2 files changed, 17 insertions, 0 deletions
diff --git a/docs/dev/README.md b/docs/dev/README.md
index b91013f13..57162a47d 100644
--- a/docs/dev/README.md
+++ b/docs/dev/README.md
@@ -226,6 +226,9 @@ If the GitHub Actions release fails because of a transient problem like a timeou
 If it fails because of something that needs to be fixed, remove the release tag (if needed), fix the problem, then start over.
 Make sure to remove the new changelog post created when running `cargo xtask release` a second time.
+We release "nightly" every night automatically and promote the latest nightly to "stable" manually, every week.
+We don't do "patch" releases, unless something truly egregious comes up.
 # Permissions
 There are three sets of people with extra permissions:
diff --git a/docs/user/manual.adoc b/docs/user/manual.adoc
index dba2197de..8656dd1da 100644
--- a/docs/user/manual.adoc
+++ b/docs/user/manual.adoc
@@ -516,6 +516,20 @@ See https://github.com/rust-analyzer/rust-project.json-example for a small examp
 You can set `RA_LOG` environmental variable to `rust_analyzer=info` to inspect how rust-analyzer handles config and project loading.
+== Security
+At the moment, rust-analyzer assumes that all code is trusted.
+Here is a **non-exhaustive** list of ways to make rust-analyzer execute arbitrary code:
+* proc macros and build scripts are executed by default
+* `.cargo/config` can override `rustc` with an arbitrary executable
+* VS Code plugin reads configuration from project directory, and that can be used to override paths to various executables, like `rustfmt` or `rust-analyzer` itself.
+* rust-analyzer's syntax trees library uses a lot of `unsafe` and hasn't been properly audited for memory safety.
+rust-analyzer itself doesn't access the network.
+The VS Code plugin doesn't access the network unless the nightly channel is selected in the settings.
+In that case, the plugin uses the GitHub API to check for and download updates.
 == Features
 include::./generated_features.adoc[]

diff --git a/docs/dev/README.md b/docs/dev/README.md index b91013f13..57162a47d 100644 --- a/docs/dev/README.md +++ b/docs/dev/README.md
@@ -226,6 +226,9 @@ If the GitHub Actions release fails because of a transient problem like a timeou
226	If it fails because of something that needs to be fixed, remove the release tag (if needed), fix the problem, then start over.	226	If it fails because of something that needs to be fixed, remove the release tag (if needed), fix the problem, then start over.
227	Make sure to remove the new changelog post created when running `cargo xtask release` a second time.	227	Make sure to remove the new changelog post created when running `cargo xtask release` a second time.
228		228
		229	We release "nightly" every night automatically and promote the latest nightly to "stable" manually, every week.
		230	We don't do "patch" releases, unless something truly egregious comes up.
		231
229	# Permissions	232	# Permissions
230		233
231	There are three sets of people with extra permissions:	234	There are three sets of people with extra permissions:


diff --git a/docs/user/manual.adoc b/docs/user/manual.adoc index dba2197de..8656dd1da 100644 --- a/docs/user/manual.adoc +++ b/docs/user/manual.adoc
@@ -516,6 +516,20 @@ See https://github.com/rust-analyzer/rust-project.json-example for a small examp
516		516
517	You can set `RA_LOG` environmental variable to `rust_analyzer=info` to inspect how rust-analyzer handles config and project loading.	517	You can set `RA_LOG` environmental variable to `rust_analyzer=info` to inspect how rust-analyzer handles config and project loading.
518		518
		519	== Security
		520
		521	At the moment, rust-analyzer assumes that all code is trusted.
		522	Here is a non-exhaustive list of ways to make rust-analyzer execute arbitrary code:
		523
		524	* proc macros and build scripts are executed by default
		525	* `.cargo/config` can override `rustc` with an arbitrary executable
		526	* VS Code plugin reads configuration from project directory, and that can be used to override paths to various executables, like `rustfmt` or `rust-analyzer` itself.
		527	* rust-analyzer's syntax trees library uses a lot of `unsafe` and hasn't been properly audited for memory safety.
		528
		529	rust-analyzer itself doesn't access the network.
		530	The VS Code plugin doesn't access the network unless the nightly channel is selected in the settings.
		531	In that case, the plugin uses the GitHub API to check for and download updates.
		532
519	== Features	533	== Features
520		534
521	include::./generated_features.adoc[]	535	include::./generated_features.adoc[]