[Haskell-cafe] Safe Haskell?
Richard Eisenberg
rae at richarde.dev
Sat Apr 17 14:55:04 UTC 2021
Hi Bertram,
Thanks for speaking up here. I feel like I'm missing something I should know, but how does Safe help you? Looking at the lambdabot docs, users cannot import their own modules, and you describe the libraries as curated. So, presumably, that's enough to keep unsafeCoerce and unsafePerformIO from being in scope. Along similar lines, I don't see a way in lambdabot to enable extensions, so Template Haskell is not an issue for you (I believe).
Maybe the role of Safe is in helping you curate your libraries? That is, you can use the Safety of a module in determining whether or not it should be imported. That is indeed helpful. Is that it, though? Does enabling -XSafe when compiling user-supplied code catch some scenarios that would be uncaught otherwise?
Thanks for educating me about this -- it's important to know how the feature is being used if we are going to maintain it.
Richard
> On Apr 17, 2021, at 9:03 AM, Bertram Felgenhauer via Haskell-Cafe <haskell-cafe at haskell.org> wrote:
>
> Richard Eisenberg wrote:
>> Hi café,
>>
>> Do you use Safe Haskell? Do you know someone who does? If you do, which
>> of Safe Haskell's guarantees do you rely on?
>
> Yes. lambdabot's evaluation mechanism is essentially designed around
> Safe Haskell: expressions being evaluated are wrapped in `show`, so
> there's nothing triggering IO actions from outside.
>
> Safe Haskell (barring bugs or evil libraries) ensures that there's no
> unsafePerformIO nor unsafeCoerce to break the type system, so there's
> no way to perform arbitrary IO actions inside pure code.
>
> The libraries are curated, so evil libraries have not been an issue.
>
> As for bugs, there have been holes in Typeable in the past, but
> currently I believe they're closed, except for the use of MD5 as a
> hash function (but that may require ~2^64 hash operations to exploit
> because it's hashing UTF-16 data, rendering the existing differential
> path collision attacks useless... as far as I know, nobody has done
> this yet).
>
> Preventing the use of Template Haskell is another aspect that
> lambdabot relies on.
>
> Nowadays, lambdabot (as deployed on Freenode) also uses a sandbox for
> evaluation, but I'm thinking of that as a second line of defense
> rather than the primary mechanism for keeping things safe.
>
> So I'd be sad to see SafeHaskell go away.
>
> Cheers,
>
> Bertram
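The arrangement the quoted reply describes (a Safe-flagged wrapper module around a user expression under `show`, with only curated imports in scope) as an added illustration; this is not lambdabot's own code, and the module name, `result` and the placeholder expression are made up:

```haskell
{-# LANGUAGE Safe #-}
-- Added example: the shape of the module a lambdabot-style evaluator
-- might generate around a user-supplied expression.  Names are made up;
-- lambdabot's real generator is not shown here.
module Sandbox (result) where

import Prelude            -- base is a trusted package; Prelude is Trustworthy
import Data.List (sort)   -- only curated modules are offered for import

-- The property the evaluator relies on: under -XSafe these imports are
-- rejected at compile time (GHC reports that the module can't be safely
-- imported), so neither primitive is reachable from the user expression:
--   import System.IO.Unsafe (unsafePerformIO)
--   import Unsafe.Coerce    (unsafeCoerce)

-- The user's text is spliced in where USER_EXPR stands and wrapped in
-- show, so forcing `result` yields a String with no IO action involved.
-- Template Haskell is likewise unavailable: -XSafe refuses the extension.
result :: String
result = show (sort [3 :: Int, 1, 2])   -- stands in for USER_EXPR

-- Build with package trust enforced, trusting only the curated packages:
--   ghc -XSafe -fpackage-trust -trust base Sandbox.hs
```

Compiling with `-fpackage-trust` makes imports from Trustworthy modules depend on the package being explicitly trusted, which is where the curation Richard asks about and the Safe check meet.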