[Haskell-cafe] Safe Haskell?
Henning Thielemann
lemming at henning-thielemann.de
Sun Apr 18 11:07:38 UTC 2021
On Sun, 18 Apr 2021, Tom Ellis wrote:
> On Sun, Apr 18, 2021 at 05:43:47PM +0800, Andreas Källberg wrote:
>> I've been considering using it for safety-critical software to
>> prevent things similar to the event-stream fiasco from happening,
>> where someone took over maintenance of an npm library that was a
>> transitive dependency of a bitcoin wallet application and injected
>> malware that stole the users' secret keys and money.
>> https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-incident
>>
>> Would Safe Haskell be effective against those kinds of attacks? It
>> should allow using a large amount of transitive dependencies,
>> without having to manually verify the safety of anything but the
>> core trusted packages, right?
>
> Sounds unlikely unless you're willing to never run an IO action:
In safety critical code you might not use bare IO but a wrapper or a type
class with a trusted set of primitive methods.
More information about the Haskell-Cafe
mailing list