Facebook and open source: 'we've come a long way'

LXF: Is your work on the OpenID and OAuth standards used at Facebook?

DR: Our platform engineering team did a lot of work on OAuth 2.0 this past year. OAuth was created to standardise an API design pattern where people could grant websites access to act on their behalf without having to share their password. While OAuth 1.0 was used in just about every new API over the past two years, it was too complex for many developers. We helped create OAuth 2.0 to fix that.

OAuth 2.0 relies on SSL to protect an access token when making API requests versus HMAC signatures, which were used in 1.0. This removes a great deal of complexity, because developers interacting with your API no longer needed to normalise, sort, and then sign all of their HTTP request parameters.

We were the first to ship OAuth 2.0 as a part of the Graph API announced at f8 in April after working within the IETF community to write a good deal of it. Also at f8, we introduced the Open Graph Protocol (http://ogp.me), which uses a very simple subset of the RDFa framework to represent any web page as a part of a social graph.

LXF: People think of Facebook as a closed-source site. How else do you contribute to open source?

DR: Facebook engineers actively contribute within the Apache Hadoop ecosystem and to MySQL and PHP, and have created a number of features that allow memcached to scale on modern hardware.

But we don't just contribute to other projects or release developer tools, we open source entire pieces of production infrastructure. HipHop, FlashCache, Apache Hive and Cassandra, Thrift, Scribe, and others were all created at Facebook. I don't think that there's another web company of our size that's done the same.

LXF: On the flip side, what's difficult about working on open source within a company?

DR: It's easy for companies to fall into believing the myth that open source doesn't take additional time and effort. It really does take time if you're going to do a good job. And it's important to properly set expectations around projects in terms of the spectrum between just sharing your source code under an open source licence and fully sharing control over the project itself.

I almost think the decision here is less important in comparison to companies appropriately setting expectations.

LXF: What's your view on Facebook clone Diaspora?

DR: I have a lot of respect for those guys. They're obviously passionate about what they're working on and are actually building a product. I think there are a lot of challenges in what they're trying to create.

An open source social network is about far more than status updates and sending messages between sites; it's also about having a global sense of identity and bringing both your friends and your content with you around the web, while keeping you in control over who can see what you've shared. It's about building a platform.

LXF: Do you feel that Facebook is currently embracing the open web?

DR: Yes, I think we've come a long way in the past year. Whether it's OAuth 2.0, HTML 5, or the Open Graph Protocol, we've used standards where they exist and worked with the community to create them in some of the areas they don't.

We'll often get criticised for not implementing a given technology, but the best standards are created following working implementations and not the other way around. As I wrote over the summer in reference to emerging standards: "Don't be afraid to rip them apart as needed if you'll end up with a better product, a better technology, and ultimately a better standard. We did this recently with OAuth 2.0 and the internet is better for it"