However the author never actually makes a good case for FV other than to satisfy hard-core OCD engineers like ourselves. Maybe the author feels like we all know their opinion - but it seems like the author is arguing against a poster of claude shannon.
If the system is - for all intents and purposes - deterministically solving the subset of problems for the customer, and you never build the state machine, then who cares?
My argument is “there isn’t one” — that’s provided we’re in a business context where new features are ALWAYS more beneficial to the business inputs than formal verification.
If a business requirement requires formal verification then the argument is also moot - because it is part of the business requirement - and so it’s not optional it’s a feature.
Come to think of it I’m not really sure I’ve ever seen software created on behalf of a business, that has formal verification, where FM is not mandatory requirement of the application or it’s not a research project.
The last time I saw formal state machines built against a Formally Verfied system it was from a bored 50 year old unicorn engineer doing it on a simple C application.
Another way of framing this is "what is the impact (to the business / to the customers / to the users) of shipping a defect?". In a lot of contexts the impact of shipping defects is relatively low -- say SaaS applications providing a non-critical service, where defects, once noticed, can usually be fixed by rolling back to the last good version server side. In some contexts the impact of shipping defects is very high, say if the defect gets baked into hardware and ships before it is detected, and fixing it would require a recall that would bankrupt the company, or if a defect could kill the customers/users or crash the space probe or so on.
I agree however I think that many overestimate how frequent those environments are. Almost everything can be updated (and that includes dumb appliances with hardware chips replaced by technician) and the only real question is what is your reliability vector.
At the end of the spectrum there’s Two Generals Problem and Space Bit Flip and so much complexity that’s mind blowing. I’ve seen on my own eyes industry wide screwups that were fixed with month full of phone calls and paper slips exchange, so it’s not like we (as humans) cannot live with unreliable systems.
I’ve been researching formal verification for a while and IMO they are not fit for general use through lack of ergonomics. I might have some ideas how to solve it but I rather try to put in a commercial box <insert dr evil meme>
Bugs are on the spectrum - some might increase resource usage, or some might crash for a percent of users. Some might always manifest for specific cohort of users and it might not be profitable to fix it for them. It's an ocean of possibilities between "perfect system" and "complete failure".
Sanity test are degrees of magnitude easier than FV and they can assure at least that.
I mentioned exactly that:
> If a business requirement requires formal verification then the argument is also moot - because it is part of the business requirement - and so it’s not optional it’s a feature.
I think you could stick with construction metaphors for a lot of learning. Scaffolding key stones is particularly instructive. You will build a large structure that is intended to be torn down in order to build another structure. And there is basically no avoiding it.
I'm not clear how to move those ideas to formal methods. Typically you do that by keeping different layers that you formalize to different degrees? Along with processes to confirm compliance at the different layers.
Software seems to get tough as we often wind up trying to expand solution and construction models to be fully inclusive of each other. We don't necessarily do this for any other construction. Do we?
firesteelrain•10mo ago
In most live production environments today, requirements do keep changing — security, compliance, customer behavior, scaling — even when teams think they're done.
Agile isn’t making an empirical prediction ("all requirements will mutate endlessly"); it’s a philosophical posture toward uncertainty
Wayne misses this interpretative nuance.
fredo2025•10mo ago
I don’t agree on testing. It’s been a long time since I bought into that, and even tests for uncertain behavior to have confidence is a form of tech debt, as the developer that follows you must make a decision whether to maintain the test or to delete it; its value doesn’t usually last. An exception would be verifying expected behavior of a library or service that must stay consistent, but that is not the job of most developers.
tbrownaw•10mo ago
At some point this philosophy has to result in something concrete.
How much ongoing effort should be put into handling the possibility that this particular requirement might change?
rTX5CMRXIfFG•10mo ago
Swizec•10mo ago
How likely is it that the world freezes and stops changing around your software? This includes business processes, dependencies, end-user expectations, regulations, etc.
In general that’s the difference between a product and a project. Even Coca Cola keeps tweaking its recipe based on ingredient availability, changes in manufacturing, price optimizations, logistics developments, etc.
Hell, COBOL and FORTRAN still get regular updates every few years! Because the software that runs on them continues to stay under active maintenance and has evolving needs.
rightbyte•10mo ago
Ye and they should stop. Has there been any big changes except the "New Coke" that never reached my home town?
virgilp•10mo ago
"they should stop" is a fine rant to express your personal taste preferences, but objectively speaking, I would bet on Coca-Cola having good reasons when tweaking the recipes. If that happens, it's probably more necessary than a layman realizes.
rightbyte•10mo ago
They might also argue they know better than me and AB test the soda into something silly if they get hubris.
Swizec•10mo ago
Yes and no. We’ll never know. There are small changes all the time. You and I wouldn’t even notice the difference.
But if you compared today’s flavor to the flavor of 100 years ago side-by-side, I bet it’s pretty noticeable. Today they use corn syrup instead of sugar, for example. Many of the flavoring ingredients from back then aren’t even legal for human consumption anymore either.
Exact ingredients also differ between markets so we’re not even all talking about the same coca cola.
rightbyte•10mo ago
It would have been interesting to do a blind test if that.
arkh•10mo ago
And due to Conway's law: plan the organization for change.
From those ideas you derive Agile (make an organization easily changeable) and the tactical part of DDD (all the code architecture meant to be often and easily refactored).
cjfd•10mo ago
firesteelrain•10mo ago