misplaced @trust?

Dicebot via Digitalmars-d digitalmars-d at puremagic.com
Thu Feb 5 16:02:24 PST 2015


On Thursday, 5 February 2015 at 23:47:00 UTC, Andrei Alexandrescu wrote:
> On 2/5/15 3:22 PM, Dicebot wrote:
>> To put it differently - there is no way I would have ever taken the risk 
>> merging a 50-line @trusted function, be it Phobos or work project.
>
> Surely you're exaggerating.

Not even slightly. I have revoked my Phobos access for a specific 
reason that I can't do the reviewer job properly with such 
requirements and would have been forced to ignore all pull 
requests that tackle @trusted anyway.

> We're looking at a function that performs system calls and 
> reads into a memory buffer allocated appropriately (and 
> economically). Claiming that that function is safe then 
> enumerating the numerous unsafe and unprovable escape hatches 
> it uses is someone claiming "I'm a virgin - of course save for 
> those six one-night stands I've had."

So what? I don't care how justified it is, I simply don't trust 
my attention span enough to verify that foo() is a virgin. I am 
not a rock-star programmer and I know my limits. Verifying 50 
lines of @trusted with no help from the compiler at all is beyond 
those limits.

When all exceptions to safety are explicitly listed I can review 
the implementation knowing "ok, this will be safe _unless_ it 
gets screwed by data coming from those trusted wrappers". And 
that is a big mentality switch that helps to maintain focus.

> It's unclear what you're advocating here. I don't think your 
> previous arguments stand scrutiny. One possible new argument 
> might be an analysis on how this:
>
> https://github.com/D-Programming-Language/phobos/blob/accb351b96bb04a6890bb7df018749337e55eccc/std/file.d#L194
>
> is easier to reason about than this:
>
> https://github.com/D-Programming-Language/phobos/blob/master/std/file.d#L194


It will be a very short analysis considering I am not able to 
reason about the latter one at all - it simply requires too much 
of a time investment for me to even consider it.
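The two review styles argued over above, as an added illustration that is not code from the thread or from Phobos: both functions read a file through POSIX calls, but only the second keeps the compiler-checked @safe body and confines the unprovable parts to one-line @trusted wrappers (the helper names `trustedOpen`, `trustedRead`, `trustedClose` are invented for this example).

```d
// Added example, not from the thread or Phobos. Both functions read a whole
// file via POSIX open/read/close; they differ only in where @trusted sits.
import core.sys.posix.fcntl : open, O_RDONLY;
import core.sys.posix.unistd : read, close;
import std.string : toStringz;
import std.exception : enforce;

// Style A: one large @trusted function. The compiler checks nothing inside
// it, so a reviewer must prove every line memory-safe by hand.
ubyte[] readAllMonolithic(string path) @trusted
{
    int fd = open(path.toStringz, O_RDONLY);
    enforce(fd >= 0, "open failed");
    scope(exit) close(fd);
    ubyte[] buf = new ubyte[4096];
    size_t total;
    for (;;)
    {
        // raw pointer arithmetic: nothing stops this from exceeding buf
        auto n = read(fd, buf.ptr + total, buf.length - total);
        enforce(n >= 0, "read failed");
        if (n == 0) break;
        total += cast(size_t) n;
        if (total == buf.length) buf.length *= 2;
    }
    return buf[0 .. total];
}

// Style B: each unsafe call gets a tiny @trusted wrapper (hypothetical names)
// whose safety contract fits in one comment; everything else is @safe.
private int trustedOpen(string path) @trusted { return open(path.toStringz, O_RDONLY); }
private int trustedClose(int fd) @trusted { return close(fd); }
// Safe because read() is bounded by dst.length and dst is a checked slice.
private ptrdiff_t trustedRead(int fd, ubyte[] dst) @trusted { return read(fd, dst.ptr, dst.length); }

ubyte[] readAllSplit(string path) @safe
{
    int fd = trustedOpen(path);
    enforce(fd >= 0, "open failed");
    scope(exit) trustedClose(fd);
    ubyte[] buf = new ubyte[4096];
    size_t total;
    for (;;)
    {
        auto n = trustedRead(fd, buf[total .. $]); // bounds-checked slice, no pointers
        enforce(n >= 0, "read failed");
        if (n == 0) break;
        total += cast(size_t) n;
        if (total == buf.length) buf.length *= 2;
    }
    return buf[0 .. total];
}
```

A reviewer of `readAllSplit` only has to check the three one-line wrappers; any mistake in the loop is caught by the compiler because the body is @safe.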

