Aelxx Wrote: > > "Andrei Alexandrescu" <[email protected]> ÓÏÏÂÝÉÌ/ÓÏÏÂÝÉÌÁ × > ÎÏ×ÏÓÔÑÈ ÓÌÅÄÕÀÝÅÅ: news:[email protected]... > > Jesse Phillips wrote: > >> On Tue, 03 Nov 2009 17:55:15 -0600, Andrei Alexandrescu wrote: > >> > >>> There's a lot more, but there are a few useful subspaces. One is, if an > >>> entire application only uses module(safe) that means there is no memory > >>> error in that application, ever. > >>> > >>> Andrei > >> > >> Does that mean that a module that uses a "trusted" module must also be > >> marked as "trusted?" I would see this as pointless since system modules > >> are likely to be used in safe code a lot. > > > > Same here. > > > >> I think the only real option is to have the importer decide if it is > >> trusted. > > > > That can't work. I can't say that stdc.stdlib is trusted no matter how > > hard I try. I mean free is there! > > > >> I don't see a reasonable way to have third party certification. It is > >> between the library writer and application developer. Since the library > >> writer's goal should be to have a system module that is safe, he would > >> likely want to mark it as trusted. This would leave "system" unused > >> because everyone wants to be safe. > > > > Certain modules definitely can't aspire to be trusted. But for example > > std.stdio can claim to be trusted because, in spite of using untrusted > > stuff like FILE* and fclose, they are encapsulated in a way that makes it > > impossible for a safe client to engender memory errors. > > > >> In conclusion, here is a chunk of possible import options. I vote for the > >> top two. > >> > >> import(system) std.stdio; > >> system import std.stdio; > >> trusted import std.stdio; > >> import(trusted) std.stdio; > >> import("This is a system module and I know that it is potentially unsafe, > >> but I still want to use it in my safe code") std.stdio; > > > > Specifying a clause with import crossed my mind too, it's definitely > > something to keep in mind. > > > > > > Andrei > > > How about this: > system module foo ; > ... (code) > trusted module foo2 ; > ... (code) > safe module bar ; > ... (code) > > import foo, foo2, bar ; // status defined automatically from module > declaration. > // error: used system module 'foo' in safe application. > >
What stops an irritated programmer from marking every one of his modules as trusted? An even worse scenario would be if they create a safe facade module and importing all his pseudo-trusted code. As described so far, trust isn't transitive/viral.
