’t quite understand that Rust nightly is far more stable than nightly anything else. It’s really more of a beta than a nightly sort of build assuming projects using it exercise even a small amount of restraint in which nightly features they use.


I don't think I've ever heard of a Congressman going to GitHub, poking around in some open source code, and then asking very cogent and relevant questions about it. This video is incredible if only because of that.


Yeah that's the most interesting part of this video. Good to know at least 1 person in Congress knows what "code" is and what "GitHub" is, and even more good that they're knowledgeable enough to know what Rust is, that different languages exist and may have different features and stability, and what nightly builds are. Since overseeing software and data security regulations is part of their job.


i have noticed over the past few years that more and more people with a technical and science background go into politics. it happened in singapore, china, a few countries in europe and it's probably happening more and more everywhere.

in general i think this is a positive sign.


Perhaps they did their own research on Libra and prepared those questions before and then asked Facebook basic questions about the design & implementation of Libra.


Congresspeople often come from backgrounds other than law. It could have also been his aides helping with this.


In country, that background is acting, singing and dancing (and punching).


Probably an intern on his staff did the research.


No it sounds like he was either an engineer or engineering manager somewhere in the DoD.


https://en.wikipedia.org/wiki/Denver_Riggleman

Associate of Science (AS) in Avionics Systems from the Community College of the Air Force in 1996.

Graduate Certificate (GradCert) in Project Management from Villanova University in 2007.

Air Force for eleven years, serving as an intelligence officer. He then worked as a contractor for the National Security Agency


>Riggleman was in the Air Force for eleven years, serving as an intelligence officer. He then worked as a contractor for the National Security Agency.

He may just be familiar with programming.


Most people in the government that I've dealt with oversee projects and are really risk and contract managers. I took the question more as "why are you using a new language and nightly builds of that language." It's exactly the kind of thing that most program managers wouldn't even consider.


This congressman (or his aides) is surprisingly knowledgeable. I'm impressed with whoever thought to ask about nightly builds.

Edit: for reference, this is the congressman who was accused of writing "Bigfoot erotica" during his campaign.


> Edit: for reference, this is the congressman who was accused of writing "Bigfoot erotica" during his campaign.

That was mostly a smear campaign by his political opponents.

https://www.nytimes.com/2018/07/30/us/politics/bigfoot-porn....


That edit took a real turn.


He's a bigfoot nerd. He posted a stupid book on his instagram feed and his opponent tried to make him out like a weirdo. It would be like a candidate posting the cover of star wars fan fiction and their opponent accusing them of being an alien conspiracy theorist.


I really hope he invites a cryptozoologist to appear before the House.


This is a good question to ask, especially about the nightly builds from upstream. There have been NPM exploits targeted at crypto currency developers (e.g. the event-stream breach), so it seems FB would be placing a lot of trust in the Rust developers. This is not to say Rust maintainers are dishonest, but all it takes is one person whose authentication credentials get compromised.


Also, it's not just an issue of an intentionally backdoored compiler. The nightly could have some experimental optimization enabled, and if there's a bug in the optimization, it could introduce a vulnerability into the compiled Libra binaries.


Wouldn't the same apply to practically any programming language and development tools? What if they'd chosen Microsoft Visual C++? Would that be less exploitable?


The specific point about nightly isn't about Rust per se. It's more about using what is essentially a development version of a compiler, updated nightly. Exploits aren't necessarily even the biggest threat. Nightly could have bugs, and in the context of cryptocurrency, compiler bugs can mean large amounts of lost money.


With nightly builds, there’s more of a chance that a piece of malware could sneak in and get used to build a release of Libra. I’m sure the Rust maintainers would find it fairly quickly, but even within a few days there would be tons of Libra users with compromised wallets.

More scrutiny goes into stable release builds than nightly builds, and more mature languages and tools have more experienced maintainers who are often (but of course, not always) better at scrutinizing releases. It’s not that MSVC++ can’t be compromised, but it’s pretty unlikely that it would be.


I don’t think anyone actually runs nightly against what’s on the latest / master. I know at work, we use nightly rust, but we pin to a specific date release, usually around when the latest stable is cut.
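An added example, not part of the thread and not Libra's own `nightly_f...` script: a small audit that reports which nightly feature gates a Rust source tree enables and whether its toolchain is pinned to a dated nightly, as the comment above describes. It assumes the one-line `rust-toolchain` file at the repository root; the function names, the sample tree and the date `nightly-2019-07-08` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Crate-level gates such as #![feature(async_await, never_type)].
# Gates hidden inside #![cfg_attr(...)] are not covered by this sketch.
FEATURE_RE = re.compile(r"#!\[feature\(([^)]*)\)\]")
# A pinned nightly names an exact build date.
PINNED_RE = re.compile(r"^nightly-\d{4}-\d{2}-\d{2}$")


def strip_line_comments(src):
    """Drop // comments so commented-out gates are not counted."""
    return "\n".join(line.split("//", 1)[0] for line in src.splitlines())


def feature_gates(root):
    """Map each nightly feature name to the .rs files that enable it."""
    root = Path(root)
    found = {}
    for path in sorted(root.rglob("*.rs")):
        src = strip_line_comments(path.read_text(encoding="utf-8", errors="replace"))
        for match in FEATURE_RE.finditer(src):
            for name in match.group(1).split(","):
                name = name.strip()
                if name:
                    found.setdefault(name, []).append(path.relative_to(root).as_posix())
    return found


def toolchain_status(root):
    """Classify the one-line rust-toolchain file at the repository root."""
    pin = Path(root) / "rust-toolchain"
    if not pin.is_file():
        return "missing"
    channel = pin.read_text(encoding="utf-8").strip()
    if PINNED_RE.match(channel):
        return "pinned-nightly"      # reproducible: one known compiler build
    if channel.startswith("nightly"):
        return "floating-nightly"    # compiler changes under you every day
    return "other"                   # stable, beta, or another format


def demo():
    """Run the audit over a constructed two-file crate."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "rust-toolchain").write_text("nightly-2019-07-08\n")
        (root / "src").mkdir()
        (root / "src" / "lib.rs").write_text(
            "#![feature(async_await, never_type)]\n"
            "// #![feature(box_syntax)]\n"
            "pub fn f() {}\n"
        )
        (root / "src" / "main.rs").write_text(
            "#![feature(async_await)]\nfn main() {}\n"
        )
        return toolchain_status(root), feature_gates(root)


if __name__ == "__main__":
    status, gates = demo()
    print("toolchain:", status)
    for name, files in sorted(gates.items()):
        print(f"{name}: {', '.join(files)}")
```

Run in CI, a check like this can fail the build on a floating nightly or on a feature gate that is not on an approved list.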


Yes, but who runs against nightly builds of MVC++? The idea is, presumably, that nightly builds have undergone less scrutiny (partly just due to time in existence) and so if there was something it has a higher chance of being caught and reverted before a stable release.


I just tried to build libra on stable rust. At least the first thing that failed is that it's depending on futures 0.3. So it's almost certainly using async/await.


https://github.com/perfectmak/libra-core

It seems the Congressman mistook an unofficial 3rd-party js repo whose author is Nigerian as an official Libra project...


I feel like this is blindly upvoted. The video is underwhelming, and doesn't come close to answering the question.

That said, I'm very impressed by the congressman in the video, as it sounds like he knows what he's talking about. Wikipedia doesn't mention much about programming in his bio...


Looks like he comes from an NSA background. Have to say, I'm very heartened to see someone in congress ask such detailed technical questions about cybersecurity issues.


The title is misleading although technically correct. They did respond just not with anything more than a "we'll get back to you".

I do like the basics of his questions "who is committing code to Libra" and "why are you using a nightly build of Rust". I get the feeling he is not happy with it given his mention of "not how we usually did releases in the DOD" and pointing out the non-US coder. It will be interesting to see the technical response and his response to that.


Of course Rust is international. Windows is international; Linux is international; VMS might possibly not be international. You'd think DoD would be buying Talos systems as fast as Raptor could spit them out, given all the talk about wanting things to be made in the USA, but even those will likely have parts from dozens of countries.

I don't want to knock Rep. Riggleman too hard, since knowing what Github is (let alone how to use it) puts him in the top one or two percent of Congress; but DoD is by no means a paragon of software development practice. It cares far too much about compliance for the sake of compliance and far too little about whether that compliance enables business objectives such as security or reliability. (And waivers are easy to obtain when compliance makes things better, but difficult when compliance makes things worse.)


In the video, Rep. Riggleman doesn't find issue with Rust being international; he instead notes that one of the primary committers to _Libra Core_ (not Rust) is Nigerian.

I had a similar response to yours when I read the top-level comment, but watching the video it's clear that his issue is very much _not_ with Rust having an international development team.


His issue is Libra having an international development (or more specifically random international development), and his issue with Rust is using the nightly builds instead of a stable release.


Same. Their grasp of the ecosystem and the involved bits of tech is exactly what more representatives need to grasp.


For those wondering the Congressman in question is Denver Riggleman, (R) representing VA's 5th district.


There's hope for Congress after all. We can now be sure we have at least one congressman there who can tell a nightly build from a hole in the ground. It's very unusual to see congressional inquiry where the person _asking_ questions is more competent than the person(s) answering them. Most congress(men|women) struggle to complete coherent sentences, let alone talk about anything technically sophisticated.


Didn't expect a congressman to be so technical


Even if it was well-rehearsed, he's earned my respect for bringing about questions that are pointedly relevant, both materially and topically.


I was disappointed by the Facebook side; they should answer the question in detail.


I spent several minutes looking at the video for signs of editing, believing that's a joke to demonstrate some new kind of deepfake AI. I have no idea who those guys are, but it is astonishing to see politicians being competent in technology outside of MS-Word power user level.


Is there a reason that it matters what the reference implementation of Libra is written in?

A blockchain network is usually not considered healthy until it has multiple implementations of nodes running non-negligible parts of the network. I would say that Libra having such alternate impls is almost inevitable.

Exploiting any flaw in a particular blockchain node impl, when there are multiple such impls, would then require either finding the same vulnerability in all other clients; or else, attacking that one client, forcing a hard fork, and then having that client’s version of events “win” such that other node software choose to adopt it by hardcoding a switchover. Neither is ever very likely.


> Is there a reason that it matters what the reference implementation of Libra is written in?

If a language implementation is new, then it is (in the pragmatic sense) more susceptible to security issues.


Two counters:

1. You entirely ignored the thesis of the comment you responded to. Which is that other nodes can be implemented in more "mature" languages.

2. I don't buy for a second that new languages are more susceptible. You can attach pragmatic all you want to the sentiment but it's not an argument.


the rust nightly build has the ECC curve functionality. Most of the crypto related prototyping on rust requires the nightly atm. Here's hoping integration onto wide release for the sake of the crypto dev community


This is a deeply technical and insightful question to ask. However, is this question on implementation detail the best question he could ask to determine the impact of Libra on the people he represents, or does it serve to satisfy his curiosity?


I agree that unless the point of the question was more of a power move to show he's not an idiot and that they shouldn't try jerking him around, the question doesn't seem particularly useful.

The action of creating Libra could be interpreted as an attempt to undermine US federal currency. Facebook is the first company with enough clout to actually succeed at widespread cryptocurrency adoption to attempt something like this. I think there are bigger issues to deal with than quibbling about languages and release cycles. I know that the congressman's unspoken question is really whether Facebook has considered the security ramifications of allowing foreign nation-states to meddle directly with our system of currency like they were able to meddle with our news media, etc. But we all know that great programs can be written in terrible languages and terrible programs can be written in great languages. If the congressman is thinking what I think he's thinking, I wish he'd come out and say it instead of beating around the bush.


He is their elected representative. Is there a measurable difference? Should there be a measurable difference?


[flagged]


They're going to pass but encouraged him to circle back in six months.



