
RFC: Use `--cfg reduce_unsafe` to signal preference of safe code over fast code

Open WildCryptoFox opened this issue 6 years ago • 2 comments

(Cross posted on users.rust-lang.org and internals.rust-lang.org)

This complements #19 when the safe code can be produced but the performance cost is too high for a set of users willing to pay the safety cost.

Users could opt into this manually using RUSTFLAGS+='--cfg reduce_unsafe'; but I'd rather have richer tooling - see below.

Crates branch on #[cfg(reduce_unsafe)].

Edit: I've implemented reduce_unsafe::(un)checked! macros with an example.

Alternatively a feature flag could be used instead and could be fine-grain for certain code.

Context: I've been using a custom RUSTC_WRAPPER and plan to promote this shell with Rust and add some more features. This complements cargo geiger, cargo crev and could be an early feature of cargo sandbox.

In addition to showing all unsafe code, this also shows deprecation warnings and any other warnings or errors which are normally hidden because cargo uses --cap-lints allow (before RUSTFLAGS, where it cannot be overridden without RUSTC_WRAPPER) to minimize the damage of rustc's own changes.

(Use -Funsafe-code to catch uses of #[allow(unsafe_code)])

WildCryptoFox avatar Jan 17 '20 22:01 WildCryptoFox
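The crate-side half of the proposal above, as an added example that is not code from the issue or from the `reduce_unsafe` macros the opener mentions: one hot function compiled two ways, with an `index_fast!` macro standing in for the issue's `(un)checked!` macro. The macro is defined twice under item-level `#[cfg]`, so in a `--cfg reduce_unsafe` build the `unsafe` block is not merely dead code, it is absent from the crate that rustc sees, which is what lets `-F unsafe-code` or a crate-root `#![cfg_attr(reduce_unsafe, forbid(unsafe_code))]` verify that nothing unsafe survived. The `dot` function and the sample inputs are constructed for this example.

```rust
// Added example (not from the issue): a crate branching on `--cfg reduce_unsafe`.
// Build with `RUSTFLAGS='--cfg reduce_unsafe' cargo build` for the checked path;
// a plain build selects the unchecked path. `index_fast!` is this example's
// stand-in for the issue's `reduce_unsafe::unchecked!` macro.

#[cfg(reduce_unsafe)]
macro_rules! index_fast {
    // Safe build: ordinary indexing, so an out-of-range index panics.
    ($s:expr, $i:expr) => {
        $s[$i]
    };
}

#[cfg(not(reduce_unsafe))]
macro_rules! index_fast {
    // Fast build: skip the bounds check.
    // SAFETY: every caller must guarantee `$i < $s.len()`; an out-of-range
    // index here is undefined behaviour, not a panic.
    ($s:expr, $i:expr) => {
        unsafe { *$s.get_unchecked($i) }
    };
}

/// Reports which path this binary was compiled with.
pub fn build_mode() -> &'static str {
    if cfg!(reduce_unsafe) {
        "checked"
    } else {
        "unchecked"
    }
}

/// Dot product over two equal-length slices. The contract is the same in both
/// builds: the single length check up front is what makes `index_fast!` sound
/// in the unchecked build, because the loop bound `a.len()` then also bounds `b`.
pub fn dot(a: &[u32], b: &[u32]) -> u64 {
    assert_eq!(a.len(), b.len(), "dot: length mismatch");
    let mut acc = 0u64;
    for i in 0..a.len() {
        let x = index_fast!(a, i);
        let y = index_fast!(b, i);
        acc += u64::from(x) * u64::from(y);
    }
    acc
}

fn main() {
    // Constructed sample input for this example.
    let a = [1, 2, 3];
    let b = [4, 5, 6];
    println!("build: {}, dot = {}", build_mode(), dot(&a, &b));
}
```

In a real crate the safety argument lives in one place (the `assert_eq!` plus the loop bound), and the checked build is the cheap way to test that argument under a fuzzer or in CI before shipping the unchecked build to users who opted out of the bounds checks.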
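The tooling half, as an added example that is not the opener's own RUSTC_WRAPPER: a small wrapper binary that strips cargo's `--cap-lints allow` from each dependency's rustc invocation and appends an `unsafe_code` lint on the command line. The `--cap-lints` cap applies to every lint, including ones set with `-F` on the command line, so the cap has to go before `-F unsafe-code` can take effect. The `REDUCE_UNSAFE_FORBID` environment variable is an assumption of this example, not a cargo or rustc feature; the rustc argument vectors below are constructed.

```rust
// Added example (not the issue author's wrapper). Point cargo at the built
// binary with `RUSTC_WRAPPER=/path/to/this-binary cargo build`; cargo then
// invokes it as `<wrapper> <rustc> <rustc args...>`.
use std::env;
use std::process::{exit, Command};

/// Rewrite one rustc invocation's arguments: drop cargo's `--cap-lints allow`
/// (both the `--cap-lints allow` and `--cap-lints=allow` spellings) so lints
/// inside dependencies are no longer silenced, then add an `unsafe_code` lint.
/// `forbid == true` maps to `-F unsafe-code`, which a crate-level
/// `#[allow(unsafe_code)]` cannot override; `false` maps to `-W unsafe-code`,
/// which only reports and which an in-source `allow` can still suppress.
pub fn rewrite_args(args: &[String], forbid: bool) -> Vec<String> {
    let mut out = Vec::with_capacity(args.len() + 2);
    let mut skip_next = false;
    for a in args {
        if skip_next {
            // This is the value that followed a bare `--cap-lints`.
            skip_next = false;
            continue;
        }
        if a == "--cap-lints" {
            skip_next = true;
            continue;
        }
        if a.starts_with("--cap-lints=") {
            continue;
        }
        out.push(a.clone());
    }
    out.push(if forbid { "-F" } else { "-W" }.to_string());
    out.push("unsafe-code".to_string());
    out
}

fn main() {
    let mut argv = env::args().skip(1);
    let rustc = match argv.next() {
        Some(p) => p,
        None => {
            eprintln!("usage: wrapper <rustc> [rustc args...]");
            exit(2);
        }
    };
    let args: Vec<String> = argv.collect();
    // Assumed knob for this example: set REDUCE_UNSAFE_FORBID=1 to turn any
    // unsafe code in a dependency into a hard error instead of a warning.
    let forbid = env::var_os("REDUCE_UNSAFE_FORBID").is_some();
    let status = Command::new(&rustc)
        .args(rewrite_args(&args, forbid))
        .status()
        .unwrap_or_else(|e| {
            eprintln!("failed to run {}: {}", rustc, e);
            exit(1)
        });
    // Propagate rustc's exit status so cargo sees failures as failures.
    exit(status.code().unwrap_or(1));
}
```

Two caveats a user of such a wrapper should expect. Removing the cap also re-enables any `#![deny(...)]` a dependency carries in its own source, so a newer rustc can fail the build on an unrelated lint; that is exactly the damage cargo's cap is there to prevent, and the wrapper trades it for visibility. And `-W unsafe-code` lists unsafe code but does not catch a crate that wrote `#[allow(unsafe_code)]`; only the `-F` level does, at the cost of refusing to build that crate at all.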

Perhaps respect the following hints from crates.

```toml
# if this crate is not forbidden, then
[package.metadata.unsafe_policy]
# default is forbid (when the meta entry is present)
# allow foo to use unsafe code
foo = "allow"
# ask bar to reduce its unsafe code
bar = "reduce"
# forbid bar's dependency 'baz' from using unsafe code
bar.baz = "forbid"

[package.metadata.unsafe_policy.'cfg(feature = "something_which_needs_unsafe")']
quz = "allow"
```

WildCryptoFox avatar Jan 18 '20 00:01 WildCryptoFox

I think reduce_unsafe might mean wildly varying things to different crates, but your cargo wrapper and unsafe_policy idea give the right direction.

You might permit the unsafe code within a specific version or with a specific digital signature, but accept future crate versions that left alone the modules satisfying that restriction. I suppose micro crates like arrayref that release new versions rarely help achieve this more simply.

burdges avatar Jun 15 '20 09:06 burdges