This package provides an executable,
stackage-update, which provides the same
cabal update (it updates your local package index). However,
instead of downloading the entire package index as a compressed tarball over
insecure HTTP, it uses
git to incrementally update your package list, and
downloads over secure HTTPS.
It has minimal Haskell library dependencies (all dependencies are shipped with
GHC itself) and only requires that the
git executable be available on the
PATH. It builds on top of the
cabal update, using
stackage-update gives the following advantages:
- Only downloads the deltas from the last time you updated your index, threby requiring significantly less bandwidth
- Downloads over a secure HTTPS connection instead of an insecure HTTP connection
- Note that the
all-cabal-filesrepo is also updated from Hackage over a secure HTTPS connection
Install from Hackage as usual with:
cabal update cabal install stackage-update
From then on, simply run
stackage-update instead of
This currently has no respect for customized remote-repos in your
~/.cabal/config file. It assumes you have a remote-repo named
hackage.haskell.org which should be populated from the all-cabal-files repo.
If you have some kind of custom setup, this tool won't work for you. The vast
majority of users tend to not modify their remote-repos, so
should work for most people most of the time.
GPG signature verification
Since version 0.1.1.0, stackage-update supports verifying the GPG signature. In
order to do so, you pass in the
--verify argument. You must first set up your
GPG keychain to trust the relevant key, such as with the following commands:
$ gpg --recv-key --keyserver keyserver.ubuntu.com D6CF60FD $ gpg --edit D6CF60FD gpg> trust Your decision? 3 gpg> quit
This is an example session, and not intended to be a guide to good GPG and cryptography practice. If you would like to verify this signing key properly via a web of trust, you can contact Michael Snoyman, who is already a signer for this key. The fingerprint is:
E595 AD42 14AF A6BB 1552 0B23 E40D 74D6 D6CF 60FD
Note: the GPG key may be updated in the future following standard key rotation policies. If you note that the key information listed here is out of date, please open an issue/send a pull request.
When run with the
--hashes command line argument, this tool instead downloads
repository, which contains additional information for verifying the accuracy of
a tarball. While
stackage-update does nothing with this extra information,
other tools (like stackage-install)
may do so.
You may be wondering why this tool is called
stackage-update, when in fact
the functionality is useful outside of the Stackage
project itself. The reason is that the naming
allows it to play nicely with the other Stackage command line tooling.
Concretely, that means that if you have stackage-cli installed, stackage-update
works as a plugin. However, you can certainly use
stackage-update on its own
without any other tooling or dependencies on the Stackage project.
- Detect modified remote-repos and warn the user
Data is stored as a git-repository at app-directory retrieved by getAppUserDataDirectory, so for Unix it is
$HOME/.stackage-update/all-cabal-files. This is convenient because you can
cd there and use regular git tools to see what's new.