| 1 |
On 10/27/17 02:22, Michał Górny wrote: |
| 2 |
> Yes. We can't technically distinguish intentional package removal by user from malicious third party stripping them. This is something that a package manager extension might handle but it doesn't belong in the spec. |
| 3 |
> |
| 4 |
"Implementations may provide mechanisms for verifying partial |
| 5 |
repositories or accepting repositories which could not be fully |
| 6 |
verified, such mechanisms are outside the scope of this document." |
| 7 |
|
| 8 |
Especially given: "The package manager may reject any package or even |
| 9 |
the whole repository if it may refer to files for which the verification |
| 10 |
failed." |
Archives