On Fri, Feb 19, 2010 at 03:31:10PM -0700, Steven Dake wrote:
> There are millions of lines of C code involved in directing a power
> fencing device to fence a node. Generally in this case, the system
> directing the fencing is operating from a known good state.
>
> There are several hundred lines of C code that trigger a reboot when a
> watchdog timer isn't fed. Generally in this case, the system directing
> the fencing (itself) has entered an undefined failure state.
>
> So a quick matrix:
> model            LOC         operating environment
> power fencing    millions    well-defined
> self fencing     hundreds    undefined

I completely agree with you that less code is more trustworthy than more
in general. But your thesis seems to be based entirely on the hundreds
vs millions difference which I simply don't see. Anyone can configure a
watchdog to replace power fencing today, it's simple, and there will be
negligible difference in the amount of code that's involved.

Dave

_______________________________________________
Openais mailing list
Openais@lists.linux-foundation.org
https://lists.linux-foundation.org/mailman/listinfo/openais