We currently allow some users to manually upload packages (in case
they take too long for CI, or to bootstrap things).
In case of an account takeover this would allow an attacker to upload/replace
files in staging. To reduce the risk a bit ask for confirmation when downloading
the manually uploaded files.
Also add a "--noconfirm" option so we can avoid the questions in the staging
download script.
Ideally we would require users to sign their files, but this helps a bit at least.
