Comment by sitkack

5 years ago

Related to what you are looking for is https://github.com/rust-secure-code/cargo-geiger which analyzes the dependency tree for unsafe but afaik it doesn't actually show each individual block.

The readme is quite good.

Wow, yeah, that's exactly the technological aspect of what I had in mind.

I guess all that's left is the sociological aspect: packages' "geiger" status ought to be treated as being as important as their dependencies. In other words, lib.rs/docs.rs/crates.io ought to display these data in all the sorts of places where they list the dependencies of a package.

It would also be great if this tool were made a standard part of cargo. I think it's important enough to deserve that status.

  • I think this would be a docs.rs or lib.rs feature, I used to think crates.io was that place but it is not.

    I could see there being all kinds of scans of dependencies, like enforcing test coverage, builds and tests passing on certain platforms (risc-v, wasi, etc).

    • No, see, my point is that this is as important as dependencies.

      Anything that tracks dependencies ought to be tracking transitive unsafeness.

      That's the mindset shift the Rust world needs. Otherwise we're going to keep getting these (in some sense valid) complaints about how Rust isn't memory-safe because it has unsafe blocks.

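The "transitive unsafeness" the thread asks registries to display, as an added example that is not part of the original discussion or of cargo-geiger: given per-crate unsafe counts (constructed sample data here, not real crates or real scanner output) and a dependency graph, roll up the unsafe exposure a crate inherits through its whole dependency tree, counting each dependency once even when several paths reach it.

```rust
use std::collections::{BTreeMap, BTreeSet, HashMap};

/// Per-crate data a scanner such as cargo-geiger would produce; constructed by hand here.
struct CrateInfo {
    unsafe_items: usize,     // unsafe blocks/fns/impls found in this crate alone
    deps: Vec<&'static str>, // direct dependencies
}

/// Hypothetical registry snapshot (constructed sample data, not real crates).
fn sample_graph() -> HashMap<&'static str, CrateInfo> {
    let mut g = HashMap::new();
    g.insert("app", CrateInfo { unsafe_items: 0, deps: vec!["http-lib", "logger"] });
    g.insert("http-lib", CrateInfo { unsafe_items: 0, deps: vec!["byte-utils", "logger"] });
    g.insert("byte-utils", CrateInfo { unsafe_items: 7, deps: vec![] });
    g.insert("logger", CrateInfo { unsafe_items: 2, deps: vec![] });
    g
}

/// Transitive "geiger" status of `root`: the total number of unsafe items reachable
/// through its dependency tree, plus the crates that contribute them. `seen` ensures a
/// crate reached by several paths (e.g. `logger` above) is counted only once.
fn transitive_unsafe(
    graph: &HashMap<&'static str, CrateInfo>,
    root: &'static str,
) -> (usize, BTreeMap<&'static str, usize>) {
    let mut seen = BTreeSet::new();
    let mut stack = vec![root];
    let mut contributors = BTreeMap::new();
    while let Some(name) = stack.pop() {
        if !seen.insert(name) {
            continue; // already visited (diamond dependency or cycle)
        }
        let info = match graph.get(name) {
            Some(i) => i,
            None => continue, // crate missing from the snapshot: nothing to add
        };
        if info.unsafe_items > 0 {
            contributors.insert(name, info.unsafe_items);
        }
        stack.extend(info.deps.iter().copied());
    }
    let total: usize = contributors.values().sum();
    (total, contributors)
}

fn main() {
    let g = sample_graph();
    let (total, who) = transitive_unsafe(&g, "app");
    println!("app: {total} unsafe items via {} dependencies: {who:?}", who.len());
}
```

A registry page listing `app`'s dependencies would then show 9 inherited unsafe items even though `app` itself declares none.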