[lang-team-minutes] private-in-public rules

petrochenkov · December 28, 2016, 12:11pm

opened 10:01PM - 28 Jun 16 UTC

A-typesystem A-lint T-lang B-unstable C-future-compatibility

#### What is this lint about [RFC 136](https://github.com/rust-lang/rfcs/blob…/master/text/0136-no-privates-in-public.md) describes rules for using private types and traits in interfaces of public items. The main idea is that an entity restricted to some module cannot be used outside of that module. Private items are considered restricted to the module they are defined in, `pub` items are considered unrestricted and being accessible for all the universe of crates, [RFC 1422](https://github.com/rust-lang/rfcs/pull/1422) describes some more fine-grained restrictions. Note that the restrictions are determined entirely by item's declarations and don't require any reexport traversal and reachability analysis. "Used" means different things for different entities, for example private modules simply can't be named outside of their module, private types can't be named and additionally values of their type cannot be obtained outside of their module, etc. To enforce these rules more visible entities cannot contain less visible entities in their interfaces. Consider, for example, this function: ``` mod m { struct S; pub fn f() -> S { S } // ERROR } ``` If this were allowed, then values of private type `S` could leave its module. Despite the RFC being accepted these rules were not completely enforced until https://github.com/rust-lang/rust/pull/29973 fixed most of the missing cases. Some more missing cases were covered later by PRs https://github.com/rust-lang/rust/pull/32674 and https://github.com/rust-lang/rust/pull/31362. For backward compatibility the new errors were reported as warnings (lints). Now it's time to retire these warnings and turn them into hard errors, which they are supposed to be. This issue also tracks another very similar lint, `pub_use_of_private_extern_crate`, checking for a specific "private-in-public" situation. #### How to fix this warning/error If you _really_ want to use some private unnameable type or trait in a public interface, for example to emulate [sealed traits](https://internals.rust-lang.org/t/pre-rfc-sealed-traits/3108), then there's a universal workaround - make the item public, but put it into a private inner module. ``` mod m { mod detail { pub trait Float {} impl Float for f32 {} impl Float for f64 {} } pub fn multiply_by_2<T: detail::Float>(arg: T) { .... } // OK } ``` The trait `Float` is public from the private-in-public checker's point of view, because it uses only local reasoning, however `Float` is unnameable from outside of `m` and effectively private, because it isn't actually reexported from `m` despite being potentially reexportable. You'll also have to manually document what kind of mystery set of arguments your public function `multiply_by_2` accepts, because unnameable traits are effectively private for rustdoc. #### Current status - [x] https://github.com/rust-lang/rust/pull/29973 introduces the `private_in_public` lint as warn-by-default - [x] https://github.com/rust-lang/rust/pull/34206 makes the `private_in_public` lint deny-by-default - [x] https://github.com/rust-lang/rust/pull/36270 makes the `private_in_public` lint warn-by-default again due to [relatively large](https://internals.rust-lang.org/t/regression-report-stable-2016-08-16-vs-beta-2016-08-26/3930/8) amount of breakage - [ ] PR ? makes the `private_in_public` lint deny-by-default - [ ] PR ? makes the `private_in_public` lint a hard error

what did you mean by "reexport checking in resolve"

Checks preventing pub use Private;. They are performed early and work on "name level"/"path level" (as opposed to "type level") and prevent suddenly turning private items into public items by reexporting them. By checking types alone we cannot prevent leaking "frontend" entities like modules through reexports. (The exact rules implemented as part of RFC 1560 are slightly more complex than "pub use Private; is an error", because they need to work with pub(restricted), globs and imports in several namespaces).

I think that (as I explained in the internals thread) we do need some checking for associated types in impls, at least.

I don't think associated types need any special treatment (modulo linking, see below) because they are equivalent to impl Trait from privacy and stability point of view when used in generic context. Suppose we have a private associated type:

trait PubTrait {
    type A: Bounds;
}
impl PubTrait for PubType {
    type A = PrivType;
}

When this type is used in concrete, non-generic context

let a: PubType::A = ...;

we leak everything about PrivType - we can call its inherent methods, copy it several times if it's Copy, cast it to other implemented non-Bounds traits, transmute it to something, etc, etc, etc. The author of PrivType can't change anything about PrivType backward compatibly, because all the details of PrivType can be used by third parties. This is wrong, you can't name a type private if it has to adhere to such severe restrictions. That's why concrete, "normalizable" associated types need to be checked for privacy on use.

When the associated type A is used in generic context, like TypeParam::A it's equivalent to public anonymized type impl Bounds for users. impl Bounds is the only knowledge we have about PrivType when TypeParam is suddenly equal to PubType. The author of PrivType can change it in arbitrary ways and even completely purge it and provide some other implementation of his public contract impl PubTrait for PubType.

Link time visibility is very useful, but under-appreciated perspective on privacy issues. Here are some points.

We want to minimize link time visibility of all crate symbols.
Language privacy is the primary fuel for this minimization.
Impls of public traits for private types is the tricky case.
We want all the numerous #[derive(Clone, PartialEq, Debug, Hash)] impls for private types to be "internalized" and not to stick out from our crates.
We still want impl Trait to work for private types at link time, so impls participating in impl Trait need to be "externalized".

The last point is relevant to private associated types in generic contexts as well, because they are so similar to impl Trait. If impls participating in Bounds for these associated types are "externalized" as if they participate in impl Bounds, then we are good and don't need any additional interface checks for associated types.

Topic		Replies	Views
[Pre-RFC] Warn about inaccessible types in public function signatures language design	28	5050	March 25, 2019
Older RFCs up for discussion this week	4	1691	March 25, 2019
Private struct returned by public fn	23	3099	March 25, 2019
Does "private in public" work with paths?	4	1124	March 25, 2019
[RFC] Reduce false positives for "private type in public interface" language design	5	1477	March 25, 2019

[lang-team-minutes] private-in-public rules

Related Topics