by burntsushi 3814 days ago
> Project owners update projects and don't bump the version. New bugs / security problems could be injected even though we haven't changed a thing internally.

You can't update a crate on crates.io without bumping the version. Once a version is published, it cannot be removed. (It can be "yanked," but even yanking it does not make it completely inaccessible.)

> These ensure all projects are built from known sources. We _know_ we can get consistent builds.

Cargo isn't coupled to crates.io. You can run your own registry index. (Note the `[registry]` config section: http://doc.crates.io/config.html) --- All of the code that powers crates.io is open source. On top of that, crate dependencies can be specified via git URLs or locations on disk. Repeatable builds are well supported IMO.
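The three source kinds the comment mentions (registry, git, on-disk) and the `[registry]` index override, as an added example constructed for this page rather than taken from the comment or from Cargo's own docs; the crate names, URLs, paths and the commit placeholder are assumptions.

```toml
# Cargo.toml (constructed example): every dependency resolved from a known source.
[package]
name = "example-app"
version = "0.1.0"

[dependencies]
# Registry crate pinned to an exact version; a published version cannot be
# changed in place, only a new version can be published (constructed version).
regex = "=0.1.0"
# Git dependency pinned to a commit, so a later push to the branch does not
# silently change what gets built (placeholder SHA, not a real commit).
foo = { git = "https://example.com/org/foo.git", rev = "PLACEHOLDER_COMMIT_SHA" }
# Dependency vendored on local disk inside the repository.
bar = { path = "vendor/bar" }

# .cargo/config (constructed example, separate file): make Cargo resolve
# registry crates from a self-hosted index instead of crates.io.
[registry]
index = "https://registry.example.com/index"
```

Keeping the generated `Cargo.lock` under version control extends the same pinning to transitive dependencies, so a rebuild on another machine resolves the identical set of sources.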