> That might be nice, but when would we run this check?  After loading
> each new system?  That seems a lot harder than running a check when a
> new OPERATION subclass is instantiated (as Pascal's suggestion).
>
Actually, checking at instantiation time is all the better for operations, since we do our best to memorize them, so the warning would happen only once rather than constantly.

There remains the problem of making a distinction between "good" and "bad" operation classes. This I have no idea how to do, short of maintaining a whitelist for current and past systems, and some new declaration for future systems. And even then, for old systems you might want to see if there's version information that distinguishes working versions from broken ones. So far I've tried to avoid whitelists that require constant maintenance.

> [I am quite concerned about this because I am 95% sure that we have
> other systems like this out there that are just waiting to bite me.  We
> have lots of systems that interact with outside software in ways that
> require ASDF to initiate, e.g., some make operations, something to build
> some Java code, starting up a server, etc.]
>
I would just require the handful of ASDF operation-defining hackers who haven't upgraded yet to do an audit ASAP, which they need to do anyway. And I would bet against anyone being in need of an audit who isn't reading us. But then again, you're the one to make bets now.