[Haskell-cafe] Safe Haskell?

Carter Schonwald carter.schonwald at gmail.com
Sat Apr 17 16:11:19 UTC 2021


I think Safe Haskell is largely meant for exactly stuff like lambdabot.

One gotcha that I’ve seen come up when people use it ... Safe Haskell
modules disable all rewrite rules (Trustworthy doesn’t). And I’ve seen
folks mark a module in their benchmarks as Safe... and I suppose they
didn’t understand the implications of that.

On Sat, Apr 17, 2021 at 10:59 AM Richard Eisenberg <rae at richarde.dev> wrote:

> Hi Bertram,
>
> Thanks for speaking up here. I feel like I'm missing something I should
> know, but how does Safe help you? Looking at the lambdabot docs, users
> cannot import their own modules, and you describe the libraries as curated.
> So, presumably, that's enough to keep unsafeCoerce and unsafePerformIO from
> being in scope. Along similar lines, I don't see a way in lambdabot to
> enable extensions, so Template Haskell is not an issue for you (I believe).
>
> Maybe the role of Safe is in helping you curate your libraries? That is,
> you can use the Safety of a module in determining whether or not it should
> be imported. That is indeed helpful. Is that it, though? Does enabling
> -XSafe when compiling user-supplied code catch some scenarios that would be
> uncaught otherwise?
>
> Thanks for educating me about this -- it's important to know how the
> feature is being used if we are going to maintain it.
>
> Richard
>
> > On Apr 17, 2021, at 9:03 AM, Bertram Felgenhauer via Haskell-Cafe <
> haskell-cafe at haskell.org> wrote:
> >
> > Richard Eisenberg wrote:
> >> Hi café,
> >>
> >> Do you use Safe Haskell? Do you know someone who does? If you do, which
> >> of Safe Haskell's guarantees do you rely on?
> >
> > Yes. lambdabot's evaluation mechanism is essentially designed around
> > Safe Haskell: expressions being evaluated are wrapped in `show`, so
> > there's nothing triggering IO actions from outside.
> >
> > Safe Haskell (barring bugs or evil libraries) ensures that there's no
> > unsafePerformIO nor unsafeCoerce to break the type system, so there's
> > no way to perform arbitrary IO actions inside pure code.
> >
> > The libraries are curated, so evil libraries have not been an issue.
> >
> > As for bugs, there have been holes in Typeable in the past, but
> > currently I believe they're closed, except for the use of MD5 as a
> > hash function (but that may require ~2^64 hash operations to exploit
> > because it's hashing UTF-16 data, rendering the existing differential
> > path collision attacks useless... as far as I know, nobody has done
> > this yet).
> >
> > Preventing the use of Template Haskell is another aspect that
> > lambdabot relies on.
> >
> > Nowadays, lambdabot (as deployed on Freenode) also uses a sandbox for
> > evaluation, but I'm thinking of that as a second line of defense
> > rather than the primary mechanism for keeping things safe.
> >
> > So I'd be sad to see SafeHaskell go away.
> >
> > Cheers,
> >
> > Bertram
> > _______________________________________________
> > Haskell-Cafe mailing list
> > To (un)subscribe, modify options or view archives go to:
> > http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe
> > Only members subscribed via the mailman list are allowed to post.
>