From f73d48bc91f7e611b943ca321d2b2f341d103089 Mon Sep 17 00:00:00 2001
From: Alistair Burrowes <alistair.burrowes@gmail.com>
Date: Sun, 12 Sep 2021 10:38:25 +1000
Subject: [PATCH 1/3] Install GHC directly + bumps

Bump ghc to 8.10.5. Bump cabal to 3.6.0.0.

Also sha256 verify GHC + stack and other minor clean up.
---
 .github/workflows/ci.yml |  4 +--
 8.10/buster/Dockerfile   | 73 +++++++++++++++++++++++++++-------------
 8.10/stretch/Dockerfile  | 72 +++++++++++++++++++++++++++------------
 9.0/buster/Dockerfile    | 73 +++++++++++++++++++++++++++-------------
 9.0/stretch/Dockerfile   | 72 +++++++++++++++++++++++++++------------
 5 files changed, 202 insertions(+), 92 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 29dc71b..1514f2a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,10 +13,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ghc: ['8.10.4', '9.0.1']
+        ghc: ['8.10.5', '9.0.1']
         deb: ['stretch', 'buster']
         include:
-          - ghc: '8.10.4'
+          - ghc: '8.10.5'
             ghc_minor: '8.10'
           - ghc: '9.0.1'
             ghc_minor: '9.0'
diff --git a/8.10/buster/Dockerfile b/8.10/buster/Dockerfile
index ddf001a..f8a0198 100644
--- a/8.10/buster/Dockerfile
+++ b/8.10/buster/Dockerfile
@@ -2,14 +2,18 @@ FROM debian:buster
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
-        dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +23,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
-ARG GHC=8.10.4
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian buster main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
+ARG GHC=8.10.5
+ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=BC623C20CA4C5C18E952071BA14AA0CFC5C94D34219BFFAA615F7B491F376787
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 588764FBE22D19C4 --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]
diff --git a/8.10/stretch/Dockerfile b/8.10/stretch/Dockerfile
index 37a7d7b..e1f6d2b 100644
--- a/8.10/stretch/Dockerfile
+++ b/8.10/stretch/Dockerfile
@@ -2,14 +2,19 @@ FROM debian:stretch
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
         dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +24,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
-ARG GHC=8.10.4
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian stretch main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
+ARG GHC=8.10.5
+ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=15E71325C3BDFE3804BE0F84C2FC5C913D811322D19B0F4D4CFF20F29CDD804D
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 588764FBE22D19C4 --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]
diff --git a/9.0/buster/Dockerfile b/9.0/buster/Dockerfile
index 958c808..ab535be 100644
--- a/9.0/buster/Dockerfile
+++ b/9.0/buster/Dockerfile
@@ -2,14 +2,18 @@ FROM debian:buster
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
-        dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +23,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
+
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
 ARG GHC=9.0.1
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
-
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian buster main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+ARG GHC_RELEASE_KEY=FFEB7CE81E16A36B3E2DED6F2DE04D4E97DB64AD
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=C253E7EB62CC9DA6524C491C85EC8D3727C2CA6035A8653388E636AAA30A2A0F
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb10-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 2DE04D4E97DB64AD --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]
diff --git a/9.0/stretch/Dockerfile b/9.0/stretch/Dockerfile
index 892fc72..2e13b09 100644
--- a/9.0/stretch/Dockerfile
+++ b/9.0/stretch/Dockerfile
@@ -2,14 +2,19 @@ FROM debian:stretch
 
 ENV LANG C.UTF-8
 
+# common haskell + stack dependencies
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
         ca-certificates \
         curl \
         dirmngr \
-        g++ \
         git \
+        gcc \
         gnupg \
+        g++ \
+        libc6-dev \
+        libffi-dev \
+        libgmp-dev \
         libsqlite3-dev \
         libtinfo-dev \
         make \
@@ -19,36 +24,59 @@ RUN apt-get update && \
         zlib1g-dev && \
     rm -rf /var/lib/apt/lists/*
 
+ARG CABAL_INSTALL=3.6.0.0
+ARG CABAL_INSTALL_RELEASE_KEY=A970DF3AC3B9709706D74544B3D9F94B8DCAE210
+# get from https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS
+ARG CABAL_INSTALL_RELEASE_SHA256=BFCB7350966DAFE95051B5FC9FCB989C5708AB9E78191E71FC04647061668A11
+
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
+    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${CABAL_INSTALL_RELEASE_KEY} && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS && \
+    curl -fSLO https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/SHA256SUMS.sig && \
+    gpg --batch --trusted-key B3D9F94B8DCAE210 --verify SHA256SUMS.sig SHA256SUMS && \
+    curl -fSL https://downloads.haskell.org/~cabal/cabal-install-$CABAL_INSTALL/cabal-install-$CABAL_INSTALL-x86_64-linux.tar.xz -o cabal-install.tar.gz && \
+    echo "$CABAL_INSTALL_RELEASE_SHA256 cabal-install.tar.gz" | sha256sum --strict --check && \
+    tar -xf cabal-install.tar.gz -C /usr/local/bin && \
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
+
 ARG GHC=9.0.1
-ARG DEBIAN_KEY=427CB69AAC9D00F2A43CAF1CBA3CBA3FFE22B574
-ARG CABAL_INSTALL=3.4
-
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${DEBIAN_KEY} && \
-    gpg --batch --armor --export ${DEBIAN_KEY} > /etc/apt/trusted.gpg.d/haskell.org.gpg.asc && \
-    gpgconf --kill all && \
-    echo 'deb http://downloads.haskell.org/debian stretch main' > /etc/apt/sources.list.d/ghc.list && \
-    apt-get update && \
-    apt-get install -y --no-install-recommends \
-        cabal-install-${CABAL_INSTALL} \
-        ghc-${GHC} && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/*
+ARG GHC_RELEASE_KEY=FFEB7CE81E16A36B3E2DED6F2DE04D4E97DB64AD
+# get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
+ARG GHC_RELEASE_SHA256=4CA6252492F59FE589029FADCA4B6F922D6A9F0FF39D19A2BD9886FDE4E183D5
+
+RUN cd /tmp && \
+  export GNUPGHOME="$(mktemp -d)" && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz -o ghc.tar.xz && \
+  curl -sSL https://downloads.haskell.org/~ghc/$GHC/ghc-$GHC-x86_64-deb9-linux.tar.xz.sig -o ghc.tar.xz.sig && \
+  gpg --batch --keyserver keyserver.ubuntu.com --receive-keys ${GHC_RELEASE_KEY} && \
+  gpg --batch --trusted-key 2DE04D4E97DB64AD --verify ghc.tar.xz.sig ghc.tar.xz && \
+  echo "$GHC_RELEASE_SHA256 ghc.tar.xz" | sha256sum --strict --check && \
+  tar xf ghc.tar.xz && \
+  cd ghc-$GHC && \
+  ./configure --prefix /opt/ghc/$GHC && \
+  make install && \
+  find /opt/ghc/$GHC/ \( -name "*_p.a" -o -name "*.p_hi" \) -type f -delete && \
+  rm -rf /opt/ghc/$GHC/share/ && \
+  rm -rf "$GNUPGHOME" /tmp/*
 
 ARG STACK=2.7.3
-ARG STACK_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
-ARG STACK_RELEASE_KEY=2C6A674E85EE3FB896AFC9B965101FF31C5C154D
+ARG STACK_RELEASE_KEY=C5705533DA4F78D8664B5DC0575159689BEFB442
+# get from https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.sha256
+ARG STACK_RELEASE_SHA256=A6C090555FA1C64AA61C29AA4449765A51D79E870CF759CDE192937CD614E72B
 
-RUN export GNUPGHOME="$(mktemp -d)" && \
-    gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_KEY} && \
+RUN cd /tmp && \
+    export GNUPGHOME="$(mktemp -d)" && \
     gpg --batch --keyserver keyserver.ubuntu.com --recv-keys ${STACK_RELEASE_KEY} && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz -o stack.tar.gz && \
     curl -fSL https://github.com/commercialhaskell/stack/releases/download/v${STACK}/stack-${STACK}-linux-x86_64.tar.gz.asc -o stack.tar.gz.asc && \
-    gpg --batch --trusted-key 0x575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
-    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 && \
+    gpg --batch --trusted-key 575159689BEFB442 --verify stack.tar.gz.asc stack.tar.gz && \
+    echo "$STACK_RELEASE_SHA256 stack.tar.gz" | sha256sum --strict --check && \
+    tar -xf stack.tar.gz -C /usr/local/bin --strip-components=1 stack-$STACK-linux-x86_64/stack && \
     /usr/local/bin/stack config set system-ghc --global true && \
     /usr/local/bin/stack config set install-ghc --global false && \
-    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /stack.tar.gz.asc /stack.tar.gz
+    rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/cabal/${CABAL_INSTALL}/bin:/opt/ghc/${GHC}/bin:$PATH
+ENV PATH /root/.cabal/bin:/root/.local/bin:/opt/ghc/${GHC}/bin:$PATH
 
 CMD ["ghci"]

From 7fc8a7a585dba812046c1b2481fc106c1d640a2e Mon Sep 17 00:00:00 2001
From: Alistair Burrowes <alistair.burrowes@gmail.com>
Date: Wed, 6 Oct 2021 15:59:36 +1100
Subject: [PATCH 2/3] Bump ghc to 8.10.6

---
 .github/workflows/ci.yml | 4 ++--
 8.10/buster/Dockerfile   | 4 ++--
 8.10/stretch/Dockerfile  | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1514f2a..28796d4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,10 +13,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ghc: ['8.10.5', '9.0.1']
+        ghc: ['8.10.6', '9.0.1']
         deb: ['stretch', 'buster']
         include:
-          - ghc: '8.10.5'
+          - ghc: '8.10.6'
             ghc_minor: '8.10'
           - ghc: '9.0.1'
             ghc_minor: '9.0'
diff --git a/8.10/buster/Dockerfile b/8.10/buster/Dockerfile
index f8a0198..d61263f 100644
--- a/8.10/buster/Dockerfile
+++ b/8.10/buster/Dockerfile
@@ -39,10 +39,10 @@ RUN cd /tmp && \
     tar -xf cabal-install.tar.gz -C /usr/local/bin && \
     rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ARG GHC=8.10.5
+ARG GHC=8.10.6
 ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
 # get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
-ARG GHC_RELEASE_SHA256=BC623C20CA4C5C18E952071BA14AA0CFC5C94D34219BFFAA615F7B491F376787
+ARG GHC_RELEASE_SHA256=95BE925E310B8C419E1099D620A727A1CA2D8C918F33EB905A8221D7EB16467B
 
 RUN cd /tmp && \
   export GNUPGHOME="$(mktemp -d)" && \
diff --git a/8.10/stretch/Dockerfile b/8.10/stretch/Dockerfile
index e1f6d2b..0681814 100644
--- a/8.10/stretch/Dockerfile
+++ b/8.10/stretch/Dockerfile
@@ -40,10 +40,10 @@ RUN cd /tmp && \
     tar -xf cabal-install.tar.gz -C /usr/local/bin && \
     rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ARG GHC=8.10.5
+ARG GHC=8.10.6
 ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
 # get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
-ARG GHC_RELEASE_SHA256=15E71325C3BDFE3804BE0F84C2FC5C913D811322D19B0F4D4CFF20F29CDD804D
+ARG GHC_RELEASE_SHA256=C14B631437EBC867F1FE1648579BC1DBE1A9B9AD31D7C801C3C77639523A83AE
 
 RUN cd /tmp && \
   export GNUPGHOME="$(mktemp -d)" && \

From 74db531da13febbc7fb626f32e7f6d0fcb828bf4 Mon Sep 17 00:00:00 2001
From: Alistair Burrowes <alistair.burrowes@gmail.com>
Date: Wed, 6 Oct 2021 16:02:55 +1100
Subject: [PATCH 3/3] Bump ghc to 8.10.7

---
 .github/workflows/ci.yml | 4 ++--
 8.10/buster/Dockerfile   | 4 ++--
 8.10/stretch/Dockerfile  | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 28796d4..79db96a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,10 +13,10 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        ghc: ['8.10.6', '9.0.1']
+        ghc: ['8.10.7', '9.0.1']
         deb: ['stretch', 'buster']
         include:
-          - ghc: '8.10.6'
+          - ghc: '8.10.7'
             ghc_minor: '8.10'
           - ghc: '9.0.1'
             ghc_minor: '9.0'
diff --git a/8.10/buster/Dockerfile b/8.10/buster/Dockerfile
index d61263f..fe359ce 100644
--- a/8.10/buster/Dockerfile
+++ b/8.10/buster/Dockerfile
@@ -39,10 +39,10 @@ RUN cd /tmp && \
     tar -xf cabal-install.tar.gz -C /usr/local/bin && \
     rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ARG GHC=8.10.6
+ARG GHC=8.10.7
 ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
 # get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
-ARG GHC_RELEASE_SHA256=95BE925E310B8C419E1099D620A727A1CA2D8C918F33EB905A8221D7EB16467B
+ARG GHC_RELEASE_SHA256=A13719BCA87A0D3AC0C7D4157A4E60887009A7F1A8DBE95C4759EC413E086D30
 
 RUN cd /tmp && \
   export GNUPGHOME="$(mktemp -d)" && \
diff --git a/8.10/stretch/Dockerfile b/8.10/stretch/Dockerfile
index 0681814..5f83609 100644
--- a/8.10/stretch/Dockerfile
+++ b/8.10/stretch/Dockerfile
@@ -40,10 +40,10 @@ RUN cd /tmp && \
     tar -xf cabal-install.tar.gz -C /usr/local/bin && \
     rm -rf "$GNUPGHOME" /var/lib/apt/lists/* /tmp/*
 
-ARG GHC=8.10.6
+ARG GHC=8.10.7
 ARG GHC_RELEASE_KEY=88B57FCF7DB53B4DB3BFA4B1588764FBE22D19C4
 # get from https://downloads.haskell.org/~ghc/$GHC/SHA256SUMS
-ARG GHC_RELEASE_SHA256=C14B631437EBC867F1FE1648579BC1DBE1A9B9AD31D7C801C3C77639523A83AE
+ARG GHC_RELEASE_SHA256=CED9870EA351AF64FB48274B81A664CDB6A9266775F1598A79CBB6FDD5770A23
 
 RUN cd /tmp && \
   export GNUPGHOME="$(mktemp -d)" && \