0.2.2 (current) Thoroughness: Medium Understanding: Medium
by yvt on 2021-09-18
These reviews are from Crev, a distributed system for code reviews. To add your review, set up cargo-crev.
0.2.2 (current) Thoroughness: Medium Understanding: Medium
by vorner on 2019-11-22
The whole idea of the crate -- having a variable unitialized for a while, then return something back later on seems a bit unnatural for the whole Rust type system. This can be seen by the fact that certain cornercases are handled by not merely panicking, but outright aborting the whole process.
I didn't manage to find a way to break safety guarantees using the crate and I tried to find a loophole quite hard. But considering how questionable things it does, I'd really like to see some kind of proof or semi-formal argument saying why it is safe. Such thing is not included in the source code, unfortunately.
The repository doesn't seem to have a recent activity and the last release is 2 years ago, but it's hard to say if it's abandoned or simply considered finished.
I've also found a resource leak (that is somewhat unlikely to get triggered in real-world usage).
Therefore, I'd be somewhat wary using this myself and would need a good reason to reach for this crate -- certainly not just for convenience.
-
Issue: Medium (github.com/Sgeo/take_mut/pull/10)
These reviews are from cargo-vet. To add your review, set up cargo-vet and submit your URL to its registry.
0.2.2 (current)
From google/supply-chain copy of fuchsia. By David Koloski.
Reviewed on https://fxrev.dev/883543
0.2.2 (current)
From kornelski/crev-proofs copy of git.savannah.gnu.org.
Packaged for Guix (crates-io)
cargo-vet does not verify reviewers' identity. You have to fully trust the source the audits are from.
- safe-to-deploy (implies safe-to-run)
-
This crate will not introduce a serious security vulnerability to production software exposed to untrusted input. More…
- safe-to-run
Implied by other criteria
This crate can be compiled, run, and tested on a local workstation or in controlled automation without surprising consequences. More…
- ub-risk-2 (implies ub-risk-3)
-
Negligible unsoundness or average soundness.
Full description of the audit criteria can be found at https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-2
- ub-risk-3 (implies ub-risk-4)
Implied by other criteria
Mild unsoundness or suboptimal soundness.
Full description of the audit criteria can be found at https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-3
- ub-risk-4
Implied by other criteria
Extreme unsoundness.
Full description of the audit criteria can be found at https://github.com/google/rust-crate-audits/blob/main/auditing_standards.md#ub-risk-4
- unknown
-
May have been packaged automatically without a review
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.
To review the actual code of the crate, it's best to use cargo crev open take_mut. Alternatively, you can download the tarball of take_mut v0.2.2 or view the source online.
While the idea of making a variable temporarily uninitialized may sound scary, this crate takes necessary precaution to make this sound.
Unfortunately, this crate has a resource leak issue that has been left open for two years, hence the negative rating.
This crate looks unmaintained as the last commit is from 2018.
Issue: Medium (github.com/Sgeo/take_mut/pull/10)
Recovery closure leakage