
On 03/09/15 08:22, Michael Smith wrote:
I feel there should be some process for reporting security-sensitive issues in GHC -- for example, #9562 and #10826 in Trac. Perhaps something like the SensitiveTicketsPlugin [3] could be used?
[1] https://ghc.haskell.org/trac/ghc/ticket/9562
[2] https://ghc.haskell.org/trac/ghc/ticket/10826
[3] https://trac-hacks.org/wiki/SensitiveTicketsPlugin

Thanks for raising this. While I see where you are coming from, I'm going to argue against it, because I think it creates a false impression of the security guarantees GHC provides. Such a process may give the impression that there are people directly tasked with handling such security bugs, which is not currently the case.

I think it is unreasonable for the security of a system to depend on GHC having no type soundness bugs, particularly since GHC is actively used for developing experimental type system features. #9562 has been open for a year and we don't have a good solution.

Relatedly, I think the Safe Haskell documentation should prominently warn about the existence of #9562 and the possibility of other type soundness bugs, like it does for compilation safety issues.

What do others think?

Adam

--
Adam Gundry, Haskell Consultant
Well-Typed LLP, http://www.well-typed.com/