
I don't think the fear is entirely unjustified. I always wonder, in the back of my mind, if the thing I'm downloading from a developer's site is the real thing or some kind of trojan impostor that's been shunted into place.

We depend on the "take one for the herd" principle where the first few people to get stung by the trojan will alert others and the app can be taken down. Usually this is quick enough to make the viability of this kind of attack limited, but can we truly depend on that?

Code signing not for DRM purposes but for identifying the vendor is a big deal. Most Linux distributions make a point of validating the MD5 or SHA1 hash of the contents, yet on OS X most just download and open without really thinking.

The "liberty" you complain about sacrificing is only one click away.



