[HN Gopher] "Durable Computronics"
___________________________________________________________________
"Durable Computronics"
Author : velcrovan
Score : 43 points
Date : 2022-09-23 15:55 UTC (7 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| yjftsjthsd-h wrote:
| I think the rings concept should be extended to have further down
| rings. It's kind of fun as a fantasy, but the pain point on this
| is that for a lot of things it genuinely doesn't matter if the
| computer side of things kind of sucks. I would be totally 100% in
| favor of all electronics sold on the mass market having a
| designated mark on them that says what level of assurance they
| were built with, but I don't think I mind people being allowed to
| sell things at ring three or four all the way down to the
| equivalent of what happens today. Obviously there are some cases
| where this isn't acceptable; medical, avionics, anything where
| humans can die obviously needs to be in ring zero, and I agree
| with other commenters in this thread that financial stuff should
| be at a fairly high assurance level as well.
| velcrovan wrote:
| I had more rings in mind, just haven't thought it through yet.
| There might not need to be that many more though. Anything
| involving any communication at all would probably get an
| instant Ring 1. Possibly anything and everything else could go
| in a catch-all Ring 2. (PRs welcome)
| [deleted]
| wyager wrote:
| This is an incredibly lame and uncreative vision for the future.
| Imagine wishing for additional bureaucratic overhead when we have
| technologies like formal verification which can achieve greater
| things at lower cost.
|
| Industries should play to their comparative advantages. A huge
| and mostly untapped comparative advantage of computers is that
| they reify _formal systems_, completely unlike a suspension
| bridge or an office building. If your vision of the future of
| computers doesn't take that into account, it's worth little.
| velcrovan wrote:
| Can you clarify what you mean by formal verification, and why
| this scheme necessarily excludes its use?
| rictic wrote:
| Someone writing a new blog engine would need review from two
| people (one of whom is a government agent) in order to serve
| traffic outside the home?
| nomel wrote:
| With the presented ethos, it seems demonstrably [1]
| appropriate.
|
| 1. Wordpress, being an example of thousands:
| https://cyraacs.com/privilege-escalation-by-exploiting-wordp...
| thenthenthen wrote:
| A quick search didn't yield any matches so I will just leave it
| here, maybe some more inspiration: https://permacomputing.net/
| johngalt wrote:
| Quality standards are certainly required, and the
| software/technology ecosystem is brittle in avoidable ways.
| However, I'm not sure we can simply roll forward with methods we
| used to build bridges and use them to build software.
|
| I expect that we will see quality management going the other way.
| Deriving new and more capable ways of dealing with the complexity
| of modern technology stacks. Then those methods backpropagate to
| how we manage other complex systems. As we saw with the 737 MAX,
| in many cases the "engineer signing off" is merely a
| figurehead/scapegoat. Could one person realistically know the
| details of every system (to a detailed engineering level) in a
| modern airliner? Even if they could, is that the best approach?
|
| Our methods for durability are already overextended. Technology
| will be the area that makes us admit it, and provides the tools
| to manage it better.
| selfsimilar wrote:
| I've often thought this makes a lot of sense not just for medical
| devices/software, but for any government and financial software
| as well. But it's somewhat predicated on the 'provable correct'
| part, which is not well adopted.
| al2o3cr wrote:
| If a system deviates from its design, the contractor becomes
| liable for any such failure, whether related to the specific
| deviation or not.
|
| This seems a recipe for an eternal blame-game where the "engineer
| of record" aims to produce a plausible-but-impossible
| specification and manufacturers spend 99% of their time looking
| for loopholes.
|
| If your aim is to explain why your scifi setting has an entire
| planet covered with a kilometer-thick layer of used triplicate
| forms, this would be a great place to start. :P
| velcrovan wrote:
| This is a fair point, probably more so if applied to our own
| existing tech landscape, which is weighted in favor of
| innovation and proliferation. But in other fields (i.e.
| electrical engineering) a similar division of responsibility
| has been in use for decades and has not proven totally
| unmanageable.
| daniel-cussen wrote:
| Yes, there are many different cultures in different fields.
| kcb wrote:
| But that's not all electrical engineering. Most electrical
| engineering jobs don't require a professional license.
| velcrovan wrote:
| Sure. The same would probably be the case here. Someone has
| to be the engineer of record. But not everyone who works in
| software would have to be a PE.
| tyingq wrote:
| _"The computers that control your car"_
|
| That maybe used to be a good example of _"durable
| computronics"_. It's increasingly not true. Seems to be for a
| variety of reasons though, not just one. Things like DRM, lower
| expectations of usable lifespan of a car, higher performance
| needs for complex safety systems, expectations around things like
| large displays, etc.
| Arainach wrote:
| >A design may include other certified hardware or software
| designs as components or layers, but liability for failures in a
| design remains fully with that design's engineer of record; it
| cannot legally be passed through to its components' engineer of
| record.
|
| How can this ever make sense? So if a bridge fails because the
| supplier of rebar messed up the heat treatment, the bridge
| designer is liable? What this means in practice is no systems
| larger than those that can be practically understood by a single
| person - possibly from atoms and first principles - and no
| systems that can't be audited by one person in time shorter than
| the project would become irrelevant.
| EvanAnderson wrote:
| Manufacturers independently test raw materials coming from
| suppliers, sub-assemblies from contract manufacturers, etc. If
| we're going to consider software a "supply chain" it seems like
| a good idea to subject it to the same rigor.
|
| Speaking about real world manufacturing: I'm ignorant of the
| details but I would assume there's some construct in law or
| regulation for liability to be assigned back "up the chain" if
| due diligence in statistically sound testing "down the chain"
| is demonstrated.
| velcrovan wrote:
| Earlier on it says "If a system deviates from its design, the
| contractor becomes liable for any such failure, whether related
| to the specific deviation or not."
|
| And yes, you're probably right that systems would have to be
| much more legible. I'm interested in imagining what that tech
| landscape would look like.
| linkdink wrote:
| That's already how the world works. The bridge design company
| takes out insurance reflecting their liability. If something
| happens, they pay. If their supplier messed up a component,
| they can turn around and sue the supplier. Licensed
| professional engineers are already personally responsible for
| their projects to some extent, which can be very big and
| complicated. They're covered by professional liability
| insurance. All of this has been around for a long time.
| atoav wrote:
| I mean if something I design as an electrical engineer kills
| people because it was faulty, it doesn't matter if the
| components sucked, because it is _my_ responsibility to choose
| components that do not suck and to test them as well.
|
| As someone who also does web development I know that this
| degree of liability is completely foreign to a big part of the
| software world, and IMO this is a part of the reason software
| still sucks big time in terms of efficiency, reliability, safety
| and security.
|
| Because if you have to think about liability, suddenly the
| simple rugged system starts to look a lot more attractive.
| abeppu wrote:
| > liability for failures in a design remains fully with that
| design's engineer of record
|
| > So if a bridge fails because the supplier of rebar messed up
| the heat treatment
|
| Is a failure of a bridge necessarily a failure in a design? Or
| do we distinguish between a physical project which uses a
| design from the design itself? If the materials were bad,
| whether or not the construction team had some responsibility to
| re-test those materials prior to using them (is this common?),
| it doesn't seem like evidence that the _design_ failed.
| AdamH12113 wrote:
| Messing up the heat treatment isn't a design failure, it's a
| construction failure. The design specifies acceptable
| parameters for the rebar. If the rebar is within those
| parameters but the bridge fails because the parameters were
| wrong, the designer is responsible. If the rebar was out of the
| specified parameters, the contractor is responsible.
|
| If I'm reading the article right, "design" would encompass
| interaction boundaries as well as things like CPU/memory
| requirements, information storage, and security.
___________________________________________________________________
(page generated 2022-09-23 23:01 UTC)