This is a huge potential win for software supply chain security. If it becomes widely deployed, and the standard for major Linux distros, I think it will really put pressure on all software ecosystems (from app stores to language-specific package managers) to close this trust gap.
Right now, with the prevalence of automatic updates, I think users and the software industry as a whole just accept that if you trust a developer once, you trust them to have effective control over your device (or at least the data accessible to their app) forever. That's not a sign of a healthy ecosystem, and it provides an attack surface that is only going to be targeted more and more by governments.
Right now, with the prevalence of automatic updates, I think users and the software industry as a whole just accept that if you trust a developer once, you trust them to have effective control over your device (or at least the data accessible to their app) forever. That's not a sign of a healthy ecosystem, and it provides an attack surface that is only going to be targeted more and more by governments.