On 10/27/17 02:22, Michał Górny wrote:
> Yes. We can't technically distinguish intentional package removal by user from malicious third party stripping them. This is something that a package manager extension might handle but it doesn't belong in the spec.
>

"Implementations may provide mechanisms for verifying partial |
repositories or accepting repositories which could not be fully |
verified, such mechanisms are outside the scope of this document." |
|
Especially given: "The package manager may reject any package or even |
the whole repository if it may refer to files for which the verification |
failed." |