
I think Safe Haskell is largely meant for exactly stuff like lambdabot. One gotcha that I've seen come up when people use it ... Safe Haskell modules disable all rewrite rules (Trustworthy doesn't). And I've seen folks mark a module in their benchmarks as Safe... and I suppose they didn't understand the implications of that.
On Sat, Apr 17, 2021 at 10:59 AM Richard Eisenberg
Hi Bertram,
Thanks for speaking up here. I feel like I'm missing something I should know, but how does Safe help you? Looking at the lambdabot docs, users cannot import their own modules, and you describe the libraries as curated. So, presumably, that's enough to keep unsafeCoerce and unsafePerformIO from being in scope. Along similar lines, I don't see a way in lambdabot to enable extensions, so Template Haskell is not an issue for you (I believe).
Maybe the role of Safe is in helping you curate your libraries? That is, you can use the Safety of a module in determining whether or not it should be imported. That is indeed helpful. Is that it, though? Does enabling -XSafe when compiling user-supplied code catch some scenarios that would be uncaught otherwise?
Thanks for educating me about this -- it's important to know how the feature is being used if we are going to maintain it.
Richard
On Apr 17, 2021, at 9:03 AM, Bertram Felgenhauer via Haskell-Cafe <haskell-cafe@haskell.org> wrote:
Richard Eisenberg wrote:
Hi café,
Do you use Safe Haskell? Do you know someone who does? If you do, which of Safe Haskell's guarantees do you rely on?
Yes. lambdabot's evaluation mechanism is essentially designed around Safe Haskell: expressions being evaluated are wrapped in `show`, so there's nothing triggering IO actions from outside.
Safe Haskell (barring bugs or evil libraries) ensures that there's no unsafePerformIO nor unsafeCoerce to break the type system, so there's no way to perform arbitrary IO actions inside pure code.
The libraries are curated, so evil libraries have not been an issue.
As for bugs, there have been holes in Typeable in the past, but currently I believe they're closed, except for the use of MD5 as a hash function (but that may require ~2^64 hash operations to exploit because it's hashing UTF-16 data, rendering the existing differential path collision attacks useless... as far as I know, nobody has done this yet).
Preventing the use of Template Haskell is another aspect that lambdabot relies on.
Nowadays, lambdabot (as deployed on Freenode) also uses a sandbox for evaluation, but I'm thinking of that as a second line of defense rather than the primary mechanism for keeping things safe.
So I'd be sad to see SafeHaskell go away.
Cheers,
Bertram
_______________________________________________ Haskell-Cafe mailing list To (un)subscribe, modify options or view archives go to: http://mail.haskell.org/cgi-bin/mailman/listinfo/haskell-cafe Only members subscribed via the mailman list are allowed to post.
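As an added illustration of the mechanism discussed in this thread (example code, not lambdabot's own code and not written by any of the participants): a module compiled with `-XSafe`, showing which imports GHC rejects at compile time, the `show` wrapping Bertram describes, and the dropped `RULES` pragma from the first reply. The module name `SafeEval`, its functions and the rule name are made up for the example.

```haskell
{-# LANGUAGE Safe #-}
-- Constructed example module (hypothetical name). Under -XSafe, GHC checks
-- every import: a module that is Unsafe (declared or inferred) is rejected
-- when this file is compiled, so unsafePerformIO and unsafeCoerce can never
-- be in scope here, whatever the user-supplied expression tries to do.
module SafeEval (render, curatedSum) where

import Data.List (foldl')   -- base's Data.List is Safe: this import is allowed

-- Either of the following imports makes compilation fail under -XSafe
-- (GHC reports that the module "Can't be safely imported"):
--
-- import System.IO.Unsafe (unsafePerformIO)
-- import Unsafe.Coerce    (unsafeCoerce)

-- The lambdabot-style trick: the user's expression is only ever consumed via
-- `show`, so the sandbox module hands back a String to the host, never an IO
-- action the host would have to execute. With no unsafePerformIO reachable,
-- pure code cannot smuggle IO into that String either.
render :: Show a => a -> String
render = show

curatedSum :: [Int] -> Int
curatedSum = foldl' (+) 0

-- The gotcha from the first reply: RULES written in a Safe module are
-- dropped (GHC warns that the rule is ignored), so this rewrite never fires.
-- The same pragma in a module marked {-# LANGUAGE Trustworthy #-} is kept,
-- which is why marking a benchmark module Safe silently changes its
-- performance characteristics.
{-# RULES "curatedSum/empty" curatedSum [] = 0 #-}

-- Build with package trust enforced, so only Trustworthy modules from
-- packages you have explicitly trusted (here: base) are accepted:
--   ghc -XSafe -fpackage-trust -trust base SafeEval.hs
```

To see the rejection, uncomment one of the two unsafe imports and rebuild; the error appears at the import line, before any user expression is evaluated.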