[GHC] #8310: Can we change the semantics of `Trustworthy`?

GHC ghc-devs at haskell.org
Mon Sep 16 21:15:50 CEST 2013 

#8310: Can we change the semantics of `Trustworthy`?
------------------------------------+-------------------------------------
       Reporter:  ekmett            |             Owner:
           Type:  feature request   |            Status:  new
       Priority:  normal            |         Milestone:
      Component:  Compiler          |           Version:  7.6.3
       Keywords:                    |  Operating System:  Unknown/Multiple
   Architecture:  Unknown/Multiple  |   Type of failure:  None/Unknown
     Difficulty:  Unknown           |         Test Case:
     Blocked By:                    |          Blocking:
Related Tickets:                    |
------------------------------------+-------------------------------------
 I would like to propose that if I put `{-# LANGUAGE Trustworthy #-}` on a
 module and it infers as Safe, then the module should get marked `Safe`
 instead of `Trustworthy`. Putting `Trustworthy` in right now has the
 semantics "it is at most `Trustworthy`".

 It would be far more useful to have the semantics "it is at least
 `Trustworthy`".

 The current situation is actually a maintenance nightmare.

 Currently, if I incur a dependency on a package has some `Safe` versions
 and some non-Safe versions, but I know I'm not using any unsafe
 componentry of it, I have to either

 a.) Mark my package Trustworthy unnecessarily enlarging the trusted code
 base a lot.

 b.) Track ALL of the dependencies of my dependencies to know when it will
 be Safe rather than Trustworthy, then insert brittle CPP pragmas that
 often fail.

 Consider that `hashable` 1.2.1.0 recently became flagged `Trustworthy`,
 but was previously not.

 Now, if I want to properly infer as `Safe`, I have to track the exact
 version of `hashable` I depend on _and_ whether or not my `Typeable`
 instance is being rolled manually and make an enormous composite `#ifdef`
 at the top of the module.

 Worse, we got the patch in about a month ago, so to future proof my code
 I'd have had to be psychic.

 Now consider that I have 50 other packages to maintain in this same
 manner. I wind up shotgunning `Trustworthy`, do deal with the fact that I
 deigned to provide instances for `vector`. If `vector` ever refactored to
 support Safe Haskell, I'd have to go fix up 50 very arcane CPP pragmas to
 match the internal details of an external package.

 Then I wind up checking them by round tripping through cabal installs and
 checking my haddocks.

 This is further complicated by the fact that some things are just becoming
 Safe "for free" as they go, due to the fact that they no longer need or
 can supply hand-rolled `Typeable` instances.

-- 
Ticket URL: <http://ghc.haskell.org/trac/ghc/ticket/8310>
GHC <http://www.haskell.org/ghc/>
The Glasgow Haskell Compiler

More information about the ghc-tickets mailing list