[marcus_holmes]

Not really, because malicious actors don't care about their reputations, accounts, etc.

A reputable developer has a reputation to maintain (by definition), which makes Google's threat to permaban them a threat indeed.

A disreputable developer doesn't care about their reputation (again, by definition). They can create a new throwaway account every day and apply using the same (or slightly, easily, altered) code with different permissions every hour until they get permabanned, and start again tomorrow.

So the "obscurity" can be discovered easily through experimentation by the bad guys, but is still obscure for the good guys. This is not a good outcome.

[adrianN]

The point is making it more expensive for malicious actors. You can't make it impossible to get malicious extensions in, but you can make it harder. It's the same as captchas. You can also defeat captchas, but adding them reduces abuse a lot. As with captchas you're making it harder for good actors too. The difficult part is finding a good balance.

Reputation can be bought too btw.

[nulbyte]

> The point is making it more expensive for malicious actors.

Malicious actors don't care about expenses nearly as much as benign ones do. So the point ought to be, if you want me to fix something, tell me what's broken.

[winkeltripel]

Except that in this case, it's misplaced, and causing benign actors far more pain than malicious actors. If they want to hurt malicious developers, they need to flag extensions as untrustworthy for:

1. age < 180 days

2. dau < 1000

3. some rule around user reports of malice on uninstall?

and this gets a bright warning banner on the top of the page, and it can't be discovered through the chrome store until crossing these thresholds.