June 29, 2026
Proof or it didn’t happen
You Don't Know Jack About Formal Verification
Math-proof software is having a moment, but the comments are absolutely not sold
TLDR: The article says software can increasingly be built so key business rules are mathematically guaranteed, not just tested, and AI may make that easier. Commenters weren’t fully buying it: some called the pitch overhyped, some mocked the AI angle, and others said it’s still too limited for everyday app work.
A big idea just landed in software land: instead of merely testing programs and hoping for the best, this article argues we can now prove some important rules can never break. The example is deliciously scary in a real-world way: a permissions bug that looked safe in tests but could quietly turn narrow access into almost-everywhere access. The authors’ pitch is simple enough for civilians: if your app handles money, secrets, or other high-stakes rules, maybe “it passed the tests” isn’t good enough anymore.
But the real fireworks were in the comments, where readers instantly split into camps. One side basically said, “Cool dream, but let’s not pretend this works for normal app developers yet.” That skepticism came in hot from people pointing out that the messy parts of software — screens, databases, internet calls — are still where plenty of chaos lives. Another commenter threw shade at the whole presentation, grumbling that ACM sounded like a clickbait YouTube channel, which is the kind of insult that lands hard in nerd circles.
Then came the spiciest subplot: AI hype backlash. The article suggests AI could remove the pain of writing these proofs, and commenters were not ready to clap on cue. One person basically translated the pitch to: “Sure, if you can afford to pay the robot.” Still, not everyone was booing from the balcony — one reader fondly remembered using Dafny in college, and another popped in with a project link for a formally verified web frontend, because of course every comment war also has that one builder saying, “Fine, I made one myself.”
Key Points
- The article says formal verification is becoming more accessible due to improved tooling and AI-assisted proof generation.
- It uses a secrets-management permissions example to show how a passing test suite can still miss a serious authorization bug.
- The authors identify a key invariant for permission systems: derived permissions must always be a subset of the granting permission's scope.
- Formal verification is presented as expressing desired software properties as precise contracts in a verification-aware language and proving code satisfies them.
- The article names several formal methods tools and languages, including Dafny, Lean, Rocq, Isabelle, F*, and TLA+.
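Here is what that subset invariant looks like as a checked contract in Dafny, one of the tools named above. This is an added illustration, not code from the article or its authors: the Permission type, the secret paths and the Derive/DeriveUnchecked/NarrowsTransitive names are all made up for the example, and DeriveUnchecked is deliberately written so the verifier rejects it.

```dafny
// Added example, not from the article. A permission is modelled as the set of
// secret paths it allows; the article's invariant ("derived permissions must be
// a subset of the granting permission's scope") becomes a postcondition that
// Dafny proves or refuses at verification time, independent of any test suite.
datatype Permission = Permission(scope: set<string>)

// The invariant: a derived permission never exceeds the one it came from.
predicate Narrows(derived: Permission, granting: Permission)
{
  derived.scope <= granting.scope
}

// Correct derivation: the request is clipped to what the grantor actually holds,
// so the postcondition follows for every possible input.
method Derive(granting: Permission, requested: set<string>) returns (derived: Permission)
  ensures Narrows(derived, granting)
{
  derived := Permission(requested * granting.scope);
}

// The bug shape the article warns about: the request is trusted as-is. No test
// that happens to pass in-scope requests will notice, but Dafny reports a
// postcondition violation here because a request outside the scope is possible.
method DeriveUnchecked(granting: Permission, requested: set<string>) returns (derived: Permission)
  ensures Narrows(derived, granting)   // verification error, by design
{
  derived := Permission(requested);
}

// Chains of derivation stay inside the root grant: subset is transitive, and
// Dafny discharges this lemma with an empty body.
lemma NarrowsTransitive(a: Permission, b: Permission, c: Permission)
  requires Narrows(a, b) && Narrows(b, c)
  ensures Narrows(a, c)
{
}

method Main()
{
  // Constructed sample scopes for illustration only.
  var root := Permission({"secrets/db/password", "secrets/api/key", "secrets/ci/token"});
  var team := Derive(root, {"secrets/db/password", "secrets/api/key"});
  var job := Derive(team, {"secrets/db/password", "secrets/ops/root-key"});
  NarrowsTransitive(job, team, root);
  assert Narrows(job, root);   // proven from the contracts, not from running the code
}
```

Delete DeriveUnchecked and the file verifies cleanly; keep it and Dafny pinpoints the line where the invariant can break.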