Conversation

@juntyr (Contributor) commented Nov 13, 2021

Avoids RUSTSEC-2020-0071 and RUSTSEC-2020-0159 vulnerabilities in crates using tskit

@molpopgen (Member)

Does this give UTC with local offsets, or plain UTC?

@juntyr (Contributor, Author) commented Nov 14, 2021

Does this give UTC with local offsets, or plain UTC?

std::time::SystemTime gives just pure UTC. Since fixing RUSTSEC-2020-0159 seems to require reimplementing a libc function (to get the local time zone) in Rust, getting the local timestamp in a non-vulnerable way will likely take some time. Once it is fixed, you could then switch back if you wanted.
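What the switch from chrono to std::time looks like in practice, as an added example that is not part of this PR or of tskit: a UTC-only RFC 3339 timestamp built from std::time alone, so downstream Cargo.lock files never pick up the crates named in the two advisories. The date arithmetic (civil_from_days) is an assumption of this example, not tskit's implementation.

```rust
// Added example (not tskit's own code): UTC "YYYY-MM-DDTHH:MM:SSZ" from
// std::time::SystemTime only. Pure UTC, no local-offset lookup, so no
// dependency on chrono or time enters a downstream Cargo.lock.
use std::time::{SystemTime, UNIX_EPOCH};

/// Days since 1970-01-01 -> proleptic Gregorian (year, month, day).
/// Assumed helper using Howard Hinnant's civil_from_days algorithm.
fn civil_from_days(days: i64) -> (i64, u32, u32) {
    let z = days + 719_468;
    let era = z.div_euclid(146_097);
    let doe = z.rem_euclid(146_097); // day of era, 0..=146096
    // year of era, 0..=399
    let yoe = (doe - doe / 1460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100); // day of year, March-based
    let mp = (5 * doy + 2) / 153; // month index, 0 = March
    let d = (doy - (153 * mp + 2) / 5 + 1) as u32;
    let m = (if mp < 10 { mp + 3 } else { mp - 9 }) as u32;
    let y = yoe + era * 400 + if m <= 2 { 1 } else { 0 };
    (y, m, d)
}

/// Format seconds since the Unix epoch as an RFC 3339 UTC timestamp.
pub fn utc_timestamp_from_secs(secs: u64) -> String {
    let days = (secs / 86_400) as i64;
    let rem = secs % 86_400;
    let (y, m, d) = civil_from_days(days);
    format!(
        "{:04}-{:02}-{:02}T{:02}:{:02}:{:02}Z",
        y, m, d, rem / 3600, (rem % 3600) / 60, rem % 60
    )
}

/// Current wall-clock time as a UTC timestamp; no time zone data consulted.
pub fn utc_now() -> String {
    let secs = SystemTime::now()
        .duration_since(UNIX_EPOCH)
        .expect("system clock is before the Unix epoch")
        .as_secs();
    utc_timestamp_from_secs(secs)
}

fn main() {
    println!("{}", utc_now());
}
```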

@molpopgen (Member)

Sounds great. I'll dig in more tomorrow. I imagine I'll merge this and make a release after adding a security audit action.

@molpopgen (Member)

I just pulled this and looked at the docs--are you happy with the doc examples still using chrono to decode the time values?

@juntyr (Contributor, Author) commented Nov 15, 2021

I just pulled this and looked at the docs--are you happy with the doc examples still using chrono to decode the time values?

Yes, as doc examples and dev-dependencies in general don't appear in the compilation process (and crucially the Cargo.lock file) of any projects using a crate. And chrono is still the go-to crate for this functionality, and I expect it to be fixed at some point in the future. What's important to me is to not indirectly depend on a vulnerable crate in my project.

@molpopgen molpopgen merged commit 8bb08be into tskit-dev:main Nov 15, 2021