unofficial mirror of help-gnu-emacs@gnu.org
 help / color / mirror / Atom feed
From: "Óscar Fuentes" <ofv@wanadoo.es>
To: help-gnu-emacs@gnu.org
Subject: Re: CVE-2017-14482 - Red Hat Customer Portal
Date: Wed, 27 Sep 2017 01:31:57 +0200	[thread overview]
Message-ID: <87d16drq8i.fsf@qcore> (raw)
In-Reply-To: 4d048ea0-5c54-f5ba-c903-78614480ac76@yandex.com

Mario Castelán Castro <marioxcc.MT@yandex.com> writes:

> On 25/09/17 18:58, Óscar Fuentes wrote:
>> Mario Castelán Castro <marioxcc.MT@yandex.com> writes:
>>> This depends on what exactly is meant by “correct”.
>> 
>> "correct" means that the client (the people who required the software)
>> says that the program fulfills his requirements. Sometimes you need to
>> wait an infinite amount of time for obtaining client's approbation :-)
>
> The same answer applies: If a client either provides himself or accepts
> a formula in formal logic as a description of his requirements, then
> yes, we can prove that a program is correct according to this concept.
>
> If the client can not provide an *absolutely accurate* description (this
> is necessarily a specification in formal logic) of what his requirements
> are, then we can not assure the client that the program meets his
> requirements. This is not a fault of the programmer, but of the client
> for being vague about what his requirements are.
>
>>> If by “correctness” it is meant a formula in *formal logic*, then yes,
>>> we can prove that the program behaves correctly.
>> 
>> Ever heard of a chap named Kurt Gödel? Or his cousin Alan Turing? :-)
>
> What you are doing here is intellectual fraud. You are conveying the
> impression that there is an obstacle that prevents formal verification,
> yet you did not even _mention_ what this obstacle is.
>
> Given that you mentioned Gödel, I guess (I can merely *guess* your
> intent because you did not explain it; this is your fault, not mine)
> that you believe that either the Gödel-Rosser incompleteness
> theorem[Mend, p. 210] or one of the many variations is an obstacle for
> formal verification. This is incorrect. What these theorems state is
> that in any formal system that meets certain prerequisites, there is an
> assertion P such that neither P nor ¬P are a theorem of the formal
> system. Also, it seems that you are confusing algorithmic undecidable
> problems (like the halting problem) with formally undecidability
> propositions (like the axiom of choice within ZF).
>
> In practice, using well-established logic systems (e.g.: HOL and ZFC)
> one does not _accidentally_ runs into formally undecidable statements.
> Moreover, suppose that you are “sure” that a certain proposition P that
> is undecidable in (say) HOL is “true”. What should you do? Since you are
> sure that P is “true”, then you must have proved P it in _some_ formal
> system (otherwise your claim has no logical basis) and you trust that
> this formal system is consistent. You can then either embed your formal
> system within HOL, or add the appropriate axioms (both options are a
> routine procedure in most proof assistants), and then prove P within
> your embedding in HOL or within your HOL+axioms system.
>
> Also, it is dubious whether it is a good idea to write a program whose
> correctness depends on baroque axioms like large cardinals. This
> commentary holds regardless of whether you are interested in formally
> proving its correctness.
>
>> […] it
>> is almost certain that there are "correct" informal specifications that
>> do not admit a verifiable formal specification.
>
> This is yet more intellectual fraud (an unjustified claim).
>
> *****
> I have spent already enough time addressing your misconceptions. If you
> reply to this message with even more misconceptions, I will not reply
> because I am unwilling to spend even more time explaining what you
> should already know. It is *YOUR* task to make sure you know what you
> are talking about (and you have failed so far), not mine!.
>

Well, as a humble software developer who is happy whenever I get things
done "well enough", let me ask a few simple questions. You can simply
respond with "yes" or "no", if you wish:

* Is there a proof that demonstrates that every program admits a
  verifiable formal specification, or a method for knowing in advance
  which programs admit such specification?

* Is there a proof that demonstrates that the verification will take a
  maximum amount of computing resources? (let's say polinomial on some
  metric of the program's code).

* Are there reliable methods for estimating the amount of man/hours
  (give or take one order of magnitude) required for creating a
  verifiable formal specification from some informal specification
  language used in the industry?

* Are there studies that, based on past practice, demonstrate that the
  formal approach is more economic than the traditional one, either
  along the development phase or along the complete life cycle of the
  software?

>> […] We must provide what is requested from us, in
>> terms of functionality, performance and cost […]
>
> Somebody has to take a decision between cheap software and reliable
> software. Those are mutually exclusive.
>
> The predominating choice is cheap software. As evidence for this claim I
> note the very high frequency of bug reports including security
> vulnerabilities.

Categorizing software as "cheap" or "reliable" misses the point
entirely. Either the software is adequate or not. And the adequateness
criteria varies wildly, but two things are always present: if your
sofware is more expensive than the value it provides, it is inadequate;
if your software takes too much time to develop, it is inadequate.

I've seen too many academics that fail to understand those simple facts.

> If you are interested in formal logic, either because of genuine
> interest or just to criticize, I suggest [Mend] as a starting point.
>
> [Mend] E. Mendelson “Introduction to Mathematical Logic”, 6th edition
> (2015).

Many years ago I felt in love with mathematical logic and devoted many
many (that's two manys) hours to its study. In the end I decided that
was impractical and sterile and forgot almost everything. Since,
automatic theorem provers got much better to the point of being usable
for certain types of problems. Right now, I'm looking forward to
implementing dependent types on my programming language. I have Coq and
Idris around and played with it but so far I failed to see them as an
improvement on my work. That means that it is exciting and feels
promising, but I see no clear gain from using them.

With age, I turned skeptic about new things. If formal methods is the
silver bullet, the proponents are those who must provide evidence and so
far it is missing, apart from some niche cases (and then the evidence is
dubious, as shown on the paper that I mentioned on a previous message).




  reply	other threads:[~2017-09-26 23:31 UTC|newest]

Thread overview: 68+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-09-21 21:51 CVE-2017-14482 - Red Hat Customer Portal ken
2017-09-21 22:03 ` Kaushal Modi
2017-09-21 23:07   ` ken
2017-09-22  7:37     ` Alberto Luaces
2017-09-22  7:48       ` Emanuel Berg
2017-09-22 20:12         ` Mario Castelán Castro
2017-09-22 22:14           ` Emanuel Berg
2017-09-24  2:08             ` Mario Castelán Castro
     [not found]             ` <mailman.1063.1506218941.14750.help-gnu-emacs@gnu.org>
2017-09-24  6:47               ` Emanuel Berg
2017-09-24 13:38                 ` Mario Castelán Castro
2017-09-24 14:42                   ` Óscar Fuentes
2017-09-24 14:54                     ` tomas
2017-09-26 18:57                       ` Narendra Joshi
2017-09-24 23:06                     ` Emanuel Berg
2017-09-25 21:23                       ` Mario Castelán Castro
2017-09-25 21:49                         ` Emanuel Berg
2017-09-26  1:43                           ` Mario Castelán Castro
2017-09-26  2:17                             ` Emanuel Berg
2017-09-25 21:11                     ` Mario Castelán Castro
2017-09-25 23:58                       ` Óscar Fuentes
2017-09-26 14:46                         ` Mario Castelán Castro
2017-09-26 23:31                           ` Óscar Fuentes [this message]
2017-09-29 20:21                             ` Mario Castelán Castro
2017-09-29 12:43                           ` Eli Zaretskii
2017-09-29 14:59                             ` dekkzz78
2017-09-29 16:51                               ` Óscar Fuentes
2017-09-29 17:20                                 ` Emanuel Berg
2017-09-29 18:27                                   ` Óscar Fuentes
2017-09-29 19:45                                     ` Emanuel Berg
2017-09-29 20:06                                       ` Óscar Fuentes
2017-09-29 23:24                                         ` Emanuel Berg
2017-09-29 18:03                               ` Eli Zaretskii
2017-09-24 23:07                   ` Emanuel Berg
2017-09-23 10:05           ` Charles A. Roelli
2017-09-23 12:53             ` Óscar Fuentes
2017-09-23 13:12               ` Eli Zaretskii
2017-09-23 17:18                 ` Glenn Morris
2017-09-23 17:34                   ` Eli Zaretskii
2017-09-23 20:50                     ` Yuri Khan
2017-09-24  2:53                       ` Eli Zaretskii
2017-09-24  7:13                         ` Philipp Stephani
2017-09-24 18:29                           ` Robert Thorpe
2017-09-29  8:17                             ` Eli Zaretskii
2017-09-29 20:28                             ` Stefan Monnier
2017-09-29 23:28                               ` Emanuel Berg
2017-10-03  0:52                                 ` Stefan Monnier
2017-10-03  1:04                                   ` Emanuel Berg
2017-09-29  7:11                           ` Eli Zaretskii
     [not found]                         ` <mailman.1068.1506237251.14750.help-gnu-emacs@gnu.org>
2017-09-24  7:48                           ` Emanuel Berg
2017-09-25 21:26                         ` Glenn Morris
2017-09-25 22:02                           ` Emanuel Berg
2017-09-25 22:08                           ` Ludwig, Mark
2017-09-26  5:50                             ` Emanuel Berg
2017-09-26 13:40                               ` Ludwig, Mark
2017-09-26 17:46                             ` Philipp Stephani
2017-09-26 19:00                               ` Ludwig, Mark
2017-09-29 13:23                               ` Eli Zaretskii
2017-09-29  9:48                           ` Eli Zaretskii
2017-09-26 18:44                   ` Narendra Joshi
2017-09-26 18:51                     ` Philipp Stephani
     [not found]           ` <mailman.988.1506161159.14750.help-gnu-emacs@gnu.org>
2017-09-24  6:31             ` Emanuel Berg
2017-09-22 16:40       ` ken
2017-09-22 19:07         ` Emanuel Berg
2017-09-23 20:27     ` Bob Proulx
     [not found]     ` <mailman.1053.1506198486.14750.help-gnu-emacs@gnu.org>
2017-09-24  6:38       ` Emanuel Berg
2017-09-24 17:17         ` Maxim Cournoyer
2017-09-24 22:38           ` Emanuel Berg
  -- strict thread matches above, loose matches on Subject: below --
2017-09-27 10:51 Richard Melville

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://www.gnu.org/software/emacs/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87d16drq8i.fsf@qcore \
    --to=ofv@wanadoo.es \
    --cc=help-gnu-emacs@gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).