
RustSec integration into DevOps workflow #15

@Shnatsel

We need to make discovering that you need to apply security updates, and applying them, as easy and obvious as possible.

Production deployments have higher security requirements than development environments. Therefore auditing and fixing deployed binaries is higher priority than auditing source code.

Hard questions:

  1. If you run Rust code in production, how do you get notified that you need to apply a security update? That's assuming version info for the production binary even exists; see "Make production binaries auditable for known vulnerabilities" (#14).
  2. How do you set up a pipeline to apply these updates automatically?
  3. How should fixes for compiler or standard library bugs be applied? Currently there is no "rebuild everything that was ever installed" command in Cargo. Also, how do we notify people that they need to rebuild everything?
  4. How should security updates to statically linked C libraries be handled? What if the build is for Windows where the only reasonable way to build against C libraries is to bundle them with the -sys crate? Should the maintainer of Rust -sys crate be responsible for security updates to the C code, and if so, how do we make that manageable for the maintainer?
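As an added illustration of question 1 (deciding whether a deployed binary needs a security update), and not code from this issue or from the RustSec project: the script below takes a crate-version inventory for a deployed binary (however it was obtained; issue #14 is about making that information available at all) and a list of advisories, and reports which advisories still apply. The advisory entries and the inventory are constructed sample data with placeholder IDs, the `patched`/`unaffected` fields only mirror the shape of RustSec advisory metadata, and the semver matching is a simplified stand-in that handles plain `MAJOR.MINOR.PATCH` versions and comparison operators only. The nonzero exit code is what a deployment pipeline would gate on.

```python
"""Decide which deployed crate versions need a security update.

Constructed example: the advisories and the deployed-binary inventory below
are made up for illustration (placeholder IDs, not real RustSec entries).
The `patched` / `unaffected` fields follow the shape of RustSec advisory
metadata, but the matching here is a simplified stand-in, not cargo-audit.
"""
import sys
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    # Assumption: plain MAJOR.MINOR.PATCH, no pre-release or build suffix.
    return tuple(int(part) for part in text.strip().split("."))


def satisfies(version: Version, requirement: str) -> bool:
    """Evaluate a comma-separated requirement such as ">=1.2.4, <2.0.0"."""
    for clause in requirement.split(","):
        clause = clause.strip()
        for op in (">=", "<=", ">", "<", "="):
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                break
        else:
            raise ValueError(f"unsupported requirement: {clause!r}")
        holds = {
            ">=": version >= bound,
            "<=": version <= bound,
            ">": version > bound,
            "<": version < bound,
            "=": version == bound,
        }[op]
        if not holds:
            return False
    return True


@dataclass
class Advisory:
    id: str
    package: str
    patched: List[str] = field(default_factory=list)
    unaffected: List[str] = field(default_factory=list)


def is_vulnerable(version: str, advisory: Advisory) -> bool:
    """A version is affected unless it matches an unaffected or patched range."""
    v = parse_version(version)
    if any(satisfies(v, req) for req in advisory.unaffected):
        return False
    if any(satisfies(v, req) for req in advisory.patched):
        return False
    return True


def audit_inventory(inventory: Dict[str, str],
                    advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (crate, deployed_version, advisory_id) for every applicable advisory."""
    by_package: Dict[str, List[Advisory]] = {}
    for adv in advisories:
        by_package.setdefault(adv.package, []).append(adv)
    findings = []
    for crate, version in sorted(inventory.items()):
        for adv in by_package.get(crate, []):
            if is_vulnerable(version, adv):
                findings.append((crate, version, adv.id))
    return findings


# Constructed sample data; IDs are placeholders, crate names are invented.
SAMPLE_ADVISORIES = [
    Advisory("RUSTSEC-0000-0001", "example-parser", patched=[">=1.4.2"]),
    Advisory("RUSTSEC-0000-0002", "example-parser",
             patched=[">=2.0.1"], unaffected=["<2.0.0"]),
    Advisory("RUSTSEC-0000-0003", "example-tls",
             patched=[">=0.9.3, <1.0.0", ">=1.1.0"]),
]

# Constructed inventory as it might be recovered from a deployed binary.
SAMPLE_INVENTORY = {
    "example-parser": "1.4.0",
    "example-tls": "1.0.2",
    "example-logger": "3.1.0",
}

if __name__ == "__main__":
    findings = audit_inventory(SAMPLE_INVENTORY, SAMPLE_ADVISORIES)
    for crate, version, adv_id in findings:
        print(f"{crate} {version}: security update required ({adv_id})")
    # Nonzero exit lets a pipeline fail the deployment or trigger a rebuild.
    sys.exit(1 if findings else 0)
```

The `unaffected` check is evaluated before `patched`, which is what makes the second sample advisory correctly skip the 1.x line it never applied to; a checker that only looks at `patched` would raise a false alarm there.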
