Hacker Neue

Preferences
datenwolf parent
groan

"Fail early and hard, don't recover from errors" is a recipe for disaster.

That principle applied to critical systems software engineering leads to humans getting killed. E.g. in aerospace the result is airplanes falling out of the sky. Seriously. The Airbus A400M that recently crashed in Spain did so, because somewhere in the installation of the engine control software the control parameter files were rendered unusable. The result was, that the engine control software did fail hard, while this would have been a recoverable error (just have a set of default control parameters hardcoded into the software putting the engines into a fail safe operational regime); instead the engines shut off, because the engine control software failed hard.

In mission and life critical systems there are usually several redundant core systems and sensors, based on different working principles, so that there's always a workable set of information available. Failing hard renders this kind of redundancy futile.

No, Postel's Maxim holds as strong as ever. The key point here is: "Be conservative in what you send", i.e. your implementation should be strict in what it subjects other players to.

Also being string in what's expected can be easily exploited to DoS a system (Great Firewall RST packets anyone?)

jcranmer
You're missing the point. The problematic aspect of Postel's Maxim is not "be conservative in what you send" but "be liberal in what you accept"--as the draft points out, being liberal in what is accepted tends to cause people to become liberal in what they send and prevents implementers from tightening what they accept. HTML is the best poster child for the detrimental effects this causes (HTML5 mandates how you have to parse tag soup, since any HTML parser that wants to work has to parse tag soup that way since it is very much used in practice), but HTTP and MIME are easily in similar boats.

The point of the draft is best summarized as "if you can detect that the other side has a problem in its implementation, raise red flags early and noticeably." It's not safe to recover to some default, because that can make you think that things are working when they're not--imagine if the engine control software defaulted to assuming a different type of engine than what existed. The resulting confusion could equally destroy the engines; this is similar to what happened to the Ariane 5 rocket that caused it to explode.

pvg
E.g. in aerospace the result is airplanes falling out of the sky. Seriously.

You're misinterpreting 'fail fast' - it doesn't mean 'entire system should fail catastrophically at slightest problem' or 'systems should not be fault-tolerant'. It just means that components should report failure as soon as possible so the rest of the system can handle it accordingly instead of continuing operation with an unrecognized faulty component leading to unpredictable outcomes.

jerf
In particular, "Just Sort Of Keep Going And Hope It All Works Out Eventually" is also a great way to crash planes and kill people, if we're going to pretend that everything's safety critical.
ams6110
"One size fits all" is also a recipe, if not for disaster, then for unnecessary overengineering.

Fail hard and don't recover is absolutely fine in many scenarios, especially ones where no lives or expensive property are on the line.

Control software for jet engines is a whole different kettle of fish from sharing photos online. I would dare say most of us here have never worked on software that critical. The approach---from design to implementation to testing---is formalized to a degree most of us in the "agile" world of web apps could not tolerate.

aidenn0
It is a good maxim for internetworked software where the cost of failing early is much lower than the cost of leaking information due to buggy error code.
tel
That's fine if you make the assertion, explicitly not made here, that you have some control over who sends you things.

This item has no comments currently.