That significantly complicates -- and to a degree undermines -- the ability for packages to utilize signing of installed components for verification of a system.
The files created by a package should not be modified for any reason. I should be able to do a package verification and check the checksums of the installed components.
It would be possible to update the package database with modified checksums of binaries that are "patched" by a fatelf system, but then that reduces the overall safety. Then I would only be able to check a potentially compromised system's filesystem using data that only exists in the potentially compromised system's filesystem. Without modifying binaries, I can grab the upstream original verified out-of-band package and compare its checksums directly to those on the system's filesystem image.
Yes, I realize that prelink already screws up most of this. I'm not sure if prelink is still commonly used (faster linkers like gold and strict symbol visibility control can reduce the need for prelinking, and address space randomization should be part of the dynamic loader, but maybe Linux distros haven't caught up yet).
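The comparison described in the comment above, sketched as an added example that is not part of the original comment. It checks a mounted filesystem image against digests taken from a package verified out-of-band, then repeats the check against an on-system database that was updated after a post-install rewrite. The names `verify_image` and `demo`, the manifest layout (path to SHA-256 hex digest, regular files only) and the sample paths are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def verify_image(image_root, manifest):
    """Return {path: status} for every manifest entry that does not match.

    manifest maps absolute in-image paths to SHA-256 hex digests (assumed layout).
    """
    findings = {}
    for path, expected in sorted(manifest.items()):
        on_disk = os.path.join(image_root, path.lstrip("/"))
        if os.path.islink(on_disk):
            # Do not follow links out of the image; only the final component is checked here.
            findings[path] = "replaced-by-symlink"
        elif not os.path.isfile(on_disk):
            findings[path] = "missing"
        elif sha256_file(on_disk) != expected:
            findings[path] = "modified"
    return findings

def demo():
    # Constructed sample: two files as shipped by a hypothetical package.
    shipped = {"/usr/bin/tool": b"\x7fELF shipped", "/usr/bin/other": b"\x7fELF other"}
    upstream = {p: hashlib.sha256(d).hexdigest() for p, d in shipped.items()}
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "usr/bin"))
        for p, d in shipped.items():
            with open(os.path.join(root, p.lstrip("/")), "wb") as f:
                f.write(d)
        # A post-install rewrite of one binary (legitimate patching and tampering look the same).
        tool = os.path.join(root, "usr/bin/tool")
        with open(tool, "ab") as f:
            f.write(b" + appended bytes")
        # The on-system package database is updated to match the rewritten file.
        local_db = dict(upstream, **{"/usr/bin/tool": sha256_file(tool)})
        return verify_image(root, upstream), verify_image(root, local_db)

if __name__ == "__main__":
    against_upstream, against_local_db = demo()
    print("upstream manifest:", against_upstream)
    print("on-system database:", against_local_db)
```

The upstream manifest flags the rewritten binary, while the updated on-system database reports nothing, since it was changed along with the file.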