Fantastic exchange from DConf

[Dominikus Dittes Scherkl via Digitalmars-d]

On Friday, 19 May 2017 at 22:06:59 UTC, Moritz Maxeiner wrote:
> On Friday, 19 May 2017 at 20:54:40 UTC, Dominikus Dittes 
> Scherkl wrote:

>> I take this to mean the programmer who wrote the library, not 
>> every user of the library.
>
> I take this to mean any programmer that ends up compiling it 
> (if you use a precompiled version that you only link against 
> that would be different).
Why? Because you don't have the source? Go, get the source - at 
least for open source projects this should be possible. I can's 
see the difference.

>> Hm - we should have some mechanism to add to some list of 
>> people who already trust the code because they checked it.
>
> Are you talking about inside the code itself?
> If so, I imagine digitally signing the functions source code 
> (ignoring whitespace) and adding the signature to the docstring 
> would do it.
Yeah. But I mean: we need such a mechanism in the D review 
process. It would be nice to have something standardized so that 
if I checked something to be really trustworthy, I want to make 
it public, so that
everybody can see who already checked the code - and maybe 
concentrate on reviewing something that was yet not reviewed by 
many people or not by anybody they trust most.

>> This is not my point of view. Especially if I had payed for 
>> some library, even legally it's not my fault if it fails.
>
> It is mine, because even if you payed for the library, when you 
> compile it, the compiler cannot know where the library came 
> from.
Yeah, but you (should) do. For me it doesn't matter who actually 
compiled the code - if anything my trust would be higher if I 
compiled it myself, because I don't know what compiler or what 
settings has been used for a pre-compiled library.

>[the compiler] only knows you (the programmer who invoked it), 
>as the
> one it extends trust to.
The compiler "trusts" anybody using it. This is of no value. The 
important thing is who YOU trust. Or who you want the user of 
your program to trust.
Oftentimes it may be more convincing to the user of your program 
if you want them to trust company X where you bought some library 
from than trusting in your own ability to prove the memory safety 
of the code build upon this - no matter if you compiled the 
library yourself or have it be done by company X.

> I am specifically not talking about what is legally your fault 
> or not, because I consider that an entirely different matter.
Different matter, but same chain of trust.

>> nobody can check everything or even a relevant portion of it.
> That entirely depends on how much @trusted code you have.
Of course.
But no matter how glad I would be to be able to check e.g. my 
operating system for memory safety, and even if it would be only 
1% of its code that is merely @trusted instead of @safe, it would 
still be too much for me.
This is only feasible if you shrink you view far enough.

And reverse: the more code is @safe the further I can expand my 
checking activities - but I still don't believe to ever being 
able to check everything.

> I specifically stated reviewing any @trusted code, not all code.
Yes. Still too much, I think.

> I agree in principal, but the statement I responded to was "D 
> is memory safe", which either does or does not hold.
And I say: No, D is not memory safe. In practice. Good, but no 
100%.

> I also believe that considering the statement's truthfulness 
> only makes sense under the assumption that nothing *below* it 
> violates that, since the statement is about language theory.
Ok, this is what I mean by "shrinking your view until it's 
possible
to check everything" - or being able to prove something in this 
case.
but by doing so you also neglect things. Many things.

> Of course anyone can choose to check whatever they wish. That 
> does not change what *I* consider negligent.
But neglecting is a necessity. Your view is reduced to a D 
specification to make statements about it in language theory 
where you check everything - and decide thereby to neglect 
everything else, below that. Including the buggy implementation 
of that spec running on a buggy OS on buggy hardware.

> In this context: It is one thing to be negligent (and I 
> explicitly do not claim *not* to be negligent myself), but 
> something completely different to pretend that being negligent 
> is OK.
It's not only ok. It's a necessity. The necessity of a limited 
being in an infinite universe.
We can only hope to not neglect the important things - and trust 
in others is one way to increase the number of things we have 
hope to be ok. Making things @safe instead of only @trusted is 
another way. Both increase the view we have largely. But trying 
to check everything yourself is still in vain.