by eximius 2779 days ago
The purported benefit would be to wrap all of the unsafe bits in safe wrappers and then have a less bug prone, more secure OS, I suppose.

This would be, to put it mildly, quite difficult. Even then, unsafe code is sometimes not written correctly, which brings the whole thing down.

I, personally, still think it's worth it. I think efforts like Redox OS can teach us a lot about what we're doing and offer a chance to collapse some of the layers of cruft existing OSes have accumulated.

1 comment

Having only a small part of the code with unsafe means you only have to check a small % of the code for UB/security holes and not the whole code base like in C.

It just limits the places where shit can happen and which need to be closely reviewed, which alone is a big help.

It should be noted that correctness bugs can occur in safe code if a Rust guarantee was violated in an unsafe block. This might seem obvious, but it does mean that when you hit one of these bugs you might start with debugging safe code, and thus it's not as clean a separation as some Rust evangelists might imply.
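An added illustration of the point in these two comments (example code written for this thread, not from Redox or any project discussed): a type with a single unsafe block, the invariant that block relies on, and a debug-build check at the safe/unsafe boundary so a violated invariant shows up there rather than as garbage in safe code that reads through it. The `ByteBuf` type and `checksum` function are hypothetical.

```rust
/// A fixed-capacity byte buffer. Invariant: every index in 0..len has been
/// written, and len never exceeds the allocation.
pub struct ByteBuf {
    data: Box<[u8]>,
    len: usize,
}

impl ByteBuf {
    pub fn with_capacity(cap: usize) -> Self {
        ByteBuf { data: vec![0u8; cap].into_boxed_slice(), len: 0 }
    }

    /// Safe code upholds the invariant: a push past capacity is refused.
    pub fn push(&mut self, b: u8) -> Result<(), u8> {
        if self.len == self.data.len() {
            return Err(b);
        }
        self.data[self.len] = b;
        self.len += 1;
        Ok(())
    }

    /// The only unsafe block in the type. A reviewer has to audit this block
    /// and the code that mutates `len`, not every caller of `get`.
    pub fn get(&self, idx: usize) -> Option<u8> {
        if idx >= self.len {
            return None;
        }
        // Writing `>` instead of `>=` above is the one-character mistake the
        // thread describes: the read past `len` would not fail here but would
        // surface as a wrong value inside safe code such as `checksum`.
        // Checking the invariant at the boundary makes that failure local.
        debug_assert!(self.len <= self.data.len(), "len exceeds allocation");
        // SAFETY: idx < len <= data.len(), established by the checks above.
        Some(unsafe { *self.data.get_unchecked(idx) })
    }

    pub fn len(&self) -> usize {
        self.len
    }
}

/// Purely safe code that trusts `get`; this is where a violated invariant
/// would otherwise be noticed first.
pub fn checksum(buf: &ByteBuf) -> u32 {
    (0..buf.len()).map(|i| u32::from(buf.get(i).unwrap())).sum()
}
```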