On 10/27/17 02:22, Michał Górny wrote: > Yes. We can't technically distinguish intentional package removal by user > from malicious third party stripping them. This is something that a package > manager extension might handle but it doesn't belong in the spec. > "Implementations may provide mechanisms for verifying partial repositories or accepting repositories which could not be fully verified, such mechanisms are outside the scope of this document."
Especially given: "The package manager may reject any package or even the whole repository if it may refer to files for which the verification failed."
