Separating fetching from building for better security
mathstuf:

> grothesque:
>
> > The --fetch-only idea is just one possible step towards this general goal. It won't magically make Cargo safe, but I believe that it would be a useful building block whenever sandboxing primitives are available.
>
> Is cargo vendor not sufficient for this? It's how we make sure that all jobs get the same set of dependencies even if rerun hours later (all cargo commands use --offline --locked after the initial cargo update && cargo vendor job).
According to my understanding, cargo vendor suffers from the same problem as cargo fetch with regard to features (see above).
It also requires specific config and creates a separate vendor/ tree, making it, as far as I can see, unfit as a building block for a two-phase cargo build replacement that otherwise behaves like the original.
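A sketch of the two-phase pipeline mathstuf describes, added here as an example and not taken from the thread: a network-enabled fetch job that pins the lockfile, vendors the crates and writes the source-replacement config grothesque refers to, followed by an offline, locked build job. The project path, job layout and the vendor-tree check are assumptions.

```shell
#!/bin/sh
# Added example: two-phase Cargo pipeline (fetch with network, build without).
# Not from the thread; assumes a directory holding Cargo.toml and cargo on PATH.
set -eu

# Phase 1 (network allowed): pin Cargo.lock and vendor every crate it names.
# cargo vendor prints the source-replacement snippet on stdout; we write it
# ourselves so the build phase never consults crates.io at all.
fetch_phase() {
    project="$1"
    (cd "$project" && cargo update && cargo vendor vendor >/dev/null)
    write_vendor_config "$project"
}

# The extra config grothesque mentions: redirect crates.io to the vendor/ tree.
# Without it, --offline would fall back to the registry cache in ~/.cargo.
write_vendor_config() {
    project="$1"
    mkdir -p "$project/.cargo"
    cat >"$project/.cargo/config.toml" <<'EOF'
[source.crates-io]
replace-with = "vendored-sources"

[source.vendored-sources]
directory = "vendor"
EOF
}

# Phase 2 (no network): --locked refuses to modify Cargo.lock and --offline
# refuses network access, so dependency drift fails loudly instead of fetching.
build_phase() {
    project="$1"
    (cd "$project" && cargo build --release --offline --locked)
}

# Gate between the phases (assumed check): every vendored crate directory must
# carry the .cargo-checksum.json that cargo vendor writes; a missing file means
# the tree was tampered with or the fetch job did not finish.
vendor_tree_ok() {
    dir="$1"
    [ -d "$dir" ] || return 1
    for crate in "$dir"/*/; do
        [ -f "$crate/.cargo-checksum.json" ] || return 1
    done
    return 0
}
```

Run fetch_phase in the job that has network, archive the project directory, then run vendor_tree_ok and build_phase in the sandboxed job.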