Separating fetching from building for better security

grothesque:

• A first phase that roughly runs cargo fetch in a sandbox with network enabled.

• A second phase that runs cargo build --locked in a sandbox with network disabled.

What about doing all process in a sandbox that has only access to index.crates.io?