Typical security issues in C++: why the GC isn't your enemy
Dom DiSc
dominikus at scherkl.de
Thu Dec 15 07:19:14 UTC 2022
On Wednesday, 14 December 2022 at 23:29:00 UTC,
areYouSureAboutThat wrote:
> No. To me, @safe does not mean I'm completely ok with
> incorporating unsafe system code into my library (even if
> someone has annotated it with @trusted).
@trusted is not there to make anything @safe.
It is there to reduce the amount of code you need to check for
correctness.
> It's not that I don't ever want it, but I would like to know
> when it's occurring,
Then simply search for @trusted. This is really easy and very
unlikely to find any false positives. The fewer you find, the
more trustworthy I would consider the code to be.
But to really consider the program @safe you need to check these
parts yourself - or find someone YOU trust to have checked it.
At least in D you can do that check yourself. In other languages
you have no chance other than checking EVERYTHING you include -
which tends to be millions of lines of code, so is completely
unfeasible.
> It would be a great auditing tool, if the compiler had this
> opt-in switch.
Don't know how much easier this would be than simply searching
for @trusted. As this is already so easy, it can't gain us much. But
at least the compiler can further reduce the search space by
indicating which @trusted code is actually used by a program.
But I prefer to do the full search anyway for a new library, to
decide if I want to use it or not.
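The audit step described in the post (search a library's sources for @trusted and review those spots by hand), as an added example that is not part of the original message. The D files it writes are constructed sample input; the only assumptions are POSIX find(1), grep(1) with -H, and mktemp(1). The generic search lists every match, including one in a comment, so the second sample file shows why the hits still need a human look.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): list and count the
# @trusted annotations in a D source tree, the manual-review set.
set -eu

# Constructed sample tree: a @trusted wrapper around a @system call,
# plus a file whose only "@trusted" sits in a comment (a false positive
# the search still reports, so the reviewer has to look at each hit).
make_sample_tree() {
    dir=$(mktemp -d)
    cat > "$dir/wrap.d" <<'EOF'
import core.stdc.string : memcpy;
void rawCopy(void* d, const(void)* s, size_t n) @system { memcpy(d, s, n); }
void copyInto(ubyte[] d, const(ubyte)[] s) @trusted {
    assert(d.length >= s.length, "destination too small");
    rawCopy(d.ptr, s.ptr, s.length);
}
void use() @safe { ubyte[4] a; ubyte[4] b = [1, 2, 3, 4]; copyInto(a[], b[]); }
EOF
    cat > "$dir/pure.d" <<'EOF'
// Nothing @trusted in this file; this comment is the only mention.
int add(int a, int b) @safe { return a + b; }
EOF
    printf '%s\n' "$dir"
}

# Every @trusted occurrence as file:line:text (the spots to check by hand).
find_trusted() {
    find "$1" -name '*.d' -exec grep -Hn -- '@trusted' {} + || true
}

# How many there are; per the post, fewer is a better sign.
count_trusted() {
    find_trusted "$1" | grep -c . || true
}

# Demo over the constructed tree.
sample=$(make_sample_tree)
find_trusted "$sample"
echo "@trusted occurrences: $(count_trusted "$sample")"
rm -rf "$sample"
```

Pointing find_trusted at a real dependency directory gives the review list the post talks about; the count is only a rough signal, since one annotation on a large function body can hide more unchecked code than five on one-line wrappers.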