[OffTopic] A vulnerability postmortem on Network Security Services

Tejas notrealemail at gmail.com
Thu Dec 2 17:21:58 UTC 2021

On Thursday, 2 December 2021 at 17:11:09 UTC, Paul Backus wrote:
> On Thursday, 2 December 2021 at 16:44:42 UTC, Tejas wrote:
>> Wish the `@safe` by default DIP had passed :(
>> Any hope of reviving it and merging into master??
> Only if someone can (a) come up with a better solution for 
> handling `extern(C)` functions, and (b) convince Walter to 
> accept it.
> I think a more likely path forward is to allow the programmer 
> to specify default attributes in such a way that they can still 
> be overriden by inference. For example:
> ```d
> // Make @safe the default for the rest of this scope
> default(@safe):
> // defaults to @safe
> int foo(int n) { return n; }
> // error: can't cast integer to pointer in a @safe function
> int* bar(int n) { return cast(int*) n; }
> // ok: inferred as @system (because of `auto`)
> auto baz(int n) { return cast(int*) n; }
> ```
> This is the same idea as [Adam D. Ruppe's attribute 
> proposal][1], but with new syntax to avoid potential breakage 
> to existing code.
> As Adam explains in his article, we cannot do this by simply 
> applying the `@safe` attribute globally, because doing so will 
> *override* the compiler's attribute inference, and cause 
> compilation of functions like `baz` to fail. (Example: 
> https://run.dlang.io/is/s9iuKq)
> [1]: 
> https://dpldocs.info/this-week-in-d/Blog.Posted_2020_01_13.html

Hmm... not a fan of that solution

Still feel marking `extern (C)` stuff as `@trusted` is better.

Introducing a new feature for such a fundamental, yet obvious 
thing seems overkill, IMHO. Forcing not `@safe` stuff to be 
annotated seems better to me.

Maybe we should relent and just let Walter mark the `extern` 
stuff as `@safe` even though it's not... ideal??

Or disallow marking any `extern` function as `@safe`, only 
`@trusted`? That's again introducing unnecessary complexity 
though :(

Gah, I say let him have his way, it's not worth adding a new 
feature/syntax for, but not something we should just let sit on 
ice either, else "it will break old code" will rear it's ugly 
head again

More information about the Digitalmars-d mailing list