{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreia6lde5yhnzjirenvju3mxziycp6pfopzmqzbxngbkxzq3dqnlfra",
    "uri": "at://did:plc:ivbknywyskln22er3nkssdhl/app.bsky.feed.post/3melafxpr6tp2"
  },
  "path": "/t/conditions-for-unsafe-code-to-rely-on-correctness/23995#post_1",
  "publishedAt": "2026-02-11T10:01:23.000Z",
  "site": "https://internals.rust-lang.org",
  "tags": [
    "crates.io"
  ],
  "textContent": "**TLDR**\n\nWhat's the ecosystem convention for unsafe code relying on correctness?\n\nI see at least 3 options:\n\n  * If unsafe code relies on correctness, it must verify it.\n  * If unsafe code relies on correctness, it must verify it, unless it's correctness of the standard library. (That's what I thought was the convention.)\n  * Unsafe code can always rely on correctness. (I've heard this recently.)\n\nWhere should the convention be officially documented? Is it already?\n\n* * *\n\n**Details**\n\nFor example, let's assume `primes` is a crate published on crates.io with the following public API:\n\n    /// Returns the prime numbers fitting `u32` in order.\n    pub fn iter() -> impl Iterator<Item = u32>;\n\nLet's assume another crate `crypto` is also published on crates.io with the following unsafe code:\n\n    let first_prime = primes::iter().next().unwrap();\n    // SAFETY: The first prime number is 2 and it fits `u32`.\n    unsafe { std::hint::assert_unchecked(first_prime == 2) };\n\nFinally, let's assume `primes::iter()` is implemented as follows:\n\n    pub fn iter() -> impl Iterator<Item = u32> {\n        1..10\n    }\n\nWhich crate should get a \"soundness issue\" advisory from RUSTSEC?\n\nI thought the convention (and uncontested opinion) was that it should be `crypto` (because it relies on a correctness guarantee without checking the implementation and pinning the version), but I've recently seen knowledgeable people argue it should be `primes` (because it is incorrect and crates on crates.io should be correct). So now I'm unsure and I can't find any official or authoritative documentation in that regard.\n\nMy rationalization of the convention I thought was in place (`crypto` is unsound) is that the Rust type system only provides safety guarantees, not correctness guarantees. On the one hand, while the ecosystem should aim for publishing correct crates only, there is little hope of enforcing that at scale. On the other hand, enforcing that only sound crates (more generally \"correct for safety\" crates) are published is more realistic. Safe crates are proved sound by the type system (for free). For the minority (about 25%) of crates with unsafe code, enforcement is either passive through soundness bug reports or active through unsafe code reviews.\n\nNote that this is only about crates.io. Other cargo registries or build systems can have their own conventions.",
  "title": "Conditions for unsafe code to rely on correctness"
}