[Haskell-cafe] Safe Haskell design question - package trust

Omari Norman omari at smileystation.com
Sat Mar 1 17:48:08 UTC 2014

Safe Haskell has three levels of safety:

Safe - pure functions won't launch missiles.  Well, sort of.  They
might launch missiles if they apply functions from other Trustworthy
modules that do launch missiles, though one can use -fpackage-trust to
mitigate this issue.

Unsafe - pure functions might launch missiles, watch out.

Trustworthy - module author raises her hand and says "My pure
functions won't launch missiles, I promise."

I can use the package trust feature to say "only trust a Trustworthy
package if I say so."

My issue is this: why is there no easy way to trust *any* package, not
just packages that are Trustworthy? I should be able to say "I trust
this package." It is immaterial whether the package author has raised
her hand and said "my pure functions don't launch missiles" when I can
examine the code for myself and determine whether the code launches
missiles.  Indeed, if I use package trust, I need to either examine
the code or trust the author--the author's pledge isn't determinative.
I see what "Trustworthy" adds when you're not using package trust,
but it's just an informational flag if you are using package trust.
Despite this Safe Haskell will not recognize the trustworthiness of
packages that I have deliberately marked as trusted--merely because
the author has not made a pledge.

I ask because Safe Haskell has been around for over two years now yet
the time package, which ships with GHC, has modules that are unsafe.
I have examined them; they don't launch missiles.  Yet the only easy
way to get them working with Safe Haskell is to get the modules marked
Trustworthy.  I have emailed the maintainer and the libraries mailing
list and so far have heard nothing.

I have seen at least one package author get annoyed because people
asked him to mark his modules Trustworthy, and I think he's right.  He
shouldn't need to say they're Trustworthy; rather, the Safe Haskell
user should be able to do this himself. (True, the Safe Haskell user
can do this by recompiling--come on, it shouldn't be that hard, and I
don't want to recompile a package like time, that ships with GHC.)
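As an added illustration of the package-trust mechanism the post describes (example code, not part of Omari's post): a Trustworthy module, assumed to ship in a package named missile-free, wraps an Unsafe import behind a pure interface, a Safe module consumes it, and the build only succeeds once that package itself is trusted.

```haskell
-- File: Trusted.hs (assumed to be shipped in a package named missile-free)
-- The author "raises her hand": this module may import Unsafe modules,
-- but pledges that its exported interface is still pure and harmless.
{-# LANGUAGE Trustworthy #-}
module Trusted (capabilityCount) where

import Control.Concurrent (getNumCapabilities)  -- an IO action from base
import System.IO.Unsafe (unsafePerformIO)        -- System.IO.Unsafe is marked Unsafe

-- A pure-looking constant obtained through unsafePerformIO. Safe code may
-- not call unsafePerformIO itself, so this is exactly the kind of value
-- only a Trustworthy module can provide.
capabilityCount :: Int
capabilityCount = unsafePerformIO getNumCapabilities
{-# NOINLINE capabilityCount #-}

-- File: Client.hs (user code compiled under the Safe language)
-- Under Safe, importing System.IO.Unsafe directly is a compile error;
-- importing a Trustworthy module is allowed, subject to package trust.
{-# LANGUAGE Safe #-}
module Client (workers) where

import Trusted (capabilityCount)

workers :: Int
workers = max 1 capabilityCount

-- Build (shell), assuming missile-free is installed in the package db
-- and base carries its default trusted flag:
--   ghc -fpackage-trust Client.hs
--     fails: Trusted is Trustworthy, but package missile-free is not trusted
--   ghc -fpackage-trust -trust missile-free Client.hs
--     succeeds; or trust it persistently with: ghc-pkg trust missile-free
-- The check is per package and still requires the Trustworthy pledge: an
-- Unsafe module inside a trusted package is rejected all the same, which
-- is the gap the post complains about.
```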
