ossf / Memory-Safety

Apache License 2.0

How does unsafe code fit in? #28

Closed richlander closed 3 months ago

richlander commented 5 months ago

I was re-reading this doc: https://github.com/ossf/Memory-Safety/blob/main/docs/memory-safety-continuum.md

I find it difficult to fit unsafe code into that continuum. On first read "memory safe by default" seems to be getting at unsafe code. I can accept that.

Using a memory safe by default language with developer best practices and automated tooling to check for memory safety in first party code AND automated tooling to check for memory safety in third party code (dependencies)

This is where things get unclear for me. I read this fine article: https://foundation.rust-lang.org/news/unsafe-rust-in-the-wild-notes-on-the-current-state-of-unsafe-rust/. If I'm to apply this prescription, I assume I should run Miri on all crates that use unsafe code. Is that the intent?

Two nits:
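As an added illustration of the "automated tooling to check for memory safety in first party code" half of that sentence (example code written for this page, not from the ossf/Memory-Safety repository or the linked Rust Foundation article): the shape of an encapsulated `unsafe` block that a Miri run exercises. The caller-facing wrapper enforces the invariant the raw-pointer loop relies on, the `// SAFETY:` comment records it, and `cargo +nightly miri test` runs the tests under Miri's interpreter, which would report an out-of-bounds read if that invariant were ever violated. The names `sum_prefix` and `running_under_miri` and the sample input are this example's own.

```rust
/// Sum the first `n` elements of `data` through a raw pointer.
///
/// The `unsafe` block below is sound only because this wrapper rejects
/// `n > data.len()` before any pointer arithmetic happens. That check is the
/// kind of invariant Miri verifies dynamically: remove it, call with an
/// oversized `n`, and `cargo +nightly miri test` reports the out-of-bounds read
/// instead of silently reading adjacent memory.
pub fn sum_prefix(data: &[u32], n: usize) -> Option<u64> {
    if n > data.len() {
        return None; // reject before touching raw pointers
    }
    let ptr = data.as_ptr();
    let mut total: u64 = 0;
    for i in 0..n {
        // SAFETY: `i < n <= data.len()`, so `ptr.add(i)` stays inside the slice
        // and points at an initialised u32 that lives as long as `data`.
        total += u64::from(unsafe { *ptr.add(i) });
    }
    Some(total)
}

/// Report whether this binary is executing under Miri. `cargo miri` sets the
/// `miri` cfg, so a test harness can print which checker produced a result.
pub fn running_under_miri() -> bool {
    cfg!(miri)
}

fn main() {
    let sample = [1u32, 2, 3, 4, 5]; // constructed input for the demo
    println!("sum of first 3 = {:?}", sum_prefix(&sample, 3));
    println!("oversized request = {:?}", sum_prefix(&sample, 9));
    println!("under miri: {}", running_under_miri());
}
```

Run it normally with `cargo test` for a plain execution, and with `cargo +nightly miri test` to have the same tests interpreted under Miri; the point of the pattern is that every `unsafe` block in first-party code sits behind a safe boundary whose checks Miri can exercise through ordinary tests.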

balteravishay commented 4 months ago

Discussed this issue in the SIG meeting on July 11th.

Nit 1: phrase better the addition of the second part of the sentence (use comma or other grammar instead of AND)

Nit 2: Agree that the terms first party and third party may be confusing, the goal was to distinguish between "own code" and code of dependencies as most OSS projects have no distinction between org-level dependencies and others.