From: David Gillon
Organization: BAE SYSTEMS Avionics (Rochester)
Date: Mon, 06 Aug 2001 12:44:57 +0100
Newsgroups: comp.lang.ada,comp.lang.c,comp.lang.c++,comp.lang.functional
Subject: Re: How Ada could have prevented the Red Code distributed denial of service attack.
Message-ID: <3B6E8339.A65F94C0@baesystems.com>

Tor Rustad wrote:

> Hmm...in fact for that reason, I have always assumed that in extremely
> critical systems, you simply use independent design teams (and programmers)
> to develop the second unit, and *not* just duplicate the first unit (which
> must have the same identical bugs or flaws).

It's not quite that simple. An argument can be made that, because the
requirements for any critical system must necessarily be the same across each
of the redundant channels, the design decisions and implementations will
strongly parallel each other no matter how independent the teams. In that case
you may be better off with a single implementation team, a single potential
source of errors, and more effort dedicated to finding them.

There are also at least two different sorts of redundancy used in critical
systems. In one there is a single live channel with one or more channels in the
background ready to replace it if an error is discovered. In the other, multiple
channels are live at the same time and negotiate the action to be taken amongst
themselves. In this second case the extremely close coupling of the channels
pretty much demands a single set of requirements/code/design.

-- 
David Gillon
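A small model of the two redundancy schemes described above, added here as an illustration and not part of the original thread. The channel functions, the saturating computation they implement and the acceptance check are constructed for the example; it shows that a voting scheme cannot outvote a defect every channel shares, and that a standby scheme only helps when the monitor actually detects the primary's error.

```python
# Added illustration (not from the thread): a toy model of the two redundancy
# schemes in the post. Channel behaviour and the acceptance test are constructed.
from collections import Counter
from typing import Callable, List, Optional

Channel = Callable[[int], int]


def correct_channel(x: int) -> int:
    # Reference behaviour per the (constructed) spec: double, saturate at 100.
    return min(x * 2, 100)


def buggy_channel(x: int) -> int:
    # Same spec, same defect in every copy: the saturation step was forgotten.
    return x * 2


def voted_output(channels: List[Channel], x: int) -> Optional[int]:
    """Scheme 2: all channels live, a strict majority decides the action.
    Returns None when no strict majority agrees (a detected disagreement).
    Identical channels with an identical bug agree on the wrong answer."""
    votes = Counter(ch(x) for ch in channels)
    value, count = votes.most_common(1)[0]
    return value if count * 2 > len(channels) else None


def standby_output(primary: Channel, standby: Channel, x: int,
                   check: Callable[[int], bool]) -> int:
    """Scheme 1: one live channel; the standby takes over only when the
    monitor's acceptance check flags the primary's output as erroneous.
    An error the check cannot see is passed through unchanged."""
    out = primary(x)
    return out if check(out) else standby(x)


def in_range(v: int) -> bool:
    # Monitor's acceptance test (constructed): outputs must stay within 0..100.
    return 0 <= v <= 100
```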