Per #18130 (comment), I believe that it would be difficult to eliminate the possibility that packages that do not explicitly import unsafe can obtain an unsafe.Pointer via some combination of interface{}, type-assertion, and/or reflection. At the very least, I think you'd need to ensure that no exported function can return an unsafe.Pointer, which is a pretty invasive change.

It may be more viable to disallow all conversions from unsafe.Pointer and instead make it assignable from any pointer type:

package unsafe

type Pointer

func Convert(Pointer) *T

Then unsafe becomes a sort of black-hole: the caller can obtain as many values of unsafe.Pointer as they want, but they only way to dereference one is by first importing unsafe in order to Convert it.

@bcmills I don't think we make this bullet-proof - but at least I want it to be water-proof.

But I agree that if we reconsider the unsafe package interface entirely, we may find better solutions. Even with your suggestion, it's possible to encapsulate the desired conversions in functions exported by a package that's not the unsafe package. A client would only need to import that package.

Note that now that we have type aliases, we'd also have to disallow conversions involving T where

type T = unsafe.Pointer

as well. And that's a bit harder to defend.

@rsc An alternative (for Go 2) is to rethink how unsafe operations work. For instance, we could remove the Pointer type altogether and make all unsafe operations function-based.

Indeed. That would fit with #19367.