<div class="gmail_quote">Hi Simon,</div><div class="gmail_quote"><br></div><div class="gmail_quote">On Thu, Jul 12, 2012 at 10:43 PM, Simon Marlow <span dir="ltr"><<a href="mailto:marlowsd@gmail.com" target="_blank">marlowsd@gmail.com</a>></span> wrote:<br>
<div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Safe Haskell isn't about catching bugs. It's about making it possible to program with stronger guarantees than we currently have. </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
...</blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> </blockquote><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Normally when you use an unsafe feature, the purpose is to use it to implement a safe API - if that's the case, all you have to do is add Trustworthy to your language pragma, and the API is available to use from Safe code.<br>
</blockquote></div><br clear="all"><div>The issue I think Johan is complaining about is that this is a very weak sauce. If some muppet can upload a package on Hackage that dereferences nullPtr and just slap a "{-# LANGUAGE Trustworthy #-}" on the top, then we're back exactly where we were before: library users must trust library maintainers and/or carefully security audit the code they rely on. If you're asking library authors to do a lot of work to rearchitect their module namespaces, and increasing their maintenance overhead for the 6-12 months a deprecation cycle would take, I think you have to have a compelling story to offer about how life will be better in the end.</div>
<div><br></div><div>Now, if functions could be cryptographically *signed*, meaning that "user X asserts that he's audited this code and it's actually safe", then you could start building the web of trust necessary for this feature to be useful. (Of course, the code would have to be re-signed every time code it depends on changed..... I don't actually think this would work!).</div>
<div><br></div><div>As it stands, one miscreant can cause a lot of damage, especially when you consider that right now anyone can upload any version of any package to Hackage --- Safe Haskell or not. </div><div><br></div>
<div>G</div>-- <br>Gregory Collins <<a href="mailto:greg@gregorycollins.net" target="_blank">greg@gregorycollins.net</a>><br>
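<div>Added illustration (not code from Simon or Gregory, and not from any Hackage package): a Trustworthy module wrapping an Unsafe primitive, the Safe client that relies on it, and the GHC package-trust flags that turn "trust the maintainer" into an explicit, reviewable build decision. The package name wrapper-lib and both module names are constructed for this example.</div>

```haskell
-- File: Wrapper.hs  (hypothetical package "wrapper-lib", constructed for this example)
{-# LANGUAGE Trustworthy #-}
-- Trustworthy is an assertion by the module author. GHC verifies nothing
-- about this module's use of unsafe features; that is the gap the thread describes.
module Wrapper (lookupWord) where

import Foreign.Ptr (Ptr, nullPtr)
import Foreign.Storable (peek)
import System.IO.Unsafe (unsafePerformIO)  -- Unsafe module: a {-# LANGUAGE Safe #-} module cannot import it

-- A genuinely safe API over an unsafe primitive: the null pointer is rejected
-- before peek ever runs. Dropping this guard would not change the pragma,
-- and the compiler would accept the module just the same.
lookupWord :: Ptr Int -> Maybe Int
lookupWord p
  | p == nullPtr = Nothing
  | otherwise    = Just (unsafePerformIO (peek p))

-- File: Client.hs  (Safe code that consumes the library)
{-# LANGUAGE Safe #-}
module Client (safeLookup) where

import Foreign.Ptr (Ptr)
import Wrapper (lookupWord)

-- Safe code can call lookupWord only because Wrapper is marked Trustworthy;
-- importing System.IO.Unsafe here directly would be a compile error.
safeLookup :: Ptr Int -> Int
safeLookup p = maybe 0 id (lookupWord p)

-- Build commands, assuming wrapper-lib has been installed as a package
-- (shown as comments so this file stays valid Haskell):
--   ghc Client.hs
--       accepts the Trustworthy claim unconditionally
--   ghc -fpackage-trust Client.hs
--       rejects the import: Wrapper is Trustworthy, but wrapper-lib is not a trusted package
--   ghc -fpackage-trust -trust wrapper-lib Client.hs
--       compiles; trusting wrapper-lib is now an explicit flag that a reviewer can see
--   ghc-pkg trust wrapper-lib
--       records the same decision in the package database instead of on the command line
```

<div>The -fpackage-trust mode is the check a practitioner would want here: a Trustworthy pragma on its own buys nothing until the consuming build opts in to that package. It does not remove the problem Gregory raises, it only relocates it to "which packages do I trust", which is at least a question that can be answered per package and recorded in version control.</div>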