Changes between Version 40 and Version 41 of SafeHaskell
- Jan 25, 2011 9:09:48 AM (3 years ago)
v40 v41 227 227 * We want to be able to change a package P from trusted to untrusted and then have compilation of code that directly or transversely depends on it to fail accordingly if it relies on that package being trusted. That is trust should be checked recursively at link time and not just for code being compiled. Having the interface file format record each modules trust type should be enough for this. 228 228 * If a module M is Untrusted then no further processing needs to be done. 229 * If a module M is Safe then we know all imports must be safe or trustworthy so we must check them. 229 * If a module M is Safe then 230 * At compile time we check each of M's imports are trusted 230 231 * If a module M is Trustworthy then we handle it differently when linking than compiling: 231 232 * At both link time and compile time M itself must be in a trusted package. 232 * At compile time we check each of M's safe imports are trusted and that all trustworthy imports reside in the current set of trusted packages. 233 * At compile time we check each of M's safe imports are trusted 233 234 * At link time we don't check that M's safe imports are still considered trusted. The reasoning behind this is that at compile time we had a guarantee that any modules marked Trustworthy did indeed reside in a package P that was trusted. If at link time some of M's safe imports that are marked Trustworthy now reside in a package marked untrusted this is because the client C changed the package trust. Since C is the one guaranteeing trustworthy modules we believe its fine to not fail. 234 235 * Guaranteeing trustworthy at link time wouldn't be too hard, it would just require we also record in the interface file format for modules marked as trustworthy, which of their dependencies were safe imports.
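Review bot: the v41 wording for Trustworthy M ("At compile time we check each of M's safe imports are trusted") drops the v40 clause "and that all trustworthy imports reside in the current set of trusted packages", yet the unchanged link-time bullet (234) still justifies skipping the link-time recheck by appealing to the compile-time guarantee that every Trustworthy import resided in a trusted package. Unless "trusted" is defined on this page to include that package-trust check, the guarantee the link-time argument depends on is no longer stated anywhere; either restore the clause or spell out that a Trustworthy import counts as trusted only when its package is trusted. The same gap exists for the new Safe bullets (229/230): they say only what happens at compile time, while bullet 227 asks for recursive checking at link time and the Trustworthy case explicitly says link time does not recheck imports, so the Safe case should state which of the two behaviours applies to it.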