coq-club AT inria.fr

Subject: The Coq mailing list

List archive

Re: [Coq-Club] Fwd: "Lean is like Coq but better"

From: Adam Chlipala <adamc AT csail.mit.edu>
To: coq-club AT inria.fr
Subject: Re: [Coq-Club] Fwd: "Lean is like Coq but better"
Date: Sun, 12 Jan 2020 12:25:06 -0500
Authentication-results: mail2-smtp-roc.national.inria.fr; spf=None smtp.pra=adamc AT csail.mit.edu; spf=Pass smtp.mailfrom=adamc AT csail.mit.edu; spf=None smtp.helo=postmaster AT outgoing-stata.csail.mit.edu
Ironport-phdr: 9a23:hjp+WBO0lD2C5248oVkl6mtUPXoX/o7sNwtQ0KIMzox0Lfj6rarrMEGX3/hxlliBBdydt6sfzbCI4+uxCCQp2tWoiDg6aptCVhsI2409vjcLJ4q7M3D9N+PgdCcgHc5PBxdP9nC/NlVJSo6lPwWB6nK94iQPFRrhKAF7Ovr6GpLIj8Swyuu+54Dfbx9HiTagb75+Ngu6oATSu8UZhYZvLrs6xwfUrHdPZ+lY335jK0iJnxb76Mew/Zpj/DpVtvk86cNOUrj0crohQ7BAAzsoL2465MvwtRneVgSP/WcTUn8XkhVTHQfI6gzxU4rrvSv7sup93zSaPdHzQLspVzmu87tnRRn1gyoBKjU38nzYitZogaxGvhyhqRxxzY3abo6bO/VxfL/Sc9wBSGpdXctcTTBNDp+yYoYNCecKIOZWr5P6p1sLtRazGRSjC/nqyjRVmHL23ak60+U5EQ7c2AwvBc8FvXPOo9roLqgSVPy6wbLUwjXYdfxW2DP95JLNchAgvfGAR6x/ftfMyUQ2EQ7Ok1aeqZT9Mj+IyOgAsHKX4uR8We61lWIrsR99riWzyss0lIXFmoIYxkra+Sll3Yo5P8C0RUphbdOqDpddsTyROZFsTcM4WW5ovT43yr0Ytp6/eygH0JMnxwPDa/yIdIiI4xTjVOmILTdjmHJqYq6/iAyo/Ue80e3zTMi00FJQoipAk9nMqmoB2ALO5ciaUvd9/0Gh1iiT1w3L9+1IP0M5mbDVJpI92LI8iIAfvVreEiPqgEn2ibWZdkQg+uim8eTnZbDmq4eGOIBpkA7+N7ghl9ejDuQjKAcOXmyb9f651L3i4U31WqtFgeArkqXBqpDVOdwbprKlAw9Syoss9xG/Dy6/3NsEmXkHMUlKdQmcj4npPlHOOOr3Ae2+g1SqijdrxurJMqfvApXXfTD/l+Lqeq844EpBwiIyy8pe7tRaEOIvOvX2D2b9vdmQJR89MhS9x++vXNxx34YVcWmUC66ddqbTrRmF6v95cLrEX5McpDuoc6tt3PXpl3JswQZML5ns5oMebTWDJtojJkyYZXT2hdJYTDUBpQM/SKrviUHEXDJONS/rA/AMowojAYfjNr/tA5i3ieXcjiygF5xSIGVHFhaBHWq6L9zZCcdJUzqbJ4paqhJBVbWlTNR5hxazqAD9yrxoa/HI8zER85n43dlxoejSiVc/+SEmV8k=

I do think it's worth drawing a distinction between the mathematician's goal of understanding a proof to attain "insight" (honestly driven primarily by aesthetic criteria in many cases, as far as I can tell) and the formal-methods engineer's goal of understanding a proof to be able to maintain it. We measure success very differently in these two cases, I would claim. Insight can be a tool to put a person in a good position to do maintenance, but good enough automation can remove the need to develop any insight about many details in a long proof.

On 1/12/20 11:45 AM, Stefan Monnier wrote:

This is why I do not really care if Coq (or lean or agda or anything
else's) proofs are readable or not when it comes to program verification.

As a user of the program, that makes sense. But if you ever intend to
work (extend, modify, ...) on that program (or pay someone else to do
it), then you'll need this proof to be readable, just like you need the
code to be readable, otherwise you won't be able to update the proof to
match the new code.

Re: [Coq-Club] Fwd: "Lean is like Coq but better", (continued)