{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreigangyoc2nfroveebe7ju7ja5krobm7a5b5353ym5fdt4hwgqfk7m",
    "uri": "at://did:plc:ivbknywyskln22er3nkssdhl/app.bsky.feed.post/3mo4ooqdq7rr2"
  },
  "path": "/t/separating-fetching-from-building-for-better-security/24390#post_12",
  "publishedAt": "2026-06-12T21:02:53.000Z",
  "site": "https://internals.rust-lang.org",
  "textContent": "mathstuf:\n\n> grothesque:\n>\n>> The `--fetch-only` idea is just one possible step towards this general goal. It won’t magically make Cargo safe, but I believe that it would be a useful building block whenever sandboxing primitives are available.\n>\n> Is `cargo vendor` not sufficient for this? It's how we make sure that all jobs get the same set of dependencies even if rerun hours later (all `cargo` commands use `--offline --locked` after the initial `cargo update && cargo vendor` job).\n\nAccording to my understanding, `cargo vendor` suffers from the same problem as `cargo fetch` with regard to features (see above).\n\nIt also requires specific config and creates a separate `vendor/` tree, making it, as far as I can see, not fit as a building block for a two-phase `cargo build` replacement that otherwise behaves like the original.",
  "title": "Separating fetching from building for better security"
}