safe vs. unsafe (Was: Haskell Platform proposal: Add the vector package)

Simon Marlow marlowsd at gmail.com
Sat Jul 14 00:26:27 CEST 2012


On 13/07/12 21:18, Heinrich Apfelmus wrote:
> Simon Marlow wrote:
>> Hi Thomas,
>>
>> All these questions are answered by the Haskell Symposium paper, which
>> we'll post very shortly. FYI, the FFI is mostly safe, as long as you
>> declare foreign imports to have an IO result type (otherwise it's
>> unsafePerformIO, and hence unsafe). Unsafety is not viral: as soon as
>> you have a safe API, you can declare its implementation to be
>> Trustworthy, and then it is usable from safe code.
>
> How strict are the requirements for Trustworthy code? For instance, my
> reactive-banana library uses observable sharing, which is inherently
> Unsafe. Of course, I think that my library is still Safe, but I have no
> formal proof of this "fact". I have two options:
>
> 1. Mark my library as Trustworthy even though I don't have sufficient
> proof. This severely weakens the guarantees of Safe Haskell.
> 2. Mark my library as Unsafe. But then people can't use it to write Safe
> code and will complain.
>
> The trouble is that I have a strong incentive to solve the problem
> arising from 2 by doing 1. Oops.

The idea is that you do (1).  All your clients get to use Safe, and 
nobody is obliged to use your code in a security-critical setting unless 
they want to.  (I could write a lot more, but I've written too much 
about this already today.  Good night!)

Cheers,
	Simon
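The trust boundary Simon describes (an Unsafe implementation wrapped by a Trustworthy module so that Safe clients can import it, plus the rule that foreign imports must return in IO) is illustrated by the following three hypothetical modules. This is an added example, not code from the thread, from reactive-banana, or from the vector package; the module names `Counter.Unsafe`, `Counter` and `Client` and the `freshId` function are made up for illustration, and the global-counter idiom stands in for the observable sharing Heinrich mentions.

```haskell
-- File: Counter/Unsafe.hs  (hypothetical module, constructed for this example)
{-# LANGUAGE Unsafe #-}
module Counter.Unsafe (freshId) where

import Data.IORef
import System.IO.Unsafe (unsafePerformIO)

-- A global IORef created with unsafePerformIO: the same kind of observable
-- sharing the Safe language cannot verify, so the module is marked Unsafe.
-- NOINLINE keeps GHC from duplicating the allocation at each use site.
counter :: IORef Int
counter = unsafePerformIO (newIORef 0)
{-# NOINLINE counter #-}

-- Hands out a fresh identifier. The exported type is in IO, but the
-- implementation depends on the unsafePerformIO above.
freshId :: IO Int
freshId = atomicModifyIORef' counter (\n -> (n + 1, n))

-- File: Counter.hs  (hypothetical)
{-# LANGUAGE Trustworthy #-}
-- Option (1) from the thread: the author asserts that the exported API is
-- safe even though GHC cannot check it. Only freshId is re-exported; the
-- IORef itself never leaves the package.
module Counter (freshId) where

import Counter.Unsafe (freshId)

-- File: Client.hs  (hypothetical)
{-# LANGUAGE Safe #-}
{-# LANGUAGE ForeignFunctionInterface #-}
module Client (nextLabel, cSin) where

import Counter (freshId)          -- accepted: Counter is Trustworthy
-- import Counter.Unsafe (freshId) -- rejected: the module is marked Unsafe
-- import System.IO.Unsafe         -- rejected for the same reason

-- Foreign imports are permitted in Safe code only with an IO result type.
foreign import ccall "math.h sin" cSin :: Double -> IO Double
-- A pure-typed import would be rejected under the Safe language:
-- foreign import ccall "math.h sin" cSinPure :: Double -> Double

-- Safe client code using the trusted API; it cannot reach the IORef.
nextLabel :: IO String
nextLabel = do
  n <- freshId
  return ("id-" ++ show n)
```

Compiling `Client.hs` with `-fpackage-trust` adds the second half of the check Simon alludes to: a Trustworthy module only counts as safe if its package is trusted by the user (`ghc -fpackage-trust -trust <package>`), which is how a client who does not want to rely on an author's Trustworthy assertion in a security-critical setting can refuse it.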


