Trusted Manifesto

[Zach the Mystic via Digitalmars-d]

On Tuesday, 10 February 2015 at 12:27:29 UTC, Marc Schütz wrote:
> On Tuesday, 10 February 2015 at 06:35:08 UTC, Zach the Mystic 
> wrote:
>> I never used the named @trusted function for its original 
>> purpose anyway. I dont' see it as a big sacrifice, but anyway, 
>> you have three choices:
>>
>> 1. Keep *named* @trusted functions for their original purpose, 
>> continue to rely on the programmer for manual verification of 
>> all @trusted code, and break no code. (status quo)
>>
>> 2. Give up on *named* @trusted functions as a lost cause, 
>> begin using @trusted lambdas to isolate all @system code, and 
>> break no code.
>>
>> 3. Keep named @trusted functions, introduce @system blocks to 
>> isolate @system code, and break a lot of code.
>>
>> The way I see it, number 2 is the way to go, or at least the 
>> way Andrei is headed. 3 is elegant, and if I were in charge, 
>> I'd probably investigate how to make it work. 1, the status 
>> quo, is the worst, because it preserves the thing of low value 
>> (named @trustedness) at the expense of the thing of greatest 
>> value (isolating unsafe code).
>>
>> I would say "destroy", but this isn't even an idea, just an 
>> analysis of the tradeoffs. So, ENJOY!
>
> As already pointed out in the other thread, there is a 
> non-breaking variant of (3):
>
> 3a. Keep named @trusted functions, allow @system blocks inside 
> them, but only treat those with @system blocks with the new 
> semantics.

But they *have* no semantics without disallowing @system code in 
the rest of the @trusted function.

> This could either be kept indefinitely, or @trusted functions 
> without @system blocks could slowly be deprecated and phased 
> out, leading to (3).

This is a transition to the inevitable breaking change of 3. It's 
the equivalent of making a DIP and then having a compiler switch 
"-DIPxxx" to turn it on or off.