
On 23/02/2018 00.27, Matthias Kilian wrote:
Does it mean that one can't trust *any* package on hackage.haskell.org at least a little bit (based on trust between acknowledging persons and reputation) without reviewing the package's source code?
Yes, in fact you cannot trust any random code you download from the Internet; Hackage is no exception. Anybody could register and upload a package that runs some `runIO` TemplateHaskell which deletes your entire home directory upon compilation, no matter if they are verified as a human or not. Other programming languages' ecosystems don't solve these problems either; if we want it solved, we should layer a trusted curated package repository on top where all code is reviewed by a set of trusted experts.
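An added illustration of the compile-time execution point made in the reply above (example code, not from the thread or from any Hackage package): a Template Haskell splice that uses `runIO` to read the build machine's environment while GHC compiles the module. The module name and the two environment variables are assumptions chosen to be harmless.

```haskell
{-# LANGUAGE TemplateHaskell #-}
-- Constructed example: a Template Haskell splice runs arbitrary IO
-- *while GHC compiles this module*, not when the resulting program
-- is later executed.
module Main (main) where

import Language.Haskell.TH (runIO, stringE)
import System.Environment (lookupEnv)

-- The splice below is evaluated by the compiler. `runIO` lifts any
-- IO action into the Q monad. Here it only reads two environment
-- variables of the *build* machine and embeds them as a string
-- literal, but any other IO action could stand in its place and
-- would run with the privileges of whoever invokes cabal/stack/ghc,
-- i.e. before the package's code is ever "run" in the usual sense.
buildInfo :: String
buildInfo = $(runIO (do
                 user <- lookupEnv "USER"
                 home <- lookupEnv "HOME"
                 return ("built by " ++ show user ++ " in " ++ show home))
               >>= stringE)

main :: IO ()
main = putStrLn buildInfo
```

When reviewing an unfamiliar package before building it, searching its source for `TemplateHaskell`, `runIO`, and a `build-type: Custom` with a `Setup.hs` is a cheap first check, since these are the places where code executes at build time rather than at run time.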