DIP1028 - Rationale for accepting as is
Petar
Petar
Mon May 25 12:41:30 UTC 2020
On Monday, 25 May 2020 at 11:40:46 UTC, Johannes T wrote:
> On Monday, 25 May 2020 at 10:19:22 UTC, Johannes Loher wrote:
>> [..]
>> But with the DIP in its current form, we make @safe lose its
>> meaning and power, which is much worse in my opinion.
>> [..]
>
> The alternative, not making extern @safe, would result in more
> untrustworthy @trusted code we have to worry about. It's a
> vicious circle.
Wrong. The quantity of untrustworthy code remains the same, but
with DIP1028 (at least in the current form) the compiler sweeps
the previously @system code under the rug and makes it harder for
those who care about safety to trust @safe.
@safe must mean only one thing: compiler verified. Or otherwise
needing less manual review. @system and @trusted means that code
review should be prioritized. @safe non-extern (D) marked either
by the programmer, or the implicitly by the compiler should be
disallowed as it *is* greenwashing.
> I try to relax my view on extern annotations. They are @system.
> We *should* go ahead and diligently mark with @trusted. From
> experience, it doesn't normally happen.
It didn't happen, because it didn't need to. Naturally, most
things go through the path of least resistance. Most developers
are coming from other languages where they have never had the
requirement to write @safe code [external pressure]. Also
previously, @safe wasn't the default for D function definitions,
so there was less [internal pressure] to do so. With @safe being
the default of function definitions, it's more difficult to leave
code as @system (of course, modulo @trusted).
> I don't like @safe extern, but it seems like the lesser evil.
No, @safe extern is the worst possible option! It basically makes
@safe meaningless.
> Walter got a lot of flak. I tried to retrace his thoughts and
> see the merits.
On several occasions (e.g. on Reddit) I have defended Walter from
unfair accusations, however, in this case, he's rightfully
criticized.
He seems to think that he's taking an unpopular decision for the
greater good, but that's not the case. @safe-by-default on D
function definitions could be considered an unpopular decision
for the greater good. Implicitly @safe non-extern(D) functions is
greenwashing, where the responsibility for the action is removed
from the developer by a compiler switch. That's basically
negating all the benefits of @safe-by-default on function
definitions.
More information about the Digitalmars-d-announce
mailing list