As we were discussing in #haskell, it would have to be more involved than just a taint bit. A listing showing the "taint sources" of a given package would give you confidence in its good behavior.<div><br></div><div>
For example, if my nice, pure package's taint list showed that my only taint sources were through my dependencies on base and bytestring, people could trust my program not to launch missiles behind their backs. This would essentially involve traversing transitive dependencies and looking for any module that imports one of the unsafe modules and uses any function from them (including GHC.Prim). This seems like it could be done fairly efficiently, if you just try to do it on the module or package level. At the function level, it would be a lot more computationally intensive, but would be more or less the same idea.</div>
<div><br></div><div>I like the idea, but I don't think any formal proof of unsafeness is feasible. We already can't prove arbitrary properties about even our pure code, and proving stuff about impure code would require modeling the outside world and proving your code safe under that model. Anyone reading the proof would have to accept your model of the outside world as well as verifying your proof.</div>
<div><br></div><div>But maybe one day we'll have way more than just "Stability: experimental; Version: 0.0.1" on hackage, but instead:</div><div><br></div><div>Stability: experimental</div><div>Version: 0.0.1</div>
<div>Test coverage: 98%</div><div>User stability rating: 86%</div><div>User API quality rating: 56%</div><div>Local sources of impurity: none</div><div>Transitive sources of impurity: bytestring, base</div><div>Used by: 37 packages [click to see them]</div>
<div><br></div><div>But that's just a dream, and the impurity measures seem like a decent goal in the mean time :) <br><br></div><div>Dan</div><div><br><div class="gmail_quote">On Thu, Sep 16, 2010 at 8:21 AM, Ivan Lazar Miljenovic <span dir="ltr"><<a href="mailto:ivan.miljenovic@gmail.com">ivan.miljenovic@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div><div></div><div class="h5">On 16 September 2010 16:04, Mitar <<a href="mailto:mmitar@gmail.com">mmitar@gmail.com</a>> wrote:<br>
> Hi!<br>
><br>
> I just got an idea for hackage feature. All functions/modules listed<br>
> there could have some mark if they or any function/module they use<br>
> uses an unsafe* function. Of course this will make probably almost<br>
> everything marked as unsafe, but this is the idea - to raise awareness<br>
> about that so that you can prefer some function/implementation over<br>
> another.<br>
><br>
> Of course marking/tagging everything as unsafe is not really useful.<br>
> Because of this I propose that then community votes/vouches on<br>
> correctness/stability of implementations and this would then influence<br>
> the how unsafe given function really is (or is according to community,<br>
> if we are more precise). Of course it would be even better that every<br>
> function using unsafe would have also a formal proof but as we cannot<br>
> believe that we will prove everything in a feasible feature we could<br>
> maybe opt for such "crowd intelligence" approach. We cannot have a<br>
> Turing machine, but maybe we can have crowd. ;-)<br>
><br>
> (Of course low number of found bugs and good unit test code coverage<br>
> can then positively influence crowd, so authors would be motivated to<br>
> assure that.)<br>
><br>
> Comments? Opinions?<br>
><br>
> Because I really hate that I try to keep my code pure and separate IO<br>
> from everything else and then somewhere deep in there some unsafe*<br>
> lurks. (Ah, yes, a side effect of this tagging/marks would be also<br>
> that you would be able to see where all those unsafe* calls are for a<br>
> given function, so you would be able to fast jump (with link) to a<br>
> given line in code and evaluate circumstances in which that unsafe*<br>
> call is made. And then vote/vouch once you discover that it is<br>
> probably pretty safe.)<br>
<br>
</div></div>The problem with this is: unsafe* functions would be better called<br>
"yesIGuaranteeThatUsingThisFunctionDoesResultInAReferentiallyTransparentEntityAndItsOKForMeToUseIt*".<br>
They are "unsafe" in that you shouldn't use them blindly.<br>
<br>
Seeing as how lazy IO relies on various unsafe* functions, as do<br>
bytestrings, this means that any program that uses them is<br>
subsequently "tainted".<br>
<br>
A much better idea would be to have some kind of compilation warning<br>
unless you can prove that you're using the unsafe* function in a safe<br>
fashion, but such a proof is unlikely to be easily proven in a<br>
rigorous fashion nor mechanically checkable (and would delay<br>
compilation times).<br>
<font color="#888888"><br>
--<br>
Ivan Lazar Miljenovic<br>
<a href="mailto:Ivan.Miljenovic@gmail.com">Ivan.Miljenovic@gmail.com</a><br>
<a href="http://IvanMiljenovic.wordpress.com" target="_blank">IvanMiljenovic.wordpress.com</a><br>
</font><div><div></div><div class="h5">_______________________________________________<br>
Haskell-Cafe mailing list<br>
<a href="mailto:Haskell-Cafe@haskell.org">Haskell-Cafe@haskell.org</a><br>
<a href="http://www.haskell.org/mailman/listinfo/haskell-cafe" target="_blank">http://www.haskell.org/mailman/listinfo/haskell-cafe</a><br>
</div></div></blockquote></div><br></div>