They get fetched from your local cargo cache, unless you purged that too. You're also not back to case 1, you get a compilation error that tells you that the package doesn't exist and you'll need to audit a replacement. This is a lot better than trusting someone to drop a replacement in automatically. But if you want that, there's cargo update - and like you said, it has issues (because updating dependencies always has issues).
> The problem of securing the chain of production is not solved with a simple lock file.
I didn't say it was. I said the issues the author describes almost all are. Relying on distro maintainers doesn't solve them either.