1) This is only relevant for rustup.rs, most Rust source code is coming from crates.io 2) Most projects have a Cargo.lock that contain sha256 checksums of the source code. You can still announce new versions of everything and hope people pull them in through `cargo update`, but you are not going to get anywhere close to "all Rust users".

How realistic is for a TLD “owner” to take over a domain like this?

Doesn't USA do that all the time with .com and such?

How would that get around the SSL certificate?

If you control the domain, LetsEncrypt will happily issue you a fresh certificate.