It has recently come to my attention that GitHub may be blocking access to their public services from countries under US sanctions. Since the crates.io registry is (partially?) hosted on GitHub, this will basically prevent a lot of people from accessing the Rust ecosystem. What can be done to change this situation?
Likely these people are also prevented from contributing to many projects in the Rust ecosystem. Here I don't really see an easy way out though. 
Do you have a source? (It sounds somewhat plausible, but "trust but verify" etc.)
This is something we're looking into. There's no details that I can give at this time, other than to say that we're discussing this with legal counsel.
One other note: To my knowledge affected folks are still able to access public repositories, and there's no plans to change that -- meaning that at least to the extent that crates.io uses GitHub folks should not be affected.
IPFS has package management on its "top priorities for 2019" list. It seems like a natural solution to the problem: immutable, replicable filesystem that allows packages to be content-addressable (guaranteeing package integrity):
An update for this has been posted. Update on Rust, crates.io, and US economic sanctions
The crates.io index is the main thing at issue here, and is presently implemented as a git repository, which is a poor fit for IPFS
I've suggested changing how index is fetched (clone of the whole index is problematic no matter what protocol you use), which would make it more friendly to IPFS and others.