Some bumps for Haskell #11050

AlistairB · 2021-10-07T05:32:46Z

👋 The Haskell images have been a bit stuck on installing some dependencies via debian packaging, which seems to be dead at this point.

This includes changes to switch away from the debian packaging and directly install the haskell compiler and the cabal build tool. We are also now doing sha256 verification on top of the gpg verify step. With this done, it includes the missing version bumps as well.

I'm assuming each of these commits will be applied independently and the versions released? (or I might need multiple stacked PRs?)

cc @psftw

tianon · 2021-10-07T18:01:30Z

We'll only build/publish the end result -- if you want to backfill all three versions (temporarily), you'll need to include each as a separate entry within the library/haskell file (which can then be removed in a follow-up PR after they're built/pushed).

We now use a direct install approach for GHC and cabal-install. We used to use debian packaging, but that has more or less died. This left the images blocked on some old versions. This also includes those missing bumps. GHC: 8.10.5, 8.10.6, 8.10.7 cabal-install: 3.6.0.0

github-actions · 2021-10-07T20:26:06Z

Diff for 7790e99:

diff --git a/_bashbrew-cat b/_bashbrew-cat
index 4930452..cd07cb2 100644
--- a/_bashbrew-cat
+++ b/_bashbrew-cat
@@ -1,18 +1,34 @@
 Maintainers: Peter Salvatore <[email protected]> (@psftw), Herbert Valerio Riedel <[email protected]> (@hvr), Alistair Burrowes <[email protected]> (@AlistairB)
 GitRepo: https://github.com/haskell/docker-haskell
 
-Tags: 8.10.4-buster, 8.10-buster, 8-buster, 8.10.4, 8.10, 8
-GitCommit: d9bf04e3d561c3ccef4528bbe74d1c89552c6d35
+Tags: 8.10.5-buster, 8.10.5
+GitCommit: 47d2ca30933d9fa81bff1538c035008bb1c0c197
 Directory: 8.10/buster
 
-Tags: 8.10.4-stretch, 8.10-stretch, 8-stretch
-GitCommit: d9bf04e3d561c3ccef4528bbe74d1c89552c6d35
+Tags: 8.10.5-stretch
+GitCommit: 47d2ca30933d9fa81bff1538c035008bb1c0c197
+Directory: 8.10/stretch
+
+Tags: 8.10.6-buster, 8.10.6
+GitCommit: bc860ec5b664fdd12353a46017e407f10045e9b0
+Directory: 8.10/buster
+
+Tags: 8.10.6-stretch
+GitCommit: bc860ec5b664fdd12353a46017e407f10045e9b0
+Directory: 8.10/stretch
+
+Tags: 8.10.7-buster, 8.10-buster, 8-buster, 8.10.7, 8.10, 8
+GitCommit: 4181ccd382f72959ecb234204fd018b2c203c3fe
+Directory: 8.10/buster
+
+Tags: 8.10.7-stretch, 8.10-stretch, 8-stretch
+GitCommit: 4181ccd382f72959ecb234204fd018b2c203c3fe
 Directory: 8.10/stretch
 
 Tags: 9.0.1-buster, 9.0-buster, 9-buster, buster, 9.0.1, 9.0, 9, latest
-GitCommit: d9bf04e3d561c3ccef4528bbe74d1c89552c6d35
+GitCommit: 4181ccd382f72959ecb234204fd018b2c203c3fe
 Directory: 9.0/buster
 
 Tags: 9.0.1-stretch, 9.0-stretch, 9-stretch, stretch
-GitCommit: d9bf04e3d561c3ccef4528bbe74d1c89552c6d35
+GitCommit: 4181ccd382f72959ecb234204fd018b2c203c3fe
 Directory: 9.0/stretch
diff --git a/_bashbrew-list b/_bashbrew-list
index 1d4101d..b468ee8 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -4,9 +4,15 @@ haskell:8-stretch
 haskell:8.10
 haskell:8.10-buster
 haskell:8.10-stretch
-haskell:8.10.4
-haskell:8.10.4-buster
-haskell:8.10.4-stretch
+haskell:8.10.5
+haskell:8.10.5-buster
+haskell:8.10.5-stretch
+haskell:8.10.6
+haskell:8.10.6-buster
+haskell:8.10.6-stretch
+haskell:8.10.7
+haskell:8.10.7-buster
+haskell:8.10.7-stretch
 haskell:9
 haskell:9-buster
 haskell:9-stretch
diff --git a/haskell_8-stretch/Dockerfile b/haskell_8-stretch/Dockerfile
index 37a7d7b..5f83609 100644
--- a/haskell_8-stretch/Dockerfile
+++ b/haskell_8-stretch/Dockerfile
@@ -2,14 +2,19 @@ FROM debian:stretch
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
         dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +24,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
-ARG GHC=8.10.4
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian stretch main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
+ARG GHC=8.10.7
+ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=CED9870EA351AF64FB48274B81A664CDB6A9266775F1598A79CBB6FDD5770A23
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 588764FBE22D19C4 --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]
diff --git a/haskell_stretch/Dockerfile b/haskell_8.10.5-stretch/Dockerfile
similarity index 26%
copy from haskell_stretch/Dockerfile
copy to haskell_8.10.5-stretch/Dockerfile
index 892fc72..e1f6d2b 100644
--- a/haskell_stretch/Dockerfile
+++ b/haskell_8.10.5-stretch/Dockerfile
@@ -2,14 +2,19 @@ FROM debian:stretch
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
         dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +24,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
-ARG GHC=9.0.1
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian stretch main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
+ARG GHC=8.10.5
+ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=15E71325C3BDFE3804BE0F84C2FC5C913D811322D19B0F4D4CFF20F29CDD804D
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 588764FBE22D19C4 --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]
diff --git a/haskell_8/Dockerfile b/haskell_8.10.5/Dockerfile
similarity index 25%
copy from haskell_8/Dockerfile
copy to haskell_8.10.5/Dockerfile
index ddf001a..f8a0198 100644
--- a/haskell_8/Dockerfile
+++ b/haskell_8.10.5/Dockerfile
@@ -2,14 +2,18 @@ FROM debian:buster
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
-        dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +23,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
-ARG GHC=8.10.4
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian buster main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
+ARG GHC=8.10.5
+ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=BC623C20CA4C5C18E952071BA14AA0CFC5C94D34219BFFAA615F7B491F376787
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 588764FBE22D19C4 --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]
diff --git a/haskell_stretch/Dockerfile b/haskell_8.10.6-stretch/Dockerfile
similarity index 26%
copy from haskell_stretch/Dockerfile
copy to haskell_8.10.6-stretch/Dockerfile
index 892fc72..0681814 100644
--- a/haskell_stretch/Dockerfile
+++ b/haskell_8.10.6-stretch/Dockerfile
@@ -2,14 +2,19 @@ FROM debian:stretch
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
         dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +24,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
-ARG GHC=9.0.1
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian stretch main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
+ARG GHC=8.10.6
+ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=C14B631437EBC867F1FE1648579BC1DBE1A9B9AD31D7C801C3C77639523A83AE
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 588764FBE22D19C4 --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]
diff --git a/haskell_8/Dockerfile b/haskell_8.10.6/Dockerfile
similarity index 25%
copy from haskell_8/Dockerfile
copy to haskell_8.10.6/Dockerfile
index ddf001a..d61263f 100644
--- a/haskell_8/Dockerfile
+++ b/haskell_8.10.6/Dockerfile
@@ -2,14 +2,18 @@ FROM debian:buster
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
-        dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +23,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
-ARG GHC=8.10.4
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian buster main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
+ARG GHC=8.10.6
+ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=95BE925E310B8C419E1099D620A727A1CA2D8C918F33EB905A8221D7EB16467B
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 588764FBE22D19C4 --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]
diff --git a/haskell_8/Dockerfile b/haskell_8/Dockerfile
index ddf001a..fe359ce 100644
--- a/haskell_8/Dockerfile
+++ b/haskell_8/Dockerfile
@@ -2,14 +2,18 @@ FROM debian:buster
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
-        dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +23,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
-ARG GHC=8.10.4
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian buster main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
+ARG GHC=8.10.7
+ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=A13719BCA87A0D3AC0C7D4157A4E60887009A7F1A8DBE95C4759EC413E086D30
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 588764FBE22D19C4 --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]
diff --git a/haskell_latest/Dockerfile b/haskell_latest/Dockerfile
index 958c808..ab535be 100644
--- a/haskell_latest/Dockerfile
+++ b/haskell_latest/Dockerfile
@@ -2,14 +2,18 @@ FROM debian:buster
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
-        dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +23,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
+
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
 ARG GHC=9.0.1
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
-
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian buster main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+ARG GHC_RELEASE_KEY=FFEB7CE81E16A36B3E2DED6F2DE04D4E97DB64AD
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=C253E7EB62CC9DA6524C491C85EC8D3727C2CA6035A8653388E636AAA30A2A0F
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 2DE04D4E97DB64AD --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]
diff --git a/haskell_stretch/Dockerfile b/haskell_stretch/Dockerfile
index 892fc72..2e13b09 100644
--- a/haskell_stretch/Dockerfile
+++ b/haskell_stretch/Dockerfile
@@ -2,14 +2,19 @@ FROM debian:stretch
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
         dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +24,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
+
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
 ARG GHC=9.0.1
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
-
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian stretch main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+ARG GHC_RELEASE_KEY=FFEB7CE81E16A36B3E2DED6F2DE04D4E97DB64AD
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=4CA6252492F59FE589029FADCA4B6F922D6A9F0FF39D19A2BD9886FDE4E183D5
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 2DE04D4E97DB64AD --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]

AlistairB · 2021-10-07T20:32:28Z

@tianon Ah I see. I have added the versions to backfill as separate entries. Let me know if it looks ok thanks!

tianon · 2021-10-07T20:40:47Z

Looks good! As soon as the builds at https://doi-janky.infosiftr.net/job/multiarch/job/amd64/job/haskell/ finish, it should be safe to make a new PR dropping the backfilled versions. 👍

github-actions bot added the library/haskell label Oct 7, 2021

AlistairB force-pushed the haskell-new-versions branch from 036454d to adcaaaa Compare October 7, 2021 20:23

AlistairB force-pushed the haskell-new-versions branch from adcaaaa to 7790e99 Compare October 7, 2021 20:24

AlistairB mentioned this pull request Oct 7, 2021

Continually blocked on upstream packages haskell/docker-haskell#45

Closed

tianon merged commit 4ede2f8 into docker-library:master Oct 7, 2021

AlistairB mentioned this pull request Oct 8, 2021

Remove redundant haskell entries #11066

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Some bumps for Haskell #11050

Some bumps for Haskell #11050

AlistairB commented Oct 7, 2021 •

edited

Loading

tianon commented Oct 7, 2021

github-actions bot commented Oct 7, 2021

AlistairB commented Oct 7, 2021

tianon commented Oct 7, 2021

Some bumps for Haskell #11050

Some bumps for Haskell #11050

Conversation

AlistairB commented Oct 7, 2021 • edited Loading

tianon commented Oct 7, 2021

github-actions bot commented Oct 7, 2021

AlistairB commented Oct 7, 2021

tianon commented Oct 7, 2021

AlistairB commented Oct 7, 2021 •

edited

Loading