chacha20: v0.10.0-rc.6

[baloo]

Bump rand_core to 0.10.0-rc-3

[baloo]

A release of chacha20 would be appreciated to get over the API break hump made in rand_core 0.10.0-rc-3.

This is required for crypto-primes, which is itself a dependency of rsa, amongst other things.
Also: rand now re-exports chacha20! (this is going to be fun!)
https://github.com/rust-random/rand/blob/8336923fbd76760156009cb9765327af506d680e/src/rngs/mod.rs#L129

[dhardy]

Relying on Cargo.lock works for local testing, but does not guarantee dependants of this crate will get a compatible rand_core version. But if this is the way you prefer to handle pre-releases it's not a deal breaker for rand which will depend on both chacha20 and rand_core directly (with fixed versions) anyway.

[tarcieri]

@dhardy we've used = pinning for dependencies in the past, including earlier in this particular release cycle, and it just becomes untenable the more crates are involved. Upgrading anything becomes a nightmare

[dhardy]

@tarcieri the alternative requires committing Cargo.lock, which also has its costs. Personally I prefer keeping inter-dependent crates in the same repo, but that didn't work out in this case, so I guess we are just paying the price of that.

[tarcieri]

Committing Cargo.lock keeps the build reproducible and allows git bisect to work, even in the presence of e.g. yanked crates that would otherwise prevent the resolver from finding solutions.

We have many cross-repo interdependencies. Higher-level crates consume lower-level ones, e.g. pretty much all asymmetric constructions are paired in some way with hash functions, which in turn consume the relevant trait-related crates.