"Well I got into an interesting..."

<@thejpster:matrix.org>
> Well I got into an interesting discussion today.
>
> If the API of some library has some pre-conditions, where failure to meet the pre-conditions causes the library to Not Work (but doesn't cause UB), and those pre-conditions cannot be checked by the type system, or at run-time, but are in fact properties of a wider system that Rust cannot see, should the API be `unsafe` or not?
>
> I recall Oreste Bernardi having similar questions (where it was posed as "Should a function which can program the voltage regulator in a way that can set the machine on fire be `unsafe`", or similar).
>
> Did we ever get to a consensus on that?

Yeah, we've had these discussions before. Not sure if there's a broad consensus. Generally people don't make these things unsafe. See for example the clocking setups in embassy. They're not unsafe. Using `unsafe` everywhere is really tedious. But it might make sense in areas. For example, if you have a robot arm with a function `override_max_speed`, you could consider marking it `unsafe`.