* support list of repos for hex packages

repos are defined under the hex key in rebar configs. They can be
defined at the top level of a project or globally, but not in
profiles and the repos configured in dependencies are also ignored.

Searching for packages involves first checking for a match in the
local repo index cache, in the order repos are defined. If not found
each repo is checked through the hex api for any known versions of
the package and the first repo with a version that fits the constraint
is used.

* add {repos, replace, []} for overriding the global & default repos

This replaces all deprecated function usage by alternative ones based on
a version switch enacted at compile time, preventing all warnings.

This will likely introduce some possible runtime errors in using a
Rebar3 compiled on OTP-20 or OTP-21 back in versions 19 and earlier, but
we can't really work around that.

A bunch of dependencies have been updated to support OTP-21 without
warnings as well.

This is done through 3 main change groups:

- replacing `~s` by `~ts` in format strings, so that strings that
  contain unicode are properly printed rather than crashing
- adding the `unicode` argument to all function of the `re` module to
  ensure transformations on strings containing unicode data are valid
  instead of crashing (see issue #1302)
- replacing `ec_cnv:to_binary/1` and `ec_cnv:to_list/1` with matching
  functions in `rebar_utils`.

The last point has been done, rather than modifying and updating erlware
commons, because binary and list conversions can be a contentious
subject. For example, if what is being handled is actually bytes from a
given binary stream, then forcing a byte-oriented interpretation of the
data can corrupt it. As such, it does not appear safe to modify erlware
commons' conversion functions since it may not be safe for all its
users.

Instead, rebar3 reimplements a subset of them (only converting
atoms and chardata, ignoring numbers) with the explicit purpose of
handling unicode string data.

Tests were left as unchanged as possible. This may impact the ability to
run rebar3's own suites in a unicode path, but respects a principle of
least change for such a large patch.

- also making sure unlocking works fine

- the internal representation for package locks moves from `{Name, {pkg,
  PkgName, Vsn}, Lvl}` to `{Name, {pkg, PkgName, Vsn, Hash}, Lvl}`
- the internal representation for packages moves from `{pkg, PkgName,
  Vsn}` to `{pkg, PkgName, Vsn, Hash}`
- the hash can be `undefined`, meaning no check will be done
- no checking is done yet.

Makes use of several var types: integers,
strings, binaries, binary strings and tuples.

* modify compiler interface to work on either application objects or
  directories containing source files
* compile all sources in `src_dirs` to the application `ebin` dir and
  all sources in `extra_src_dirs` to a directory mirroring it's
  position in the app's `_build` directory. for example, `apps/foo/more`
  would compile to `_build/default/lib/foo/more`
  for `extra_src_dirs` in the root of a project with multiple
  applications (so orphan directories that don't "belong" to an
  application) compile to `_build/default/extras/more`
* copy directories specified in `extra_src_dirs` into the `_build`
  directory so tools like `ct` and `xref` that expect source to be
  in a particular location still work
* clean compiled artifacts from all `extra_src_dirs`
* alter `eunit`, `ct` and `cover` to work with the new directory
  structure
* billions of new tests

Requires a rework of other test suites using the same dep-handling
mechanism.

Seed random with erlang:now() because os:timestamp precision is not enough
on windows.

Seed random with erlang:now() because os:timestamp precision is not enough
on windows.

The test works by using a parse transform that stamps modules with an
attribute as it runs them. It then compiles everything, loads the
module, and makes sure the stamps respect the defined order.

test utils and add better eunit tests

Add one test case to verify the dev_mode option for a release and
another to verify overriding the dev_mode option in a profile for a
release. Verification of proper dev_mode functioning is done in the
rebar_test_utils:check_results/2 function by checking if all the
directories in the release lib dir are symlinks or not and comparing
that result to the dev_mode expectation passed as input to
the check_results function.

The option {deps_error_on_conflict, true} will make it so conflicts in
deps being fetched interrupts the operation rather than just display a
warning.

Defaults to `false'.

- Track level of packages properly, they're not level 0 anymore (this
  could yield an issue where a src dep takes precedence over a pkg dep)
- Proper stable sort of vertices in the digraph module
- PkgDeps no longer 'see themselves' when fetching and upgrading after
  locking themselves
- Pkg Locks are added to pkg deps rather than source deps
- Updating test cases to support pkg mocking on top of src mocking

- Many apps is supported through and through
- Not mentioning any app upgrades all apps
- Locks are refreshed on disk and tested as such after an upgrade

The problem with the current effort is handling of transitive dependency
upgrades and possible values.

Test that all the correct locks are set for an upgrade run.

Now to actually re-run the install deps and prove it works