Re: Would You Fly an Airplane with a Linux-Based Control System?

[bitbucket@invalid-domain-see-sig.nil (Robert Kaiser)]

In article <sa48y8tv7do.fsf@snoopy.apana.org.au>,
	Brian May <bam@snoopy.apana.org.au> writes:
>>>>>> "Simon" == Simon Clubley <clubley@remove_me.eisner.decus.org-Earth.UFP> writes:
> ....
> 
> However, the article seems to be getting various issues confused. For
> example:
> 
> * yes, the kernel has a huge number of lines in total. Now delete all
>   the lines for other architectures, delete all lines for drivers not
>   required, and count again; I think you will end up with a
>   significantly smaller number.

I did that some time ago and arrived at some 1 Million LOC. This
is significantly less than the 5.5 Million mentioned in the slides
but still a bit too much for my taste.

> 
> * number of switches to "ls" seems irrelevant, I don't think any of
>   these systems would need ls. Even if ls was required, it would be
>   easy to write a cut down version that just has the required
>   operations.

True. However, the same argument (complexity) could just as well be
applied to sections of kernel code, but the kernel can not be
adapted/simplified so easily (because it is a monolith).

> 
> * IMHO if open source software was designed from the ground up to be
>   used in mission critical applications, by people who know what they
>   are doing, then just because these people may be volunteers doesn't
>   mean it cannot be trusted.

Very True. In fact, I think open source even has (or could have) an
advantage in mission critical applications because of the potentially
huge number and skill of reviewers. On the other hand, I have yet to see
an open source project that does work the way you describe. I believe this
is because volunteers tend to work on things that they consider "fun",
and very few people consider documenting a fun thing to do..


> * security issues can be related to bugs that are life threatening,
>   but not always. Security issues are when somebody deliberately and
>   intensionally attempts to break something. On the other hands,
>   people involved with aircraft, generally speaking, want the aircraft
>   to stay in the air.

That is one of the differences between safety and security. You are right
that people involved with aircraft are concerned mainly with safety.
However, a huge and complex trusted code base (such as 1 Million lines
of kernel code) is a concern for both safety and security.

>     Simon> I recommend that Ada advocates with high blood pressure not
>     Simon> read page 21 of the PDF, especially the last line. :-)
> 
> "Pilot (driver, walker) asserts intent"?
> 
> Did I get the wrong page?

Probably. The last two lines of that page read (Ada
advocates with high blood pressure please look away):

<snip>
 * Ada is smart - it knows better!
 * C would have just corrupted memory and flown
<snap>

Rob

-- 
Robert Kaiser                     email: rkaiser AT sysgo DOT com
SYSGO AG                          http://www.elinos.com
Klein-Winternheim / Germany       http://www.sysgo.com