Report unsoundness for ruint

[shinmao]

The safe API provided in the crate can trigger out-of-bounds, which is undefined behavior.

[djc]

@recmo @prestwich @gakonst are you okay with having an advisory published for this?

[prestwich]

reciprocal_mg10 is explicitly not considered part of the stable API of the crate, so it seems a bit unnecessary. Is there an existing policy for this?

[djc]

reciprocal_mg10 is explicitly not considered part of the stable API of the crate, so it seems a bit unnecessary. Is there an existing policy for this?

I can see the warning. Without having used this crate before, I don't consider it a very strong case against an advisory, because:

• I would interpret it not being "part of the stable API" to mean that there could be semver-incompatible changes in otherwise semver-compatible version bumps (that is, with the emphasis on stable), rather than a warning that the function is unsound (in the sense of requiring the caller to uphold particular invariants that are not enforced by the API).
• The warning gives no indication why/what part of the function makes it dangerous or unstable.

If there are additional invariants to uphold, the function should ideally just be marked unsafe. Alternatively, I think you'd have a stronger case if it were marked as #[doc(hidden)] or otherwise explicitly documented the potential issues from using it.

[prestwich]

sounds good. I have no issue with an advisory being published, thanks

[djc]

sounds good. I have no issue with an advisory being published, thanks

Do you think a fix/mitigation will be published soon? If so, we'd like to wait for that.

[prestwich]

I consider this very low risk, and I'd like to review the code for other instances before publishing a patch. I don't think this is a high priority, so I'm unlikely to publish a new version in the next few days