don't assume boto will remain secure

On second thought, best to default to being secure even if boto changes
http libraries to one that happens to follow redirects.

Remote/Glacier.hs

@@ -56,8 +56,10 @@ gen r u c gc = new <$> remoteCost gc veryExpensiveRemoteCost
 			, retrieveKeyFile = retreiveKeyFileDummy
 			, retrieveKeyFileCheap = retrieveCheap this
 			-- glacier-cli does not follow redirects and does
-			-- not support file://, so this is secure.
-			, retrievalSecurityPolicy = RetrievalAllKeysSecure
+			-- not support file://, as far as we know, but
+			-- there's no guarantee that will continue to be
+			-- the case, so require verifiable keys.
+			, retrievalSecurityPolicy = RetrievalVerifiableKeysSecure
 			, removeKey = removeKeyDummy
 			, lockContent = Nothing
 			, checkPresent = checkPresentDummy