Dependent types can prove your code is correct up to a specification. But how do you prove the specification is correct?

Backend | unresolved | 7 | 1663
难免孤独 2021-02-01 01:21

Dependent types are often advertised as a way to enable you to assert that a program is correct up to a specification. So, for example, you are asked to write code that

7 answers
  •  死守一世寂寞
    2021-02-01 02:03

    Coming late to the party, but AFAICT, no one has yet mentioned another important aspect: in the context of program verification, having a bug in the spec is not always too terrible, because you can use the code to check the spec.

    IOW, the proof doesn't say "the code is right", but "the code and the spec are mutually consistent". So, in order for a bug in the spec to go unnoticed, it has to be one of:

    • an underspecified spec.
    • a bug in the spec matched by a corresponding bug in the code.

    As someone else pointed out: the problem is the same for tests.
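The two escape routes named in that answer (an underspecified spec, or a spec bug matched by a code bug) can be shown concretely. The Lean 4 snippet below is an added illustration, not code from the answerer or from any project: `Sorted`, `bogusSort` and `SortSpec` are names made up here. A spec that only demands "the output is sorted" is satisfied by a function that discards its input, and the proof goes through, because code and spec are mutually consistent. Strengthening the spec to also require a permutation of the input is what makes the same code fail to type-check against it.

```lean
-- Added example (not from the original post). Names below are constructed.

-- Spec 1 (underspecified): adjacent elements are in non-decreasing order.
def Sorted : List Nat → Prop
  | [] => True
  | [_] => True
  | x :: y :: rest => x ≤ y ∧ Sorted (y :: rest)

-- A "sort" that throws the input away. It is obviously wrong ...
def bogusSort (_ : List Nat) : List Nat := []

-- ... yet it is provably consistent with Spec 1: the empty list is sorted.
-- The proof succeeds; it has only established "code and spec agree".
theorem bogusSort_sorted (xs : List Nat) : Sorted (bogusSort xs) := by
  simp [bogusSort, Sorted]

-- Spec 2 (strengthened): sorted AND a permutation of the input.
-- The permutation clause is what rules out dropping or inventing elements.
def SortSpec (xs ys : List Nat) : Prop :=
  Sorted ys ∧ List.Perm xs ys

-- Against Spec 2 the bogus implementation cannot be verified. For the
-- input [1] we can even prove the negation: a permutation preserves length,
-- and [1] has length 1 while bogusSort [1] = [] has length 0.
theorem bogusSort_fails : ¬ SortSpec [1] (bogusSort [1]) := by
  intro h
  unfold SortSpec at h
  have hlen := h.2.length_eq
  simp [bogusSort] at hlen
```

The practical check this suggests is the one the answer hints at: when a proof goes through suspiciously easily, try a deliberately wrong implementation against the same spec. If it also verifies, the spec is underspecified, and the code has just been used to find a bug in the spec.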
