On Tuesday, June 07, 2016 06:47:39 H. S. Teoh via Digitalmars-d wrote:
> I can't seem to find an issue I filed some years ago about @safe needing
> to be whitelist-based rather than blacklist-based. Did it get closed
> while I wasn't looking?
Walter closed it a day or two ago on the grounds that it wasn't a specific issue but more of a discussion topic: https://issues.dlang.org/show_bug.cgi?id=12941

In principle, I think that you're very right that @safe needs to be implemented as a whitelist. Security in general does not work as a blacklist, and I think that @safe has the same problem.

The problem is code breakage. Even assuming that the change in implementation were straightforward (and I have no idea whether it is or not), it would be pretty much guaranteed that we would break a lot of code marked @safe if we were to switch to a whitelist. Some of that code is not truly @safe and really should be fixed, but just throwing the switch like that is too sudden. We'd probably be forced to have both a whitelist and a blacklist and treat the whitelist results as warnings temporarily before switching fully to the whitelist implementation. That's likely feasible, but it seems like it would be a bit of a mess.

So, I don't know if we reasonably can switch to a whitelist or not. But I think that it's clear that we ideally would.

- Jonathan M Davis