[trustable-software] What is Trustable About ?

Tue Apr 2 13:48:52 BST 2019

Hi Dan,

I very much appreciate the points you've raised in this and other recent 
emails. Please see my comments on this one below...

On 2019-03-31 12:51, Dan Shearer wrote:
> On Sun, 31 Mar 2019 at 11:26, <trustable at panic.fluff.org> wrote:
> 
>> As i've raised several times on this list, it is my view that 
>> trustable is
>> about 'harm' and this exists large number of realms, and not just
>> personal, but corporate and societal. My particularly concern is that
>> complexity cannot and is not to be avoided, but by its nature often 
>> brings
>> with it difficulties in understanding the implications and as seen by
>> behaviour of complex systems their societal impact in the end harms
>> society and so the individual.
> 
> Complexity, cascade failures and the like are very important. But I
> also like to use specific examples of code, and here's one. Because
> otherwise theoretical notions of Good Software end up dancing on the
> head of a pin.

Agreed. "Which is better, theory or practice? In theory, theory, but in 
practice, practice."

> SQLite considered the most widely used database in the world. The
> SQLite code is found in all sorts of surprising places because it is
> quick, simple, free and also often found in libraries that the user
> may not even be aware of. It is very easy to demonstrate that SQLite
> is corruptible, indeed it is corruptible by design according to the
> documentation: https://www.sqlite.org/isolation.html , and that is
> without its many other well-known limitations. Therefore for many
> purposes SQLite cannot be regarded as trustable, whatever the
> definition. I will not try to get a list of safety critical places
> SQLite is used, as the most popular database by a long shot, the
> answer is "all kinds of embedded and IoT devices and desktop software
> besides".
> 
> Could Trustable move the needle on this sort situation?

It may be a barely visible, but my own needle has already moved since I 
wrote the original call to action.

In general I was worrying (and continue to worry) about "safety" and 
"security". Through the discussions here and elsewhere I've come to 
conclude that these topics are not relevant for software on its own. 
They can only be considered meaningfully in the context of a specific 
system/service. This has led me into arguments with (amongst others) 
"safety professionals" who cite established guidance for supposed 
creation of "safe software" independent of any context, which appears to 
me to be a pointless exercise.

I'm hoping that we (humanity in general, not just Trustable) can move 
the needle towards establishing clear norms around the need for

1) system-level thinking about risks/hazards
2) supported by architecture/design to demonstrate how these are to be 
mitigated
3) leading to clear expectations on software behaviours and properties.

Since the spread of the cult of "Agile", I believe we've seen a dramatic 
decrease in the level of systems thinking relating to typical software, 
hence the IoT and the other use-cases you refer to are typically 
deployed without credible risk analysis, let alone consideration of 
mitigations.

For your specific example, I expect that we can agree that SQLite is 
excellent software which can be trusted to perform reliably in a wide 
range of scenarios. I think that gap/issue in this specific case is not 
about the software - it's about ensuring an architectural approach to 
avoid hazards due to SQLIte's 'corruptible' design. However I do believe 
our community can help to address it (even if only by triggering smarter 
folks in other communities to run with the ball).

br
Paul