From: dewar@merv.cs.nyu.edu (Robert Dewar)
Subject: Re: Critique of Ariane 5 paper (finally!)
Date: 1997/08/20
Organization: New York University
Newsgroups: comp.lang.ada,comp.lang.eiffel

Bertrand Meyer wrote:
>
> Robert Dewar writes:
>
> > This is demonstrably false. There are lots of examples of highly reliable
> > software written by people who don't even know what a specification is,
> > let alone how to carefully associate them with software elements.
> >
> > If you want details on this, I can send you hundreds of thousands of
> > lines of COBOL code. This code is completely impenetrable in places,
> > and I consider it pretty horrible, but it is from a completely reliable
> > system, where reliability is measured in the terms that matter, i.e.
> > it does what it is supposed to do in a highly reliable manner.
>
> This is eloquently said, but incorrect all the same.
>
> The definition of reliability which this implies is that a system
> is "highly reliable" if it has been working satisfactorily for,
> say, 30 {seconds | minutes | hours | days | weeks | months | years}
> -- pick one.
> This is one possible definition of reliability, which gets
> more and more interesting as it moves to the right of the list
> of choices; but it is by no means the only "terms that matter".
>

This is complete nonsense. I am talking about systems which are reliable
by any conceivable measure. Now of course if your measure of reliability
includes that it must explicitly use DBC, then you reduce your argument
to a meaningless tautology.

Personally I find obviously bloated claims like this (my method is the
only one that can generate reliable code, and it is impossible to generate
reliable code any other way) to be highly counter-productive. I have
occasionally heard people make similar bogus absolute claims for Ada -- and
in my opinion nothing is more damaging, since it causes people who know
better to simply ignore not only the obviously incorrect claim, but also
more reasonable claims.

In this particular case, the very reasonable point that DBC may be a useful
tool in helping to achieve reliability in some circumstances is getting
submerged by the more absurd claim that it is the only way to achieve this
goal.