Hi Benno, > > I will try to rephrase this, tell me if it helps. When checking if an > API is sound, you are not allowed to change the code behind the API. > That is because `unsafe` code often relies on the surrounding safe code > to work properly. In the example above, safe code ensures that the raw > pointer `ptr` is valid. This is OK (and also very necessary), since we > expect people to be *aware* of the `unsafe` block and thus more > carefully review the changes in surrounding safe code. If you have safe > code that only interfaces with other safe code you don't need to be this > careful. > > Note that this heavily depends on where you put the API boundary. In our > case, we generally have this boundary: driver code <-> `kernel` crate. > But if your driver requires very specific helper code that does not fit > into the `kernel` crate, then you might also have an API boundary there. > > If it doesn't help, then it would great to get some more detailed > questions which part(s) you need help with. > > --- > Cheers, > Benno > > Yes, I think this is more clear, but note that this explanation is more thorough than the actual example. My point being, maybe you should take some of what you just wrote and put it into the actual docs. — Daniel