zlacker

[parent] [thread] 7 comments
1. notaco+(OP)[view] [source] 2022-10-02 19:13:26
> What about a medical procedure that WILL kill the patient if interrupted? What about life support in space?

The proper answer to those is redundancy, not continuing in an unknown and quite likely harmful state.

replies(2): >>yencab+4e >>John23+Ob1
2. yencab+4e[view] [source] 2022-10-02 20:45:18
>>notaco+(OP)
The leap second bug would have crashed all nodes of a redundant system, at the same time...
replies(1): >>notaco+8h
◧◩
3. notaco+8h[view] [source] [discussion] 2022-10-02 21:05:38
>>yencab+4e
Perhaps. On the other hand, letting a medical device continue moving an actuator or dispensing a medication when it's known to be in a bad "never happen" state could also be fatal. Ditto for the "life support in space" example. Ditto for anything reliant on position, where the system suddenly realizes it has no idea whether its position is correct. Imagine that e.g. on a warship. Limiting responses to external inputs (including time adjustments) can ameliorate such problems. So can software diversity. Many safety-critical systems require one or both, and other measures as well. Picking one black-swan event while ignoring literally every day scenarios doesn't seem very helpful. That's especially true when the thing you're advocating is what actually happened and led to its own bad outcomes.
replies(1): >>yencab+WR
◧◩◪
4. yencab+WR[view] [source] [discussion] 2022-10-03 01:49:43
>>notaco+8h
Picking medical devices and warships is also quite the cherry picking. Most Linuxes aren't like that. Critical embedded systems tend to have a hard realtime component, and if Linux is on the system it sits under e.g. seL4, or on a different CPU.

At the end of the day, what Linux does is what Linus wants out of it. He's stated, often, that halting the CPU at the exact moment something goes wrong is not the goal. If your goal is to do that, you might not be able to use Linux. If your goal is to put Rust in the Linux kernel, you might have to let go of your goal.

replies(1): >>notaco+l22
5. John23+Ob1[view] [source] 2022-10-03 05:29:45
>>notaco+(OP)
Right. It's clear that many people have not heard of, or considered, Therac-25[1].

[1] https://en.wikipedia.org/wiki/Therac-25

replies(1): >>eesmit+fo1
◧◩
6. eesmit+fo1[view] [source] [discussion] 2022-10-03 07:36:29
>>John23+Ob1
Therac-25 removed redundancy. Quoting the Wikipedia article: "Previous models had hardware interlocks to prevent such faults, but the Therac-25 had removed them, depending instead on software checks for safety."
replies(1): >>John23+Asb
◧◩◪◨
7. notaco+l22[view] [source] [discussion] 2022-10-03 13:13:33
>>yencab+WR
> Picking medical devices ... is also quite the cherry picking

It wasn't my example. It was mike_hock's, and I was responding in the context they had set.

> Most Linuxes aren't like that.

Your ally picked the medical-device and space-life-support examples. If you think they're invalid because such systems don't use Linux, why did you forego bringing it up with them and then change course when replying to me? As I said: not helpful.

The point is not specific to Linux, and more Linux systems than you seem to be aware of do adopt the "crash before doing more damage" approach because they have some redundancy. If you're truly interested, I had another whole thread in this discussion explaining one class of such cases in what I feel was a reasonably informative and respectful way while another bad-faith interlocutor threw out little more than one-liners.

◧◩◪
8. John23+Asb[view] [source] [discussion] 2022-10-06 01:25:07
>>eesmit+fo1
Right, that is the point I was making.
[go to top]