[Haskell-cafe] Safe Haskell?

Tom Ellis tom-lists-haskell-cafe-2017 at jaguarpaw.co.uk
Sun Apr 18 10:38:28 UTC 2021

On Sun, Apr 18, 2021 at 05:43:47PM +0800, Andreas Källberg wrote:
> I've been considering using it for safety-critical software to
> prevent things similar to the event-stream fiasco from happening,
> where someone took over maintenance of an npm library that was a
> transitive dependency of a bitcoin wallet application and injected
> malware that stole the users' secret keys and money.
> https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
> Would Safe Haskell be effective against those kinds of attacks? It
> should allow using a large amount of transitive dependencies,
> without having to manually verify the safety of anything but the
> core trusted packages, right?

Sounds unlikely unless you're willing to never run an IO action:

> It does not ensure code inferred safe but in IO cannot perform
> arbitrary IO.



More information about the Haskell-Cafe mailing list