Simon Peyton Jones
simonpj at microsoft.com
Thu Jan 29 17:58:34 UTC 2015
In a call with a bunch of type hackers, we were discussing
This is a pretty serious bug. It allows a malicious person to construct his own unsafeCoerce, and so completely subverts Safe Haskell.
Actually there are two bugs (see comment:19). The first is easily fixed. But the second is not.
We explored various quick fixes, but the real solution is not far out of reach. It amounts to this:
* Every data type is automatically in Typeable. No need to say "deriving(Typeable)" or "AutoDeriveTypeable" (which would become deprecated)
* In implementation terms, the constraint solver treats Typeable specially, much as it already treats Coercible specially.
It's not a huge job. It'd probably take a couple of days of implementation work, and some time for shaking out bugs and consequential changes. The biggest thing might be simply working out implementation design choices. (For example, there is a modest code-size cost to making everything Typeable, esp because that includes the data constructors of the type (which can be used in types, with DataKinds). Does that matter? Should we provide a way to suppress it? If so, we'd also need a way to express whether or not the Typeable instance exists in the interface file.)
But it is a substantial change that will touch a lot of lines of code. Moreover, someone has to do it, and Iavor (who heroically volunteered) happens to be travelling next week.
So it's really not the kind of thing we would usually do after RC2.
But (a) it's serious and, as it happens, (b) there is also the BBP Prelude debate going on.
Hence the question: should we simply delay 7.10 by, say, a month? After all, the timetable is up to us. Doing so might give a bit more breathing space to the BBP debate, which might allow time for reflection and/or implementation of modest features to help the transition. (I know that several are under discussion.) Plus, anyone waiting for 7.10 can simply use RC2, which is pretty good.
Would that be a relief to the BBP debate? Or any other opinions.
PS: I know, I know: there is endless pressure to delay releases to get stuff in. If we give in to that pressure, we never make a release. But we should know when to break our own rules. Perhaps this is such an occasion.