Changes between Version 24 and Version 25 of SafeHaskell


Ignore:
Timestamp:
Jan 18, 2011 12:23:38 PM (3 years ago)
Author:
simonpj
Comment:

--

Legend:

Unmodified
Added
Removed
Modified
  • SafeHaskell

    v24 v25  
    8282 It is up to C to decide what packages to trust; it is not a property of P. 
    8383 
    84  * A '''module M from package P is trusted by a client C''' iff 
    85    * Package P is trusted by C 
    86    * One of the following holds: 
    87      * The module was compiled with `-XSafe` and all of M's direct `imports` are trusted by C 
    88      * The module was compiled with `-XTrustworthy` and all of M's direct `safe imports` are trusted by C 
     84 * A '''module M from package P is trusted by a client C''' iff  
     85   * Either all of these hold: 
     86     * The module was compiled with `-XSafe` 
     87     * All of M's direct `imports` are trusted by C 
     88   * Or all of these hold: 
     89     * The module was compiled with `-XTrustworthy` 
     90     * All of M's direct `safe imports` are trusted by C 
     91     * Package P is trusted by C 
    8992 
    9093 * When a client C compiles a module M with 
     
    9295   * `-XTrustworthy`: all M's `safe imports` must be trusted by C[[BR]] 
    9396 Otherwise the module is rejected. 
     97 
     98The intuition is this: 
     99 * Here are the obligations of the author of a package: 
     100   * When the author of code marks it `-XSafe`, he asks the compiler to check that it is indeed safe.  He takes on no responsibility.  Although he must trust imported packages in order to compile his package, he takes not responsibility for them. 
     101   * When the author of code marks it `-XTrustworthy` he takes on responsibility for the stafety of that code, ''under the assumption'' that `safe imports` are indeed safe. 
     102 
     103 * When client C trusts package P, he expresses trust in the author of that code.  But since the author makes no guarantees about `safe imports`, C may need ot chase dependencies to decide which modules in P should be trusted by C. 
     104 
     105For example, suppose we have this setup: 
     106{{{ 
     107Package Wuggle: 
     108   {-# LANGUAGE Safe #-} 
     109   module Buggle where 
     110     import Prelude 
     111     f x = ...blah... 
     112      
     113Package P: 
     114   {-# LANGUAGE Trustworthy #-} 
     115   module M where 
     116     import System.IO.Unsafe 
     117     import safe Buggle 
     118}}} 
     119Suppose client C decides to trust P.  Then does C trust M?  Well, M has a `safe` import, so P's author takes no responsibility.  So C must check whether `Buggle` is trusted by C.  Is it?  Well, it is compiled with `-XSafe`, so the code in `Buggle` is machine-checked to be OK, but again the author takes no responsibility for `Prelude`.  Ah, but `Prelude` comes from `base`, which C trusts, and is (let's say) compiled with `-XTrustworthy`. 
     120 
     121What about the import of `System.IO.Unsafe`.  C trust's P's author, and P's author takes responsibility for that import.  So C trusts M. 
     122 
     123Notice that C didn't need to trust package `Wuggle`; the machine checking is enough.  C only needs to trust packages that have `-XTrustworthy` packages in them. 
    94124 
    95125'''End of SLPJ/SDM note'''