<div dir="auto">It sounds nice, but keeping the verified version up to date requires a steady supply of very highly skilled labor. I personally don't think it reasonable to even consider making containers itself the verified version unless the verifiers are able to<div dir="auto"><br></div><div dir="auto">1. Stay fairly up to date for a good while (say five or six years, after the current researchers have gotten their degrees/professorships), AND</div><div dir="auto">2. At the end of that period, explain their plan for continuing the effort.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Feb 1, 2018 9:50 PM, "Tom Murphy" <<a href="mailto:amindfv@gmail.com">amindfv@gmail.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">(My 2 cents, not as a containers developer) <br><br>First of all, bravo! This is great news.<br><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 31, 2018 at 11:17 PM, Joachim Breitner <span dir="ltr"><<a href="mailto:mail@joachim-breitner.de" target="_blank">mail@joachim-breitner.de</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
- we’d still welcome contributions that break the proofs, but let them<br>
sit in pull requests until someone updates the proofs on the PR and<br>
then merge<br></blockquote></div><br></div><div class="gmail_extra">If we imagine, as David does, that updating proofs will take a couple of weeks (or months), I'd imagine an advantage of this option is that:<br></div><div class="gmail_extra"> - The percent of containers users who only use features older than weeks or months from bleeding edge: 95+%<br></div><div class="gmail_extra"> - The percent of end-users who will realistically switch their code from containers to containers-verified: certainly less than 20%<br><br></div><div class="gmail_extra">If we can seamlessly switch the vast majority of users to this new verified code, and be able to say that a ubiquitous component of Haskell development is formally verified, I'd say that's a huge accomplishment.<br></div><div class="gmail_extra"><br></div><div class="gmail_extra">An alternative proposal would be to have a "containers-unverified" *upstream* instead of a "containers-verified" downstream. This would also neatly sidestep the problem of if "containers-verified" should export unverified code: it's just "containers" as usual, just with some extra verification.<br><br></div><div class="gmail_extra">Tom<br></div><div class="gmail_extra"><br></div></div></div>
<br>______________________________<wbr>_________________<br>
Libraries mailing list<br>
<a href="mailto:Libraries@haskell.org">Libraries@haskell.org</a><br>
<a href="http://mail.haskell.org/cgi-bin/mailman/listinfo/libraries" rel="noreferrer" target="_blank">http://mail.haskell.org/cgi-<wbr>bin/mailman/listinfo/libraries</a><br>
<br></blockquote></div></div>