Allan E. Gardner

OSTree: Drop privileges for HTTP fetches

Giuseppe Scrivano
Fedora Project

OSTree currently runs as root for all of its operations, including fetches from external repositories over HTTP. But libsoup is not exactly a secure, well-tested library, and few projects use it. Running the fetch operations in a separate low-privileged process will add more security, as will switching to libcurl.
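A minimal sketch of the privilege-separated fetch described above, added here as an illustration and not OSTree's own code: the root process forks a worker, the worker drops to an unprivileged uid (65534, assumed here to be "nobody") before it "fetches", and the parent treats the bytes coming back over the pipe as untrusted until checked. The libcurl transfer is replaced by a constructed payload so the example runs offline.

```c
#define _GNU_SOURCE          /* for setresuid/setresgid on glibc */
#include <grp.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define UNPRIV_UID 65534     /* assumed to be "nobody"; real code would look it up */

/* Worker side: drop supplementary groups, then gid, then uid, and verify
 * that root cannot be regained. Returns 0 on success, -1 on failure. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (getuid() == 0) {
        if (setgroups(0, NULL) != 0) return -1;
        if (setresgid(gid, gid, gid) != 0) return -1;
        if (setresuid(uid, uid, uid) != 0) return -1;
    }
    if (setuid(0) == 0 || getuid() == 0) return -1;  /* drop must be irreversible */
    return 0;
}

/* Stand-in for the libcurl transfer the worker would perform (constructed payload). */
static const char FAKE_BODY[] = "commit-object-bytes";

/* Parent side: fork a worker, let it drop privileges and fetch, then read the
 * bytes back over a pipe. Returns the worker's uid (never 0), or -1 on error.
 * Nothing the worker sends is trusted until the parent has checked it. */
int fetch_privsep(char *buf, size_t buflen)
{
    int fd[2], status = 0, ok;
    uid_t u = 0;
    size_t n = 0;
    ssize_t r;

    if (pipe(fd) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {                                   /* worker */
        close(fd[0]);
        if (drop_privileges(UNPRIV_UID, UNPRIV_UID) != 0) _exit(2);
        u = getuid();
        if (write(fd[1], &u, sizeof u) != (ssize_t)sizeof u) _exit(3);
        if (write(fd[1], FAKE_BODY, sizeof FAKE_BODY) != (ssize_t)sizeof FAKE_BODY) _exit(3);
        _exit(0);
    }
    close(fd[1]);                                     /* parent keeps its privileges */
    ok = read(fd[0], &u, sizeof u) == (ssize_t)sizeof u;
    while (ok && n < buflen && (r = read(fd[0], buf + n, buflen - n)) > 0) n += (size_t)r;
    close(fd[0]);
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status) || WEXITSTATUS(status) != 0) ok = 0;
    if (!ok || n != sizeof FAKE_BODY || memcmp(buf, FAKE_BODY, n) != 0) return -1;
    return (int)u;
}
```

When run as an ordinary user the worker cannot drop further, so drop_privileges only verifies that root is unreachable; in a real deployment the parent would also verify the fetched object's checksum before committing it to the repository.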

Furthermore, the aria2 project implements a feature not found in libcurl or libsoup, namely multiplexing downloads from multiple servers (e.g. for file A, aria2 can download 50% from server 1 and 50% from server 2). Moving to an external process will allow a pluggable fetching implementation, making aria2's features available to those who want them.

Further work may be done for the Fedora Modularization WG or ostree-related projects (such as GNOME Continuous).

Full project proposal: