Re: DIP1028 - Rationale for accepting as is

Sun, 24 May 2020 07:15:30 -0700 

On Sunday, 24 May 2020 at 03:28:25 UTC, Walter Bright wrote:

I'd like to emphasize:
1. It is not possible for the compiler to check any declarations where the implementation is not available. Not in D, not in any language. Declaring a declaration safe does not make it safe.
That's why Rust has gotten rid of declarations all together, except for C, which are implicitly marked unsafe, and they cannot be marked "safe" (there is no such feature).
2. If un-annotated declarations cause a compile time error, it is highly likely the programmer will resort to "greenwashing" - just slapping @safe on it. I've greenwashed code. Atila has. Bruce Eckel has. We've all done it. Sometimes even for good reasons.
Having extern(C) be @safe by default doesn't stop greenwashing. As others have pointed out, you are doing the greenwashing for the programmer. That's not better.
3. Un-annotated declarations are easily detectable in a code review.
Declarations annotated with @trusted are even easier to detect. And arguably declarations that aren't annotated aren't that easy to detect. 


4. Greenwashing is not easily detectable in a code review.
5. Greenwashing doesn't fix anything. The code is not safer. It's an illusion, not a guarantee.
6. If someone cares to annotate declarations, it means he has at least thought about it, because he doesn't need to. Hence it's more likely to be correct than when greenwashed.
7. D should *not* make it worthwhile for people to greenwash code.
It is, in a not-at-all obvious way, safer for C declarations to default to being safe.
This whole situation just makes it more obvious to me, you shouldn't be able to mark extern(C) declarations as @safe or @trusted at all. If that truly is your fear, it should just not be possible to mark them as @safe/@trusted.
8. D should make incorrect code *more* difficult, not easier. Or are you conveniently ignoring this ideology?
Code is going to break no matter what. That's the cost you are going to pay for making @safe default. You can't fix that. The difference is what the aftermath will look like.

Reply via email to