[acdha]

This is partially true – code-signing defeats it on modern operating systems – but don't forget that much of the problem isn't outright malware but rather ad-ware like the ask.com toolbar where the companies try to claim that users chose to enable it to avoid prosecution or lawsuits.

This is a relatively minor change but the automated checks prevent some of the more blatant abuse and, more importantly, the fact that you can't just anonymously upload code forces shady companies to leave more of a paper-trail.

[tokenizerrr]

My windows box will still happily run unsigned binaries, so I don't see how code-signing would help it there. Unless you were not referring to regular windows/linux as modern. I'm not sure if there's anything special with regards to replacing signed binaries with unsigned ones, but if so you could just put the binary elsewhere and replace the shortcuts.

With regard to the ad-ware like toolbars, is that really reason enough to lock everyone into a walled garden? I'd rather deal with the occasional toolbar than only being allowed run blessed extensions.

[acdha]

> My windows box will still happily run unsigned binaries, so I don't see how code-signing would help it there. Unless you were not referring to regular windows/linux as modern

Close: it's not the OS flavor so much as the security configuration. All of the major operating systems can be configured to restrict execution – whether that's mandatory code-signing, only running code from white-listed restricted directories, etc. this can be used by a security-aware admin to prevent whole classes of attacks or escalation for successful attacks.

That's the default on OS X but can also be enabled if you're willing to break with tradition on most other operating systems. That certainly has a compatibility cost but much of that cost is born by users who don't benefit from it.

> With regard to the ad-ware like toolbars, is that really reason enough to lock everyone into a walled garden?

First, the nakedesecurity writer used a click-bait headline to troll for clicks but that hinges on a redefinition for the accepted meaning of “walled garden”. It's highly misleading since Mozilla isn't charging for signatures or deciding which companies are allowed to publish add-ons.

Second, millions of people are affected by dishonest software. I'm not terribly enthusiastic about needing to sign things now but I'm not cavalier enough to dismiss the argument that a minor inconvenience for a few developers is worth more than improving the average user’s experience. Any time I look at my front-end JavaScript logs, I'm reminded of just how many people are browsing the web with untrustworthy code injected into every page.