Typical security issues in C++: why the GC isn't your enemy

Siarhei Siamashka siarhei.siamashka at gmail.com
Wed Dec 14 13:00:51 UTC 2022


On Tuesday, 13 December 2022 at 05:26:23 UTC, areYouSureAboutThat wrote:
> My concern really is:
>
> How do I know my @safe code is calling @safe code and not 
> @trusted code?

You can be sure that your @safe code is always calling at least 
some small amount of @trusted code inside of Phobos.

> @safe interfaces are nice - but all of Phobos could just as 
> well be marked as @trusted, since @safe implicitly trusts 
> @trusted, and my @safe code would still compile just fine.

Yes, it could be all marked as @trusted, but it isn't. Also 
Phobos or any other third-party library theoretically could do a 
lot of various bad things with or without @safe annotations. Some 
libraries have better code quality than others and that's 
just how it is.

> But when I -release it, I discover something that is not so 
> welcome...cause all of that @trusted code is no longer subject 
> to runtime memory safety checks.

If these @trusted parts of Phobos are bug free, then everything 
is fine. Your code shouldn't be able to trigger memory safety 
bugs in Phobos by feeding incorrect input to it.

> I would like the compiler to tell me I'm calling code that has 
> been marked as @trusted, and that if I want to proceed, then I 
> need to compile with: -enableTrusted

As I already said before, you will effectively have to always use 
this switch for compiling each and every application.

I guess, you probably want the @trusted parts of Phobos to be 
annotated as @supertrusted and ignored by this switch, because 
it's the standard library deserving special privileges? And only 
complain about the @trusted attribute usage in your own code or 
in third-party libraries written by plebeians ;-)
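
The attribute interplay discussed above, as an added illustration that is not code from this thread or from Phobos. The function names and the sample array are made up for the example; the language rules it relies on are that @safe code may call @safe and @trusted functions but not @system ones, that the compiler verifies only @safe bodies, and that dmd's `-release` implies `-boundscheck=safeonly`, so array bounds checks stay only inside @safe functions:

```d
// Added example, not from the original post. Assumed names: unchecked,
// wrapped, checked, caller. Compile with `dmd -release example.d` to see
// the bounds check survive only in the @safe function.

// A @system function: the compiler does not verify its body, and a @safe
// caller is not allowed to call it directly.
int unchecked(int[] a, size_t idx) @system
{
    return a.ptr[idx];      // raw pointer indexing, no bounds check ever
}

// A @trusted wrapper: the body has the same freedom as @system, but the
// function presents a @safe interface. The author, not the compiler, is
// responsible for making sure no input can break memory safety.
int wrapped(int[] a, size_t idx) @trusted
{
    if (idx >= a.length)
        return -1;          // the manual check that makes the @trusted claim true
    return unchecked(a, idx);
}

// A @safe function: the compiler verifies it, and the bounds check on a[idx]
// is kept even under -release (boundscheck=safeonly).
int checked(int[] a, size_t idx) @safe
{
    return a[idx];          // throws core.exception.RangeError when out of range
}

void caller() @safe
{
    int[] data = [1, 2, 3];          // constructed sample input
    auto x = checked(data, 1);       // OK: @safe calling @safe
    auto y = wrapped(data, 1);       // OK: @safe calling @trusted
    // unchecked(data, 1);           // error: @safe function cannot call @system function
    assert(x == 2 && y == 2);
    assert(wrapped(data, 5) == -1);  // the @trusted wrapper's own check catches it
}

void main() @safe
{
    caller();
}
```

Nothing in the compiled program records whether `y` came through a @trusted boundary; that is exactly the point raised in the thread. The only place the compiler distinguishes @trusted from @safe is inside the function body it is checking, and under `-release` the runtime keeps the bounds check in `checked` but drops it in `unchecked`, so the safety of `wrapped` rests entirely on the manual `idx >= a.length` test.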
