Another idea I have been ruminating upon is something like:

1. Create a package set like rustCrates, but do not populate it with anything initially
2. Create builders similar to the above idea (add the source, add a symlink builder for cargo-vendor)
3. When someone wants to add a Rust package, a new process is used:
   1. Use a tool that processes lock files, and checks if the required crates are in the package set
   2. If not, it emits the latest semver-compatible to a by-name-like directory tree using the crates.to name
4. Each ~week a program similar to the one I made is ran:
   1. For each crate in the package set, update each semver to the latest-compatible one, should be relatively fast since no downloading is required, the version is in the index, and the required hash is in the index
   2. Write the latest semver-compatible-version and hash in the files
   3. Check the rustsec db as well, and if crates are yanked.
5. For program dependencies in which the semver that is required is already in the pkgset, they do not touch the package set. If they need to wait a ~week for the next version to the bumped to that is fine.