[nycbug-talk] interesting read
Bob Ippolito
bob
Sun May 22 12:06:33 EDT 2005

On May 22, 2005, at 8:16 AM, Marc Spitzer wrote:
> On 5/21/05, Bob Ippolito <bob at redivi.com> wrote:
>
>>
>> On May 21, 2005, at 11:28 AM, alex at pilosoft.com wrote:
>>
>>
>>> On Sat, 21 May 2005, Bob Ippolito wrote:
>>>
>>>>>> Let's keep in mind that the trustworthiness of a life-critical
>>>>>> application has everything to do with how that program was
>>>>>> written
>>>>>> and absolutely nothing to do with the license under which it was
>>>>>> released.
>>>>>>
>>>>>>
>>>>>>
>>>>> Okay. Back to original question. What is the benefit for you to be
>>>>> able to recompile source code for your pacemaker?
>>>>>
>>>>>
>>>>
>>>> Independent audits.
>>>>
>>>>
>>> Orthogonal to open source.
>>>
>>
>> I don't know where you learned the word orthogonal, but that's
>> certainly not what it meant in my math classes. Open source implies
>> that audits are possible, so they're not statistically independent.
>>
>
> I have to go with Alex on this one, to audit the code you would
> need to know:

So, because audits are difficult, you agree with an incorrect usage
of a word?

> 1: enough about how the heart works to comment on design decisions,
> optimizing for speed where needed and space everywhere else.
>
> 2: know the hardware and software *very* well and these are, I would
> think, all fairly to very custom embedded systems, for example X is
> stupid in C but great in Forth.

I said *possible*, not easy, cheap, or generally accessible. Nowhere
in this thread did I ever say that open source is inherently a better
solution, but it does inherently have a way to measure its worth
because the source is available. Finding a person qualified to
perform that measurement is another story.

Again, I never said that a closed source solution can't have this
either, only that open source implies that this is available.

> And you would need to accept the fact you might just get sued out of
> existence for your opinion. Think about it: someone dies and a lawyer
> smells money so he decides to sue all involved because it costs him
> nothing to add you to the suit. Now you need a good lawyer for a long
> time and they want cash generally.

Open source solutions probably fare better here (for the auditor),
because the license implies redistribution rights for the code.

> ike,
>
> even if it is in Python you are not qualified to have an opinion about
> the code that runs your granddad's heart.

Well there is a species of "obvious" bugs that you can find without
knowing the hardware and software very well. If you perform a naive
audit of the code and find one or more examples of these, I'd get
that solution the hell away from anyone I care about.

-bob