On Thursday, 18 May 2017 at 18:15:28 UTC, Stanislav Blinov wrote:
On Thursday, 18 May 2017 at 17:53:52 UTC, H. S. Teoh wrote:

In the long run, I fear that if there are too many @trusted blocks in a given codebase (not necessarily Phobos), it will become too onerous to review, and could lead to hidden exploits that are overlooked by reviewers. I don't know how to solve this conundrum.

Simple. You reject such codebase from the get-go ;)

To be honest, I don't think you *can* solve this problem (rejecting such a codebase is a workaround that may or may not work, depending on the use case and what the codebase has to do; there are valid reasons for why the majority of a codebase may need to be @trusted, such as OS abstractions). As long as we build software on top of operating systems with APIs that may or may not be unsafe we *need* such an unsafe layer and any codebase that heavily interacts with the OS will be littered with @trusted. All you can do is educate people to spot when @trusted is actually necessary and when something could genuinely be written @safe without @trusted and educate them to choose the latter when and if possible.

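An added illustration of the point made in the last post (example code written for this page, not from the thread or from Phobos): the OS call itself cannot be @safe, but the @trusted surface around it can be kept to a few lines whose one invariant a reviewer can check, with everything else left to the compiler. It assumes a POSIX system and uses core.sys.posix.unistd.write as the unsafe OS API; the function names and the hypothetical log-writing use case are the example's own.

```d
// Added example: keeping the @trusted boundary narrow around an OS call.
// Assumes POSIX (core.sys.posix.unistd.write). Not part of the original thread.
module trusted_boundary;

import core.sys.posix.unistd : write;
import std.string : representation;

/// The OS API takes a raw pointer/length pair, so it can never be @safe.
/// This wrapper takes a slice instead: the slice's length bounds the pointer,
/// and that single invariant is the whole of what a reviewer must check here.
/// Returns the number of bytes written, or -1 on error (errno is set by write).
ptrdiff_t writeAll(int fd, const(ubyte)[] buf) @trusted
{
    size_t done = 0;
    while (done < buf.length)
    {
        // Pointer arithmetic is what forces @trusted; it stays inside this loop.
        auto n = write(fd, buf.ptr + done, buf.length - done);
        if (n < 0)
            return -1;
        done += n;
    }
    return cast(ptrdiff_t) done;
}

/// Everything that can be @safe is @safe: the concatenation, the conversion
/// to bytes (representation is @safe) and the comparison are compiler-checked.
bool logLine(int fd, string msg) @safe
{
    auto line = msg ~ "\n";
    return writeAll(fd, line.representation) == cast(ptrdiff_t) line.length;
}

/// The pattern the post warns about: the same logic as one big @trusted body.
/// It compiles just the same, but the string handling, the loop and every
/// future edit to this function now escape the compiler and land on the
/// reviewer's desk, which is how "hidden exploits overlooked by reviewers" happen.
bool logLineTrustedEverywhere(int fd, string msg) @trusted
{
    auto line = msg ~ "\n";
    size_t done = 0;
    while (done < line.length)
    {
        auto n = write(fd, line.ptr + done, line.length - done);
        if (n < 0)
            return false;
        done += n;
    }
    return true;
}

void main() @safe
{
    // fd 1 is stdout; a @safe main can call the @trusted wrapper freely.
    logLine(1, "narrow @trusted wrapper, @safe caller");
}
```

The review cost of the first form is the body of writeAll and nothing else; auditing the second form means re-reading all of it on every change. When a codebase is "littered with @trusted", the question worth asking of each occurrence is whether it is the thin wrapper or the wide body.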