FAQ entry on `unsafe` is problematic

[skade]

The current entry on "does riker use unsafe code?" states:

Riker does not use unsafe for any memory management. We believe it's better to work with the Borrow Checker and compiler than against them.

unsafe is only used to explicitly mark a few types as Send or Sync to assist the compiler. Both of these have empty implementations, i.e. no actual unsafe code:

unsafe impl<T: Message> Send for Envelope<T> {}

This is slightly skirting around an issue: Incorrect Send and Sync implementations can trigger memory issues and undefined behaviour. unsafe trait implementations are as thorny (and sometimes even more dangerous, because they look so innocuous) as a line of unsafe code.

So, this is actual unsafe code (because it will be composed with other safe code that will assume those operations to be safe) and the statements are promises to the compiler. It also affects memory management, particularly, Sync types will be assumed to be safe to access from multiple components.

I think there's a stronger point to make: riker does use unsafe minimally for statements that the compiler can't make and only on its core competencies (providing safe concurrency primitives). It avoids unsafe for other cases and finds safe and fast abstractions instead.