All very true, except you imply that this is a new situation in US politics. It's not. Until the 1883 Pendleton Act, political appointments were always brazenly partisan and there was no non-partisan civil service (except, maybe, the military). Firing appointees for petty vindictiveness was less common, but also happened. Trump isn't so much creating a new situation in American government as he is rolling the clock back 150 years, to a time when US politics was a lot meaner and more corrupt than what we've been accustomed to for most of the last 100 or so years.

Of course, the time when our Republic has had an apolitical civil service, strong norms around executive constraint and relatively low tolerance for corruption corresponds with the time when our nation has been vastly more successful, on every possible metric. That's not a coincidence.

Oh, I forgot to add: Stage 6 is the dumbest and most short-sighted one yet. It only works by ignoring the large regions of the world which will become unlivable, or nearly so, and the fact that those regions are home to billions of people. Those people won't just lay down and die, so the areas that are still livable -- and maybe even more comfortable! -- with warmer temperatures are going to have to deal with the resulting refugee flood, and the wars caused by this vast population upheaval and relocation.

But, yeah, if you ignore all the negative effects and focus only on the potentially good ones, you can convince yourself it'll be a good thing. SMDH.

I see from the comments that we've hit a new stage in climate change denialism.

Stage 1: Denial of warming: Denying that the climate is changing at all.
Stage 2: Denial of human influence: Admitting the climate is changing but denying that humans are causing it.
Stage 3: Denial of impact: Admitting human causation, but claiming the impact will be insignificant.
Stage 4: Denial of solutions: Admitting that it's real, we're causing it and that it will be significant, but denying that there is anything we can do about it.
Stage 5: Denial of timeliness: Admitting that we could have done something about it, but now it's too late.
And now, Stage 6: Denial of negative impacts: Admitting that it's real, and significant, and that maybe we could do something, but trying to spin it as beneficial.

What system component would enforce those restrictions? Unless Google modified Linux to add an entirely new access control scheme it wouldn't be the kernel, which would make the sandboxing much easier to break out of.

But that's not the biggest problem with your suggestion. The biggest problem is that users cannot be trusted to make complex security decisions, which your toggles definitely would be. That sounds condescending, I know, but it's backed up by a vast amount of experience and evidence. You have to keep in mind that approximately all of the three billion Android users know nothing about computing, nothing about security, and less than nothing about computer security.

Obviously. That's not the point I was addressing.

People have much higher expectations of mobile security. Also, most mobile phone users have never used any desktop/laptop, so they aren't even aware of the very low bar for security expectations set by desktop OSes.

Not saying this is a good idea, but I don't think the gig worker would know if you're paying $6.99 or $2.99 for the delivery, which is what would tell them if you have more than $100k in assets.

In general data owned by app A is not readable/writable by app B. This is a pretty important security feature. There are ways for apps to choose to share data, but by default every app's data is private to that app.

I can see how that might inconvenience you, but I think it's Really Good Idea.

Nah, their previous plan already provided the bare minimum, since it didn't restrict sideloading of unverified apps via ADB. This is just an attempt to calm the complaints by offering an even easier sideloading option. Unfortunately, it will probably make the whole scheme pointless, since malware authors will just train users to click through the scary warnings.

This is sadly true. They're going to attempt to throw up a lot of warning dialogs to dissuade users, but we know from long experience that users will click through anything to get to cat videos.

This is actually not a change, really, since they were already going to leave sideloading via ADB open, so their plan already included an "advanced user option" which users could be trained to do. This new thing must presumably be easier than ADB. My guess is that it will feature more scary warnings than enabling ADB, but will allow sideloading without using a USB cable to connect to another computer so that on balance it will be approximately as hard.

During another discussion of this I posted a story that an Android OEM related to me when I worked on Android security, when they asked me when we were going to "close the USB vulnerability", i.e. disable ADB.

How so? The developer verification does not require compliance with any of the Play store policies or anything at all other than the rule "don't distribute malware", since distributing malware would result in the developer account (and signing certificate) being revoked, which is the point of the whole thing, to enable Google to shut down malware authors. Or at least to slow them down, since they'd have to register for a new account, with a different government ID.

This does leave determination of "what is malware" up to Google, but they've been doing that for a long time and I've yet to see any case where people disagreed with their assessment. Note that I'm talking about designation of malware, not about removal from the Play store. Identified malware is removed from the Play store, but there are lots of other policy violations that can trigger Play store removal.

This is not correct. Per the information on Google's developer console sideloading of unverified apps via ADB was not going to be disallowed:

Q: If I want to modify an app and install it on my own device, or if I'm a power user, is there a way to turn this verification requirement off?

A: We understand that's an important use case for many developers and power users. While the verification requirement itself is a core OS feature to help protect the broader ecosystem from malware and can't be turned off, developers and power users can still use Android Debug Bridge (ADB) to continue to build, test, and install modified or unverified apps on their own devices.

(Emphasis mine)

This information has been up since shortly after the announcement.

For example?

It was always a Potemkin village.