On Sunday, 24 May 2020 at 03:28:25 UTC, Walter Bright wrote:
> I'd like to emphasize:

> 1. It is not possible for the compiler to check any declarations where the implementation is not available. Not in D, not in any language. Declaring a declaration safe does not make it safe.

Agree completely. Not in dispute that I've seen. In the same vein, defaulting a declaration to @safe doesn't make it safe.

For the ultra paranoid, even the name mangling in D libraries is not to be trusted because "the implementation is not available".


> 2. If un-annotated declarations cause a compile time error, it is highly likely the programmer will resort to "greenwashing" - just slapping @safe on it. I've greenwashed code. Atila has. Bruce Eckel has. We've all done it. Sometimes even for good reasons.

I don't believe that you or any other competent programmer greenwashes safety-critical code. Regardless, the safety conscious must review their dependencies whatever default applies.


> 3. Un-annotated declarations are easily detectable in a code review.

Automating this for the transitive closure of defaulted @safe functions would help. Maybe that capability is there already and I missed it?

> [snip]
> It is, in a not-at-all obvious way, safer for C declarations to default to being safe.

I agree that it is not-at-all obvious.

On a positive note, the DIP discussion/clarification should encourage the safety conscious to rebase code to a machine-checkable form whenever feasible.
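An added example, not part of this post or of the D toolchain, for the review check discussed in points 2 and 3: a small Python scanner that flags bodiless extern(C) prototypes carrying no explicit @safe, @trusted or @system, either inline or inherited from a file-level attribute label (`extern(C):`, `@system:`). The D source it scans is a constructed sample; the function names in it are hypothetical.

```python
import re
# Safety attributes D recognises; a prototype with none of them would silently take the proposed default.
ATTR_RE = re.compile(r"@(?:safe|trusted|system)\b")
EXTERN_C = re.compile(r"extern\s*\(\s*C\s*\)")

def strip_comment(line: str) -> str:
    """Drop a trailing // comment (sufficient for binding headers)."""
    return line.split("//", 1)[0].rstrip()

def find_unannotated_extern_c(source: str) -> list[tuple[int, str]]:
    """Return (line number, text) of every bodiless extern(C) prototype that
    has no explicit @safe/@trusted/@system, either inline or inherited from a
    preceding attribute label such as `extern(C):` or `@system:`."""
    block_extern_c = False          # an `extern(C):` label is in effect
    block_attrs: set[str] = set()   # attributes from `@system:` style labels
    findings = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        if line.endswith(":"):      # attribute label: applies to what follows
            if EXTERN_C.search(line):
                block_extern_c = True
            block_attrs.update(ATTR_RE.findall(line))
            continue
        if not line.endswith(";") or "(" not in line:
            continue                # has a body in D, or is not a function
        if not (block_extern_c or EXTERN_C.search(line)):
            continue                # ordinary D code: the compiler checks it
        if not (set(ATTR_RE.findall(line)) | block_attrs):
            findings.append((lineno, line))
    return findings

# Constructed sample binding; not taken from any real library.
SAMPLE = """\
// hypothetical C binding
extern(C) @system int c_parse(const char* buf, size_t len);
extern(C) int c_length(const char* s);   // nothing stated: defaulted
extern(C) @trusted void c_init();
extern(C) int c_wrap() { return c_length("x"); }  // body: compiler checks
extern(C):
long c_seek(int fd, long off);           // inherits extern(C), no attribute
@system:
long c_read(int fd, void* buf, size_t n);
"""

if __name__ == "__main__":
    for lineno, decl in find_unannotated_extern_c(SAMPLE):
        print(f"line {lineno}: no explicit safety attribute: {decl}")
```

This covers the per-declaration check only, not the transitive closure of defaulted callers, and it is line-based rather than a D parser, so brace-delimited attribute blocks are not tracked.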
