Changelog of @hackage/hackage-security 0.6.3.0

0.6.3.0

Make lukko flag automatic and off by default, using file locking facilities from GHC.IO.Handle.Lock and not from on lukko package. The change is not expected to affect anyone detrimentally, but one can set the flag on in their configuration to restore the previous behaviour.
Allow building against newer releases of dependencies.
Tested with GHC 8.4 - 9.12.

Allow Cabal-3.12 and Cabal-syntax-3.12.
Allow zlib-0.7.
Drop flag use-old-time and support for old-time, require time ≥ 1.5 (PR #304).
Drop support for GHC < 8.4 (PR #306).
Code maintenance: address warning star-is-type, unused-record-wildcards etc. (PR #306).
Tested with GHC 8.4 - 9.8.

Allow tar-0.6
Drop support for GHC < 7.8 in favor of PatternSynonyms
Drop flags base48, mtl21, old-directory and support for GHC 7.8, mtl < 2.2 and directory < 1.2
Tested with GHC 7.10 - 9.8

Remove Hackage.Security.TUF.FileMap.lookupM
Don't expose Hackage.Security.Util.IO module
Don't expose Hackage.Security.Util.Lens module
Report missing keys in .meta objects more appropriately as ReportSchemaErrors(expected) instead of via Monad(fail)
Add support for GHC 8.8 / base-4.13
Use lukko for file-locking
Extend LogMessage to signal events for cache lock acquiring and release
New lockCacheWithLogger operation

Use flock(2)-based locking where available (compat-shim taken from cabal-install's code-base) (#207)
Improve handling of async exceptions (#187)
Detect & recover from local corruption of uncompressed index tarball (#196)
Support base-4.11

Fix client in case where server provides MD5 hashes (ignore them, use only SHA256)
Fix warnings with GHC 8

Change path handling to work on Windows (#162).
Add new MD5 hash type (#163). This is not for security (only SHA256 is used for verification) but to provide as metadata to help with other services like mirroring (e.g. HTTP & S3 use MD5 checksum headers).
Adjust reading of JSON maps to ignore unknown keys. This allows adding e.g. new hash types in future without breaking existing clients.
Fix build warnings on GHC 8

Fix for other local programs corrputing the 00-index.tar. Detect it and do a full rewrite rather than incremental append.
New JSON pretty-printer (not canonical rendering)
Round-trip tests for Canonical JSON parser and printers
Minor fix for Canonical JSON parser
Switch from cryptohash to cryptohash-sha256 to avoid new dependencies

Treat deserialization errors as verification errors (#108, #75)
Avoid Content-Length: 0 in GET requests (#103)
Fix bug in Trusted
Build tar-index incrementally (#22)
Generalize 'Repository' over the representation of downloaded remote files.
Update index incrementally by downloading delta of .tar.gz and writing only tail of local .tar file (#101). Content compression no longer used.
Take a lock on the cache directory before updating it, and no longer use atomic file ops (pointless since we now update some files incrementally)
Code refactoring/simplification.
Support for ed25519 >= 0.0.4
downloadPackage no longer takes a callback.
API for accessing the Hackage index contents changed; it should now be easier for clients to do their own incremental updates should they wish to do so.
Relies on tar >= 0.4.4
Removed obsolete option for downloading the compressed index (we now always download the compressed index)
Path module now works on Windows (#118)
Dropped support for ghc 7.2
Replaced uses of Int with Int54, to make sure canonical JSON really is canonical (#141).

Allow clients to pass in their own time for expiry verification (this is an API change hence the major version bump)
Export .Client.Formats (necessary to define new Repositories)
Start work on basic test framework