Fantastic exchange from DConf
Dominikus Dittes Scherkl via Digitalmars-d
digitalmars-d at puremagic.com
Fri May 19 16:56:55 PDT 2017
On Friday, 19 May 2017 at 22:06:59 UTC, Moritz Maxeiner wrote:
> On Friday, 19 May 2017 at 20:54:40 UTC, Dominikus Dittes
> Scherkl wrote:
>> I take this to mean the programmer who wrote the library, not
>> every user of the library.
>
> I take this to mean any programmer that ends up compiling it
> (if you use a precompiled version that you only link against
> that would be different).
Why? Because you don't have the source? Go, get the source - at
least for open source projects this should be possible. I can's
see the difference.
>> Hm - we should have some mechanism to add to some list of
>> people who already trust the code because they checked it.
>
> Are you talking about inside the code itself?
> If so, I imagine digitally signing the functions source code
> (ignoring whitespace) and adding the signature to the docstring
> would do it.
Yeah. But I mean: we need such a mechanism in the D review
process. It would be nice to have something standardized so that
if I checked something to be really trustworthy, I want to make
it public, so that
everybody can see who already checked the code - and maybe
concentrate on reviewing something that was yet not reviewed by
many people or not by anybody they trust most.
>> This is not my point of view. Especially if I had payed for
>> some library, even legally it's not my fault if it fails.
>
> It is mine, because even if you payed for the library, when you
> compile it, the compiler cannot know where the library came
> from.
Yeah, but you (should) do. For me it doesn't matter who actually
compiled the code - if anything my trust would be higher if I
compiled it myself, because I don't know what compiler or what
settings has been used for a pre-compiled library.
>[the compiler] only knows you (the programmer who invoked it),
>as the
> one it extends trust to.
The compiler "trusts" anybody using it. This is of no value. The
important thing is who YOU trust. Or who you want the user of
your program to trust.
Oftentimes it may be more convincing to the user of your program
if you want them to trust company X where you bought some library
from than trusting in your own ability to prove the memory safety
of the code build upon this - no matter if you compiled the
library yourself or have it be done by company X.
> I am specifically not talking about what is legally your fault
> or not, because I consider that an entirely different matter.
Different matter, but same chain of trust.
>> nobody can check everything or even a relevant portion of it.
> That entirely depends on how much @trusted code you have.
Of course.
But no matter how glad I would be to be able to check e.g. my
operating system for memory safety, and even if it would be only
1% of its code that is merely @trusted instead of @safe, it would
still be too much for me.
This is only feasible if you shrink you view far enough.
And reverse: the more code is @safe the further I can expand my
checking activities - but I still don't believe to ever being
able to check everything.
> I specifically stated reviewing any @trusted code, not all code.
Yes. Still too much, I think.
> I agree in principal, but the statement I responded to was "D
> is memory safe", which either does or does not hold.
And I say: No, D is not memory safe. In practice. Good, but no
100%.
> I also believe that considering the statement's truthfulness
> only makes sense under the assumption that nothing *below* it
> violates that, since the statement is about language theory.
Ok, this is what I mean by "shrinking your view until it's
possible
to check everything" - or being able to prove something in this
case.
but by doing so you also neglect things. Many things.
> Of course anyone can choose to check whatever they wish. That
> does not change what *I* consider negligent.
But neglecting is a necessity. Your view is reduced to a D
specification to make statements about it in language theory
where you check everything - and decide thereby to neglect
everything else, below that. Including the buggy implementation
of that spec running on a buggy OS on buggy hardware.
> In this context: It is one thing to be negligent (and I
> explicitly do not claim *not* to be negligent myself), but
> something completely different to pretend that being negligent
> is OK.
It's not only ok. It's a necessity. The necessity of a limited
being in an infinite universe.
We can only hope to not neglect the important things - and trust
in others is one way to increase the number of things we have
hope to be ok. Making things @safe instead of only @trusted is
another way. Both increase the view we have largely. But trying
to check everything yourself is still in vain.
More information about the Digitalmars-d
mailing list