There's been some FUD messaging by other projects against msgspec as an unsafe C project. While it's written in C, safety is a spectrum and we're definitely not careless about security issues here. It would be good to write up a docs page on our testing setup to hopefully allay safety concerns. We should cover:
- Our high test coverage (full coverage in critical sections of the parsers)
- Our fuzz testing setups
- Our use of sanitizer tooling
- Our track record. Some purportedly safe rust projects make enough incorrect use of unsafe to not actually guarantee safety, leading to a number of segfault issues over the years.
This is not to minimize the benefit a safe language like rust provides (rust is good! and C does have footguns). But all C code is not the same and this project should definitely not be treated as "definitely unsafe, don't touch". All software is tradeoffs - if you need the performance benefits msgspec provides and can tolerate a "we're trying our best using the tooling available, no CVEs so far" level of guarantee, then maybe msgspec is a tool worth considering.