Repository : ssh://darcs.haskell.org//srv/darcs/ghc

On branch  : master

http://hackage.haskell.org/trac/ghc/changeset/b78b6b3472511c7e39d5c91b0449a59e0f361dcf

>---------------------------------------------------------------

commit b78b6b3472511c7e39d5c91b0449a59e0f361dcf
Author: David Terei <[email protected]>
Date:   Fri Nov 9 16:33:36 2012 -0800

    add note about compilation safety to safe haskell docs

>---------------------------------------------------------------

 docs/users_guide/safe_haskell.xml |   52 +++++++++++++++++++++++++++++++++++++
 1 files changed, 52 insertions(+), 0 deletions(-)

diff --git a/docs/users_guide/safe_haskell.xml 
b/docs/users_guide/safe_haskell.xml
index dc07b89..8b777bb 100644
--- a/docs/users_guide/safe_haskell.xml
+++ b/docs/users_guide/safe_haskell.xml
@@ -44,6 +44,16 @@
   </itemizedlist>
   </para>
 
+  <para>
+  Safe Haskell, however, <emphasis>does not offer</emphasis> compilation
+  safety. During compilation time it is possible for arbitrary processes to be
+  launched, using for example the <link linkend="pre-processor">custom
+    pre-processor</link> flag. This can be manipulated to either compromise a
+  users system at compilation time, or to modify the source code just before
+  compilation to try to alter set Safe Haskell flags. This is discussed further
+  in section <xref linkend="safe-compilation"/>.
+  </para>
+
   <sect2 id="safe-use-cases">
     <title>Uses of Safe Haskell</title>
     <indexterm><primary>safe haskell uses</primary></indexterm>
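Review bot: two wording problems in the new paragraph. "compromise a users system" needs the possessive ("a user's system"), and "to try to alter set Safe Haskell flags" does not parse; suggest "to alter the Safe Haskell flags set in the source" or similar. Note also that the paragraph forward-references `<xref linkend="safe-compilation"/>`, a section id that only exists once the second hunk of this same patch is applied, so the two hunks must land together or the xref will not resolve.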
@@ -722,6 +732,48 @@
     </variablelist>
   </sect2>
 
+  <sect2 id="safe-compilation">
+    <title>Safe Compilation</title>
+    <indexterm><primary>safe compilation</primary></indexterm>
+
+    <para>
+    GHC includes a variety of flags that allow arbitrary processes to be run at
+    compilation time. One such example is the <link
+      linkend="pre-processor">custom pre-processor</link> flag. Another is the
+    ability of Template Haskell to execute Haskell code at compilation time,
+    including IO actions. Safe Haskell <emphasis>does not address this
+      danger</emphasis> (although, Template Haskell is a disallowed feature).
+    </para>
+
+    <para>
+    Due to this, it is suggested that when compiling untrusted source code that
+    has had no manual inspection done, the following precautions be taken:
+    <itemizedlist>
+      <listitem>Compile in a sandbox, such as a chroot or similar container
+        technology. Or simply as a user with very reduced system
+        access.</listitem>
+      <listitem>Compile untrusted code with the <option>-XSafe</option> flag
+        being specified on the command line. This will ensure that 
modifications
+        to the source being compiled can't disable the use of the Safe Language
+        as the command line flag takes precedence over a source level
+        pragma.</listitem>
+      <listitem>Ensure that all untrusted code is imported as a
+        <link linkend="safe-imports">safe import</link><emphasis> 
and</emphasis>
+        that the <link 
linkend="safe-package-trust"><option>-fpackage-trust</option></link>
+        flag is used with packages from untrusted sources being marked as
+        untrusted.</listitem>
+    </itemizedlist>
+    </para>
+
+    <para>
+    There is a more detailed discussion of the issues involved in compilation
+    safety and some potential solutions on the <ulink
+      
url="http://hackage.haskell.org/trac/ghc/wiki/SafeHaskell/SafeCompilation";>GHC
+      Wiki</ulink>.
+    </para>
+
+  </sect2>
+
 </sect1>
 
 <!-- Emacs stuff:
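Review bot: the second list item ("Compile untrusted code with the -XSafe flag ... This will ensure that modifications to the source being compiled can't disable the use of the Safe Language") should be scoped against the danger the section opens with. The first paragraph says the problem is arbitrary process execution at compile time via the custom pre-processor flag; a command-line -XSafe fixes which language the source is compiled under, but it does not stop a pre-processor from being launched, and Template Haskell is only kept out because Safe disallows it. Suggest saying so explicitly, so readers do not take -XSafe as a substitute for the sandbox in the first item, and consider making the sandbox item the primary recommendation rather than one of three peers. Smaller points: "(although, Template Haskell is a disallowed feature)" has a stray comma after "although"; "Due to this" reads better as "Because of this"; and the new `<listitem>`s hold bare text rather than `<para>` children, which the DocBook content model expects for list items, so wrap each item body in `<para>` as the surrounding text does.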



_______________________________________________
Cvs-ghc mailing list
[email protected]
http://www.haskell.org/mailman/listinfo/cvs-ghc
