
> which then turns up in the JSON decoder at (https://github.com/rust-lang-deprecated/rustc-serialize/blob...). There are no comments on the safety of that.

Maybe there's a reason it's in a repository labeled "deprecated", namely that it's deprecated. The replacement serialization framework, serde, has exactly one appearance of "unsafe", in a function that is only compiled when you explicitly enable the "unstable" feature flag and that in fact appears to be a reasonably safe use of unsafe.
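What a "reasonably safe use of unsafe" behind a feature flag looks like in practice, as an added example that is not serde's or rustc-serialize's code: the unsafe call is confined to one small function, its precondition is enforced by the safe caller, a `SAFETY:` comment records the argument next to the block, and a fully safe implementation is compiled when the flag is off. The feature name `unstable_fast_path` is hypothetical.

```rust
// Added example (not code from serde or rustc-serialize): a decoder helper that
// keeps a single, feature-gated `unsafe` auditable. `unstable_fast_path` is a
// hypothetical feature name chosen for this example.

/// Parse an unsigned decimal integer from the front of `input`, returning the
/// value and the number of bytes consumed. Returns None on empty input, on
/// input that does not start with a digit, and on overflow of u64.
pub fn parse_uint(input: &[u8]) -> Option<(u64, usize)> {
    let len = input.iter().take_while(|b| b.is_ascii_digit()).count();
    if len == 0 {
        return None;
    }
    let digits = &input[..len];
    // `digits` is all ASCII digits here; that is the precondition digits_to_str relies on.
    let text = digits_to_str(digits);
    // str::parse rejects values that do not fit in u64, so overflow becomes None.
    text.parse::<u64>().ok().map(|v| (v, len))
}

#[cfg(feature = "unstable_fast_path")]
fn digits_to_str(digits: &[u8]) -> &str {
    debug_assert!(digits.iter().all(|b| b.is_ascii_digit()));
    // SAFETY: every byte in `digits` is an ASCII digit (guaranteed by the only
    // caller, parse_uint, and re-checked by the debug_assert above), and any
    // all-ASCII byte slice is valid UTF-8, so skipping validation is sound.
    unsafe { std::str::from_utf8_unchecked(digits) }
}

#[cfg(not(feature = "unstable_fast_path"))]
fn digits_to_str(digits: &[u8]) -> &str {
    // Default path: validated conversion. The expect cannot fail for ASCII input,
    // and the cost of validating a handful of digits is negligible.
    std::str::from_utf8(digits).expect("ASCII digits are valid UTF-8")
}

fn main() {
    // Constructed sample inputs for a stand-alone run.
    for sample in [&b"123abc"[..], b"abc", b"", b"99999999999999999999"] {
        println!("{:?} -> {:?}", std::str::from_utf8(sample).unwrap_or("<bytes>"), parse_uint(sample));
    }
}
```

The point a reviewer would check is that the invariant the `unsafe` block relies on is established in the same module, stated in the comment, and cheap to re-verify; an unsafe block with no such comment, like the one quoted above, forces every reader to reconstruct the argument themselves.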



The thing is, you cannot decide which crate someone will depend on, regardless of how it is labeled.


But you can read the dependency list or even the code and decide whether to use it or not?


Not in the presence of binary dependencies.

Also the number of CVEs in FOSS projects shows that even the process of code review for patches isn't enough.


You mean, in projects written in languages that are unsafe from beginning to end rather than in small blocks?


I agree, just stating that plain code review isn't enough.

Those patches also come in small blocks.



