smol-dot / smoldot

Lightweight client for Substrate-based chains, such as Polkadot and Kusama.
GNU General Public License v3.0
168 stars 45 forks

blake2-rfc no longer maintained - change to blake2 #1885

Open DragonDev1906 opened 1 week ago

DragonDev1906 commented 1 week ago

The blake2-rfc dependency hasn't been updated in 3 years, has outdated dependencies and open PRs for those. To me this looks like it is no longer maintained. How about switching to https://crates.io/crates/blake2 (RustCrypto)?

EDIT: The same goes for the libsecp256k1 dependency (no updates for 1 year and open dependency update PRs): https://github.com/paritytech/libsecp256k1/pulls
https://github.com/RustCrypto/elliptic-curves/tree/master/k256

tomaka commented 1 week ago

I fundamentally disagree that a library not getting updated means we should no longer use it. If anything, a library not getting any updates can be a sign of stability/maturity.

DragonDev1906 commented 1 week ago

That is true. It also leads to increased compile times due to the use of outdated transitive dependencies (even though there is a PR for it) and does not explain why a simple PR updating the readme is over 5 years old and didn't even get a comment.

Besides that, there is also a benefit to using a library that has 5x as many users/downloads, especially for security-relevant dependencies, and the knowledge that if there is an issue it is more likely to get fixed.

In the end it is up to you, I hope you have considered both and actively decided to stay on blake2-rfc.
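The opening comment proposes replacing one BLAKE2 implementation with another. Whichever crate is chosen, the swap changes a primitive that the chain's hashing depends on, so it should be gated on a known-answer test rather than on a clean compile. What follows is an added example written for this page; it is not smoldot's code and does not use the blake2-rfc or RustCrypto blake2 API. It bundles a minimal BLAKE2b so that it runs with no external crates, checks it against the RFC 7693 Appendix A vector for BLAKE2b-512("abc"), and shows the parameter that most often bites in such a migration: the output length is part of the hash's parameter block, so a 32-byte digest is not a prefix of the 64-byte one. The names `blake2b`, `to_hex`, `passes_rfc7693_kat` and `short_output_is_not_truncation` are this example's own.

```rust
// Added example for this thread, not smoldot's code: a dependency-free BLAKE2b
// (RFC 7693) standing in for the crate under evaluation, plus the known-answer
// check a hash-dependency swap should be gated on.
const IV: [u64; 8] = [
    0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1,
    0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179,
];
// Message word schedule per round; rounds 10 and 11 reuse rows 0 and 1.
const SIGMA: [[usize; 16]; 12] = [
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15],
    [14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3],
    [11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4],
    [7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8],
    [9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13],
    [2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9],
    [12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11],
    [13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10],
    [6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5],
    [10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0],
    [0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15],
    [14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3],
];

// G mixing function with the BLAKE2b rotation constants 32, 24, 16, 63.
fn g(v: &mut [u64; 16], a: usize, b: usize, c: usize, d: usize, x: u64, y: u64) {
    v[a] = v[a].wrapping_add(v[b]).wrapping_add(x);
    v[d] = (v[d] ^ v[a]).rotate_right(32);
    v[c] = v[c].wrapping_add(v[d]);
    v[b] = (v[b] ^ v[c]).rotate_right(24);
    v[a] = v[a].wrapping_add(v[b]).wrapping_add(y);
    v[d] = (v[d] ^ v[a]).rotate_right(16);
    v[c] = v[c].wrapping_add(v[d]);
    v[b] = (v[b] ^ v[c]).rotate_right(63);
}

// Compression function F: `t` is the running byte counter, `last` marks the final block.
fn compress(h: &mut [u64; 8], block: &[u8; 128], t: u128, last: bool) {
    let mut m = [0u64; 16];
    for (i, word) in m.iter_mut().enumerate() {
        let mut w = [0u8; 8];
        w.copy_from_slice(&block[i * 8..i * 8 + 8]);
        *word = u64::from_le_bytes(w); // message words are little-endian
    }
    let mut v = [0u64; 16];
    v[..8].copy_from_slice(&h[..]);
    v[8..].copy_from_slice(&IV);
    v[12] ^= t as u64;
    v[13] ^= (t >> 64) as u64;
    if last { v[14] = !v[14]; }
    for s in SIGMA.iter() {
        g(&mut v, 0, 4, 8, 12, m[s[0]], m[s[1]]);
        g(&mut v, 1, 5, 9, 13, m[s[2]], m[s[3]]);
        g(&mut v, 2, 6, 10, 14, m[s[4]], m[s[5]]);
        g(&mut v, 3, 7, 11, 15, m[s[6]], m[s[7]]);
        g(&mut v, 0, 5, 10, 15, m[s[8]], m[s[9]]);
        g(&mut v, 1, 6, 11, 12, m[s[10]], m[s[11]]);
        g(&mut v, 2, 7, 8, 13, m[s[12]], m[s[13]]);
        g(&mut v, 3, 4, 9, 14, m[s[14]], m[s[15]]);
    }
    for i in 0..8 { h[i] ^= v[i] ^ v[i + 8]; }
}

/// Unkeyed BLAKE2b with `out_len` bytes of output (1..=64). The length is part
/// of the parameter block, so BLAKE2b-256 is not a prefix of BLAKE2b-512.
pub fn blake2b(input: &[u8], out_len: usize) -> Vec<u8> {
    assert!((1..=64).contains(&out_len), "output length must be 1..=64 bytes");
    let mut h = IV;
    h[0] ^= 0x0101_0000 ^ out_len as u64; // key length 0, fanout 1, depth 1
    let n_blocks = if input.is_empty() { 1 } else { (input.len() + 127) / 128 };
    let mut t: u128 = 0;
    for i in 0..n_blocks {
        let start = i * 128;
        let end = usize::min(start + 128, input.len());
        let mut block = [0u8; 128]; // the final block is zero-padded
        block[..end - start].copy_from_slice(&input[start..end]);
        t += (end - start) as u128;
        compress(&mut h, &block, t, i + 1 == n_blocks);
    }
    let mut out = Vec::with_capacity(64);
    for w in h.iter() { out.extend_from_slice(&w.to_le_bytes()); }
    out.truncate(out_len);
    out
}
pub fn to_hex(bytes: &[u8]) -> String {
    bytes.iter().map(|b| format!("{:02x}", b)).collect()
}
/// BLAKE2b-512("abc") from RFC 7693, Appendix A.
pub const RFC7693_ABC_512: &str = "ba80a53f981c4d0d6a2797b69f12f6e94c212f14685ac4b74b12bb6fdbffa2d1\
    7d87c5392aab792dc252d5de4533cc9518d38aa8dbf1925ab92386edd4009923";
/// Known-answer test: a replacement crate must reproduce this digest exactly.
pub fn passes_rfc7693_kat() -> bool {
    to_hex(&blake2b(b"abc", 64)) == RFC7693_ABC_512
}
/// Migration pitfall: 256-bit callers must request 32 bytes from the new crate;
/// truncating a 64-byte digest gives a different value.
pub fn short_output_is_not_truncation() -> bool {
    blake2b(b"abc", 32).as_slice() != &blake2b(b"abc", 64)[..32]
}
```

In a real migration the candidate crate, not this stand-in, would be run through `passes_rfc7693_kat` and, more importantly, through a corpus of digests captured from the current dependency on real chain data (block headers, storage keys, at every output length the code base requests), so that a parameter mismatch shows up as a failed assertion in CI rather than as a wrong block hash in production.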