bearophile wrote:
You have to think about proofs as another (costly) tool to avoid bugs/bangs,
but not as the ultimate and only tool you have to use (I think dsimcha was
trying to say that there are more costly-effective tools. This can be true,
but you can't be sure that is right in general).
I want to re-emphasize the point that keeps getting missed.
Building reliable systems is not about trying to make components that cannot
fail. It is about building a system that can TOLERATE failure of any of its
components.
It's how you build safe systems from UNRELIABLE parts. And all parts are
unreliable. All of them. Really. All of them.
