[racket-dev] syntax taints instead of syntax certificates

On Wed, Jun 29, 2011 at 9:19 PM, Matthew Flatt <mflatt at cs.utah.edu> wrote:
> I've pushed a change to Racket's macro system that throws out the
> syntax-certificate system and adds a syntax-taint system.
>
>
> Syntax taints, like syntax certificates before, are intended to
> protect macro expansions from abuse. "Abuse" means using
> `local-expand' to extract a piece of an expansion, then putting the
> piece in a new context or using `datum->syntax' to access unexported
> module bindings using the piece's lexical context. Meanwhile,
> program-processing tools like `errortrace' or languages like
> `typed/racket' are supposed to pull apart expansions and reorganize
> them; code inspectors remain the way to distinguish trusted tools and
> languages from potential abusers.
>
> Things you need to know:
>
>  * When writing a macro (without `syntax-rules', `define-syntax-rule',
>   or `syntax-id-rules'), apply `syntax-protect' to the macro's result
>   syntax object to protect it from abuse. The `syntax-rules', etc.,
>   forms use `syntax-protect' automatically.

Does this mean we should be updating all our old macros now, and
adding syntax-protect as boilerplate to (nearly) all of our new
macros?  How often is a manual syntax-protect necessary?  It's great
to have a system we can reason about, but the nice thing about
certificates was that they were invisible most of the time.  It looks
like you're suggesting that at least the use of syntax-protect is
going to become ubiquitous in this new system.

>  * If you write program-processing tools or languages that use
>   `syntax-recertify', you'll need to change them to use
>   `syntax-disarm' and possibly `syntax-rearm'.

--Carl