Add a brief safety explanation up top

commit: ccd3975f4086fc6dbc87e0b1c53b15122dd48c2d [log] [tgz]
author: David Tolnay <dtolnay@gmail.com> Wed Jan 08 09:33:51 2020 -0800
committer: David Tolnay <dtolnay@gmail.com> Wed Jan 08 09:35:04 2020 -0800
tree: 5fb57cb414c86dffc6b26cf18ebeba06408d0188
parent: e43b737f2c1591fa03bbf126b4019645e0e13ac7 [diff] [blame]
diff --git a/README.md b/README.md
index a978e96..cdd2e51 100644
--- a/README.md
+++ b/README.md

@@ -9,6 +9,12 @@
 Rust code from C++, not subject to the many ways that things can go wrong when
 using bindgen or cbindgen to generate unsafe C-style bindings.
 
+This doesn't change the fact that 100% of C++ code is unsafe. When auditing a
+project, you would be on the hook for auditing all the unsafe Rust code and
+*all* the C++ code. The core safety claim under this new model is that auditing
+just the C++ side would be sufficient to catch all problems, i.e. the Rust side
+can be 100% safe.
+
 ```toml
 [dependencies]
 cxx = "0.1"
commit	ccd3975f4086fc6dbc87e0b1c53b15122dd48c2d	[log] [tgz]
author	David Tolnay <dtolnay@gmail.com>	Wed Jan 08 09:33:51 2020 -0800
committer	David Tolnay <dtolnay@gmail.com>	Wed Jan 08 09:35:04 2020 -0800
tree	5fb57cb414c86dffc6b26cf18ebeba06408d0188
parent	e43b737f2c1591fa03bbf126b4019645e0e13ac7 [diff] [blame]