No subject


Tue Jul 10 21:58:59 BST 2012


"A module that is declared to be Trustworthy is claimed by the
author to expose a safe interface, even though its implementation
might make use of unsafe features."


Putting a Trustworthy on the top of a module means that "I, the module
author, assert that any uses of unsafePerformIO and friends in this module
are safe and using the functions herein will not violate safety." You can't
just slap a Trustworthy on everything and go home, every module in the
platform needs to be audited.

If a module does export a legitimately unsafe function (like the ones we've
already identified), then the unsafe bits will need to be moved into a new
module so that the package can export modules that *can* be either
safe-inferred or marked trustworthy. This is all I'm saying.

Happily, from what I can see, the only legitimately unsafe module in the
platform outside of the core libs (which I understand someone -- Simon? --
has already audited) is Data.Text.Array, so this is indeed probably just
hullabaloo about nothing on my part. Still: I just did a quick grep,
someone (or several someones) has to do a careful audit.

> I really don't get what all the noise is about. We're talking
> about a single language pragma at the top of each module.
>

Again: no, we aren't :). It's likely that in almost every case putting the
pragma in will be the end result, but: the work is in the audit! We can't
just gloss over that.


> > regex-posix has lots of "unsafePerformIO"
>
> Re-exported to the user? I doubt it. There is
> no problem with unsafePerformIO if it is
> used internally and the author believes that
> the usage is safe.
>

Right. Those need Trustworthy pragmas.


> > network looks like it needs some work
>
> All exposed pointer-poking functions are in
> IO. So after Simon's comment, it looks like
> we can mark everything Trustworthy without
> change, even Internal. Correct me if I'm
> wrong.
>

There are several unsafePerformIOs in there also. The use is also almost
certainly fine, but again, a human needs to audit before the pragma can be
applied.

G
-- 
Gregory Collins <greg at gregorycollins.net>

Re-adding haskell-platform@, which I assume you left off by accident?

On Tue, Jul 17, 2012 at 7:05 PM, Yitzchak Gale <gale at sefer.org> wrote:
> Gregory Collins wrote:
> > This slightly underestimates the amount of work required. Each package's api
> > must be carefully audited for unsafe functions, you can't just slap a
> > "trustworthy" on everything and call it a day. If any legitimately unsafe
> > functions are found, the APIs need to be separated out into safe and unsafe
> > modules, and the old modules must go through a deprecation cycle.
>
> No, it's really simple. Did you read Simon's paper,
> and his emails in this and related threads?
>
> I emphasize that I am *not* advocating requiring
> platform packages to have best possible support
> for Safe Haskell. That can come later after we
> get more experience and see how it is used
> in practice, as Mark says. That will take time.
>
> I am only advocating *recommending* that
> packages provide at least *minimal* support -
> namely, a simple Trustworthy pragma, which
> is almost always possible. That is in order to
> help bootstrap the process, to make adoption of
> Safe Haskell possible. Then we'll see if it
> really happens. (After reading Simon's paper,
> I believe there is a good chance it will if
> we do this.)
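As an added illustration of the split described in the message above (hypothetical example code, not from this thread or from any platform package; Foo, Foo.Unsafe, fact, bumpCounter and readCounter are made-up names): a module whose internal unsafePerformIO use has been audited gets a Trustworthy pragma, the genuinely unsafe function is moved into its own module, and a client compiled as Safe can then import only the former.

```haskell
-- Foo/Unsafe.hs: the legitimately unsafe bits, moved out on their own.
-- readCounter has a pure type but returns different values over time, so
-- nobody can honestly claim a safe interface here; mark it Unsafe.
{-# LANGUAGE Unsafe #-}
module Foo.Unsafe (bumpCounter, readCounter) where
import Data.IORef (IORef, newIORef, readIORef, modifyIORef')
import System.IO.Unsafe (unsafePerformIO)

counter :: IORef Int
counter = unsafePerformIO (newIORef 0)
{-# NOINLINE counter #-}

bumpCounter :: IO ()
bumpCounter = modifyIORef' counter (+ 1)

readCounter :: () -> Int           -- violates referential transparency
readCounter () = unsafePerformIO (readIORef counter)

-- Foo.hs: uses unsafePerformIO internally (a memo table) but exports only a
-- referentially transparent function. It cannot be Safe-inferred because it
-- imports System.IO.Unsafe, so the author asserts Trustworthy after auditing.
{-# LANGUAGE Trustworthy #-}
module Foo (fact) where
import Data.IORef (IORef, newIORef, readIORef, modifyIORef')
import qualified Data.Map.Strict as M
import System.IO.Unsafe (unsafePerformIO)

memo :: IORef (M.Map Int Integer)
memo = unsafePerformIO (newIORef M.empty)
{-# NOINLINE memo #-}              -- required, or GHC may duplicate the table

fact :: Int -> Integer             -- same input, same output, every time
fact n = unsafePerformIO $ do
  m <- readIORef memo
  case M.lookup n m of
    Just v  -> return v
    Nothing -> do
      let v = product [1 .. toInteger n]
      modifyIORef' memo (M.insert n v)
      return v

-- Main.hs: client compiled under Safe. Importing Foo is accepted (with
-- -fpackage-trust the containing package must also be trusted via -trust);
-- importing Foo.Unsafe is a compile error, which is the point of the split.
{-# LANGUAGE Safe #-}
module Main (main) where
import Foo (fact)
-- import Foo.Unsafe (readCounter)   -- rejected: Foo.Unsafe is Unsafe

main :: IO ()
main = print (fact 20)
```

Uncommenting the Foo.Unsafe import makes GHC refuse to compile Main, which is exactly the guarantee the audit plus pragma is meant to buy.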



More information about the Haskell-platform mailing list