[Haskell-cafe] Safe Haskell?
Tom Ellis
tom-lists-haskell-cafe-2017 at jaguarpaw.co.uk
Sun Apr 18 10:38:28 UTC 2021
On Sun, Apr 18, 2021 at 05:43:47PM +0800, Andreas Källberg wrote:
> I've been considering using it for safety-critical software to
> prevent things similar to the event-stream fiasco from happening,
> where someone took over maintenance of an npm library that was a
> transitive dependency of a bitcoin wallet application and injected
> malware that stole the users' secret keys and money.
> https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
>
> Would Safe Haskell be effective against those kinds of attacks? It
> should allow using a large amount of transitive dependencies,
> without having to manually verify the safety of anything but the
> core trusted packages, right?
Sounds unlikely unless you're willing to never run an IO action:
> It does not ensure code inferred safe but in IO cannot perform
> arbitrary IO.
https://wiki.haskell.org/Safe_Haskell
Tom
More information about the Haskell-Cafe
mailing list