From aad1865ae54ddcfc91eb1788b42952f20f6844be Mon Sep 17 00:00:00 2001 From: Mike Pilgrem Date: Sun, 1 Mar 2026 16:00:32 +0000 Subject: [PATCH 1/2] Re #6753 Use tls versions that reduce dependency on unmaintained packages --- CONTRIBUTING.md | 3 ++- cabal.config | 26 +++++++++++------- stack.cabal | 2 +- stack.yaml | 18 +++++++++++++ stack.yaml.lock | 70 +++++++++++++++++++++++++++++++++++++++++++++++++ 5 files changed, 107 insertions(+), 12 deletions(-) diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md index 2b6c3147df..6cc43e2e90 100644 --- a/CONTRIBUTING.md +++ b/CONTRIBUTING.md @@ -354,7 +354,8 @@ not aim to be compatible with more than one version of the `Cabal` package at any time. At the time of writing (January 2026) the package versions are primarily ones in Stackage snapshot LTS Haskell 24.24 (for GHC 9.10.3), the latest version of `Cabal` released on Hackage (`Cabal-3.16.0.0`), -`pantry-0.11.2`, and `persistent-2.18.0.0`. +`pantry-0.11.2`, `persistent-2.18.0.0` and the latest version of packages in +the `tls` family (which reduce dependencies on unmaintained packages). A Stack executable makes use of Cabal (the library) through a small 'Setup' executable that it compiles from Haskell source code. The executable compiles diff --git a/cabal.config b/cabal.config index bc73024f38..ac763c0758 100644 --- a/cabal.config +++ b/cabal.config @@ -14,9 +14,6 @@ constraints: , ansi-terminal-types ==1.1.3 , appar ==0.1.8 , array ==0.5.8.0 - , asn1-encoding ==0.9.6 - , asn1-parse ==0.9.5 - , asn1-types ==0.3.4 , assoc ==1.1.1 , async ==2.2.5 , atomic-counter ==0.1.2.4 @@ -25,7 +22,9 @@ constraints: , auto-update ==0.2.6 , base ==4.20.2.0 , base-orphans ==0.9.3 + , base16 ==1.0 , base16-bytestring ==1.0.2.0 + , base64 ==1.0 , base64-bytestring ==1.2.1.0 , basement ==0.0.16 , bifunctors ==5.6.2 
@@ -55,13 +54,17 @@ constraints: , cookie ==0.5.1 , cryptohash-sha256 ==0.11.102.1 , crypton ==1.0.4 + , crypton-asn1-encoding ==0.10.0 + , crypton-asn1-parse ==0.10.0 + , crypton-asn1-types ==0.4.1 , crypton-conduit ==0.2.3 , crypton-connection ==0.4.5 + , crypton-pem ==0.3.0 , crypton-socks ==0.6.2 - , crypton-x509 ==1.7.7 - , crypton-x509-store ==1.6.12 - , crypton-x509-system ==1.6.7 - , crypton-x509-validation ==1.6.14 + , crypton-x509 ==1.8.0 + , crypton-x509-store ==1.8.0 + , crypton-x509-system ==1.8.0 + , crypton-x509-validation ==1.8.0 , data-default ==0.8.0.1 , data-default-class ==0.2.0.0 , data-fix ==0.3.4 @@ -72,6 +75,7 @@ constraints: , distributive ==0.6.2.1 , dlist ==1.0 , easy-file ==0.2.5 + , ech-config ==0.0.1 , echo ==0.1.4 , ed25519 ==0.0.5.0 , exceptions ==0.10.9 @@ -99,9 +103,9 @@ constraints: , haskell-src-exts ==1.23.1 , haskell-src-meta ==0.8.15 , hi-file-parser ==0.1.8.0 - , hourglass ==0.2.12 , hpack ==0.39.1 , hpc ==0.7.0.2 + , hpke ==0.0.0 , http-api-data ==0.6.2 , http-client ==0.7.19 , http-client-tls ==0.3.6.4 @@ -135,6 +139,7 @@ constraints: , mustache ==2.4.3.1 , neat-interpolation ==0.5.1.4 , network ==3.2.8.0 + , network-byte-order ==0.1.7 , network-uri ==2.6.4.2 , old-locale ==1.0.0.7 , old-time ==1.1.0.4 @@ -148,7 +153,6 @@ constraints: , path ==0.9.6 , path-io ==1.8.2 , path-pieces ==0.2.1 - , pem ==0.2.4 , persistent ==2.18.0.0 , persistent-sqlite ==2.13.3.1 , persistent-template ==2.12.0.0 @@ -170,6 +174,7 @@ constraints: , safe ==0.3.21 , safe-exceptions ==0.1.7.4 , scientific ==0.3.8.0 + , semaphore-compat ==1.0.0 , semialign ==1.3.1 , semigroupoids ==6.0.1 , serialise ==0.2.6.1 @@ -205,7 +210,8 @@ constraints: , these ==1.2.1 , time ==1.12.2 , time-compat ==1.9.8 - , tls ==2.1.8 + , time-hourglass ==0.3.0 + , tls ==2.2.2 , transformers ==0.6.1.1 , transformers-base ==0.4.6 , transformers-compat ==0.7.2 diff --git a/stack.cabal b/stack.cabal index 58e9c912c0..d6671e9a9d 100644 --- a/stack.cabal +++ b/stack.cabal 
@@ -1,6 +1,6 @@ cabal-version: 2.2 --- This file has been generated from package.yaml by hpack version 0.38.1. +-- This file has been generated from package.yaml by hpack version 0.39.1. -- -- see: https://github.com/sol/hpack diff --git a/stack.yaml b/stack.yaml index e70fd9b25b..038d95d7af 100644 --- a/stack.yaml +++ b/stack.yaml 
@@ -4,12 +4,30 @@ extra-deps: # lts-24.24 specifies Cabal-3.12.1.0 - Cabal-3.16.0.0@sha256:9972c2bd263168a20bd990962a68d4fd024f50c30a00519a6b942e8871d1bd67,14455 - Cabal-syntax-3.16.0.0@sha256:6a35036763557301876c5b7a448de4f1cb54fe1e223ff6c4c0c1fdd6df635a65,7509 +# lts-24.24 does not include crypton-asn1-* +- crypton-asn1-encoding-0.10.0@sha256:45494a1723a047a815d0d620481c1028dca28a4ea5cf2554868687da90753961,2497 +- crypton-asn1-parse-0.10.0@sha256:4a2cfc4980957d1a279ef69137ee5f665c247ccd8bb962812d5b071d543893fb,1359 +- crypton-asn1-types-0.4.1@sha256:02f3ec473011b3da92f7bf738bea19cadf88a6470b25a6cb5042216c7549c912,1326 +# lts-24.24 specifies crypton-connection-0.4.5 (before revision) +- crypton-connection-0.4.5@sha256:521d61fd6b0e528fd1c534475700ca3a60618b6d4b5bc798c7ab3d161b0aae11,1575 +# lts-24.24 specifies crypton-x509-1.7.7 +- crypton-x509-1.8.0@sha256:d4822ba8dcb19ee3233fc98152f5afda383ac952770a1d07f1d01168e9fcdbc2,2006 +# lts-24.24 specifies crypton-x509-store-1.6.12 +- crypton-x509-store-1.8.0@sha256:075ba50a3daa0fdbb493481a665926e1ced2135c6b4ed56f97398aa855f0aecb,1674 +# lts-24.24 specifies crypton-x509-system-1.6.7 +- crypton-x509-system-1.8.0 +# lts-24.24 specifies crypton-x509-validation-1.6.14 +- crypton-x509-validation-1.8.0@sha256:63acb2df06f28c3ffdddaf6d9402105b9026796036aa10d7347ae4f7db51c36b,2018 # lts-24.24 specifies hpack-0.38.3 - hpack-0.39.1@sha256:d7378debd96e805760540e3640aeda3a1ebee1d000dac99726ed55c827c81a94,5229 # lts-24.24 specifies pantry-0.10.1 - pantry-0.11.2@sha256:bc14e75f512deb22e0d9d645e62eb63b319d1732bfed6509491601215ecbd307,7896 # lts-24.24 specifies persistent-2.17.1.0 - persistent-2.18.0.0@sha256:baa3e0959cf10bbd1da462efeb61d4f073d0cc924a149325494ba5ce29bc17a4,7096 +# lts-24.24 does not include time-hourglass +- time-hourglass-0.3.0@sha256:ee02356fe24919ec43ae17fc0007398c2fd0bbe822833b2d7a9c849537b90580,3114 +# lts-24.24 specifies tls-2.1.8 +- 
tls-2.2.2@sha256:95f5acd4ce76cbd6bdc46b737370dcbd93c59cf1cd1934a30e55c61c1dc140e9,7283 docker: enable: false diff --git a/stack.yaml.lock b/stack.yaml.lock index 02abb3fef1..1979ca1c32 100644 --- a/stack.yaml.lock +++ b/stack.yaml.lock 
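Review bot: The comment `# lts-24.24 specifies crypton-connection-0.4.5 (before revision)` does not say which side carries the Hackage revision (the snapshot, or the hash pinned on the next line), nor why the two must differ. This entry keeps the package version and changes only the cabal-file hash, so that reason is the entire content of the override and should be recorded. Something like `# lts-24.24 specifies an earlier Hackage revision of crypton-connection-0.4.5; this revision is pinned because <reason>` would do, with the direction corrected if it is the other way round. Without it, a later maintainer cannot tell when the pin can be dropped, or whether a version bound inside the TLS dependency chain was overridden on purpose.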
@@ -18,6 +18,62 @@ packages: size: 11238 original: hackage: Cabal-syntax-3.16.0.0@sha256:6a35036763557301876c5b7a448de4f1cb54fe1e223ff6c4c0c1fdd6df635a65,7509 +- completed: + hackage: crypton-asn1-encoding-0.10.0@sha256:45494a1723a047a815d0d620481c1028dca28a4ea5cf2554868687da90753961,2497 + pantry-tree: + sha256: c2ff6c426e6910075a971ee2801d200c8dc0f88cfcb8619534097902e6e655a8 + size: 1011 + original: + hackage: crypton-asn1-encoding-0.10.0@sha256:45494a1723a047a815d0d620481c1028dca28a4ea5cf2554868687da90753961,2497 +- completed: + hackage: crypton-asn1-parse-0.10.0@sha256:4a2cfc4980957d1a279ef69137ee5f665c247ccd8bb962812d5b071d543893fb,1359 + pantry-tree: + sha256: c78bd2c09da1390c124cff07844ddb99778a8cff82df98c5d53b52adb04dfef9 + size: 326 + original: + hackage: crypton-asn1-parse-0.10.0@sha256:4a2cfc4980957d1a279ef69137ee5f665c247ccd8bb962812d5b071d543893fb,1359 +- completed: + hackage: crypton-asn1-types-0.4.1@sha256:02f3ec473011b3da92f7bf738bea19cadf88a6470b25a6cb5042216c7549c912,1326 + pantry-tree: + sha256: 03e810ce724980eacfd49ed816d769ae74769f3941d8cc3c9067de4a896eedf2 + size: 722 + original: + hackage: crypton-asn1-types-0.4.1@sha256:02f3ec473011b3da92f7bf738bea19cadf88a6470b25a6cb5042216c7549c912,1326 +- completed: + hackage: crypton-connection-0.4.5@sha256:521d61fd6b0e528fd1c534475700ca3a60618b6d4b5bc798c7ab3d161b0aae11,1575 + pantry-tree: + sha256: f15579ede43437fc33a1425115e7001a95a5706f71e07525d88211e9e1a42d13 + size: 464 + original: + hackage: crypton-connection-0.4.5@sha256:521d61fd6b0e528fd1c534475700ca3a60618b6d4b5bc798c7ab3d161b0aae11,1575 +- completed: + hackage: crypton-x509-1.8.0@sha256:d4822ba8dcb19ee3233fc98152f5afda383ac952770a1d07f1d01168e9fcdbc2,2006 + pantry-tree: + sha256: 882a699e305fffcb77dd40bd40f959f062a8997a53560dca64462087aed3e4cd + size: 1132 + original: + hackage: crypton-x509-1.8.0@sha256:d4822ba8dcb19ee3233fc98152f5afda383ac952770a1d07f1d01168e9fcdbc2,2006 +- completed: + hackage: 
crypton-x509-store-1.8.0@sha256:075ba50a3daa0fdbb493481a665926e1ced2135c6b4ed56f97398aa855f0aecb,1674 + pantry-tree: + sha256: 2c7e00e593d399624264172cbd5e2fa55feaf8239cf33bee7e33bbc7509d0a2e + size: 458 + original: + hackage: crypton-x509-store-1.8.0@sha256:075ba50a3daa0fdbb493481a665926e1ced2135c6b4ed56f97398aa855f0aecb,1674 +- completed: + hackage: crypton-x509-system-1.8.0@sha256:76bab32c7d9cb3ea356a905f85829c70967fb6f9b4b890f00d67dc54130d45ca,1521 + pantry-tree: + sha256: 9ac33c993a82ac4da84804028c5398caec7aada7a83beeec3f28883fe470d68f + size: 512 + original: + hackage: crypton-x509-system-1.8.0 +- completed: + hackage: crypton-x509-validation-1.8.0@sha256:63acb2df06f28c3ffdddaf6d9402105b9026796036aa10d7347ae4f7db51c36b,2018 + pantry-tree: + sha256: 64baf1be6e65ade9ad8eaef819c9cc4c0fcb7d3b968641dcf28a3f859fe87dc5 + size: 691 + original: + hackage: crypton-x509-validation-1.8.0@sha256:63acb2df06f28c3ffdddaf6d9402105b9026796036aa10d7347ae4f7db51c36b,2018 - completed: hackage: hpack-0.39.1@sha256:d7378debd96e805760540e3640aeda3a1ebee1d000dac99726ed55c827c81a94,5229 pantry-tree: 
@@ -39,6 +95,20 @@ packages: size: 7184 original: hackage: persistent-2.18.0.0@sha256:baa3e0959cf10bbd1da462efeb61d4f073d0cc924a149325494ba5ce29bc17a4,7096 +- completed: + hackage: time-hourglass-0.3.0@sha256:ee02356fe24919ec43ae17fc0007398c2fd0bbe822833b2d7a9c849537b90580,3114 + pantry-tree: + sha256: 7d6acc1a643fe8692d1858c96cc04a417b8da53e53b6bdba6fe0ce6aa6aba774 + size: 1594 + original: + hackage: time-hourglass-0.3.0@sha256:ee02356fe24919ec43ae17fc0007398c2fd0bbe822833b2d7a9c849537b90580,3114 +- completed: + hackage: tls-2.2.2@sha256:95f5acd4ce76cbd6bdc46b737370dcbd93c59cf1cd1934a30e55c61c1dc140e9,7283 + pantry-tree: + sha256: 6ddac1e644efe75dbf62bbd35fa38897caca307d62bac538ae29b0c54bf6ff00 + size: 7056 + original: + hackage: tls-2.2.2@sha256:95f5acd4ce76cbd6bdc46b737370dcbd93c59cf1cd1934a30e55c61c1dc140e9,7283 snapshots: - completed: sha256: 4bc8e0388916c4000645c068dff642482d6ed1b68b747c2d4d444857979963e0 From e869263cbd84a9e59ce1fa467e82993c8e7fb1dd Mon Sep 17 00:00:00 2001 From: Mike Pilgrem Date: Wed, 4 Mar 2026 00:10:00 +0000 Subject: [PATCH 2/2] Add Nix's cacert package to Stack's Nix integration --- ChangeLog.md | 3 +++ doc/topics/nix_integration.md | 5 +++-- src/Stack/Nix.hs | 4 +++- stack.yaml | 2 +- stack.yaml.lock | 2 +- 5 files changed, 11 insertions(+), 5 deletions(-) diff --git a/ChangeLog.md b/ChangeLog.md index fab94bed08..6257019cac 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -10,6 +10,9 @@ Major changes: Behavior changes: +* Stack's default Nix integration now includes the `cacert` Nix package, in + order to support Stack's use of `crypton-x509-system >= 1.6.8`. + Other enhancements: * Experimental: Add flag `--[no-]semaphore` (default: disabled) to Stack's diff --git a/doc/topics/nix_integration.md b/doc/topics/nix_integration.md index 3726391a21..7d822529d1 100644 --- a/doc/topics/nix_integration.md +++ b/doc/topics/nix_integration.md 
@@ -37,8 +37,9 @@ environment: 1. provide a list of [Nix packages][nix-search-packages]. To these, Stack will add Nix packages for the GHC compiler, `git` (the distributed version control - system), `gcc` (the GNU compiler collection) and `gmp` (the GNU multiple - precision arithmetic library); and + system), `gcc` (the GNU compiler collection), `gmp` (the GNU multiple + precision arithmetic library) and `cacert` (a bundle of X.509 certificates of + public Certificate Authorities); and 2. provide a `shell.nix` file that gives you more control over the libraries and tools available inside the shell. diff --git a/src/Stack/Nix.hs b/src/Stack/Nix.hs index d25d678a19..0387706ef5 100644 --- a/src/Stack/Nix.hs +++ b/src/Stack/Nix.hs @@ -80,7 +80,9 @@ runShellAndExit = do ghc <- either throwIO pure $ nixCompiler compilerVersion ghcVersion <- either throwIO pure $ nixCompilerVersion compilerVersion let pkgsInConfig = config.nix.packages - pkgs = pkgsInConfig ++ [ghc, "git", "gcc", "gmp"] + -- It appears that cacert needs to be specified in order for + -- crypton-x509-system >= 1.6.8 to work with Stack's Nix integration: + pkgs = pkgsInConfig ++ [ghc, "git", "gcc", "gmp", "cacert"] pkgsStr = "[" <> T.intercalate " " pkgs <> "]" pureShell = config.nix.pureShell addGCRoots = config.nix.addGCRoots diff --git a/stack.yaml b/stack.yaml index 038d95d7af..9f5ad519fb 100644 --- a/stack.yaml +++ b/stack.yaml @@ -15,7 +15,7 @@ extra-deps: # lts-24.24 specifies crypton-x509-store-1.6.12 - crypton-x509-store-1.8.0@sha256:075ba50a3daa0fdbb493481a665926e1ced2135c6b4ed56f97398aa855f0aecb,1674 # lts-24.24 specifies crypton-x509-system-1.6.7 -- crypton-x509-system-1.8.0 +- crypton-x509-system-1.8.0@sha256:76bab32c7d9cb3ea356a905f85829c70967fb6f9b4b890f00d67dc54130d45ca,1521 # lts-24.24 specifies crypton-x509-validation-1.6.14 - crypton-x509-validation-1.8.0@sha256:63acb2df06f28c3ffdddaf6d9402105b9026796036aa10d7347ae4f7db51c36b,2018 # lts-24.24 specifies hpack-0.38.3 
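Review bot: The new comment above `pkgs` says only "It appears that cacert needs to be specified", which leaves both the mechanism and the trust consequence undocumented. With this change, certificate validation inside the Stack-built Nix shell presumably relies on the nixpkgs `cacert` bundle rather than on whatever the host provides, which matters to anyone who depends on a locally managed CA set. Once confirmed, I would state that directly, e.g. `-- crypton-x509-system >= 1.6.8 needs a CA bundle visible inside the Nix shell; cacert supplies the one used for TLS certificate validation.` The package is only appended to `config.nix.packages`, so a project that supplies its own `shell.nix` (the second option in doc/topics/nix_integration.md) likely has to add `cacert` itself, and the docs hunk does not say so. `runShellAndExit` continues outside the hunk, so how `pkgs` is used on the `shell.nix` path is not visible here.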
diff --git a/stack.yaml.lock b/stack.yaml.lock index 1979ca1c32..d40f5d4603 100644 --- a/stack.yaml.lock +++ b/stack.yaml.lock @@ -66,7 +66,7 @@ packages: sha256: 9ac33c993a82ac4da84804028c5398caec7aada7a83beeec3f28883fe470d68f size: 512 original: - hackage: crypton-x509-system-1.8.0 + hackage: crypton-x509-system-1.8.0@sha256:76bab32c7d9cb3ea356a905f85829c70967fb6f9b4b890f00d67dc54130d45ca,1521 - completed: hackage: crypton-x509-validation-1.8.0@sha256:63acb2df06f28c3ffdddaf6d9402105b9026796036aa10d7347ae4f7db51c36b,2018 pantry-tree: