hackage-security
Properly integrate the new HTTPS/curl support from cabal with http-security-curl
Currently cabal-install already provides an instance of the HTTP interface required by the hackage-security library; we just need to change this to use the transport abstraction in cabal-install.
This is now done, but the integration is not perfect; this has both a (minor) performance impact as well as a (minor) security impact, as documented in the comment above transportAdapter:
-- * The 'HttpTransport' wants to know where to place the resulting file,
-- whereas the 'HttpLib' expects an 'IO' action which streams the download;
-- the security library then makes sure that the file gets written to a
-- location which is suitable (in particular, to a temporary file in the
-- directory where the file needs to end up, so that it can "finalize" the
-- file simply by doing 'renameFile'). Right now we write the file to a
-- temporary file in the system temp directory here and then read it again
-- to pass it to the security library; this is a problem for two reasons: it
-- is a source of inefficiency; and it means that the security library cannot
-- insist on a minimum download rate (potential security attack).
-- Fixing it however would require changing the 'HttpTransport'.
See also #28.
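The streaming design the quoted comment asks for, as an added sketch that is not code from cabal-install or hackage-security: chunks go straight to a temporary file in the destination directory, the transfer is aborted if it stalls or falls below a minimum average rate, and the file is finalized with 'renameFile'. The name downloadMinRate, the chunk-reader convention (an empty chunk marks the end of the body) and the demo values are assumptions.

```haskell
import Control.Exception (bracketOnError, throwIO)
import Control.Monad (when)
import qualified Data.ByteString as BS
import Data.IORef (atomicModifyIORef', newIORef)
import Data.Time.Clock (diffUTCTime, getCurrentTime)
import System.Directory (removeFile, renameFile)
import System.FilePath (takeDirectory, takeFileName)
import System.IO (hClose, openBinaryTempFile)
import System.Timeout (timeout)

-- | Stream chunks from 'next' (hypothetical reader; empty chunk = end of body)
-- into a temp file beside 'dest', enforcing a minimum average download rate.
downloadMinRate :: Int -> Int -> IO BS.ByteString -> FilePath -> IO ()
downloadMinRate minBytesPerSec graceSecs next dest =
  bracketOnError
    (openBinaryTempFile (takeDirectory dest) (takeFileName dest))
    (\(tmp, h) -> hClose h >> removeFile tmp)   -- on failure, leave no partial file
    (\(tmp, h) -> do
        start <- getCurrentTime
        let loop total = do
              -- A read that blocks longer than the grace period is a stall.
              mchunk <- timeout (graceSecs * 1000000) next
              chunk  <- maybe (throwIO (userError "download stalled")) return mchunk
              if BS.null chunk
                then return ()
                else do
                  BS.hPut h chunk
                  now <- getCurrentTime
                  let total'  = total + BS.length chunk
                      elapsed = realToFrac (diffUTCTime now start) :: Double
                      rate    = fromIntegral total' / elapsed
                  -- Only judge the average rate once the grace period has passed.
                  when (elapsed > fromIntegral graceSecs
                          && rate < fromIntegral minBytesPerSec) $
                    throwIO (userError "download below minimum rate")
                  loop total'
        loop (0 :: Int)
        hClose h
        renameFile tmp dest)   -- same directory, so finalizing is a rename

-- Constructed demo: in-memory chunks stand in for an HTTP response body.
main :: IO ()
main = do
  ref <- newIORef (map BS.pack [[1, 2, 3], [4, 5]])
  let pop cs = case cs of { [] -> ([], BS.empty); (c : rest) -> (rest, c) }
  downloadMinRate 1 5 (atomicModifyIORef' ref pop) "./demo.bin"
  BS.readFile "./demo.bin" >>= print . BS.length
```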