
> If crates.io goes down [...] certainly some people will have vendored their deps and others will have a panamax mirror handy, but for most, Rust as we know it stops.

So, there are solutions already.

> There is no mediation of any kind between when a new library/version is published and when it is consumed.

No one is forcing you to stay automatically up-to-date. I personally on changes in critical libraries before updating.

> Any tampering with crates.io itself (espionage, disgruntlement, national security) could have an incredibly wide blast radius, or an incredibly wide set of targets from which to choose.

Repeat of point 1.

> Since crates.io is the source for crates, it is normal for both developers and CI machines to be hitting this web service all the time. Opportunities for mischief are exacerbated when clients are phoning home so frequently.

Again, point 1.

> So what’s the alternative?

Given there's only 2 problematic points in this list and you have pointed to solutions already, I don't see any need for an alternative.
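The two mitigations the comment leans on, vendoring dependencies and not tracking crates.io automatically, come down to a small amount of project configuration plus a check that CI actually enforces it. The script below is an added example, not code from the commenter or from the Cargo project: `write_vendor_config` writes the source-replacement config that `cargo vendor` prints (the `[source.crates-io]` / `replace-with` / `directory` keys are real Cargo config), and `check_offline_ready` is an assumed helper name that verifies the three things a build needs so that an outage or tampering at crates.io cannot reach it: a committed `Cargo.lock`, a `vendor/` tree, and the source replacement. The demo project at the bottom is constructed with empty placeholder files so the script runs without `cargo` or network access.

```shell
#!/bin/sh
# Added example (not from the HN thread): make a Cargo project buildable
# without live access to crates.io, then verify that it really is pinned.
# Assumes POSIX sh and the layout Cargo expects: Cargo.toml, Cargo.lock,
# vendor/ and .cargo/config.toml in the project root.
set -eu

# Write the source-replacement config that `cargo vendor` prints to stdout,
# so `cargo build` reads crates from ./vendor instead of crates.io.
# On a real project the equivalent step is:
#   mkdir -p .cargo && cargo vendor > .cargo/config.toml
write_vendor_config() {
  proj="$1"
  mkdir -p "$proj/.cargo"
  cat > "$proj/.cargo/config.toml" <<'EOF'
[source.crates-io]
replace-with = "vendored-sources"

[source.vendored-sources]
directory = "vendor"
EOF
}

# Return 0 when the project can be built with `cargo build --locked --offline`
# without touching the network; otherwise print the first missing piece
# and return 1 (hypothetical helper, not a cargo subcommand).
check_offline_ready() {
  proj="$1"
  [ -f "$proj/Cargo.lock" ] \
    || { echo "missing Cargo.lock: dependency versions are not pinned"; return 1; }
  [ -d "$proj/vendor" ] \
    || { echo "missing vendor/: sources would still be fetched from crates.io"; return 1; }
  grep -q '^replace-with = "vendored-sources"' "$proj/.cargo/config.toml" 2>/dev/null \
    || { echo "missing source replacement in .cargo/config.toml"; return 1; }
  echo "ok: $proj builds from vendored, pinned dependencies"
  return 0
}

# Demo on a constructed throwaway project; no real crates are downloaded.
demo_dir="$(mktemp -d)"
mkdir -p "$demo_dir/vendor"
: > "$demo_dir/Cargo.lock"            # constructed placeholder; cargo writes the real one
check_offline_ready "$demo_dir" || true   # reports the missing source replacement
write_vendor_config "$demo_dir"
check_offline_ready "$demo_dir"           # passes now
# A CI job would then build with:  cargo build --locked --offline
```

`--locked` makes the build fail rather than silently rewrite `Cargo.lock`, and `--offline` makes any attempt to reach crates.io an error instead of a fallback, which is what turns "we vendor our deps" from a habit into something a failing pipeline enforces.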



