new Library Infrastructure spec.

Isaac Jones ijones at syntaxpolice.org
Tue Jun 1 22:32:53 EDT 2004


"S. Alexander Jacobson" <haskell at alexjacobson.com> writes:

> I like the simplicity but would also like the spec
> to make it easy for me to guarantee that I
> don't end up running/installing malware.
>
> I think Haskell's type system and purity should
> make it relatively easy to make sure that:

We actually talked about exactly this idea (thanks to Ross) last
month.  I understand what you're looking for here, but I don't think
you'll be able to get any extra security without unduly limiting the
system...

> 1. installation has no side effects beyond
>    making a module available for import

What about packages that install binary tools or data files?  I don't
want to limit the system to just libraries for the sake of this
security feature.

> 2. import has no side effects beyond making
>    functions in a module available

This is already true (besides some stuff with type classes, of
course).

> 3. the installer and perhaps end-user is notified
>    if functions in a module/package use
>    unsafePerformIO or some equivalent and perhaps
>    what IO functions the IO monad code actually
>    does use (if any).

This would be nice, but in absence of this (which is outside the scope
of this project, since it'll require changing the compilers), your (1)
above becomes less useful, and we limit ourselves to just libraries
for the sake of ineffective security.

I have no idea how difficult all of that would be.  Maybe some of the
implementation authors can speak to that.

> I don't want to have to trust a random downloaded
> Setup.lhs (I don't want to have to read/understand
> its source) and I suspect it is easy enough to
> make sure that I don't have to.

I suspect that implementing real security here will be harder than it
looks, and I don't want to delay the package infrastructure until all
those problems are sorted out and the compilers implement them.  For
now, I'm afraid, trust is an all-or-nothing venture when it comes to
running someone else's code.  It would be really cool to have a
"secure library infrastructure" which is more limited but which
provides more guarantees.  I just think it's overly ambitious for now.


peace,

  isaac
