On Sun, Apr 18, 2021 at 05:43:47PM +0800, Andreas Källberg wrote:
I've been considering using it for safety-critical software to prevent things similar to the event-stream fiasco from happening, where someone took over maintenance of an npm library that was a transitive dependency of a bitcoin wallet application and injected malware that stole the users' secret keys and money. https://blog.npmjs.org/post/180565383195/details-about-the-event-stream-inci...
Would Safe Haskell be effective against those kinds of attacks? It should allow using a large amount of transitive dependencies, without having to manually verify the safety of anything but the core trusted packages, right?
Sounds unlikely unless you're willing to never run an IO action:
It does not ensure code inferred safe but in IO cannot perform arbitrary IO.