Clarify when safety may rely on correctness

[ia0]

This is a follow-up of #294 which in my opinion did not completely address the confusion.

The "Safe Rust client" terminology comes from the Reference. I'm using "dependencies" (think upstream code) as the opposite concept of "clients" (think downstream code). I'm happy to follow any suggestions to improve those terms.

[JohnTitor]

Maybe it'd be better to describe what cannot be trusted a bit more specific.

Suggested change

	On the other hand, Unsafe Rust cannot trust Safe Rust without care. It can
	trust Safe Rust dependencies but cannot trust Safe Rust clients.
	On the other hand, Unsafe Rust cannot trust Safe Rust without care. It can
	trust specific Safe Rust implementations, but not arbitrary Safe Rust chosen
	or supplied by clients.

[ia0]

What do you mean by "implementation"? My understanding is that it means a specific version of the code that implements an API. If that's true then Unsafe Rust can trust arbitrary implementations of the crates it depends on, it doesn't need to be a specific implementation.

If we want to be more specific, this could look like:

• Unsafe Rust can trust Safe Rust within its own crate (because the implementation is known and thus can be verified to be correct) and the crates of its dependencies (because, while unknown, the implementation is trusted to be correct).
• Unsafe Rust cannot trust Safe Rust within the crates of its reverse-dependencies (because the implementation is unknown and not trusted to be correct).

Not sure how to formulate this elegantly.

[JohnTitor]

How about this wording? I'd avoid using two words, dependency and crate in the same paragraph.

Suggested change

	This difference also holds for arbitrary implementations of one very specific
	dependency. Unsafe Rust in crate `foo` (which depends on crate `bar`) may rely on
	Safe Rust in crate `bar` to be written correctly, regardless of the actual
	implementation.
	The same can be true across crate boundaries. Unsafe Rust in crate `foo` may
	trust a specific Safe Rust implementation in crate `bar` when that is a
	bounded piece of code that can be reviewed.

[ia0]

The wording is much better, but the "specific implementation" issue from the other comment is still present. So I'll wait until we clarify that to update this part. Maybe "implementation" is more a general concept than I think.

[ia0]

Thanks for the review! Before applying the suggestions, I have one clarification question in one of the comment.

[ia0]

What do you mean by "implementation"? My understanding is that it means a specific version of the code that implements an API. If that's true then Unsafe Rust can trust arbitrary implementations of the crates it depends on, it doesn't need to be a specific implementation.

If we want to be more specific, this could look like:

• Unsafe Rust can trust Safe Rust within its own crate (because the implementation is known and thus can be verified to be correct) and the crates of its dependencies (because, while unknown, the implementation is trusted to be correct).
• Unsafe Rust cannot trust Safe Rust within the crates of its reverse-dependencies (because the implementation is unknown and not trusted to be correct).

Not sure how to formulate this elegantly.

[ia0]

The wording is much better, but the "specific implementation" issue from the other comment is still present. So I'll wait until we clarify that to update this part. Maybe "implementation" is more a general concept than I think.