
chrono not maintained - CVE-2020-26235 in time #109

Closed
acim opened this issue Oct 11, 2021 · 2 comments

Comments


acim commented Oct 11, 2021

chrono depends on a vulnerable version of time and it seems not to be well maintained. Could you maybe replace it completely with some newer version of time, as suggested here?

@Arnavion (Owner)

We can continue discussing in kube-rs/kube#650 to keep the conversation in one place.

Arnavion added a commit that referenced this issue Oct 12, 2021
Arnavion added a commit that referenced this issue Oct 28, 2021
@Arnavion (Owner)

v0.14.0 has been released with default features disabled, as discussed in kube-rs/kube#650 (comment). This means that time 0.1 is already not pulled in by default. And if chrono ever removes chrono::Local or puts it behind a feature, that too will not be pulled in by default, without needing any change in k8s-openapi.

I'm not planning on replacing chrono with time completely at this time, unless there is more reason to. time resolved the vuln first by making the local time API fail unconditionally, and now by making it fail if it cannot determine that there's only one thread in the process. In my opinion this is going too far for what is reasonable for a library, especially since the trigger for this vuln is such an uncommon thing in the first place.

For posterity, this branch has the change for such a switch in case I change my mind in the future.
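A consumer-side check for the situation the comment above describes, added here as an example and not code from k8s-openapi or its maintainer: it walks a Cargo.lock and lists every dependency chain that still reaches time 0.1.x, so a project can confirm that disabling a dependency's default features really dropped the crate affected by CVE-2020-26235 from its build. The lock file is constructed for illustration and assumes the standard `[[package]]` layout (name, version, optional dependencies list).

```python
import re

# Constructed Cargo.lock (not from k8s-openapi): app -> chrono -> time 0.1,
# the chain that chrono's default features produce.
SAMPLE_LOCK = """\
[[package]]
name = "app"
version = "0.1.0"
dependencies = [
 "chrono",
]

[[package]]
name = "chrono"
version = "0.4.19"
dependencies = [
 "time",
]

[[package]]
name = "time"
version = "0.1.44"
"""

def parse_lock(text):
    """Map (name, version) -> dependency refs for every [[package]] entry."""
    pkgs = {}
    for block in re.split(r"^\[\[package\]\]$", text, flags=re.M)[1:]:
        name, version = re.search(r'^name = "([^"]+)"\nversion = "([^"]+)"', block, re.M).groups()
        deps = re.search(r"^dependencies = \[(.*?)^\]", block, re.M | re.S)
        pkgs[(name, version)] = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
    return pkgs

def resolve(pkgs, ref):
    """A lock ref is "name" or "name version [source]"; return the matching nodes."""
    parts = ref.split()
    return [k for k in pkgs if k[0] == parts[0] and (len(parts) < 2 or k[1] == parts[1])]

def time01_chains(lock_text, root):
    """Every dependency chain from `root` down to a time 0.1.x crate."""
    pkgs, chains = parse_lock(lock_text), []
    def walk(node, path):
        path = path + [f"{node[0]}@{node[1]}"]
        if node[0] == "time" and node[1].startswith("0.1."):
            chains.append(path)
            return
        for child in (c for ref in pkgs[node] for c in resolve(pkgs, ref)):
            if f"{child[0]}@{child[1]}" not in path:  # skip dependency cycles
                walk(child, path)
    for start in resolve(pkgs, root):
        walk(start, [])
    return chains
```

An empty result for the crate's own package name means no build path reaches time 0.1; a non-empty one names exactly which dependency (here chrono) still pulls it in.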
