From: Georg Bauhaus <rm-host.bauhaus@maps.futureapps.de>
Subject: Re: Securing type extensions
Date: Tue, 14 Sep 2010 23:18:36 +0200
Date: 2010-09-14T23:18:37+02:00 [thread overview]
Message-ID: <4c8fe6ad$0$6759$9b4e6d93@newsspool3.arcor-online.net> (raw)
In-Reply-To: <2ka8sfdvyvil.1k714obgzgj3a.dlg@40tude.net>
On 9/14/10 2:22 PM, Dmitry A. Kazakov wrote:
> On Tue, 14 Sep 2010 12:02:28 +0200, Georg Bauhaus wrote:
>
>> I'm asking about visibility and how it can possibly help ascertaining
>> that user supplied subprograms are trustworthy---which is, by
>> definition, not the same thing as "safe".
>
> Hmm, how "trustworthiness" corresponds to correctness and type safety?
I'd consider the relation of trustworthiness, correctness and type
safety at least from two viewpoints, a technical one and one on
conflict:
1 - Technically, a program may have certain formal properties,
such as no type errors. (Like a program can suffer if written
in Python). Each formal property may exclude precisely the
corresponding class of errors, if there is such correspondence.
Suppose a partial program has "sockets" into which foreign code
can be plugged, to make it complete. Such as a type extension
with overridden subprograms. The completion is done on site.
At the very least the interfaces must match.
But the parent type's "plan" might require that the type's operations
be called in a certain order, sayoperation A
is called before operation D, no matter what comes in between.
An exception is thrown otherwise, or worse. So both, the programmer
who has written the partial program and the programmer who
has written the plug-in code may have an interest in following the plan.
How do you talk about this on site? Can you trust the plug-in code?
Suppose you don't use Ada, but Python or some other more dynamically
typed language. Can you even assume the type has the same interface
as its parent? When the absence of a statically known interface
destroys all hope for type safety, how can programmers sill trust
Google to continue providing meaningful Python objects for Google
App Engine?
2 - The utility function of a business might include a variable
that stands for cost of conflict. Cost of conflict is in part
negotiated, in part a consequence of the legal system.
The conflict here is triggered by a malfunctioning program:
who/what is to blame when a type extension (by party X) does not
work nicely with a partial program (by party Y)?
Demonstrable correctness and type safety can be turned into
arguments. "Clearly, our partial program is correct, and type
safe. Therefore, your type extension makes the product
malfunction." -- "But we only varied the order of calls and
your type specifies nothing in this area. Why didn't you
specify ordering requirements as preconditions?" ...
So do correctness and type safety make two parties trust
each other with their business?
In a more peaceful setting, the utility function of a business
might include a variable that stands for income that only high
quality software can generate. (Assuming that customers will pay
a higher price for a better product.)
Again, demonstrable correctness and type safety can be turned into
arguments. If correctness and type safety contribute to high
quality, if high quality entails a higher price, and if paying
a higher price expresses trustworthiness, then correctness and
type safety yield trust.
(There are other reasons for larger sums payed, but I'll
ignore them.)
Georg
next prev parent reply other threads:[~2010-09-14 21:18 UTC|newest]
Thread overview: 107+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-12 10:18 Preventing type extensions Florian Weimer
2010-09-12 11:59 ` Ludovic Brenta
2010-09-12 12:53 ` Florian Weimer
2010-09-12 21:23 ` Maciej Sobczak
2010-09-13 5:32 ` Florian Weimer
2010-09-13 7:13 ` Dmitry A. Kazakov
2010-09-13 9:19 ` Georg Bauhaus
2010-09-13 9:42 ` Dmitry A. Kazakov
2010-09-13 10:23 ` Niklas Holsti
2010-09-13 12:55 ` Cyrille
2010-09-13 13:55 ` Dmitry A. Kazakov
2010-09-13 21:13 ` J-P. Rosen
2010-09-21 13:57 ` Cyrille
2010-09-21 14:19 ` Dmitry A. Kazakov
2010-09-21 14:44 ` Cyrille
2010-09-21 16:25 ` Dmitry A. Kazakov
2010-09-21 17:11 ` Georg Bauhaus
2010-09-21 18:11 ` Dmitry A. Kazakov
2010-09-23 20:00 ` Simon Wright
2010-09-23 20:49 ` Dmitry A. Kazakov
2010-09-24 9:10 ` Georg Bauhaus
2010-09-24 10:24 ` Dmitry A. Kazakov
2010-09-24 13:30 ` Niklas Holsti
2010-09-24 16:27 ` Dmitry A. Kazakov
2010-09-24 17:47 ` Niklas Holsti
2010-09-24 19:42 ` Dmitry A. Kazakov
2010-09-21 14:32 ` J-P. Rosen
2010-09-21 15:02 ` Cyrille
2010-09-21 15:26 ` J-P. Rosen
2010-09-21 16:18 ` Cyrille
2010-09-22 8:01 ` J-P. Rosen
2010-09-22 17:28 ` Cyrille
2010-09-22 19:30 ` Ludovic Brenta
2010-09-22 19:51 ` Florian Weimer
2010-09-22 20:14 ` Dmitry A. Kazakov
2010-09-22 20:25 ` Florian Weimer
2010-09-22 20:38 ` Dmitry A. Kazakov
2010-09-22 21:25 ` Vinzent Hoefler
2010-09-22 21:20 ` Georg Bauhaus
2010-09-22 20:16 ` Ludovic Brenta
2010-09-22 20:34 ` Florian Weimer
2010-09-22 22:45 ` Britt Snodgrass
2010-09-23 8:02 ` Ludovic Brenta
2010-09-23 16:51 ` Pascal Obry
2010-09-23 18:37 ` Florian Weimer
2010-09-23 18:55 ` Pascal Obry
2010-09-23 20:28 ` Ludovic Brenta
2010-09-24 9:20 ` Ludovic Brenta
2010-09-24 14:49 ` Simon Wright
2010-09-24 15:09 ` Ludovic Brenta
2010-09-24 16:21 ` Robert A Duff
2010-09-25 7:10 ` Pascal Obry
2010-09-25 12:03 ` Brian Drummond
2010-09-24 8:16 ` J-P. Rosen
2010-09-24 8:39 ` Cyrille
2010-09-24 9:27 ` Cyrille
2010-09-29 16:47 ` J-P. Rosen
2010-09-30 10:08 ` Cyrille
2010-10-05 17:02 ` J-P. Rosen
2010-10-08 7:50 ` Cyrille
2010-10-08 13:58 ` Cyrille
2010-10-08 20:12 ` Dmitry A. Kazakov
2010-10-11 7:57 ` Cyrille
2010-10-11 8:24 ` Dmitry A. Kazakov
2010-10-12 5:23 ` Shark8
2010-10-13 9:06 ` J-P. Rosen
2010-10-13 17:37 ` Cyrille
2010-10-13 18:50 ` Dmitry A. Kazakov
2010-09-21 14:50 ` (see below)
2010-09-21 17:37 ` Cyrille
2010-09-21 19:07 ` (see below)
2010-09-13 13:05 ` Dmitry A. Kazakov
2010-09-13 20:21 ` Niklas Holsti
2010-09-13 21:00 ` Dmitry A. Kazakov
2010-09-13 21:10 ` J-P. Rosen
2010-09-14 12:16 ` Niklas Holsti
2010-09-14 16:46 ` Dmitry A. Kazakov
2010-09-14 18:08 ` Niklas Holsti
2010-09-14 18:32 ` Niklas Holsti
2010-09-15 8:18 ` Dmitry A. Kazakov
2010-09-14 17:04 ` J-P. Rosen
2010-09-13 15:12 ` Securing type extensions (was: Preventing type extensions) Georg Bauhaus
2010-09-13 15:29 ` Securing type extensions Dmitry A. Kazakov
2010-09-13 17:23 ` Simon Wright
2010-09-13 20:22 ` Georg Bauhaus
2010-09-13 20:41 ` Dmitry A. Kazakov
2010-09-14 10:02 ` Georg Bauhaus
2010-09-14 12:22 ` Dmitry A. Kazakov
2010-09-14 21:18 ` Georg Bauhaus [this message]
2010-09-15 8:15 ` Dmitry A. Kazakov
2010-09-15 20:47 ` Georg Bauhaus
2010-09-16 7:47 ` Dmitry A. Kazakov
2010-09-16 11:52 ` Georg Bauhaus
2010-09-16 12:45 ` Dmitry A. Kazakov
2010-09-16 20:53 ` Georg Bauhaus
2010-09-16 21:37 ` Dmitry A. Kazakov
2010-09-17 8:45 ` Georg Bauhaus
2010-09-17 9:39 ` Dmitry A. Kazakov
2010-10-05 5:59 ` Randy Brukardt
2010-09-13 18:32 ` Preventing " Florian Weimer
2010-09-13 20:30 ` Dmitry A. Kazakov
2010-09-22 19:41 ` Florian Weimer
2010-09-22 20:34 ` Dmitry A. Kazakov
2010-09-22 21:10 ` Georg Bauhaus
2010-09-17 0:16 ` Shark8
2010-09-17 7:04 ` AdaMagica
2010-09-17 21:05 ` Shark8
replies disabled
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox