From db6301fd399d4236ebaf26b25c519008d590c957 Mon Sep 17 00:00:00 2001 From: "Shane F. Carr" Date: Thu, 21 Nov 2024 19:19:56 -0800 Subject: [PATCH] Add policy about Writeable / TryWriteable to docs (#5851) Fixes #5494 --- documents/design/data_safety.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/documents/design/data_safety.md b/documents/design/data_safety.md index d7e9d4c7c88..103c1c49074 100644 --- a/documents/design/data_safety.md +++ b/documents/design/data_safety.md @@ -39,6 +39,8 @@ Additional points: 1. As a rule of thumb, validation that requires a single linear pass over the data with no memory allocations is fine, similar to UTF-8 validation, but validation that requires memory allocations, runs in superlinear time, or pulls in large amounts of code or dependencies is discouraged. 2. If performing binary search on a vector from data, it is not necessary to validate that the vector is sorted. The binary search will fail to find elements in an unsorted vector, but it won't panic, so this is consistent with GIGO. 3. The best data structs are those that don't need to be validated. See the below example on how to write data structs without internal invariants. +4. Formatters that are fallible only in the case of invalid data, such as DateTimeFormatter, should implement `Writeable` with GIGO behavior if necessary. If the failure mode can happen with default data and valid inputs, prefer `TryWriteable`. +5. These principles about invalid data could also apply to trait impls that do not follow trait invariants. ## Example
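Review bot: the new item 4 leaves the decision criterion underspecified: "should implement `Writeable` with GIGO behavior if necessary" does not say what the GIGO output is when invalid data is encountered (empty output, best-effort partial output, or something else), nor what "if necessary" is conditioned on, and item 5 hedges ("could also apply") where a policy document should state a rule. Since item 2 already establishes that GIGO means "wrong result but no panic", suggest making item 4 explicit along those lines, e.g. "should implement `Writeable`; on invalid data the output is unspecified but must not panic", and rewording item 5 to "These principles also apply to trait impls that do not follow trait invariants." Also consider linking `Writeable` and `TryWriteable` to their docs so readers of `data_safety.md` know what the two traits are.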