DIP1028 - Rationale for accepting as is

Bruce Carneal bcarneal at gmail.com
Sun May 24 06:26:56 UTC 2020


On Sunday, 24 May 2020 at 03:28:25 UTC, Walter Bright wrote:
> I'd like to emphasize:
>
> 1. It is not possible for the compiler to check any 
> declarations where the implementation is not available. Not in 
> D, not in any language. Declaring a declaration safe does not 
> make it safe.

Agree completely.  Not in dispute that I've seen.  In the same 
vein, defaulting a declaration to @safe doesn't make it safe.

For the ultra paranoid, even the name mangling in D libraries is 
not to be trusted because "the implementation is not available".

>
> 2. If un-annotated declarations cause a compile time error, it 
> is highly likely the programmer will resort to "greenwashing" - 
> just slapping @safe on it. I've greenwashed code. Atila has. 
> Bruce Eckel has. We've all done it. Sometimes even for good 
> reasons.

I don't believe that you or any other competent programmer 
greenwashes safety critical code.  Regardless, the safety 
conscious must review their dependencies whatever default applies.

>
> 3. Un-annotated declarations are easily detectable in a code 
> review.

Automating this for the transitive closure of defaulted @safe 
functions would help.  Maybe that capability is there already and 
I missed it?

> [snip]
> It is, in a not-at-all obvious way, safer for C declarations to 
> default to being safe.

I agree that it is not-at-all obvious.

On a positive note, the DIP discussion/clarification should 
encourage the safety conscious to rebase code to a machine 
checkable form whenever feasible.
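To make the "declaring a declaration safe does not make it safe" point concrete, here is an added D illustration (my own code, not from this thread or the DIP): three bodiless declarations bound to C's strlen via pragma(mangle), differing only in the attribute each declaration asserts. The names len_unannotated, len_greenwashed, len_audited and useFromSafeCode are mine; the behaviour shown is that of D as shipped, where an un-annotated bodiless declaration is @system.

```d
// Added illustration, not code from the thread: three D declarations that all
// bind to the same C routine (strlen) and differ only in what they claim.
// The compiler has no C implementation to inspect, so it takes the claim on faith.
module greenwash_demo;

import std.stdio : writeln;

// Un-annotated bodiless declaration: @system in D as shipped.
pragma(mangle, "strlen") extern(C) size_t len_unannotated(const(char)* s);

// "Greenwashed": @safe slapped on a declaration the compiler cannot verify.
pragma(mangle, "strlen") extern(C) @safe size_t len_greenwashed(const(char)* s);

// Honest form: @trusted records that a human, not the compiler, vouches for it,
// and gives a reviewer (or a grep) a single marker to look for.
pragma(mangle, "strlen") extern(C) @trusted size_t len_audited(const(char)* s);

@safe size_t useFromSafeCode(const(char)* p)
{
    // len_unannotated(p);         // compile error: @safe function cannot call @system function
    size_t a = len_greenwashed(p); // accepted: the declaration said @safe; nothing was checked
    size_t b = len_audited(p);     // accepted: @trusted is the explicit, auditable escape hatch
    return a + b;
}

void main()
{
    // D string literals are null-terminated, so .ptr is a valid C string here.
    const(char)* p = "hello".ptr;
    writeln(useFromSafeCode(p));
}
```

Uncommenting the len_unannotated call shows the only case the compiler can actually reject; the other two compile identically, which is why a @safe default on declarations is worth no more than an explicit @trusted that a reviewer can search for.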



More information about the Digitalmars-d-announce mailing list