DIP1028 - Rationale for accepting as is

bachmeier no at spam.net
Fri May 22 13:58:14 UTC 2020


On Friday, 22 May 2020 at 03:36:03 UTC, Paul Backus wrote:
> Someone has created bindings for a C library and published them on
> code.dlang.org. Because they were written prior to DIP 1028, the author
> assumed that @system was the default, and didn't bother to add explicit
> annotations to @system functions. Their code looks like this:
>
> --- clibrary.d
>
>     void monkey_around(...); // assumed @system-by-default
>
> ---
>
> Months or years later, I decide to write a D program that makes use of
> these bindings. By then, @safe-by-default has been fully implemented. I
> add `clibrary` as a dependency to my Dub project and write the following
> code:
>
> --- app.d
>
>     import clibrary;
>
>     void main() // @safe-by-default
>     {
>         /* ... code ... */
>
>         monkey_around(...);
>
>         /* ... more code ... */
>     }
>
> ---
>
> My program compiles with no errors...and then corrupts memory at
> run-time, even though every line of code I've written is @safe. Oops.
>
> This is the nightmare scenario that people are worried about: safety
> violations being introduced *silently* into existing, correct D code.

Honest question: What is the use case for an 
absolutely-positively-has-to-be-safe program that calls C code? 
Why would anyone ever do that? C is not and will never be a safe 
language. "Someone looked at that blob of horrendous C code and 
thinks it's safe" does not inspire confidence. Why not rewrite 
the code in D (or Rust or Haskell or whatever) if safety is that 
critical?
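The scenario quoted above (un-annotated C prototypes becoming callable from @safe code) is one that bindings authors can defend against today. The following is an added example, not code from either poster: the binding declares its prototypes @system explicitly rather than relying on the pre-DIP1028 default, and the application reaches C only through one small @trusted wrapper that establishes the bounds the C side cannot check. libc's `memset` stands in for the hypothetical `monkey_around` so that the file links and runs as a single module with `dmd -run safe_bindings.d`.

```d
// Added example (not the original poster's code). Demonstrates the
// mitigation for the quoted scenario: explicit @system on C prototypes
// plus a single audited @trusted bridge, with a @safe main on top.
module safe_bindings;

import std.stdio : writeln;

// ----- what a binding module should look like -------------------------
// Every prototype is explicitly @system. An un-annotated extern(C)
// prototype would be treated as @safe under @safe-by-default even though
// the compiler has no body to verify. libc's memset is used here instead
// of the hypothetical monkey_around so the example actually links.
extern(C) @system nothrow @nogc
{
    void* memset(void* s, int c, size_t n);
}

// ----- application side -----------------------------------------------
// The single bridge into C. @trusted means "the author vouches for this":
// the slice carries the length, so the C call can never write past buf.
void fill(ubyte[] buf, ubyte value) @trusted nothrow @nogc
{
    if (buf.length == 0)
        return;                          // memset on a null pointer is undefined
    memset(buf.ptr, value, buf.length);  // length proven by the slice above
}

void main() @safe
{
    ubyte[8] buf;
    fill(buf[], 0xAA);
    writeln(buf[]);                      // [170, 170, 170, 170, 170, 170, 170, 170]

    // Calling the raw binding from @safe code is rejected at compile time,
    // which is exactly the check the quoted scenario lost:
    // memset(buf.ptr, 0, buf.length); // Error: @safe function cannot call @system memset
}
```

The compile error on the commented-out line is the point: because the binding says @system explicitly, @safe-by-default cannot silently turn an unchecked C call into "verified" code, and every C call in the program is funnelled through a wrapper small enough to review.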