Typical security issues in C++: why the GC isn't your enemy

Dom DiSc dominikus at scherkl.de
Thu Dec 15 07:19:14 UTC 2022


On Wednesday, 14 December 2022 at 23:29:00 UTC, 
areYouSureAboutThat wrote:
> No. To me, @safe does not mean I'm completely ok with 
> incorporating unsafe system code into my library (even if 
> someone has annotated it with @trusted).
@trusted is not there to make anything @safe.
It is there to reduce the amount of code you need to check for 
correctness.

> It's not that I don't ever want it, but I would like to know 
> when it's occurring,
Then simply search for @trusted. This is really easy and very 
unlikely to find any false positives. The fewer you find, the 
more trustworthy I would consider the code to be.
But to really consider the program @safe you need to check these 
parts yourself - or find someone YOU trust to have checked it.

At least in D you can do that check yourself. In other languages 
you have no chance other than checking EVERYTHING you include - 
which tends to be millions of lines of code, so it is completely 
unfeasible.

> It would be a great auditing tool, if the compiler had this 
> opt-in switch.
I don't know how much easier this would be than simply searching 
for @trusted. As this is already so easy, it can't get us much. But 
at least the compiler can further reduce the search space by 
indicating which @trusted code is actually used by a program.

But I prefer to do the full search anyway for a new library, to 
decide if I want to use it or not.
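As an added illustration of the audit surface the post describes (example code, not from the thread or from the D standard library): the @system body below can only be reached from @safe code through the single @trusted wrapper, so a search for `@trusted` over this file reports exactly the one declaration a reviewer has to read.

```d
// sum_trusted.d  (compile and run with: dmd -run sum_trusted.d)

// @system: takes a raw pointer and a length; nothing here checks that
// p really points at n elements, so the compiler refuses to let @safe
// code call it directly.
int sumRaw(const(int)* p, size_t n) @system
{
    int total = 0;
    foreach (i; 0 .. n)
        total += p[i]; // pointer indexing is not permitted in @safe code
    return total;
}

// @trusted: the one spot an auditor must read. The slice guarantees that
// a.ptr has exactly a.length elements, which is the precondition sumRaw
// relies on, so exposing it as @safe is sound.
int sum(const(int)[] a) @trusted
{
    return sumRaw(a.ptr, a.length);
}

// @safe: fully checked by the compiler. It may call @trusted functions,
// but the commented-out direct call to the @system function is rejected.
void main() @safe
{
    const int[] data = [1, 2, 3, 4];
    assert(sum(data) == 10);
    // sumRaw(data.ptr, data.length); // error: @safe function 'main'
    //                                // cannot call @system function
}
```

Uncommenting the last call turns the compile error into the reviewer's signal that a new unchecked path has appeared, which is the point the post makes about @trusted narrowing what has to be read.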
