inspection and testing [Re: OVC-discuss Digest, Vol 37, Issue 7]

From: Hamilton Richards <hrichrds_at_swbell_dot_net>
Date: Fri Nov 02 2007 - 16:08:10 CDT

At 12:00 PM -0700 2007/11/2, ovc-discuss-request@listman.sonic.net wrote:
>[...]
>Message: 1
>Date: Fri, 2 Nov 2007 11:03:59 -0700
>From: Fred McLain <mclain@zipcon.net>
>Subject: Re: [OVC-discuss] disclosure; no OS? [Re: OVC-discuss Digest,
> Vol 36, Issue 10]
>To: Open Voting Consortium discussion list
> <ovc-discuss@listman.sonic.net>
>Message-ID: <71958B38-14BA-40B6-9F71-D77FBCA61B16@zipcon.net>
>Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes
>
>Responses are inline below.
>
>On Nov 1, 2007, at 12:52 PM, Hamilton Richards wrote:
>
>[...]
>>> I would also assert based on my 25+ years of active software
>>> development and my 4 years in voting software development that there
>>> is *no need for an operating system* in voting equipment. In fact,
>>> it
>>> would be best to write this without an OS since the inspection
>>> becomes
>>> far simpler and more reliable.
>>
>> On the other hand, the API is kind of brutal. :)
>
>True, but it is done every day. Every time you fly on an airplane you
>rely on software that was built without an OS. Safety critical
>software on aircraft must conform to DO-178B level A. At that level
>of certification it is nearly impossible to use an OS since the FAA
>requires *every line of code* to be tested with test artifacts proving
>it was. Thus no closed source (at least from the manufactures and
>FAA's perspective).
>
>As I said before, we can simply require DO-178B level A certification
>as well as Common Criteria SA-2/3 security analysis on these systems.
>The open source aspect is an additional benefit and provides for more
>public confidence.

How much does such intense testing add to the software's cost? I
don't have the number, but I'd guess it's at least a factor of 10.
For software that's controlling an airplane in which I'm flying, of
course, it's worth the cost, but there's a good chance that it would
price election systems out of reach for most counties.

One might argue that in a democracy no price is too high for valid
elections, but

     1. Few taxpayers seem to think there's anything for which no
price is too high.

     2. Testing can never guarantee validity (despite extensive
testing, moon-lander,
         Mars-lander, and space-shuttle software have all suffered failures)

     3. For election systems, voter-verified paper ballots can deliver much
         more reliable and transparent results, at much lower cost,
than inspection
         and testing.

For flight-control software, nothing analogous to voter-verified
paper ballots is available, so we make do with testing [aside: formal
verification is finding niches here and there, but in the highly
conservative software industry its progress is painfully slow].

> > If the election software were decently modularized, you'd end up with
>> modules that are OS in everything but name. True, it would be an
>> open-source OS, but so is Linux, so why not take advantage of all
>> that development that's already done, has many years of field testing
>> behind it, and costs nothing?
>
>I'm also in favor of this approach. The risk is that you are
>introducing a vast amount of code that never will be used. Some would
>say source inspection is impossible because of the millions of lines
>of OS code. When you write the code from scratch all you really
>reproduce from the OS are a few drivers and some basic libraries.

The argument that "source inspection is impossible because of the
millions of lines
of OS code" makes sense if you believe in source inspection.

Which I don't.

Regards,

--Ham

-- 
------------------------------------------------------------------
Hamilton Richards, PhD           Department of Computer Sciences
Senior Lecturer (retired)        The University of Texas at Austin
ham@cs.utexas.edu                hrichrds@swbell.net
http://www.cs.utexas.edu/users/ham/richards
------------------------------------------------------------------
_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
By sending email to the OVC-discuss  list, you thereby agree to release the content of your posts to the Public Domain--with the exception of copyrighted material quoted according to fair use, including publicly archiving at  http://gnosis.python-hosting.com/voting-project/
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Fri Nov 30 23:17:05 2007

This archive was generated by hypermail 2.1.8 : Fri Nov 30 2007 - 23:17:31 CST