Changes between Version 34 and Version 35 of SafeHaskell


Timestamp:
Jan 21, 2011 10:05:47 AM (5 years ago)
Author:
simonmar
Comment:

use cases for SafeImports/SafeLanguage

  • SafeHaskell

    v34 v35  
    8484We also want to be able to enable the safe dialect and safe import extensions without any corresponding trust assertion for the code:
    8585
    86  * `-XSafeImports` ('''previously''' `-XUntrustworthy`) enables the safe import extension. Module M is left untrusted though.
    87  * `-XSafeLanguage` ('''previously''' `-XUntrustworthy` `-XSafe`) enables the safe language (and therefore safe imports). Module M is left untrusted though.
     86 * `-XSafeImports` ('''previously''' `-XUntrustworthy`) enables the safe import extension. Module M is left untrusted though. (See [#UsecasesforSafeImports use cases])
     87 * `-XSafeLanguage` ('''previously''' `-XUntrustworthy` `-XSafe`) enables the safe language (and therefore safe imports). Module M is left untrusted though. (See [#UsecasesforSafeLanguage use cases])
    8888
    8989We see these being used both for good coding style and more flexibility during development of trusted code. We have this relation between the flags:
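Review bot: the two new cross-references `[#UsecasesforSafeImports use cases]` and `[#UsecasesforSafeLanguage use cases]` on lines 86 and 87 depend on Trac deriving the anchors for the headings "Use cases for `SafeImports`" and "Use cases for `SafeLanguage`" by dropping the spaces and backticks; please confirm both fragments resolve on the rendered page, since a mismatched anchor gives a silently dead link rather than a rendering error.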
     
    265265In this case, the type of `Danger.runMe` will be `IO ()`.  However, because `-ultrasafe` implies `-distrust-all-packages`, the only modules `Danger` can import are trustable modules whose entire trust dependency set lies in the current package.  Let's say that `SafeIO` and `Danger` are the only two such modules.  We then know that the only IO actions `Danger.runMe` can directly execute are `rioReadFile` and `rioWriteFile`.
    266266
     267== Use cases for `SafeImports` ==
     268
     269Say I'm in module Main or some other unsafe place, and I want to
     270import a module from an untrusted author.  I'd like to say:
     271
     272{{{
     273   import safe Untrusted.Module
     274}}}
     275
     276Unfortunately, safe is not a Haskell98 keyword, so this fails.  There
     277are several other ways of enabling the safe keyword, namely the
     278`LANGUAGE Safe`, `SafeLanguage`, and `Trustworthy` pragmas, but these all do
     279more than just enable the safe keyword--they restrict the language
     280and/or mark the module as trusted.  I don't want any of these things.
     281I just want to make module Main fail to compile should
     282Untrusted.Module be importing trustworthy modules from untrusted
     283packages, nothing more.
     284
     285== Use cases for `SafeLanguage` ==
     286
     287Here again the idea is that I want to create an untrusted module that
     288exports unsafe constructors, but I want to use the Safe dialect,
     289because it enforces good programming style.  An example would be the
     290`RIO` module, if it wanted to export `UnsafeRIO`.  There's no reason RIO
     291itself can't be implemented in the Safe dialect, we just need to make
     292sure that only Trustworthy modules can import `RIO`.
     293
    267294
    268295== Ultra-safety ==
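Review bot: the closing sentence of the `SafeLanguage` use case ("we just need to make sure that only Trustworthy modules can import `RIO`") promises more than the flags described on lines 86 and 87 deliver: `-XSafeLanguage` leaves `RIO` untrusted, and untrusted status only stops imports that demand trust (a `safe` import, or a module that must trust everything it imports); an ordinary module such as `Main`, the "unsafe place" of the `SafeImports` section, can still import `RIO` and reach `UnsafeRIO`. Suggest rewording to "so that modules requiring trusted imports cannot import `RIO`", or naming the package-level policy that gives the stronger guarantee. Two smaller points in the `SafeImports` section: it motivates the flag without ever naming it, so a closing line such as "`-XSafeImports` enables the `safe` keyword and nothing more" would tie it back to the list on line 86, and the enumeration "`LANGUAGE Safe`, `SafeLanguage`, and `Trustworthy`" mixes the `LANGUAGE Safe` spelling with bare extension names.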