[Haskell] Re: ECT and SearchPath

S. Alexander Jacobson alex at alexjacobson.com
Tue Dec 13 15:59:12 EST 2005 

On Tue, 13 Dec 2005, Sven Moritz Hallberg wrote:
> is a good scheme. For it to _really_ work, however, we should form a
> registry of "officially assigned" module names (i.e. ones without a
> disambiguation suffix) and also one for the author and/or organization
> names to be used as suffixes. I for example am known by the nickname
> Pesco, or (more recently) by the mnemonic SM at domain KHJK.ORG.

My solution to this problem in SearchPath is module maps.  SearchPath 
lets you use multiple module maps simultaneously.  So you can for 
example simultaneously use a global module map as haskell.org, an 
industry module map at yourassociate.org, an internal company map 
located on your_intranet, and a personal map located on your computer. 
Conflicts are handled by the order in which you invoke the maps.
So a map is official to the extent your community shares it. 
Different entities can also compete to provide maps of differing 
qualities e.g. is the map audited for security issues?  does the map 
point to the repository head of all modules or a static version? etc.

Clay Shirky famously observed that in namespace construction there is 
a pretty direct tradeoff between have names be memorable, global, and 
non-political.  I think shared module maps represents a good 
compromise.

>> I just
>> read your ECT article which seems to start with the same assumption and
>> takes the theory to its logical conclusion.
>
> I take that as a compliment. ;) Thank you.

It was intended that way!  :-)

> The main issue that springs to my mind is authenticity control. How do I
> know the module I'm downloading is the one I want? Note that this
> question is always there, even in the local case, but it is usually not
> seen as a problem until module sources are distributed over the Net.

I think https URLs solve this problem.  You choose module maps from 
authors you trust and access those maps via https.  These "friendly" 
module maps then point to "friendly" modules that you can also access 
via https.  Since, you choose which CAs you trust to sign server keys, 
you are safe from MITM attacks.

Note, I thought about supporting pgp but there is no obvious way to 
sign a CVS/SVN/darcs repository and what I like about ECT is that you 
can point to such repositories rather than specific checked out 
versions in the comfort that things won't break.  I LOVE that in 
combination with ECT, you get notified that you are using a deprecated 
version on the next compile without having to check all your imports 
manually.

FYI, the main thing that I would really like, but don't have and can't 
implement, is for :r in ghci to invoke SearchPath to hunt for missing 
modules rather than forcing you to quit out and restart ghci every 
time you add an import of an undownloaded module in your code.  Using 
searcpath make thing very smooth, but this feature would make it 
completely so.

-Alex-


______________________________________________________________
S. Alexander Jacobson tel:917-770-6565 http://alexjacobson.com

More information about the Haskell mailing list