Closed AlistairB closed 2 years ago
hasufell
commented
2 years ago Can directly tweak the GHC install in the future ie. control the BuildFlavor or whatever.
To control the build flavor you have to compile from source. And ghcup both supports compiling from source and setting the build flavor. So this point is a bit confusing.
hasufell
commented
2 years ago A bit more manual.
Again, you're missing from the Cons:
AlistairB
commented
2 years ago To control the build flavor you have to compile from source. And ghcup both supports compiling from source and setting the build flavor. So this point is a bit confusing.
My mistake, makes sense. I removed it.
can't quickly switch into container and install a different GHC/cabal, but instead have to meddle with multi stage docker builds (which are now oddly discouraged) or figure out how to download and install bindists manually
Multi-stage builds are discouraged for official docker images, but for not discouraged for general use. I do not see how this relates anyway. You don't need multi-stage to extend a docker image and add in more stuff.
I do not think installing multiple ghc / cabal in a container is a common use case. I think we will have to agree to disagree here.
hasufell
commented
2 years ago I do not think installing multiple ghc / cabal in a container is a common use case. I think we will have to agree to disagree here.
Sure, I think it's best if ghcup provides its own set of docker images.
AlistairB
commented
2 years ago @hasufell
Sorry, to be clear I still want @psftw to make the call here re: leaving ghcup in the image if we go for ghcup. I just don't see a point in us rehashing the same arguments in this PR.
Of course you are welcome to make your own docker images. I would still generally be in favor of a haskell:ghcup image if you are interested in creating a separate issue for that.
hasufell
commented
2 years ago Can use gpg to verify the GHC release (ghcup does not currently do this).
This isn't strictly true either. Here's an example:
FROM alpine:latest
# install deps needed by GHC
RUN apk add --no-cache \
curl \
gcc \
g++ \
coreutils \
binutils \
binutils-gold \
gmp \
ncurses \
libffi \
make \
xz \
tar \
perl \
gnupg
ARG GHCUP_VERSION=0.1.16.2
ARG GHCUP_METADATA_VER=0.0.6
ARG GPG_KEY=7784930957807690A66EBDBE3786C5262ECB4A3F
# install ghcup
RUN gpg --batch --keyserver keys.openpgp.org --recv-keys $GPG_KEY && \
curl -sSfL -O https://downloads.haskell.org/~ghcup/$GHCUP_VERSION/x86_64-linux-ghcup-$GHCUP_VERSION && \
curl -sSfL -O https://downloads.haskell.org/~ghcup/$GHCUP_VERSION/SHA256SUMS && \
curl -sSfL -O https://downloads.haskell.org/~ghcup/$GHCUP_VERSION/SHA256SUMS.sig && \
gpg --verify SHA256SUMS.sig SHA256SUMS && \
sha256sum -c --ignore-missing SHA256SUMS && \
mv x86_64-linux-ghcup-$GHCUP_VERSION /usr/bin/ghcup && \
chmod +x /usr/bin/ghcup && \
rm SHA256SUMS*
ENV GHCUP_INSTALL_BASE_PREFIX=/usr/local
ENV PATH=/usr/local/.ghcup/bin:$PATH
ENV GHCUP_METADATA_FILE=ghcup-${GHCUP_METADATA_VER}.yaml
ENV GHCUP_METADATA_URL=https://www.haskell.org/ghcup/data/$GHCUP_METADATA_FILE
RUN mkdir -p "$GHCUP_INSTALL_BASE_PREFIX"/.ghcup/cache && \
cd "$GHCUP_INSTALL_BASE_PREFIX"/.ghcup/cache && \
curl -sSfL $GHCUP_METADATA_URL > $GHCUP_METADATA_FILE && \
curl -sSfL $GHCUP_METADATA_URL.sig > $GHCUP_METADATA_FILE.sig && \
gpg --verify $GHCUP_METADATA_FILE.sig $GHCUP_METADATA_FILE && \
ghcup -s file://$(pwd)/$GHCUP_METADATA_FILE install ghc --set 8.10.7 && \
ghcup -s file://$(pwd)/$GHCUP_METADATA_FILE install cabal latest && \
ghcup -s file://$(pwd)/$GHCUP_METADATA_FILE install stack latestGPG support in ghcup has landed: https://gitlab.haskell.org/haskell/ghcup-hs/#gpg-verification
Can immediately update to new versions upon release. (Although to be fair ghcup is very prompt adding new releases)
It happens on release day.
AlistairB
commented
2 years ago I was thinking about waiting on this cabal issue for upgrading cabal to 3.6, but I think I will just go ahead and do it using option 2 from that issue. I'll make that change as well now.
AlistairB
commented
2 years ago Thanks @psftw . This should be good for a final review now.
Alternative fix for https://github.com/haskell/docker-haskell/issues/45 rather than using ghcup
I mostly just copied https://gitlab.b-data.ch/ghc/ghc4pandoc/-/blob/master/8.10.6.Dockerfile :sweat_smile:
Pros
Cons
GHC GPG key issues
I'm getting some issues with the GHC GPG key. https://gitlab.haskell.org/ghc/ghc/-/issues/20362 Should be pretty straight forward to add the key to keyserver.ubuntu.com which would resolve it.
Cabal
So I have left cabal install 3.4 with the current technique which will need to change. The cabal releases do not contain GPG signatures for the binary tar files. There is SHA256SUMS.sig which can be used to verify the SHA256SUMS, then you could use those sha256 hashes to verify the tar file?
Actually I'm struggling to find the GPG key I need to verify SHA256SUMS.sig . Regardless, I guess ideally gpg signature files are created for the cabal releases? I could ask on the cabal repo for this?
Anyway, I have created https://github.com/haskell/cabal/issues/7639 to get some feedback from Cabal on how best to do this.
Current Preference
Overall I think this is better than the ghcup based solution if we can get a nice solution to the cabal problem.