Changes between Version 34 and Version 35 of SafeHaskell


Timestamp:
Jan 21, 2011 10:05:47 AM (3 years ago)
Author:
simonmar
Comment:

use cases for SafeImports/SafeLanguage

  • SafeHaskell

    v34 v35  
    8484We also want to be able to enable the safe dialect and safe import extensions without any corresponding trust assertion for the code: 
    8585 
    86  * `-XSafeImports` ('''previously''' `-XUntrustworthy`) enables the safe import extension. Module M is left untrusted though. 
    87  * `-XSafeLanguage` ('''previously''' `-XUntrustworthy` `-XSafe`) enables the safe language (and therefore safe imports). Module M is left untrusted though. 
     86 * `-XSafeImports` ('''previously''' `-XUntrustworthy`) enables the safe import extension. Module M is left untrusted though. (See [#UsecasesforSafeImports use cases]) 
     87 * `-XSafeLanguage` ('''previously''' `-XUntrustworthy` `-XSafe`) enables the safe language (and therefore safe imports). Module M is left untrusted though. (See [#UsecasesforSafeLanguage use cases]) 
    8888 
    8989We see these being used both for good coding style and more flexibility during development of trusted code. We have this relation between the flags: 
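Review bot: the two cross-references added to the `-XSafeImports` and `-XSafeLanguage` bullets depend on anchors that Trac derives from the heading text, so `[#UsecasesforSafeImports use cases]` and `[#UsecasesforSafeLanguage use cases]` resolve only while the headings read exactly "Use cases for `SafeImports`" and "Use cases for `SafeLanguage`"; a later rewording of either heading breaks the link silently. Pin the targets with an explicit heading id (for example `== Use cases for `SafeImports` == #UsecasesforSafeImports`) if this Trac version supports that syntax, or otherwise keep the heading text and the link target in step when the sections are edited.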
     
    265265In this case, the type of `Danger.runMe` will be `IO ()`.  However, because `-ultrasafe` implies `-distrust-all-packages`, the only modules `Danger` can import are trustable modules whose entire trust dependency set lies in the current package.  Let's say that `SafeIO` and `Danger` are the only two such modules.  We then know that the only IO actions `Danger.runMe` can directly execute are `rioReadFile` and `rioWriteFile`. 
    266266 
     267== Use cases for `SafeImports` == 
     268 
     269Say I'm in module Main or some other unsafe place, and I want to 
     270import a module from an untrusted author.  I'd like to say: 
     271 
     272{{{ 
     273   import safe Untrusted.Module 
     274}}}  
     275 
     276Unfortunately, safe is not a Haskell98 keyword, so this fails.  There 
     277are several other ways of enabling the safe keyword, namely the 
     278`LANGUAGE Safe`, `SafeLanguage`, and `Trustworthy` pragmas, but these all do 
     279more than just enable the safe keyword--they restrict the language 
     280and/or mark the module as trusted.  I don't want any of these things. 
     281I just want to make module Main fail to compile should 
     282Untrusted.Module be importing trustworthy modules from untrusted 
     283packages, nothing more. 
     284 
     285== Use cases for `SafeLanguage` == 
     286 
     287Here again the idea is that I want to create an untrusted module that 
     288exports unsafe constructors, but I want to use the Safe dialect, 
     289because it enforces good programming style.  An example would be the 
     290`RIO` module, if it wanted to export `UnsafeRIO`.  There's no reason RIO 
     291itself can't be implemented in the Safe dialect, we just need to make 
     292sure that only Trustworthy modules can import `RIO`. 
     293 
    267294 
    268295== Ultra-safety ==
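Review bot: the `SafeImports` use case sets up the problem (the `safe` keyword is not Haskell98, and `Safe`, `SafeLanguage` and `Trustworthy` all do more than enable it) but never states the resolution the heading implies, namely that `-XSafeImports` (`{-# LANGUAGE SafeImports #-}`) enables the keyword alone and leaves `Main` untrusted; one closing sentence to that effect would make the section self-contained. The same paragraph mixes `LANGUAGE Safe` with bare `SafeLanguage` and `Trustworthy` and calls all three "pragmas", whereas the rest of the page names them as `-X` extension flags; pick one form. In the `SafeLanguage` use case, "only Trustworthy modules can import `RIO`" overstates the guarantee: a module compiled with neither flag is under no import restriction at all, so what the design actually ensures is that `RIO`, being untrusted, cannot be the target of a safe import, while a plain untrusted module (or a `Trustworthy` one, at its author's discretion) may still import it.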