Separating fetching from building for better security

grothesque:

So it tends to fetch too much, which may or may not be a problem.

Hmm, I've never noticed cargo build not fetching the entire Cargo.lock before, but then I guess I never normally try to do a smaller build as the first step in a new project, I would start with a complete cargo check and so I wouldn't ever see it pulling extras.

grothesque:

cargo build --features foo/tls

Ah, right, I have run into such a situation before; I just disregard that as feeling like a bug in Cargo's CLI. It shouldn't be possible to activate a feature on a non-workspace crate during a particular build since the Cargo.lock doesn't contain the info necessary to do so. I assume it will just pull the latest of the unactivated optional dependencies each time?