rust-for-linux.vger.kernel.org archive mirror
From: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
To: Daniel Almeida <daniel.almeida@collabora.com>
Cc: "Benno Lossin" <benno.lossin@proton.me>,
	"Jonathan Corbet" <corbet@lwn.net>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"Alex Gaynor" <alex.gaynor@gmail.com>,
	"Wedson Almeida Filho" <wedsonaf@gmail.com>,
	"Boqun Feng" <boqun.feng@gmail.com>,
	"Gary Guo" <gary@garyguo.net>,
	"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
	"Andreas Hindborg" <a.hindborg@samsung.com>,
	"Alice Ryhl" <aliceryhl@google.com>,
	linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org,
	rust-for-linux@vger.kernel.org,
	"Chapot Clément (M.)" <clement.chapot@polytechnique.edu>,
	"Baptiste Lepers" <baptiste.lepers@gmail.com>
Subject: Re: [RFC PATCH 1/5] doc: rust: create safety standard
Date: Fri, 19 Jul 2024 19:56:56 +0200	[thread overview]
Message-ID: <CANiq72mxh-7sSj9kTVGENWbcJtbrbzSfksYhKPOap2UrvgZ47A@mail.gmail.com> (raw)
In-Reply-To: <99DF6A0F-BAE9-4341-8B42-6C1F1C69E2C6@collabora.com>

On Fri, Jul 19, 2024 at 6:24 PM Daniel Almeida
<daniel.almeida@collabora.com> wrote:
>
> For these corner cases, a simple safety comment should suffice. By all means,
> let's strive to push as much of the unsafe bits into the kernel crate. But,
> IMHO, we shouldn’t treat Rust drivers as some unprivileged entity, they’re
> also kernel code, after all.

The intention has never been to forbid unsafe blocks, but rather to
minimize the amount of unsafe code as much as possible.

That is why mixing Rust and C in ways that make the number of unsafe
blocks increase a lot may not be the best approach. Sometimes it may
be needed nevertheless, i.e. there is no hard rule here.

Relatedly, on the topic of drivers being "unprivileged" entities:
anything we can do to make any code as "unprivileged" as possible (in
"number of unsafe blocks" or other ways) is likely a good thing, as
long as it does not detract from what actually needs to be done and is
not too onerous.

In other words, part of the idea of using Rust has always been trying
to see how much we could tighten things up while still making things
work in practice.

For instance, other ways to tighten things up would be disallowing
calls to certain APIs/subsystems/... (i.e. visibility, which we will
add), marking certain crates as `#![deny(unsafe_code)]` or other lints,
or verification of certain properties (there are researchers looking
into this).

But, yeah, I agree it will be one of the interesting discussions at
Kangrejos... :)

Cheers,
Miguel
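
An added example, not code from the thread or from the kernel tree, of
the "push the unsafe bits into the kernel crate and lint the drivers"
idea discussed above. The module names `kernel` and `driver`, the `Mmio`
type and the register layout are all hypothetical stand-ins: the single
`unsafe` block lives in `kernel` behind a type invariant and a SAFETY
comment, while `driver` is compiled under `#[deny(unsafe_code)]` (the
module-level form of the crate attribute mentioned in the message), so
any `unsafe` block a driver author adds there is a compile error rather
than a review finding.

```rust
/// Stand-in for the kernel crate: the one place where `unsafe` is allowed.
#[allow(unsafe_code)]
mod kernel {
    use std::marker::PhantomData;

    /// Bounds-checked view over a register window of `len` `u32`s.
    ///
    /// # Invariants
    ///
    /// `base` points to `len` readable, aligned `u32`s for lifetime `'a`.
    pub struct Mmio<'a> {
        base: *const u32,
        len: usize,
        _marker: PhantomData<&'a [u32]>,
    }

    impl<'a> Mmio<'a> {
        /// Safe constructor: the borrow of `regs` is what establishes the
        /// invariant, so callers need no `unsafe` to build an `Mmio`.
        pub fn from_slice(regs: &'a [u32]) -> Self {
            // INVARIANT: a slice reference guarantees `len` valid, aligned
            // `u32`s at `base` for the whole of `'a`.
            Self { base: regs.as_ptr(), len: regs.len(), _marker: PhantomData }
        }

        /// Safe read: the range check is done here, once, instead of in
        /// every driver that touches the window.
        pub fn read(&self, index: usize) -> Option<u32> {
            if index >= self.len {
                return None;
            }
            // SAFETY: `index < self.len`, and by the type invariant `base`
            // points to `len` readable, aligned `u32`s, so the pointer is
            // in bounds and the volatile read cannot fault or alias badly.
            Some(unsafe { self.base.add(index).read_volatile() })
        }
    }
}

/// Stand-in for a driver: `#[deny(unsafe_code)]` makes any `unsafe` block
/// written in this module a hard compile error, so the driver can only go
/// through the safe API exported by `kernel`.
#[deny(unsafe_code)]
mod driver {
    use super::kernel::Mmio;

    /// Hypothetical register offsets, in `u32` units.
    pub const STATUS: usize = 0;
    pub const DATA: usize = 1;

    /// Returns DATA when STATUS bit 0 ("ready") is set, otherwise `None`.
    /// An out-of-range window simply yields `None` instead of a wild read.
    pub fn poll(regs: &Mmio<'_>) -> Option<u32> {
        let status = regs.read(STATUS)?;
        if status & 1 == 0 {
            return None;
        }
        regs.read(DATA)
    }
}

fn main() {
    // Constructed sample register window, not real hardware.
    let regs = [1u32, 0xdead_beef];
    let mmio = kernel::Mmio::from_slice(&regs);
    println!("poll -> {:?}", driver::poll(&mmio));
    println!("read(5) -> {:?}", mmio.read(5));
}
```

Adding `unsafe { ... }` anywhere inside `driver` fails to compile under the
lint, which is the enforcement the message describes; the cost is that the
`kernel` side must state its invariant and justify the one `unsafe` block
it keeps, which is exactly what the safety standard in this series is for.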


Thread overview: 32+ messages
2024-07-17 22:12 [RFC PATCH 0/5] Introduce the Rust Safety Standard Benno Lossin
2024-07-17 22:12 ` [RFC PATCH 1/5] doc: rust: create safety standard Benno Lossin
2024-07-18  4:45   ` Greg KH
2024-07-24 19:13     ` Benno Lossin
2024-07-25  4:57       ` Greg KH
2024-07-18 12:20   ` Alice Ryhl
2024-07-24 19:36     ` Benno Lossin
2024-07-19 16:24   ` Daniel Almeida
2024-07-19 16:46     ` Alice Ryhl
2024-07-19 17:10     ` Danilo Krummrich
2024-07-19 18:09       ` Daniel Almeida
2024-07-19 19:20         ` Danilo Krummrich
2024-07-19 17:28     ` Miguel Ojeda
2024-07-19 18:18       ` Daniel Almeida
2024-07-19 17:56     ` Miguel Ojeda [this message]
2024-07-24 20:31     ` Benno Lossin
2024-07-24 21:20       ` Miguel Ojeda
2024-07-24 21:28         ` Benno Lossin
2024-08-08 13:01       ` Daniel Almeida
2024-08-08 13:08         ` Miguel Ojeda
2024-07-19 22:11   ` Boqun Feng
2024-07-24 22:01     ` Benno Lossin
2024-07-20  7:45   ` Dirk Behme
2024-07-17 22:12 ` [RFC PATCH 2/5] doc: rust: safety standard: add examples Benno Lossin
2024-07-19 16:28   ` Daniel Almeida
2024-07-19 16:36   ` Daniel Almeida
2024-07-25  7:47     ` Benno Lossin
2024-08-08 13:10       ` Daniel Almeida
2024-08-08 14:33         ` Benno Lossin
2024-07-17 22:12 ` [RFC PATCH 3/5] doc: rust: safety standard: add guarantees and type invariants Benno Lossin
2024-07-17 22:12 ` [RFC PATCH 4/5] doc: rust: safety standard: add safety requirements Benno Lossin
2024-07-17 22:13 ` [RFC PATCH 5/5] doc: rust: safety standard: add justifications Benno Lossin
