I just wrote this way-too-long proposal for how `staticExec`/`staticRead` could 
be made more auditable. You can read it [here if you 
want](https://gist.github.com/iffy/2558525fe9bf4fffccda47ecb0781582).

But then I wondered if the problem could be generalized. How much complexity 
would it add to allow compiler users to forbid/allow specific proc/func calls 
(at compile time or run-time). For instance, imagine this:

> `nim c --forbid:*:staticExec --allow:myfile.nim:staticExec("/bin/ls") myfile.nim`

  * `--forbid:*:staticExec` means: "In `*` (all) nim files, forbid the use of 
`staticExec`"
  * `--allow:myfile.nim:staticExec("/bin/ls")` means: "In `myfile.nim` allow 
the use of `staticExec("/bin/ls")`"

If a forbidden invocation is found during compilation, it could produce an 
error message like:

> ERROR: Forbidden call in myfile.nim:4 staticExec("/bin/ls"). To allow, use:
> 
> `--allow:myfile.nim:staticExec("/bin/ls")`
> 
> or add `switch("allow", """myfile.nim:staticExec("/bin/ls")""")` to 
> config.nims

Or maybe your company decides that no one should use `writeFile` for whatever 
reason:

> `nim --forbid:*:writeFile thecode.nim`

Maybe this could exist as a macro I could make myself... maybe.
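As an added illustration of the macro idea above (not code from the original post or from the Nim project), here is one way a scoped version could look. It is a hypothetical `guarded` macro that walks the AST of a block at compile time, raises a compile error for any call whose callee name is on a forbid list, and lets an exact call expression through when it is on an allow list, mirroring the `--forbid`/`--allow` pairing proposed above. The names `guarded`, `callName` and `checkNode` are my own; the macro only covers code inside the block it wraps, unlike a compiler flag, which would apply to whole files.

```nim
import std/macros

proc callName(n: NimNode): string =
  ## Return the callee name of a call node, or "" when the callee is
  ## not a plain identifier (e.g. a call through an indexed expression).
  case n[0].kind
  of nnkIdent, nnkSym: n[0].strVal
  of nnkDotExpr: n[0][1].strVal   # `obj.procName(...)` form
  else: ""

proc checkNode(n: NimNode, forbidden, allowed: openArray[string]) =
  ## Recursively inspect `n`; error on forbidden calls unless the exact
  ## call text (as rendered by `repr`) is on the allow list.
  if n.kind in {nnkCall, nnkCommand}:
    let name = callName(n)
    let text = n.repr
    if name in forbidden and text notin allowed:
      # Message modelled on the error format proposed in the post.
      error("Forbidden call " & text & ". To allow, add \"" & text &
            "\" to the allow list of this guarded block.", n)
  for child in n:
    checkNode(child, forbidden, allowed)

macro guarded(forbidden, allowed: static seq[string], body: untyped): untyped =
  ## Compile-time policy check: `forbidden` lists callee names that may not
  ## appear in `body`; `allowed` lists exact call expressions that are
  ## exempt from that rule.
  checkNode(body, forbidden, allowed)
  result = body

# Only the listed invocation is permitted; any other staticExec or any
# writeFile call inside this block fails to compile.
guarded(@["staticExec", "writeFile"], @["staticExec(\"/bin/ls\")"]):
  const listing = staticExec("/bin/ls")   # exact text is on the allow list
  echo listing
  # writeFile("out.txt", "data")          # uncommenting this is a compile error
  # const other = staticExec("/bin/id")   # so is this: not on the allow list
```

Because the comparison is on the rendered call text, it is intentionally strict: `staticExec("/bin/ls")` and `staticExec "/bin/ls"` render differently and need separate allow entries, which keeps the allow list readable in review.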
