From mboxrd@z Thu Jan 1 00:00:00 1970 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=-1.0 required=5.0 tests=MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE autolearn=ham autolearn_force=no version=3.4.4 Received: (qmail 20057 invoked from network); 12 Jul 2021 01:44:20 -0000 Received: from minnie.tuhs.org (45.79.103.53) by inbox.vuxu.org with ESMTPUTF8; 12 Jul 2021 01:44:20 -0000 Received: by minnie.tuhs.org (Postfix, from userid 112) id BE06C9BB5C; Mon, 12 Jul 2021 11:44:13 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id EDC4894FC6; Mon, 12 Jul 2021 11:43:08 +1000 (AEST) Received: by minnie.tuhs.org (Postfix, from userid 112) id 36B8294FC6; Mon, 12 Jul 2021 11:43:05 +1000 (AEST) Received: from outgoing.mit.edu (outgoing-auth-1.mit.edu [18.9.28.11]) by minnie.tuhs.org (Postfix) with ESMTPS id 6772D94FA0 for ; Mon, 12 Jul 2021 11:43:04 +1000 (AEST) Received: from callcc.thunk.org (50-204-178-178-static.hfc.comcastbusiness.net [50.204.178.178]) (authenticated bits=0) (User authenticated as tytso@ATHENA.MIT.EDU) by outgoing.mit.edu (8.14.7/8.12.4) with ESMTP id 16C1gweb014742 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Sun, 11 Jul 2021 21:43:00 -0400 Received: by callcc.thunk.org (Postfix, from userid 15806) id 89EDD420BB1; Sun, 11 Jul 2021 21:42:58 -0400 (EDT) Date: Sun, 11 Jul 2021 21:42:58 -0400 From: "Theodore Y. Ts'o" To: arnold@skeeve.com Message-ID: References: <202107071828.167ISgdN2686558@darkstar.fourwinds.com> <20210710115135.22FDC21C4E@orac.inputplus.co.uk> <20210710141217.8795F21CD1@orac.inputplus.co.uk> <202107101657.16AGvIHu2818628@darkstar.fourwinds.com> <20210711085346.1951E21F16@orac.inputplus.co.uk> <202107110904.16B94rKu012217@freefriends.org> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <202107110904.16B94rKu012217@freefriends.org> Subject: Re: [TUHS] Death by bug X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.26 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: tuhs@minnie.tuhs.org Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" On Sun, Jul 11, 2021 at 03:04:53AM -0600, arnold@skeeve.com wrote: > Ralph Corderoy wrote: > > > Given some devices are present in large numbers for many years in > > hospitals, and there's a lot of hospitals, an unnoticed bug could be > > steadily chipping away at its human overlords. > > This is why I have purposely stayed away from jobs at companies doing > stuff like this. I know I don't write perfect code; I don't want to > be responsible for devices that can affect human life. This is also > discussed in the new edition of "The Pragmatic Programmer", which I've > just finished reading. (Highly recommended.) We should never be depending on a human being able to write "perfect code". Instead, we need to come up with processes so that imperfect code doesn't escape into production *despite* the fact that humans are fallible. Such processes might include requiring unit tests, integration tests, stress tests, etc., requiring code reivews by a second pair of eyes, perhaps using formal proofs, having multiple implementations of critical algorithms, cross-checking the results from those independent implementations, and so on. The space shuttle used a number of these techniques. It did *not* depend on super-human, Über-programmers. - Ted