Ring's version-compatibility policy is basically an abdication of all responsibility. A developer who can't be bothered to write a changelog is probably not very careful, and this is software where I'd like the authors to be careful.

Let's find an alternative to ring that can provide the necessary cryptographic primitives with more responsible policies.

https://docs.rs/hmac/0.7.1/hmac/ looks like a good choice? Also, we already support OpenSSL so perhaps just removing the ring option would make sense, if OpenSSL doesn't have disadvantages that might be blockers.

@djmitche Is this still the case?

Yep