On 13/07/12 21:18, Heinrich Apfelmus wrote:
> Simon Marlow wrote:
>> Hi Thomas,
>> All these questions are answered by the Haskell Symposium paper, which
>> we'll post very shortly. FYI, the FFI is mostly safe, as long as you
>> declare foreign imports to have an IO result type (otherwise it's
>> unsafePerformIO, and hence unsafe). Unsafety is not viral: as soon as
>> you have a safe API, you can declare its implementation to be
>> Trustworthy, and then it is usable from safe code.
> How strict are the requirements for Trustworthy code? For instance, my
> reactive-banana library uses observable sharing, which is inherently
> Unsafe. Of course, I think that my library is still Safe, but I have no
> formal proof of this "fact". I have two options:
> 1. Mark my library as Trustworthy even though I don't have sufficient
> proof. This severely weakens the guarantees of Safe Haskell.
> 2. Mark my library as Unsafe. But then people can't use it to write Safe
> code and will complain.
> The trouble is that I have a strong incentive to solve the problem
> arising from 2 by doing 1. Oops.
The idea is that you do (1). All your clients get to use Safe, and
nobody is obliged to use your code in a security-critical setting unless
they want to. (I could write a lot more, but I've written too much
about this already today. Good night!)
Cheers,
Simon
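The arrangement described in this exchange, as an added illustration that is not code from the thread or from reactive-banana: a Trustworthy module hides an unsafePerformIO-based global counter (the constructed stand-in for observable sharing) behind a pure-looking API, a Safe module holds a foreign import whose IO result type keeps it admissible, and a Safe client imports both. The module names Sharing, CSin and Main and the counter trick are assumptions made for this example.

```haskell
-- file: Sharing.hs
-- The implementation relies on unsafePerformIO from System.IO.Unsafe,
-- an Unsafe module, so this module cannot itself be Safe. Trustworthy is
-- the author's assertion that the *exported* API cannot break safety;
-- GHC does not verify that assertion.
{-# LANGUAGE Trustworthy #-}
module Sharing (Node, nodeId, nodeLabel, mkNode) where

import Data.IORef (IORef, newIORef, atomicModifyIORef)
import System.IO.Unsafe (unsafePerformIO)

-- Constructed example of the global-counter trick behind observable
-- sharing: every node is given a fresh identifier at construction time.
counter :: IORef Int
counter = unsafePerformIO (newIORef 0)
{-# NOINLINE counter #-}

data Node = Node { nodeId :: Int, nodeLabel :: String }

-- Pure-looking constructor; the side effect is confined to this module.
-- NOINLINE keeps GHC from duplicating or floating the effect.
mkNode :: String -> Node
mkNode lbl = unsafePerformIO $ do
  n <- atomicModifyIORef counter (\i -> (i + 1, i))
  return (Node n lbl)
{-# NOINLINE mkNode #-}

-- file: CSin.hs
-- A foreign import with an IO result type is accepted under Safe. The
-- same import typed `CDouble -> CDouble` would be rejected, because a
-- non-IO foreign import is equivalent to an unsafePerformIO.
{-# LANGUAGE Safe, ForeignFunctionInterface #-}
module CSin (cSin) where

import Foreign.C.Types (CDouble)

foreign import ccall "math.h sin" c_sin :: CDouble -> IO CDouble

cSin :: Double -> IO Double
cSin x = fmap realToFrac (c_sin (realToFrac x))

-- file: Main.hs
-- Safe code may import only Safe or Trustworthy modules. Unsafety is not
-- viral: the unsafePerformIO inside Sharing does not leak out here.
{-# LANGUAGE Safe #-}
module Main (main) where

import Sharing (mkNode, nodeId, nodeLabel)
import CSin (cSin)
-- import System.IO.Unsafe  -- rejected: an Unsafe module in Safe code

main :: IO ()
main = do
  let a = mkNode "a"
      b = mkNode "b"
  putStrLn (nodeLabel a ++ " has id " ++ show (nodeId a))
  putStrLn (nodeLabel b ++ " has id " ++ show (nodeId b))
  cSin 0 >>= print
```

Compiling Main.hs with GHC succeeds because Sharing is Trustworthy and CSin is Safe; uncommenting the System.IO.Unsafe import makes Main fail to compile. GHC only checks that a Trustworthy module's package is actually trusted when `-fpackage-trust` is enabled (packages are trusted with `-trust`); without that flag every Trustworthy assertion is believed, which is exactly the point of the Trustworthy/Unsafe trade-off discussed above.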
_______________________________________________
Haskell-platform mailing list
Haskell-platform@projects.haskell.org
http://projects.haskell.org/cgi-bin/mailman/listinfo/haskell-platform