Fantastic exchange from DConf
Moritz Maxeiner via Digitalmars-d
digitalmars-d at puremagic.com
Fri May 19 02:19:48 PDT 2017
On Thursday, 18 May 2017 at 18:15:28 UTC, Stanislav Blinov wrote:
> On Thursday, 18 May 2017 at 17:53:52 UTC, H. S. Teoh wrote:
>
>> In the long run, I fear that if there are too many @trusted
>> blocks in a given codebase (not necessarily Phobos), it will
>> become too onerous to review, and could lead to hidden
>> exploits that are overlooked by reviewers. I don't know how
>> to solve this conundrum.
>
> Simple. You reject such codebase from the get-go ;)
To be honest, I don't think you *can* solve this problem
(rejecting such a codebase is a workaround that may or may not
work, depending on the use case and what the codebase has to do;
there are valid reasons for why the majority of a codebase may
need to be @trusted, such as OS abstractions). As long as we
build software on top of operating systems with APIs that may or
may not be unsafe we *need* such an unsafe layer and any codebase
that heavily interacts with the OS will be littered with
@trusted. All you can do is educate people to spot when @trusted
is actually necessary and when something could genuinely be
written @safe without @trusted and educate them to choose the
latter when and if possible.
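To illustrate the distinction drawn above, here is an added example (not code from the thread or from Phobos) of the "unsafe OS layer" pattern: a minimal @trusted wrapper around a POSIX read(2) that exposes a @safe interface, next to a function that is sometimes marked @trusted out of habit but can genuinely be @safe. It assumes a POSIX platform and druntime's core.sys.posix bindings.

```d
// Added example: keep @trusted confined to the OS boundary and make its
// safety invariant explicit, so reviewers have one small block to audit.
import core.sys.posix.unistd : read;
import core.sys.posix.sys.types : ssize_t;
import std.stdio : writeln;

/// @trusted is necessary here: read() takes a raw pointer and length, which
/// the compiler cannot check. The invariant a reviewer must verify is that
/// the pointer/length pair always comes from a single D slice, so the C
/// call can never write past buf.length.
ssize_t readInto(int fd, ubyte[] buf) @trusted
{
    return read(fd, buf.ptr, buf.length);
}

/// @trusted would be unnecessary here: pure D slicing is bounds-checked, so
/// this function is verifiably @safe. A reviewer should push back if a
/// codebase marks code like this @trusted.
ubyte[] firstLine(ubyte[] data) @safe
{
    foreach (i, b; data)
        if (b == '\n')
            return data[0 .. i];
    return data;
}

/// The caller is fully @safe: all unsafety sits inside readInto.
void main() @safe
{
    ubyte[64] buf;
    immutable n = readInto(0, buf[]); // fd 0 = stdin; 0 on EOF, -1 on error
    if (n > 0)
        writeln(cast(const(char)[]) firstLine(buf[0 .. n]));
}
```

Compile with `dmd example.d` and pipe a few lines into it; the @safe main will only compile because the @trusted surface is the single wrapper function.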