Also, where would the information be stored? If it was in the repo itself (as metadata) then the malicious maintainer could just not update it ...