-
-
Notifications
You must be signed in to change notification settings - Fork 117
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add forbid(unsafe_code) #273
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Closing as a duplicate of #261.
I support @mleonhard in this. There is a place and time for unsafe code, I agree with that. But that is not what we are talking about. There is no unsafe code here. And thus adding the I think we should invite others to state there opinion so we take more peoples opinion into account. (@alexcrichton ) @mleonhard I would like to suggest to add Because the alternative is a fork of this crate, but doing that over such a small issue is hardly what we want. This divides and pollutes the package manager. This will be a loss for the the rust community if things are always forked over discussions. |
Note that it is a cargo-geiger bug that cargo-geiger requests Build scripts and proc-macros have a totally different attack model than normal code, they can run or insert arbitrary code at build time. (Even if the macro itself does not contain unsafe code, it does not mean that the macro is safe.) (I feel the behavior of cargo-geiger that not ignoring proc-macro and its dependencies is also actually like a bug.) |
If this will be solved in cargo geiger, that is perfect! Then there is no need for the I don't know what you mean by:
Could you clarify? |
Adding this change involves misleading people about the safe code posture of this crate, and my belief is that it's a net negative in the long term. Proc-macro2 has used some unsafe code in a previous version. It went away at some point not because we became opposed to unsafe code, but purely because the public API it supported was no longer needed. It's reasonably likely that a future API addition will cause this crate to use unsafe code once again in a future version. The thing that will happen if we put
I do actually want that. There is a set of safe code zealots for whom a crate having Denying a
I agree with you that it's a nuanced argument against the attribute. If it's confusing for people that we have no current unsafe code in the crate but also no
Geiger is using a dark pattern to mislead people that it does. Meanwhile this crate uses the standard library heavily, including things like |
My personal opinion on this is that I agree with everything @dtolnay says, and I don't have anything to add to it over what's already been said. |
@dtolnay You make some very good arguments in your post, I like it. I'm not entirely sure what would be the misleading part about "Adding this change involves misleading people about the safe code posture of this crate". Does it not mean that everything is typechecked, borrow checked, ... by the compiler? I think it does. Had not considered the future adding of unsafe code and the removal of the tag. I hope it is not the case that unsafe is needed, as people can always make mistakes. And unsafe is there to limit the amount of mistakes. (it is there for a reason) Let me be clear, I have no intention to fork this repo, add the
Well I would not go that far. Then people will actively come and check the create if unsafe was used correctly and will open Issues because it is dead code. So that just moves the problem.
Yeah maybe, have not made my mind up over that. I think it is an interesting tool. I have checked other creates out that use extensive use of unsafe to see what is up with them. And I think having no unsafe code in something like Yes, I hope the standard library is well checked. But the problems are most likely not in the standard library but in the 55,387 crate on cargo. Thanks for you posting and very nice answer! You made a strong case, and has changes my view a bit. |
@dtolnay If you have suggestions on rewording the readme file please do send a PR to fix it, there is no intention to "mislead people".
Everyone who choose to use Rust also knowingly or unknowingly choose to trust the standard library and the compiler, with the exception of no_std projects. Comparing the trustworthiness of libraries on crates.io to the standard library seems like a stretch to me even when the library in question is written by well known authors who have been or are involved with the standard library. I stumbled across this thread and I hope you don't feel annoyed by my reply and I hope to see a PR fort that readme. |
Hi proc-macro2 Maintainers,
I am developing a safe regular expression library. Of its dependencies, only
proc_macro2
is lacking aforbid(unsafe_code)
declaration. Can we please add it?Best,
Michael
Cargo Geiger Safety Report