I'd much rather have code that can compile as Safe rather than Trustworthy. Trustworthy code is a pain to annotate the safety of correctly.
A one line change to GHC to ensure the safety of GHC.Generics and to maximize the number of operations you can use safely seems entirely reasonable. Otherwise I have to mark perfectly Safe-by-construction code Trustworthy, enlarging the trusted code base considerably. Using properly constructed Generic instances is perfectly safe. That library level fix has knock-on effects across the entire ecosystem for anyone who cares about SafeHaskell. I tend to instantiate GHC.Generics for any type in most of my packages. A quick grep finds 209 modules broken in just the projects I have open in my working directory. That is a mixture of public and private repos. The majority of which are public. So, I first have to change a couple hundred import statements... conditionally on compiler version, since I maintain wide support windows. This fix would literally break SafeHaskell for me silently across almost everything I have written, forcing me to run through tons of packages trying to figure out what I have to change to get it back. I've done this song and dance before trying to get lambdabot to build, since it uses lens these days. If I don't get every one of them right lens builds as unsafe. There isn't a good debugging process for this, as the only real way I have to know it worked is to go through each one and make sure I didn't compromise safe haskell by looking at the resulting haddocks for each case. The code that *uses* GHC.Generics uses their internals and is safe by construction. It is only the instance construction that is unsafe, so lets mark it as such. -Edward On Mon, Oct 7, 2013 at 11:11 AM, Ryan Newton <[email protected]> wrote: > On Mon, Oct 7, 2013 at 10:22 AM, Edward Kmett <[email protected]> wrote: > >> Am I correct in understanding your issue arises from manually rolled >> instances of Generic, not from Generic itself? >> > > Exactly. > > >> Wouldn't then perhaps the better fix be to resurrect the old rule for >> derived Typeable instances and apply it to Generic and Generic1 instead? >> > The new rule would be that if you hand-implemented Generic or Generic1 in >> your module it isn't Safe. >> > > Ah... so you're proposing adding an extra rule to the GHC compiler itself? > > Isn't it simpler to do it just with a library-level fix? I.e. my proposal > is that GHC.Generics is marked as Unsafe. And then if you really want you > can mark your module as TrustWorthy even with manual instances. (And then, > yes, we'd need a GHC.Generics.Safe to pull the Generic symbol itself from > when we just want to derive it.) > > That would make it so that derived Generic, Generic1 would be considered >> Safe, and you wouldn't break literally every user of the library who care >> about Safe Haskell. >> > > Isn't that also accomplished just by "import GHC.Generic.Safe (Generic)"? > And the handful of hypothetical people that are using this right now can > make that one-line fix. I will *personally* make that fix for all those > people if they would come forward and share the link to their code ;-). > > As it stands the things are damn-near impossible to get right >> instantiating them by hand anyways, so I expect this would affect only 1 or >> 2 users rather than all of them! >> > > Exactly! > >
_______________________________________________ ghc-devs mailing list [email protected] http://www.haskell.org/mailman/listinfo/ghc-devs
