Commit b78b6b34 authored by dterei's avatar dterei

add note about compilation safety to safe haskell docs

parent c2b56985
......@@ -44,6 +44,16 @@
Safe Haskell, however, <emphasis>does not offer</emphasis> compilation
safety. During compilation time it is possible for arbitrary processes to be
launched, using for example the <link linkend="pre-processor">custom
pre-processor</link> flag. This can be manipulated to either compromise a
users system at compilation time, or to modify the source code just before
compilation to try to alter set Safe Haskell flags. This is discussed further
in section <xref linkend="safe-compilation"/>.
<sect2 id="safe-use-cases">
<title>Uses of Safe Haskell</title>
<indexterm><primary>safe haskell uses</primary></indexterm>
......@@ -722,6 +732,48 @@
<sect2 id="safe-compilation">
<title>Safe Compilation</title>
<indexterm><primary>safe compilation</primary></indexterm>
GHC includes a variety of flags that allow arbitrary processes to be run at
compilation time. One such example is the <link
linkend="pre-processor">custom pre-processor</link> flag. Another is the
ability of Template Haskell to execute Haskell code at compilation time,
including IO actions. Safe Haskell <emphasis>does not address this
danger</emphasis> (although, Template Haskell is a disallowed feature).
Due to this, it is suggested that when compiling untrusted source code that
has had no manual inspection done, the following precautions be taken:
<listitem>Compile in a sandbox, such as a chroot or similar container
technology. Or simply as a user with very reduced system
<listitem>Compile untrusted code with the <option>-XSafe</option> flag
being specified on the command line. This will ensure that modifications
to the source being compiled can't disable the use of the Safe Language
as the command line flag takes precedence over a source level
<listitem>Ensure that all untrusted code is imported as a
<link linkend="safe-imports">safe import</link><emphasis> and</emphasis>
that the <link linkend="safe-package-trust"><option>-fpackage-trust</option></link>
flag is used with packages from untrusted sources being marked as
There is a more detailed discussion of the issues involved in compilation
safety and some potential solutions on the <ulink
<!-- Emacs stuff:
Markdown is supported
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment