DIP 1028---Make @safe the Default---Community Review Round 1

Manu turkeyman at gmail.com
Wed Jan 8 11:42:43 UTC 2020


On Wed, Jan 8, 2020 at 12:50 PM Walter Bright via Digitalmars-d
<digitalmars-d at puremagic.com> wrote:
>
> On 1/6/2020 3:59 PM, Manu wrote:
> > Well all feedback I've received is that it fails at the rule of least
> > surprise. Definitely not intuitive what it means.
>
> I'm frankly surprised at this. Yours is literally the first complaint about
> using `system` in 10 years that has come to my ears.

It's the kind of thing that people wouldn't bother complaining about,
because it has no material effect on their ability to get their job
done, it's just weird.
I mean, I've thought this the whole time, and I've never said it here.
The only reason that I feel it was worth raising the topic, is because
this is the one single moment that it would be possible to make this
change... so it seems worth the thought.

> Also, a safe/unsafe dichotomy can make sense. But a safe/trusted/unsafe makes
> less sense, like a 3 state boolean.

I don't think it makes any less sense. It seems reasonable that safe
code can't call unsafe code, unless we `trust` it.

> > I think it may be possible to see and consider the situation
> > differently when looking from a safe-by-default perspective; today
> > where 'system' is default, you wouldn't want to advertise the language
> > as "unsafe by default"... but if safe is default, then 'unsafe' feels
> > a lot more reasonable for the exceptions. I reckon the change in
> > default may change your judgement that you describe above.
>
> `static` in C makes no particular sense, but people are so used to it that they
> imagine it makes perfect sense :-)

We're not asking people to get on board with nonsense decisions that C
made 50 years ago, we're asking new users to feel that D is natural
and desirable.
My experience is this (with no exceptions): there is a finite number
of 'weird shit' experiences that a new user can digest before they
stop and lose interest, and there are lots of ways we burn through
that budget. At some point, we blow the threshold and they go away.
Every single person I've introduced to D has followed this pattern,
sadly.
Every... single... one.

This is indeed a very minor one, but these sorts of weird perceptions
still consume some of that balance. In this case, I see no reason for
anything other than a completely intuitive and expected language, and
they would be comfortable, accept that D makes perfect sense on this
matter, and the budget remains for other more important stuff which
certainly exists.

> Nobody expects to be able to implement a storage allocator in code that is
> provably correct. Nobody expects the implementation of atomic shared operations
> to be provably. People have historically called such underpinnings "system"
> code (long before there was a notion of "unsafe"), where the dirty but necessary
> work happens. Steamships had white-glove service to the passengers, and the
> greasy dirty work went on in the "system" under the decks to support it all.
>
> Whether "system" is intuitive or not is how you frame it. It's a perfect
> moniker. It is not "unsafe", it just means the compiler cannot prove it safe.

Whatever you reckon. I was just offering that there's an opportunity here.
