Ok. Rereading your comment, it still seems to me that my interpretation is by far the more natural one. But let's move on.
The simple answer to the question of how many times the question should be asked is simple: As long a no executable file is created, zero. If an executable file is created, the user should be prompted for confirmation once. The exception to this is with .desktop files, for which the prompt is shown when the file is first executed, and not when saved. Preferably, when a user is asked for confirmation and and gives it, the untrusted flag should be stripped; if the file is indeed evil, the damage is already done.
As for evil RPM:s, they are already handled by the package managers of today - packages that are not signed by a known key will not install without an extra override switch.