This has nothing to do with Google's monopoly. MS Windows will also warn about unsigned executables downloaded from the Internet, at least until these have become well-known enough. Reproducible builds will definitely help with this, both by establishing social trust in your release and by having a single version of the binary that will eventually stop getting these warnings.
Apple has similar issues these days, with their weird "app notarization" requirements that may even require you to pay the platform vendor in order to be acknowledged as a "trusted" developer.
I think the author’s point is that Google’s standard for what constitutes a trustworthy download creates a barrier that may prevent the new app from gaining a userbase large enough to sustain itself and get onto Google’s safe browsing list. This is the definition of limiting market access.
Google’s standards are arbitrarily set and applied, with no evidence of community involvement in setting those standards.
This describes the precursor to monopolistic behavior.
Microsoft is very open about how it works: get an EV code signing certificate from any vendor to remove the warning entirely, or have enough users click through the warning (and getting a cheap "regular" code signing certificate leads to a less severe warning if I remember correctly).
Google is completely opaque, there is no documented path to get rid of the warning.
A code signing cert only removes the warning during actual installation, after you've already downloaded it. For new software, Microsoft still flags it as "uncommon", even if a code signing cert was used.
Not sure if an EV cert makes a difference as you say, but they are certainly prohibitively expensive.
SmartScreen is Microsoft's reputation system used in IE (since IE9), Edge, and Windows 8 and 10. [1] is an introductory blog article about the system in general, revealing among other things that both the executable and the cert it's signed with gather reputation. [2] goes into some more detail on code signing, and [3] talks about EV certs (basically they are a massive reputation boost, both starting you higher (high enough to bypass the warning) and letting you gain reputation faster).
A regular code signing cert can be bought for about $6/month, and an EV cert for about $25/month (if you shop around or buy multi-year certs). Both are expensive in the context of open source, but I'm not sure I'd call the cost prohibitive.
I got a 4-year cert from K Software for $234 (which is < $5/month). Of course, I had to pay for 4 years up-front, but TBH I'd much prefer that, as the verification process is a series of time-consuming farcical hoops to jump through.
The reason I state that it does is that at least Chrome (and its derivatives, which make up 70% of the browser market) and Firefox rely on Google Safe Browsing to flag downloads, and Google controls 92.42% of US search users.
Having one's website and/or downloads flagged as harmful, and potentially being deindexed for hosting malware, is not something any software developer can ignore.
If Bing and Edge flagged my downloads, I would honestly not care as they control 2% of the market. The Windows "this file was downloaded from the internet" warning is something that, regrettably, is so common that users already ignore it, and it happens even for many commercial software programs. Although I do consider that an unfortunate hurdle for free software developers as well, the harm is substantially smaller.
> MS Windows will also warn about unsigned executables downloaded from the Internet
OK, sure, Windows adds an additional problem, but the Google problem still needs to be solved.
> Reproducible builds will definitely help with this, both by establishing social trust in your release
"social trust" is not (so far as anybody knows) a metric that Google uses to decide whether a particular download is malicious.
> and by having a single version of the binary that will eventually stop getting these warnings
Only a single version of the binary was uploaded, and "eventually people will stop getting these warnings" only solves the problem for the current release, not the next one or the one after that.
My larger fear is how opaque the process is: will it just continue to flag my downloads as being harmful? Or will it eventually escalate to blocking my entire page/website as I've seen happen to others? Will it result in search penalties if I continue to release new software? How can I make these warnings go away permanently? None of this is explained anywhere that I can locate. All I have to go by are the scary warnings asking me to "secure my website from future attacks" and that their review found I "no longer" host harmful downloads now that I've removed my own, safe software from my website.