On Fri, Feb 19, 2010 at 03:31:10PM -0700, Steven Dake wrote:
> There are millions of lines of C code involved in directing a power
> fencing device to fence a node. Generally in this case, the system
> directing the fencing is operating from a known good state.
> There are several hundred lines of C code that trigger a reboot when a
> watchdog timer isn't fed. Generally in this case, the system directing
> the fencing (itself) has entered an undefined failure state.
> So a quick matrix:
>
>   model           LOC        operating environment
>   power fencing   millions   well-defined
>   self fencing    hundreds   undefined
I completely agree with you that less code is more trustworthy than more
in general. But your thesis seems to be based entirely on the hundreds
vs millions difference which I simply don't see. Anyone can configure a
watchdog to replace power fencing today, it's simple, and there will be
negligible difference in the amount of code that's involved.
Openais mailing list
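The self-fencing model both messages describe (a few hundred lines that reboot the node when the watchdog is not fed), as an added example in C. This is not code from the openais project or from either author in the thread; it shows the minimal lifecycle of a Linux watchdog feeder: open /dev/watchdog, set a timeout, write a keepalive while a health check passes, and either stop feeding so the hardware reboots the node, or send the magic close ('V') to disarm on a clean exit. The health check (`countdown_healthy`) is a placeholder assumption; a real node would test cluster membership or quorum there. The Linux ioctl path is an assumption about the platform and is compiled only on Linux.

```c
/*
 * Added example (not openais code, not code from the thread's authors):
 * the minimal shape of a Linux watchdog "self-fencing" feeder.
 * If the health check fails, or the process hangs or dies without the
 * magic close, feeding stops and the hardware reboots the node.
 *
 * Assumptions: /dev/watchdog exists and the caller may open it; the
 * health check is supplied by the caller (countdown_healthy is only a
 * stand-in for a real cluster-membership or quorum test).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/ioctl.h>
#ifdef __linux__
#include <linux/watchdog.h>
#endif

typedef int (*health_fn)(void *ctx);

/* Ask the driver for a timeout in seconds. Returns the timeout actually
 * set, or -1 if the driver (or the platform) refuses; then the driver's
 * default timeout applies. */
int wd_set_timeout(int fd, int seconds)
{
#ifdef __linux__
    int t = seconds;
    if (ioctl(fd, WDIOC_SETTIMEOUT, &t) != 0)
        return -1;
    return t;
#else
    (void)fd; (void)seconds;
    return -1;
#endif
}

/* One keepalive. Any write resets the timer on Linux watchdog drivers,
 * so this works even where WDIOC_KEEPALIVE is not supported. */
int wd_feed(int fd)
{
    return write(fd, "\0", 1) == 1 ? 0 : -1;
}

/* Magic close: a 'V' written just before close() tells the driver to
 * disarm instead of rebooting the node once the fd is gone. */
int wd_disarm(int fd)
{
    if (write(fd, "V", 1) != 1)
        return -1;
    return close(fd);
}

/* Feed the watchdog while healthy() says yes. Returns the number of
 * keepalives written. The loop exits the first time the health check
 * (or the write) fails, or after max_rounds rounds if max_rounds > 0.
 * On a failed check the caller must NOT call wd_disarm(): leaving the
 * timer armed is what makes the node fence itself. */
int wd_feed_loop(int fd, health_fn healthy, void *ctx,
                 unsigned interval_ms, int max_rounds)
{
    int fed = 0;
    for (;;) {
        if (max_rounds > 0 && fed >= max_rounds)
            break;
        if (!healthy(ctx))
            break;              /* stop feeding: hardware reboots us */
        if (wd_feed(fd) != 0)
            break;              /* write failed: treat as unhealthy  */
        fed++;
        if (interval_ms) {
            struct timespec ts = { interval_ms / 1000,
                                   (long)(interval_ms % 1000) * 1000000L };
            nanosleep(&ts, NULL);
        }
    }
    return fed;
}

/* Placeholder health check (an assumption for this example): healthy
 * until the countdown reaches zero. */
int countdown_healthy(void *ctx)
{
    int *left = ctx;
    if (*left <= 0)
        return 0;
    (*left)--;
    return 1;
}

int main(void)
{
    int fd = open("/dev/watchdog", O_WRONLY);
    if (fd < 0) {
        perror("open /dev/watchdog");
        return 1;
    }
    fprintf(stderr, "watchdog timeout: %d s\n", wd_set_timeout(fd, 10));

    int budget = 5;             /* stays healthy for 5 rounds */
    int fed = wd_feed_loop(fd, countdown_healthy, &budget, 1000, 3);
    fprintf(stderr, "fed %d times\n", fed);

    /* Clean exit for this demo. In production, skip wd_disarm() when
     * the loop stopped because the health check failed: the node must
     * be allowed to reboot. */
    return wd_disarm(fd) == 0 ? 0 : 1;
}
```

Run it as root on a node with a watchdog driver loaded (softdog works for a dry run); the feeder disarms cleanly at the end, while killing it with SIGKILL before the magic close lets the driver reboot the machine after the configured timeout, which is exactly the failure path the thread is weighing against power fencing.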