On Mon, Mar 3, 2014 at 8:17 PM, Nathan Myers <n...@cantrip.org> wrote:

> (Arguably, BTW, the keyword should be "safe", because you are
> asserting to the compiler that it should consider what is being
> done there to be safe, despite any misgivings it may have, and
> challenging the reader to contradict it. But that's a bridge
> already burnt.)
This is an interesting point. There's an analogy between "safe"/"unsafe" and "trusted"/"untrusted". When something is part of a so-called trusted computing base, it means that we can't prove (within the system) that it won't do something wrong, and so we just have to assert that it's trustworthy. On the other hand, when it's "untrusted code" outside of the TCB, that typically means that it's code that we don't *have* to "trust", because we have proof that it won't do something wrong.

If we wanted to go by analogy to "trusted"/"untrusted" terminology, then we would indeed annotate with "safe" those regions that we have to assert are safe. But I like the "unsafe" keyword, for reasons similar to those that Mark Miller gives for not liking "trusted": http://marc.info/?l=e-lang&m=107574590813949&w=4

Lindsey
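The point the thread makes, that an `unsafe` block is the region whose safety the programmer asserts rather than the compiler proves, is easiest to see in a safe function that wraps one. The following is an added illustration, not code from the Rust-dev thread or from the Rust project, written in current Rust rather than the 2014 syntax the thread predates; the function names `checked_get` and `sum_via_raw_pointer` are invented for this example. The `unsafe` blocks are the function's trusted computing base: nothing inside them is checked by the compiler, so the `// SAFETY:` comments carry the argument that the assertion holds. Everything outside them is "untrusted" in the sense used above: the compiler proves it cannot break memory safety, so no one has to take it on trust.

```rust
// Added example (not from the mailing-list thread): safe wrappers whose
// bodies contain `unsafe` blocks. Each `unsafe` block is a programmer
// assertion that the compiler cannot verify, so the reasoning that backs
// it is written next to it as a SAFETY comment.

/// Returns the element at `index`, or `None` if it is out of bounds.
///
/// `get_unchecked` skips the bounds check the compiler would otherwise
/// insert. The `if` guard is the evidence for the safety assertion: remove
/// it and the function still compiles, but the assertion becomes false.
pub fn checked_get(slice: &[u32], index: usize) -> Option<u32> {
    if index < slice.len() {
        // SAFETY: `index < slice.len()` was verified just above, so the
        // unchecked access stays within `slice`.
        Some(unsafe { *slice.get_unchecked(index) })
    } else {
        None
    }
}

/// Sums a slice by walking a raw pointer inside one `unsafe` block.
/// The safe signature means callers cannot misuse it; the invariant the
/// block relies on (`len` readable elements starting at `ptr`) is
/// guaranteed by the slice type, not by the caller.
pub fn sum_via_raw_pointer(slice: &[u32]) -> u64 {
    let ptr = slice.as_ptr();
    let len = slice.len();
    let mut total = 0u64;
    for i in 0..len {
        // SAFETY: `i < len`, and a slice guarantees `len` initialised
        // elements beginning at `ptr`, so `ptr.add(i)` is in bounds and
        // points at an initialised `u32`.
        total += unsafe { *ptr.add(i) } as u64;
    }
    total
}

fn main() {
    // Constructed sample input.
    let data = [3u32, 5, 7];
    assert_eq!(checked_get(&data, 1), Some(5));
    assert_eq!(checked_get(&data, 3), None);
    assert_eq!(sum_via_raw_pointer(&data), 15);
    println!("safe wrappers behaved as asserted");
}
```

The division of labour is the one the thread describes: the compiler verifies the safe code around each block, and the block's author takes responsibility for the block itself, which is why reviewing a Rust crate for memory safety means auditing its `unsafe` blocks and the invariants their SAFETY comments claim.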