Separating fetching from building for better security
Rust Internals [Unofficial]
June 11, 2026
grothesque:
While working on this, I realized that in addition to simply sandboxing Cargo, a meaningful security improvement can be obtained by separating fetching and building so that, for example, an invocation of
cargo build is split into two phases:
There are test runners and rustc wrappers (for proc macros). There is an experiment for something similar for build scripts.