forbid unsafe_code in the library code?

[daboross]

Right now, bitflags contains no unsafe blocks. User code can #![forbid(unsafe_code)]. But it would be nice to have #![forbid(unsafe_code)] here too, to add to the assurance that the library doesn't contain any user-facing unsafe code if the user also uses #![forbid(unsafe_code)]. Would this be reasonable for bitflags?

I think it would have to be #![cfg_attr(not(test), forbid(unsafe_code))] to allow for tests using unsafe, but same difference.

[ralpha]

Was also going to suggest this. This will make the package green in https://github.com/anderejd/cargo-geiger

[KodrAus]

Hmm, it's a bit of a philosophical question. I'm not totally against the idea, but as a fundamental library that's effectively polyfilling a language feature I'm not sure it's entirely reasonable for bitflags to guarantee it'll never contain any unsafe code blocks. If there's unsafe that needs to be written it'd be better for it to live in bitflags than in consumers (or better yet in the standard library).

Having said that, the library has been stable for a while now without any unsafe, so it's something we could consider if it's important to enough users. It wouldn't be worth adding unless we were really going to commit to never introducing any unsafe code without some kind of major version bump.

[KodrAus]

It looks like we’re going to deprecate/remove the one unsafe function in bitflags so I think it’s reasonable now to commit to never introducing any unsafe code.

[ralpha]

That would be wonderful news! :smiley: Removing even the potential for problems/bugs would make the foundation even more stable so we can build bigger things on top of it. And thanks for taking a look at this.