
5 Jul 2012, 11:05 a.m.
On Thu, 5 Jul 2012, Simon Marlow wrote:
> The choice to use the module boundary was made for pragmatic reasons - it reduces complexity in the implementation, but also it makes things much simpler from the programmer's point of view. The programmer has a clear idea where the boundary lies: in a Safe module, they can only import other Safe/Trustworthy modules. The Safe subset is a collection of modules, not some slice of the contents of all modules. The Haddock docs for a module only have to say in one place whether the module is considered safe or not.
I found it quite natural to have the safety property per module. Maybe I am too much used to Modula-3.