"Theodore Y. Ts'o" <tytso(a)mit.edu> wrote:
On Sun, Jul 11, 2021 at 03:04:53AM -0600, arnold(a)skeeve.com wrote:
This is why I have purposely stayed away from jobs at companies doing
stuff like this. I know I don't write perfect code; I don't want to
be responsible for devices that can affect human life. This is also
discussed in the new edition of "The Pragmatic Programmer", which I've
just finished reading. (Highly recommended.)
We should never be depending on a human being able to write "perfect
code". Instead, we need to come up with processes so that imperfect
code doesn't escape into production *despite* the fact that humans are
fallible. Such processes might include requiring unit tests,
integration tests, stress tests, etc., requiring code reviews by a
second pair of eyes, perhaps using formal proofs, having multiple
implementations of critical algorithms, cross-checking the results
from those independent implementations, and so on.
The space shuttle used a number of these techniques. It did *not*
depend on super-human, Über-programmers.
I strongly agree with all that. But given that many places don't use such
practices (especially startups), I prefer not to put myself into
situations where safety of the product depends entirely on the skills
of the programming team.
Arnold