| sjanssen | i.e. if by saying --trust Z, I believe that Z has made good decisions about which packages to trust too |
| SamB_XP | where would you be saying --trust Z? |
| sjanssen | SamB_XP: Z doesn't have to trust X or Y, the SAFE pragma says that it believes 'z' is safe, unconditionally |
| SamB_XP | yeah. but what if you *don't* trust Z? |
| sjanssen | then you can't call 'z' |
| SamB_XP | even if you trust X and Y? |
| sjanssen | oh, another thing: z only calls functions that are marked as SAFE that probably shouldn't be allowed |
| SamB_XP | why not? |
| sjanssen | SAFE means that a function uses functions that are known to be unsafe (unsafePerformIO, etc.) but validates that their *local* use is safe. Imagine that ByteString adopted this system |
| SamB_XP | yeah. but, Z hasn't made a statement about whether it trusts X and Y... it does seem like it would make sense to at least warn about using SAFE where it adds no information |
| dcoutts | probably so |
| erider | good evening |
| SamB_XP | but I still think you should store some kind of boolean expression over package names... SAFE would then be flagged as useless if the calculated safety expression evaluates to true when the current package is trusted |
| dcoutts | sjanssen: SamB_XP: making it transitive seems to make some sense |
| SamB_XP | that sounds kinda confusing. |
| dcoutts | sjanssen: SamB_XP: so if we trust the package author to have marked things as safe correctly, then we probably trust their judgement about the safety of the functions they use from the other package |
| SamB_XP | what... if we decide that we don't trust the package author about safety? |
| dcoutts | SamB_XP: then just don't list it as trusted |
| bringert | joelr1: no user/pass yet |
| SamB_XP | but we do trust X and Y? |
| dcoutts | sjanssen: SamB_XP: so you had the example, package X uses functions marked safe from package Y. Suppose for a minute that X does not mark anything as safe, then the safety of functions in it depends on whether we think Y is kosher. |
| SamB_XP | yeah. |
| bringert | joelr1: RSS URL setting in darcs now, see /setting/hope |
| dcoutts | SamB_XP: now, if X marks things as safe and we don't trust Y then we can't use those functions from X. If we do trust X but not Y, then we can use those functions in X (but we still cannot use Y directly) |
| SamB_XP | so we have {-# SAFETY X.f :: Y #-} |
| bringert | joelr1: I probably won't have time to look at the edit issue today |
| SamB_XP | dcoutts: hmm? |
| dcoutts | SamB_XP: so by that reasoning, I don't think we need anything to be transitive. |
| joelr1 | bringert: woohoo! bringert: it's your nick for user and name for pass |
| dcoutts | SamB_XP: and it's then not so easy to say that something is marked safe redundantly, because it depends on the final context of what packages are deemed ok. |
| joelr1 | bringert: thanks! |
| SamB_XP | dcoutts: that sounds about right |
| shapr | gwahr! |
| dcoutts | SamB_XP: so I think it's quite simple then, we explicitly list the set of packages we trust, functions annotated safe from safe packages are then safe. The safety of everything else is determined simply by whether they call only safe functions. |
| SamB_XP | dcoutts: well, you don't keep the source around long enough to figure that out |