Add a brief safety explanation up top

commit: ccd3975f4086fc6dbc87e0b1c53b15122dd48c2d [log] [tgz]
author: David Tolnay <dtolnay@gmail.com> Wed Jan 08 09:33:51 2020 -0800
committer: David Tolnay <dtolnay@gmail.com> Wed Jan 08 09:35:04 2020 -0800
tree: 5fb57cb414c86dffc6b26cf18ebeba06408d0188
parent: e43b737f2c1591fa03bbf126b4019645e0e13ac7 [diff] [blame]
diff --git a/src/lib.rs b/src/lib.rs
index 5c018c2..50bf516 100644
--- a/src/lib.rs
+++ b/src/lib.rs

@@ -2,6 +2,12 @@
 //! and Rust code from C++, not subject to the many ways that things can go
 //! wrong when using bindgen or cbindgen to generate unsafe C-style bindings.
 //!
+//! This doesn't change the fact that 100% of C++ code is unsafe. When auditing
+//! a project, you would be on the hook for auditing all the unsafe Rust code
+//! and *all* the C++ code. The core safety claim under this new model is that
+//! auditing just the C++ side would be sufficient to catch all problems, i.e.
+//! the Rust side can be 100% safe.
+//!
 //! <br>
 //!
 //! *Compiler support: requires rustc 1.42+ (beta on January 30, stable on March
commit	ccd3975f4086fc6dbc87e0b1c53b15122dd48c2d	[log] [tgz]
author	David Tolnay <dtolnay@gmail.com>	Wed Jan 08 09:33:51 2020 -0800
committer	David Tolnay <dtolnay@gmail.com>	Wed Jan 08 09:35:04 2020 -0800
tree	5fb57cb414c86dffc6b26cf18ebeba06408d0188
parent	e43b737f2c1591fa03bbf126b4019645e0e13ac7 [diff] [blame]