Honest question, how would you actually detect this? I mean I understand using the package manager install (and that's easy for them to control) but building from source and doing a local install (i.e. no `sudo make install`)? Everything is a file. How would you differentiate without massive amounts of false positives?
