I like the simplicity but would also like the spec to make it easy for me to guarantee that that I don't end up running/installing malware. I think Haskell's typesystem and purity should make it relatively easy to make sure that: 1. installation has no sideeffects beyond making a module available for import 2. import has no sideeffects beyond making functions in a module available 3. the installer and perhaps end-user is notified if functions in a module/package use unsafeperformIO or some equivalent and perhaps what IO functions the IO monad code actually does use (if any). I don't want to have to trust a random downloaded Setup.lhs (I don't want to have to read/understand its source) and I suspect it is easy enough to make sure that I don't have to. -Alex- PS I know that other languages require that lib users trust lib authors and have been succesful nonetheless, but I don't think we have to impost that requirement. Combined with quickcheck and other Haskell verification tools, that guarantees the functionality of a lib, we should be able to have a really really awesome Haskell lib infrastructure. _________________________________________________________________ S. Alexander Jacobson mailto:me@alexjacobson.com tel:917-770-6565 http://alexjacobson.com