@trust is an encapsulation method, not an escape

via Digitalmars-d digitalmars-d at puremagic.com
Fri Feb 6 07:48:43 PST 2015


On Friday, 6 February 2015 at 15:14:14 UTC, Wyatt wrote:
> So from my perspective, calling this situation "completely 
> impractical" reveals a stunning gift for understatement.  Is 
> this really the best we can do after however many years?  
> Because it blows.
>
> The current @trusted semantics (and accompanying politics) make 
> it exceedingly clear that @safe is meaningless for anything 
> beyond trivial, one-off tools that will never receive 
> maintenance.

I don't get this. If:

1. @safe actually works.

2. @trusted sections are written without dependencies

3. @trusted are formally proven safe

4. @trusted functions rarely change

5. @trusted is 0-2% of the codebase

Then how is this more work than implementing something like a 
linear type system that is both tedious for the programmer and 
has taken Rust 8 years to get into working shape...?

Jonathan recently said he would like to volunteer some, and he 
has mentioned a background with math/proofs. If he is willing to 
do safety review, then so I am, then so will someone else who 
feel like refreshing their training in program verification... 
Use the resources you have. Those resources, we do have, I think. 
Unused.

The resources we obviously don't have is experts on type systems 
and automated proof and verification engines.


More information about the Digitalmars-d mailing list