• Bruce Carneal (30/30) May 27 2020 DIP 1028 is unsound.
• Bruce Carneal (12/42) May 27 2020 As Mike Parker, the DIP manager, has just confirmed via email
• Les De Ridder (2/4) May 27 2020 s/Andre/Andrei/?
• Bruce Carneal (2/7) May 27 2020 Yep.
• Daniel Kozak (5/8) May 28 2020 No it is not
• Timon Gehr (18/25) May 28 2020 That's technically true. The issue is an existing hole in @safety, but
• Paulo Pinto (9/37) May 28 2020 Specially when all other modern system programming language do
• Walter Bright (10/11) May 28 2020 There's a lot of imprecise language in the D spec, as I'm not very good ...
• Dibyendu Majumdar (8/15) May 28 2020 I offered last year to work on the spec. But even a simple PR got
• Les De Ridder (4/11) May 28 2020 Not exactly proof, but:
• Johannes Loher (6/22) May 28 2020 I'm really missing a third option in that poll: The default for all
• Les De Ridder (5/16) May 28 2020 The OP of the poll said: "People that think it should be
• Johannes Loher (5/22) May 28 2020 It is absolutely not. It is a completely different thing. I'm
• IGotD- (8/38) May 28 2020 I think one of the biggest problems is the expectations of the
• Mike Parker (9/16) May 28 2020 The DIP went through one round of community review and one round
• Bruce Carneal (10/58) May 28 2020 The duopoly model has strengths and weaknesses as do others. In
• Bruce Carneal (16/36) May 28 2020 For ease of reference, I repeat here the two proposals I've made

Bruce Carneal <bcarneal gmail.com> writes:

DIP 1028 is unsound.
DIP 1028 is deeply unpopular.
DIP 1028 is ridiculous.

How do we lessen the likelihood that DIPs like 1028 are accepted 
in the future?

DIP 1028 survived veto because the DIP author had a very low bar 
to jump over; he only had to convince one person that silently 
and globally calling extern(C) safe was sane.  Here are some ways 
to raise that bar:

1) Appoint an at-large language maintainer (LM) that steps in 
whenever either of the two LMs author a DIP.

2) Appoint an "emeritus" LM that can veto DIPs but is not 
required to actively approve them.  Andre?

3) Increase the number of LMs.

4) Some combination of the above.

If you have other, preferably simple, ideas on how to improve the 
DIP process, please chime in.  We may hit on something that could 
actually work.

If the LMs refuse amendment, and the governing docs provide no 
relief, DIP process dysfunction will remain a "vote with your 
feet" issue (the disaffected bleed away, growth stagnates, the 
community becomes ever more cynical and withdraws from DIP 
commentary, ...).

Finally, the elephant in the room: The DIP process would work 
much much better if Walter could somehow learn to communicate 
effectively in the forums.  Crucially, Walter often says that he 
believes he's answered a concern when the other, often highly 
respected, party most definitely believes he has not.  Evidently 
it requires the patience of Job and the clarity of Timon to get 
through to Walter.  Even that is not always enough.

Bruce Carneal <bcarneal gmail.com> writes:

On Thursday, 28 May 2020 at 00:05:19 UTC, Bruce Carneal wrote:
 DIP 1028 is unsound.
 DIP 1028 is deeply unpopular.
 DIP 1028 is ridiculous.

 How do we lessen the likelihood that DIPs like 1028 are 
 accepted in the future?

 DIP 1028 survived veto because the DIP author had a very low 
 bar to jump over; he only had to convince one person that 
 silently and globally calling extern(C) safe was sane.  Here 
 are some ways to raise that bar:

 1) Appoint an at-large language maintainer (LM) that steps in 
 whenever either of the two LMs author a DIP.

 2) Appoint an "emeritus" LM that can veto DIPs but is not 
 required to actively approve them.  Andre?

 3) Increase the number of LMs.

 4) Some combination of the above.

 If you have other, preferably simple, ideas on how to improve 
 the DIP process, please chime in.  We may hit on something that 
 could actually work.

 If the LMs refuse amendment, and the governing docs provide no 
 relief, DIP process dysfunction will remain a "vote with your 
 feet" issue (the disaffected bleed away, growth stagnates, the 
 community becomes ever more cynical and withdraws from DIP 
 commentary, ...).

 Finally, the elephant in the room: The DIP process would work 
 much much better if Walter could somehow learn to communicate 
 effectively in the forums.  Crucially, Walter often says that 
 he believes he's answered a concern when the other, often 
 highly respected, party most definitely believes he has not.  
 Evidently it requires the patience of Job and the clarity of 
 Timon to get through to Walter.  Even that is not always enough.

As Mike Parker, the DIP manager, has just confirmed via email 
there are no governing documents regarding changing the DIP 
process, you just make suggestions to him directly.  That's 
refreshingly direct.  Here are the two that I've proposed:

1) Recruit an "at large" LM to stand in whenever a DIP authored 
by a regular LM is being considered.

2) Recruit Andre, or Timon or ... as a tie-breaker LM who can 
weigh in to break a tie between the two LMs (2 out of 3 wins).

It may be too much of an ask to get even these "part time" LMs 
but it's a start.  Whatever it takes to reduce cynicism and get 
things moving.

Les De Ridder <les lesderid.net> writes:

On Thursday, 28 May 2020 at 02:30:11 UTC, Bruce Carneal wrote:
 [...]

 2) Recruit Andre, or Timon or ... as a tie-breaker LM who can

s/Andre/Andrei/?

Bruce Carneal <bcarneal gmail.com> writes:

On Thursday, 28 May 2020 at 02:33:35 UTC, Les De Ridder wrote:
 On Thursday, 28 May 2020 at 02:30:11 UTC, Bruce Carneal wrote:
 [...]

 2) Recruit Andre, or Timon or ... as a tie-breaker LM who can

 s/Andre/Andrei/?

Yep.

Daniel Kozak <kozzi11 gmail.com> writes:

On Thu, May 28, 2020 at 2:10 AM Bruce Carneal via Digitalmars-d
<digitalmars-d puremagic.com> wrote
 DIP 1028 is unsound.

No it is not

 DIP 1028 is deeply unpopular.

Show me the numbers. I do not see any proof

 DIP 1028 is ridiculous.

You have typo, you mean awesome?

Timon Gehr <timon.gehr gmx.ch> writes:

On 28.05.20 09:52, Daniel Kozak wrote:
 On Thu, May 28, 2020 at 2:10 AM Bruce Carneal via Digitalmars-d
 <digitalmars-d puremagic.com> wrote
 DIP 1028 is unsound.

 
 No it is not
 ...

That's technically true. The issue is an existing hole in  safety, but 
one that gets exacerbated by a change in defaults.

https://dlang.org/spec/memory-safe-d.html

"Therefore, the safe subset of D consists only of programming language 
features that are guaranteed to never result in memory corruption."

`extern(C)` is not such a feature, so the existing behavior is in 
violation of the specification.

The hole can be plugged by changing a couple of lines of DMD's source 
code. Instead, Walter is now defending the  safety hole.

This is sending a weird message. Is this how we are going to deal with 
holes in ` safe` going forward? If so, what is the justification for the 
additional overhead necessary to make code ` safe` the proper way? At 
that point it seems like a reasonable solution to just opt out using 
` system:` and/or use ` safe` merely as a linting mechanism and 
` trusted` as a way to make the compiler shut up when it is convenient, 
which is exactly what Walter is worried about.

I think it is important that we can explain ` safe` with a straight face.

Paulo Pinto <pjmlp progtools.org> writes:

On Thursday, 28 May 2020 at 09:56:11 UTC, Timon Gehr wrote:
 On 28.05.20 09:52, Daniel Kozak wrote:
 On Thu, May 28, 2020 at 2:10 AM Bruce Carneal via Digitalmars-d
 <digitalmars-d puremagic.com> wrote
 DIP 1028 is unsound.

 
 No it is not
 ...

 That's technically true. The issue is an existing hole in 
  safety, but one that gets exacerbated by a change in defaults.

 https://dlang.org/spec/memory-safe-d.html

 "Therefore, the safe subset of D consists only of programming 
 language features that are guaranteed to never result in memory 
 corruption."

 `extern(C)` is not such a feature, so the existing behavior is 
 in violation of the specification.

 The hole can be plugged by changing a couple of lines of DMD's 
 source code. Instead, Walter is now defending the  safety hole.

 This is sending a weird message. Is this how we are going to 
 deal with holes in ` safe` going forward? If so, what is the 
 justification for the additional overhead necessary to make 
 code ` safe` the proper way? At that point it seems like a 
 reasonable solution to just opt out using ` system:` and/or use 
 ` safe` merely as a linting mechanism and ` trusted` as a way 
 to make the compiler shut up when it is convenient, which is 
 exactly what Walter is worried about.

 I think it is important that we can explain ` safe` with a 
 straight face.

Specially when all other modern system programming language do 
mark such external code as unsafe. Even Zig has a couple of open 
tickets regarding this.

D will need a very good marketing strategy to sell itself to 
security conscious crowd if this DIP is integrated this way.

Consider that D wasn't even mentioned on Chromium security post 
regarding what languages the team might consider to improve its 
security surface.

Walter Bright <newshound2 digitalmars.com> writes:

On 5/28/2020 2:56 AM, Timon Gehr wrote:
 [...]

There's a lot of imprecise language in the D spec, as I'm not very good at 
language lawyering, and much of it was written hastily. A couple years ago I 
started doing this section by section, but ran out of steam as my PRs were met 
with indifference and languished.

There's also the factor of experience showing weaknesses in the spec.
Subsequent 
language changes often do not show up in the spec. The  safe stuff was written
a 
seeming lifetime ago.

The precise language for  safe can certainly be improved, as has been done 
already for what a " safe interface" is.

Dibyendu Majumdar <mobile majumdar.org.uk> writes:

On Thursday, 28 May 2020 at 21:35:38 UTC, Walter Bright wrote:
 On 5/28/2020 2:56 AM, Timon Gehr wrote:
 [...]

 There's a lot of imprecise language in the D spec, as I'm not 
 very good at language lawyering, and much of it was written 
 hastily. A couple years ago I started doing this section by 
 section, but ran out of steam as my PRs were met with 
 indifference and languished.

I offered last year to work on the spec. But even a simple PR got 
stuck because the only person who can apparently say anything 
about the language is yourself and despite repeated requests 
there was no response. I eventually gave up. I am again willing 
to try but it is not possible to make progress without your 
prompt input as no one else really understands why things are as 
they are.

Les De Ridder <les lesderid.net> writes:

On Thursday, 28 May 2020 at 07:52:17 UTC, Daniel Kozak wrote:
 On Thu, May 28, 2020 at 2:10 AM Bruce Carneal via Digitalmars-d 
 <digitalmars-d puremagic.com> wrote
 DIP 1028 is unsound.

 No it is not

 DIP 1028 is deeply unpopular.

 Show me the numbers. I do not see any proof

Not exactly proof, but:
https://www.strawpoll.me/20184671/r

(The " safe" option is what's proposed in DIP 1028.)

Johannes Loher <johannes.loher fg4f.de> writes:

Am 28.05.20 um 12:49 schrieb Les De Ridder:
 On Thursday, 28 May 2020 at 07:52:17 UTC, Daniel Kozak wrote:
 On Thu, May 28, 2020 at 2:10 AM Bruce Carneal via Digitalmars-d
 <digitalmars-d puremagic.com> wrote
 DIP 1028 is unsound.

 No it is not

 DIP 1028 is deeply unpopular.

 Show me the numbers. I do not see any proof

 
 Not exactly proof, but:
 https://www.strawpoll.me/20184671/r
 
 (The " safe" option is what's proposed in DIP 1028.)

I'm really missing a third option in that poll: The default for all
declarations should be  safe, but extern(not-D)  safe declarations
should be a compile error, regardless of if  safe is explicit or
implicit. That forces an explicit decision between  system and  trusted
for every extern(non-D) declaration.

Les De Ridder <les lesderid.net> writes:

On Thursday, 28 May 2020 at 11:13:07 UTC, Johannes Loher wrote:
...
 
 Not exactly proof, but:
 https://www.strawpoll.me/20184671/r
 
 (The " safe" option is what's proposed in DIP 1028.)

 I'm really missing a third option in that poll: The default for 
 all declarations should be  safe, but extern(not-D)  safe 
 declarations should be a compile error, regardless of if  safe 
 is explicit or implicit. That forces an explicit decision 
 between  system and  trusted for every extern(non-D) 
 declaration.

The OP of the poll said: "People that think it should be 
 trusted, vote
 safe, it's pretty much the same thing." ...

Johannes Loher <johannes.loher fg4f.de> writes:

On Thursday, 28 May 2020 at 11:31:35 UTC, Les De Ridder wrote:
 On Thursday, 28 May 2020 at 11:13:07 UTC, Johannes Loher wrote:
 ...
 
 Not exactly proof, but:
 https://www.strawpoll.me/20184671/r
 
 (The " safe" option is what's proposed in DIP 1028.)

 I'm really missing a third option in that poll: The default 
 for all declarations should be  safe, but extern(not-D)  safe 
 declarations should be a compile error, regardless of if  safe 
 is explicit or implicit. That forces an explicit decision 
 between  system and  trusted for every extern(non-D) 
 declaration.

 The OP of the poll said: "People that think it should be 
  trusted, vote
  safe, it's pretty much the same thing." ...

It is absolutely not. It is a completely different thing. I'm 
saying that if you don't annotate extern(non-D) explicitly with 
 system or  trusted, it should be a compile error. That means, 
there is no „default“ at all.

IGotD- <nise nise.com> writes:

On Thursday, 28 May 2020 at 00:05:19 UTC, Bruce Carneal wrote:
 DIP 1028 is unsound.
 DIP 1028 is deeply unpopular.
 DIP 1028 is ridiculous.

 How do we lessen the likelihood that DIPs like 1028 are 
 accepted in the future?

 DIP 1028 survived veto because the DIP author had a very low 
 bar to jump over; he only had to convince one person that 
 silently and globally calling extern(C) safe was sane.  Here 
 are some ways to raise that bar:

 1) Appoint an at-large language maintainer (LM) that steps in 
 whenever either of the two LMs author a DIP.

 2) Appoint an "emeritus" LM that can veto DIPs but is not 
 required to actively approve them.  Andre?

 3) Increase the number of LMs.

 4) Some combination of the above.

 If you have other, preferably simple, ideas on how to improve 
 the DIP process, please chime in.  We may hit on something that 
 could actually work.

 If the LMs refuse amendment, and the governing docs provide no 
 relief, DIP process dysfunction will remain a "vote with your 
 feet" issue (the disaffected bleed away, growth stagnates, the 
 community becomes ever more cynical and withdraws from DIP 
 commentary, ...).

 Finally, the elephant in the room: The DIP process would work 
 much much better if Walter could somehow learn to communicate 
 effectively in the forums.  Crucially, Walter often says that 
 he believes he's answered a concern when the other, often 
 highly respected, party most definitely believes he has not.  
 Evidently it requires the patience of Job and the clarity of 
 Timon to get through to Walter.  Even that is not always enough.

I think one of the biggest problems is the expectations of the 
management model. DIP 1028 has issues where a lot of people 
disagreed and valid criticism, yet it was accepted on the first 
round. Is this a community development model? Perhaps D should go 
towards a committee model instead. This might be a better model 
for Walter and those who has a clear vision of how D should 
evolve, despite unpopular changes.

Mike Parker <aldacron gmail.com> writes:

On Thursday, 28 May 2020 at 13:01:43 UTC, IGotD- wrote:

 I think one of the biggest problems is the expectations of the 
 management model. DIP 1028 has issues where a lot of people 
 disagreed and valid criticism, yet it was accepted on the first 
 round. Is this a community development model? Perhaps D should 
 go towards a committee model instead. This might be a better 
 model for Walter and those who has a clear vision of how D 
 should evolve, despite unpopular changes.

The DIP went through one round of community review and one round 
of final review just like every other DIP does. Some go through 
multiple rounds of community review when the DIP author 
significantly modifies the DIP after the first round in response 
to feedback. It is *always* up to the DIP auhtor to accept that 
feedback or to reject it.

Please read the DIP process documentation:

https://github.com/dlang/DIPs

Bruce Carneal <bcarneal gmail.com> writes:

On Thursday, 28 May 2020 at 13:01:43 UTC, IGotD- wrote:
 On Thursday, 28 May 2020 at 00:05:19 UTC, Bruce Carneal wrote:
 DIP 1028 is unsound.
 DIP 1028 is deeply unpopular.
 DIP 1028 is ridiculous.

 How do we lessen the likelihood that DIPs like 1028 are 
 accepted in the future?

 DIP 1028 survived veto because the DIP author had a very low 
 bar to jump over; he only had to convince one person that 
 silently and globally calling extern(C) safe was sane.  Here 
 are some ways to raise that bar:

 1) Appoint an at-large language maintainer (LM) that steps in 
 whenever either of the two LMs author a DIP.

 2) Appoint an "emeritus" LM that can veto DIPs but is not 
 required to actively approve them.  Andre?

 3) Increase the number of LMs.

 4) Some combination of the above.

 If you have other, preferably simple, ideas on how to improve 
 the DIP process, please chime in.  We may hit on something 
 that could actually work.

 If the LMs refuse amendment, and the governing docs provide no 
 relief, DIP process dysfunction will remain a "vote with your 
 feet" issue (the disaffected bleed away, growth stagnates, the 
 community becomes ever more cynical and withdraws from DIP 
 commentary, ...).

 Finally, the elephant in the room: The DIP process would work 
 much much better if Walter could somehow learn to communicate 
 effectively in the forums.  Crucially, Walter often says that 
 he believes he's answered a concern when the other, often 
 highly respected, party most definitely believes he has not.  
 Evidently it requires the patience of Job and the clarity of 
 Timon to get through to Walter.  Even that is not always 
 enough.

 I think one of the biggest problems is the expectations of the 
 management model. DIP 1028 has issues where a lot of people 
 disagreed and valid criticism, yet it was accepted on the first 
 round. Is this a community development model? Perhaps D should 
 go towards a committee model instead. This might be a better 
 model for Walter and those who has a clear vision of how D 
 should evolve, despite unpopular changes.

The duopoly model has strengths and weaknesses as do others. In 
the case of 1028 the duopoly model was abused.  We no longer had 
2 experts looking out for the community, we only had one, Atila.  
We can fix that in the future by altering the DIP process.  I 
have proposed such a modification to Mike.

Per email with Mike other modification proposals are welcome and 
can be submitted in this thread.

Side note: I think Mike has done a very good job.  It's the DIP 
process itself that could use some help.

Bruce Carneal <bcarneal gmail.com> writes:

On Thursday, 28 May 2020 at 14:16:00 UTC, Bruce Carneal wrote:
 On Thursday, 28 May 2020 at 13:01:43 UTC, IGotD- wrote:
 On Thursday, 28 May 2020 at 00:05:19 UTC, Bruce Carneal wrote:
 [snip]

 I think one of the biggest problems is the expectations of the 
 management model. DIP 1028 has issues where a lot of people 
 disagreed and valid criticism, yet it was accepted on the 
 first round. Is this a community development model? Perhaps D 
 should go towards a committee model instead. This might be a 
 better model for Walter and those who has a clear vision of 
 how D should evolve, despite unpopular changes.

 The duopoly model has strengths and weaknesses as do others. In 
 the case of 1028 the duopoly model was abused.  We no longer 
 had 2 experts looking out for the community, we only had one, 
 Atila.  We can fix that in the future by altering the DIP 
 process.  I have proposed such a modification to Mike.

 Per email with Mike other modification proposals are welcome 
 and can be submitted in this thread.

 Side note: I think Mike has done a very good job.  It's the DIP 
 process itself that could use some help.

For ease of reference, I repeat here the two proposals I've made 
to Mike:

1) Recruit an "at large" LM to stand in whenever a DIP authored 
by a regular LM is being considered.

2) Recruit Andrei, or Timon or ... as a tie-breaker LM who can 
weigh in to break a tie between the two LMs (2 out of 3 wins).

As noted in the email to Mike, even asking someone to be one of 
these "part time" LMs is a big ask but we've got to start 
somewhere.

The first proposal addresses the duopoly weakness exposed by 
1028.  The second proposal is a much bigger deal and is intended 
to get us past single person veto mistakes.  It should also 
reduce cynicism and promote engagement.

If you've got other ideas on how the DIP process could be 
improved, please submit them here.