See also http://pvp.haskell.org/faq

0.6.3.0

• Make lukko flag automatic and off by default, using file locking facilities from GHC.IO.Handle.Lock and not from on lukko package. The change is not expected to affect anyone detrimentally, but one can set the flag on in their configuration to restore the previous behaviour.
• Allow building against newer releases of dependencies.
• Tested with GHC 8.4 - 9.12.

0.6.2.6

• Drop flag use-network-uri and support for network-2.5.
• Fix build failure in testsuite with tar-0.5 (PR #312).
• Tested with GHC 8.4 - 9.8.

0.6.2.5

• Allow Cabal-3.12 and Cabal-syntax-3.12.
• Allow zlib-0.7.
• Drop flag use-old-time and support for old-time, require time ≥ 1.5 (PR #304).
• Drop support for GHC < 8.4 (PR #306).
• Code maintenance: address warning star-is-type, unused-record-wildcards etc. (PR #306).
• Tested with GHC 8.4 - 9.8.

0.6.2.4

• Allow tar-0.6
• Drop support for GHC < 7.8 in favor of PatternSynonyms
• Drop flags base48, mtl21, old-directory and support for GHC 7.8, mtl < 2.2 and directory < 1.2
• Tested with GHC 7.10 - 9.8

0.6.2.3

• Bump base for GHC 9.4 comp
• Fix code to really support mtl-2.3

0.6.2.2

• Fix broken compilation of test-suite with Cabal-syntax-3.8.1.0 on Hackage
• Huge README updates

0.6.2.1

• Allow GHC-9.0 (base-4.15) (#265)
• Fix running cabal repl hackage-security (#263)

0.6.2.0

• Safely prepare for when cabal factors out Cabal-syntax

0.6.1.0

• Support basic auth in package-indices (#252)
• Fix tests due to new aeson handling of unescaped control sequences (#256)
• Bump a lot of bounds on packages we depend on

0.6.0.1

• Fix bug in non-default -lukko build-configuration (#242)
• Add support for template-haskell-2.16.0.0 (#240)

0.6.0.0

• Remove Hackage.Security.TUF.FileMap.lookupM
• Don't expose Hackage.Security.Util.IO module
• Don't expose Hackage.Security.Util.Lens module
• Report missing keys in .meta objects more appropriately as ReportSchemaErrors(expected) instead of via Monad(fail)
• Add support for GHC 8.8 / base-4.13
• Use lukko for file-locking
• Extend LogMessage to signal events for cache lock acquiring and release
• New lockCacheWithLogger operation

0.5.3.0

• Use flock(2)-based locking where available (compat-shim taken from cabal-install's code-base) (#207)
• Improve handling of async exceptions (#187)
• Detect & recover from local corruption of uncompressed index tarball (#196)
• Support base-4.11

0.5.2.2

• Fix client in case where server provides MD5 hashes (ignore them, use only SHA256)
• Fix warnings with GHC 8

0.5.2.1

• Fix accidental breakage with GHC 8

0.5.2.0

• Change path handling to work on Windows (#162).
• Add new MD5 hash type (#163). This is not for security (only SHA256 is used for verification) but to provide as metadata to help with other services like mirroring (e.g. HTTP & S3 use MD5 checksum headers).
• Adjust reading of JSON maps to ignore unknown keys. This allows adding e.g. new hash types in future without breaking existing clients.
• Fix build warnings on GHC 8

0.5.1.0

• Fix for other local programs corrputing the 00-index.tar. Detect it and do a full rewrite rather than incremental append.
• New JSON pretty-printer (not canonical rendering)
• Round-trip tests for Canonical JSON parser and printers
• Minor fix for Canonical JSON parser
• Switch from cryptohash to cryptohash-sha256 to avoid new dependencies

0.5.0.2

• Use tar 0.5.0
• Relax lower bound on directory

0.5.0.1

• Relaxed dependency bounds

0.5.0.0

• Treat deserialization errors as verification errors (#108, #75)
• Avoid Content-Length: 0 in GET requests (#103)
• Fix bug in Trusted
• Build tar-index incrementally (#22)
• Generalize 'Repository' over the representation of downloaded remote files.
• Update index incrementally by downloading delta of .tar.gz and writing only tail of local .tar file (#101). Content compression no longer used.
• Take a lock on the cache directory before updating it, and no longer use atomic file ops (pointless since we now update some files incrementally)
• Code refactoring/simplification.
• Support for ed25519 >= 0.0.4
• downloadPackage no longer takes a callback.
• API for accessing the Hackage index contents changed; it should now be easier for clients to do their own incremental updates should they wish to do so.
• Relies on tar >= 0.4.4
• Removed obsolete option for downloading the compressed index (we now always download the compressed index)
• Path module now works on Windows (#118)
• Dropped support for ghc 7.2
• Replaced uses of Int with Int54, to make sure canonical JSON really is canonical (#141).

0.4.0.0

• Allow clients to pass in their own time for expiry verification (this is an API change hence the major version bump)
• Export .Client.Formats (necessary to define new Repositories)
• Start work on basic test framework

0.3.0.0

• Don't use compression for range requests (#101)
• Download index.tar.gz, not index.tar, if range request fails (#99)
• Minor change in the LogMessage type (hence the API version bumb)
• Include ChangeLog.md in the tarball (#98)

0.2.0.0

• Allow for network-2.5 (rather than network-uri-2.6)
• Use cryptohash rather than SHA
• Various bugfixes
• API change: introduce RepoOpts in the Remote repository

0.1.0.0

• Initial beta release