
On 13/07/12 21:18, Heinrich Apfelmus wrote:
> Simon Marlow wrote:
>> Hi Thomas,
>>
>> All these questions are answered by the Haskell Symposium paper, which we'll post very shortly. FYI, the FFI is mostly safe, as long as you declare foreign imports to have an IO result type (otherwise it's unsafePerformIO, and hence unsafe). Unsafety is not viral: as soon as you have a safe API, you can declare its implementation to be Trustworthy, and then it is usable from safe code.
>
> How strict are the requirements for Trustworthy code? For instance, my reactive-banana library uses observable sharing, which is inherently Unsafe. Of course, I think that my library is still Safe, but I have no formal proof of this "fact". I have two options:
>
> 1. Mark my library as Trustworthy even though I don't have sufficient proof. This severely weakens the guarantees of Safe Haskell.
> 2. Mark my library as Unsafe. But then people can't use it to write Safe code and will complain.
>
> The trouble is that I have a strong incentive to solve the problem arising from 2 by doing 1. Oops.

The idea is that you do (1). All your clients get to use Safe, and nobody is obliged to use your code in a security-critical setting unless they want to.

(I could write a lot more, but I've written too much about this already today. Good night!)

Cheers,
Simon
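The module layout the two messages are talking about, as an added illustration that is not code from the thread or from reactive-banana: a library module that needs unsafePerformIO for observable sharing is marked Trustworthy behind a narrow export list, a Safe client imports it, and the FFI rule Simon mentions (IO result type required) is shown alongside. The module names Internal.Sharing and Client, and the package name sharing-lib, are hypothetical.

```haskell
-- File: Internal/Sharing.hs (hypothetical library module)
--
-- This module *does* use unsafePerformIO, so GHC would infer it as
-- Unsafe. The author declares it Trustworthy instead, taking on the
-- obligation that nothing exported from here can be used to break
-- the Safe Haskell guarantees (no way to leak the IORef/Unique
-- machinery, no exported function that behaves non-deterministically
-- in a way a Safe caller could exploit).
{-# LANGUAGE Trustworthy #-}
module Internal.Sharing
  ( Node        -- abstract: constructor is deliberately not exported
  , mkNode
  , sameNode
  , nodeLabel
  ) where

import Data.Unique       (Unique, newUnique)
import System.IO.Unsafe  (unsafePerformIO)   -- only importable because we are Trustworthy

-- A node carries a label plus a hidden identity used for observable sharing.
data Node = Node { nodeId :: Unique, nodeLabel :: String }

-- Mint a fresh identity for every syntactic use site. NOINLINE keeps GHC
-- from floating the unsafePerformIO call out and merging two uses that
-- happen to have the same label, which is exactly the behaviour
-- "observable sharing" relies on and the reason this cannot be Safe.
{-# NOINLINE mkNode #-}
mkNode :: String -> Node
mkNode lbl = unsafePerformIO $ do
  u <- newUnique
  return (Node u lbl)

-- Identity comparison; Unique has an Eq instance but no way to forge one,
-- so a client can observe sharing without being able to manufacture it.
sameNode :: Node -> Node -> Bool
sameNode a b = nodeId a == nodeId b


-- File: Client.hs (hypothetical downstream code)
--
-- Compiled with -XSafe, this module may import Safe and Trustworthy
-- modules only. Importing System.IO.Unsafe here would be a compile error
-- because that module is Unsafe; importing Internal.Sharing is fine
-- because its author declared it Trustworthy.
{-# LANGUAGE Safe #-}
{-# LANGUAGE ForeignFunctionInterface #-}
module Client (demo, c_sin) where

import Foreign.C.Types   (CDouble)
import Internal.Sharing  (Node, mkNode, sameNode, nodeLabel)

-- Safe Haskell accepts a foreign import whose result type is in IO ...
foreign import ccall "math.h sin" c_sin :: CDouble -> IO CDouble

-- ... and rejects one with a pure result type, because that is
-- unsafePerformIO in disguise. Uncommenting the next line makes
-- this Safe module fail to compile:
-- foreign import ccall "math.h sin" c_sin_pure :: CDouble -> CDouble

demo :: (Bool, Bool, [String])
demo =
  let a = mkNode "x"
      b = mkNode "x"     -- same label, different identity
  in ( sameNode a a      -- True
     , sameNode a b      -- False: sharing is observable, but only via sameNode
     , map nodeLabel [a, b]
     )
```

Whether the Trustworthy declaration is believed is the deployer's decision, not the library author's: building the client with `-fpackage-trust` makes GHC honour Trustworthy modules only from packages that have been marked trusted, with `ghc-pkg trust sharing-lib` or `-trust sharing-lib` on the command line, and `-distrust-all-packages` revokes that wholesale. That is the mechanism behind "nobody is obliged to use your code in a security-critical setting unless they want to".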