[suryajena]

What if we implement them but hide them deep in the settings or as experimental feature inside the hidden developer menu, behind multiple warning messages and password prompts? Only the very determined developers and advanced users would be able to unlock them. Then it's safe enough?

[lxgr]

Users will unfortunately click on absolutely anything that a trusted (deservedly or otherwise) source tells them to, and you won’t be able to reliable convince them otherwise with UX alone. This includes all “developers only”, “click 5 times” etc. UX interventions.

You have to decide whether the feature warrants the remaining risk after all mitigations, or at least exceeds other, simpler attack vectors.

I think in this case it does, but it’s not an easy decision and I can understand most opposing positions as well.

[skybrian]

I suppose if it’s being actively exploited, the next step would be to make users wait a day, like the plan to change how Android side loading works.

[lxgr]

I'd be absolutely livid if my browser asked me to wait for a day before letting me firmware flash whatever new USB gadget just arrived in the mail.