Bump upstream dependencies

[Demi-Marie]

Also remove spurious braces.

[burdges]

Thanks!

As written, this should not build, or at least not build for tests, because rand_os 0.2.2 needs rand_core 0.5 https://docs.rs/crate/rand_os/0.2.2 but dalek refuses to upgrade due to semver.

Is substrate on rand_core 0.5 aka rand 0.7 yet? I could just merge https://github.com/w3f/schnorrkel/commit/8150ef6333df6238d8d861aec74bf7ccd87119aa maybe?

I think my only caveats reasons for not merging that yet were:

1. substrate uses ed25519-dalek, so it must be using rand_core 0.4 somewhere, and
2. maybe cargo-features = ["rename-dependencies"] requires nightly, not sure.

I think 1 can be avoided by splitting RngCore5As4 out into a separate crate, which then substrate can use directly to invoke ed25519-dalek. If 2 is even an issue, then it could be addressed by splitting RngCore5As4 out with a second separate crates for its old_rand_core.

What do you think? Should we just split out RngCore5As4 into a subcrate and be done with it?

[Demi-Marie]

@burdges Substrate uses both 0.4 and 0.5. I think your answer is a good one.

[koushiro]

zeroize v1.0.0 has been released.

[burdges]

curve25519-dalek v2.0.0-alpha.0 has upgraded rand_core in https://github.com/dalek-cryptography/curve25519-dalek/pull/298 so merlin should soon follow

[Demi-Marie]

@burdges do you want me to bump curve25519-dalek to v2.0.0-alpha.0, or should I wait for a release?

[burdges]

I'll do something on this soon, just busy lately, but sure whatever. :)

It's actually more merlin updating rand_core that I care about than curve25519-dalek https://github.com/dalek-cryptography/merlin/blob/master/Cargo.toml#L24 but they've no issue, so maybe I cannot escape the RandCore5As4 thing.

[burdges]

Anyone know what happened with bincode here? I merged this despite the CI failing I guess.

[burdges]

Easy to fix, never mind.