  • Use the SHA256 hashes from the TUF repo metadata in planning · dd898373
    Duncan Coutts authored and Mikhail Glushenkov committed
    During planning we calculate the nix-style package ids by hashing
    everything. A crucial component of the package id hashes is the hash of
    the package source, which currently is just hashes of tarballs.
    
    For packages from hackage repos we currently have to download the
    tarballs after running the solver but before elaborating the install
    plan. So we have the slightly surprising behaviour that doing
    cabal (new-)build --dry-run will already download the packages.
    
    With packages from repos that support the new TUF-based format we do
    have hashes available up front as part of the repo metadata / index,
    without having to download the tarballs and hash them.
    
    This patch takes advantage of secure TUF repos to get the package source
    hashes without having to download tarballs. For classic non-secure repos
    it has the same old behaviour of downloading up front.
    
    (cherry picked from commit 2e4533a0)