Backport TUF security bugfix to < 3.10

[hasufell]

• https://github.com/haskell/security-advisories/blob/main/advisories/hackage/cabal-install/HSEC-2023-0015.md
• dcfdc9c

Since 3.10.2.0 has major regressions on windows, this would leave the 'recommended' version in GHCup vulnerable.

Bumping 'recommended' to 3.10.2.0 is not an option at this time.

[gbaz]

Just to be clear: 3.10.2.0 is recommended on platforms besides windows, right? Also, is there a full inventory of the windows regressions that we need to look into?

[hasufell]

3.10.2.0 is recommended on platforms besides windows, right?

No, 'recommended' is across all platforms. We can't recommend a version that works on only some platforms.

Teams should be confident to get the exact same versions of tools when they install 'recommended'. Everything else is calling for confusion.

The regression is described here: #9334

[andreabedini]

There is no plan for either a 3.6 or 3.8 release. See https://mail.haskell.org/pipermail/cabal-devel/2023-November/010578.html. The fix is included in 3.10+.