Omari Norman | 1 Mar 18:48 2014

Safe Haskell design question - package trust

Safe Haskell has three levels of safety:

Safe - pure functions won't launch missiles.  Well, sort of.  They
might launch missiles if they apply functions from other Trustworthy
modules that do launch missiles, though one can use -fpackage-trust to
mitigate this issue.

Unsafe - pure functions might launch missiles, watch out.

Trustworthy - module author raises her hand and says "My pure
functions won't launch missiles, I promise."

I can use the package trust feature to say "only trust a Trustworthy
package if I say so."

My issue is this: why is there no easy way to trust *any* package, not
just packages that are Trustworthy? I should be able to say "I trust
this package." It is immaterial whether the package author has raised
her hand and said "my pure functions don't launch missiles" when I can
examine the code for myself and determine whether the code launches
missiles.  Indeed, if I use package trust, I need to either examine
the code or trust the author--the author's pledge isn't determinative.
I see what "Trustworthy" adds when you're not using package trust,
but it's just an informational flag if you are using package trust.
Despite this Safe Haskell will not recognize the trustworthiness of
packages that I have deliberately marked as trusted--merely because
the author has not made a pledge.

I ask because Safe Haskell has been around for over two years now yet
the time package, which ships with GHC, has modules that are unsafe.