@neil Actually, here's another (related) question. In the case of an open code signing arrangement, where you are able to install your own code signing certificate authorities instead of only being able to trust the one(s) that the operating system vendor provides, how do you prevent malicious actors from installing code signing CAs that you didn't want installed, and therefore able to run untrusted (by you) code?

It strikes me that neither scheme is without its problems.