DIP1028 - Rationale for accepting as is
RazvanN
razvan.nitu1305 at gmail.com
Wed May 27 11:45:36 UTC 2020
On Wednesday, 27 May 2020 at 10:40:18 UTC, Walter Bright wrote:
> On 5/27/2020 3:07 AM, Johannes Loher wrote:
>> This is a very specific situation. There are a lot of teams /
>> developers
>> that do not work in this manner. I don't know the numbers so I
>> will make
>> no statement about what is more common but my personal
>> experience is a
>> different one.
>
> I've seen larger companies operate this way. Smaller ones
> cannot afford to.
>
>
>> Also what is the difference between your QA department telling
>> you to
>> correctly annotate C declarations and the compiler telling you
>> that?
> > If you expect people to ignore what the compiler is telling
> them, why do
> > you expect them to listen to the QA department?
>
> The QA dept is motivated to not be taken in by greenwashing.
>
> (Back in my days at Boeing, I worked in the design department.
> There was an entirely separate organization call the Stress
> Group. Their job was to sign off on every nitpicky detail. If
> they signed off on something that turned out to be wrong, it
> was bad for their careers. Your designs did not move forward
> without Stress signoff. If you tried to trick Stress, that was
> the end of your career at Boeing.)
>
> So yeah, there's a huge difference between tricking the
> compiler and tricking the QA department.
>
>
>> In my opinion, the
>> compiler actually _is_ one of the best QA departments.
>
> Indeed it is, and that's the whole point to @safe. My
> motivation here is make suspicious code stand out. @trusted
> code does not stand out so much, because it is required to
> exist.
>
I'm utterly confused by this.
Trusted code is always suspicious and always stands out because
it is not formally verified whereas @safe code should be
bulletproof. Why would anyone bother to manually check code that
is supposed to be @safe? Trusted code is the villain here;
wherever you see @trusted you know that the code might contain
vulnerabilities because it was audited by a human and not by a
machine.
If you have @safe code that has memory safety issues (from
callinc C functions) then what's the point of @safe?
>
>> Also in my opinion, a competent QA department should carefully
>> look at
>> any @trusted code /declarations. Maybe it is not a "red flag"
>> but it is
>> definitely something that needs to be checked with extra care.
>
> Looking at un-annotated declarations should be the first step.
> If it is annotated with @trusted, at least there's the coffee
> stain on the drawing indicating that somebody looked at it.
More information about the Digitalmars-d-announce
mailing list