convert to crypton

[frasertweedale]

crypton is today the dominant cryptographic primitives "kitchen
sink" library. There is a need and want of additional cryptographic
primitives in hackage-server, including HMAC (various use cases)
and, later, additional public key signature algorithms to support
OpenID Connect (for trusted publishing) and Passkeys/webauthn login.

This change migrates hackage-server to crypton. The changes are
kept to a minimum without any refactoring.

Dependencies on cryptohash-md5 and cryptohash-sha256 have been
dropped. It would have been nice to drop ed25519, but without it
we would be depending on internal implementation details to define
the MemSize instance for the hackage-security Key type.

NOTE: not tested yet. Made PR for early review and for others to
start building upon.

[gbaz]

memsize is i believe an approximate heuristic and its fine to give an instance thats a crude estimate

…

Message ID: ***@***.*** com>

[frasertweedale]

memsize is i believe an approximate heuristic and its fine to give an instance thats a crude estimate

@gbaz I'd prefer to leave it alone. The ed25519 package doesn't interfere with anything else, and we only use the data constructors. If you insist, I will replace the existing calculations with a "magic number" and try not to lose sleep over it 😅

Never mind all that. I see that it is used for memory usage monitoring and am satisfied that estimates are indeed fine. I removed the dependency and replaced it with a magic number.

[mergify]

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

• Queue this pull request

[ysangkok]

seems like this is blocked on

• Bump base upper bound to allow 4.22 well-typed/cborg#379

it seems like it isn't an issue on master since it was building with tls-1.9.0: https://github.com/haskell/hackage-server/actions/runs/27108585879/job/80002069176 , which does not need serialise