I'm not following this argument. I think there's no real reliability difference between having SHA256-verified dependencies by lock file and vendoring the same dependencies into the codebase. If there's a concern with crates.io availability, partial local mirroring is possible.
da-x•19m ago