Board: Development & Technical Discussion
Re: A replacement Alert System should be considered to promote updates as necessary
by doctor-s on 19/09/2017, 01:29:53 UTC
> Because this requires the source to be honest about XXXXX.  In other words, it requires trust.  We are philosophically opposed to building systems which have an ongoing and realtime trust requirement both out of concern for the security of our users but also as a factor in our own personal safety.

Hmmm. If I understand you correctly here, when you say "ongoing and realtime trust requirement" you're specifically referring to an alert/notification system, and not any other part of the software, correct?

So the concern is that if you or any other developer with access to an alert system is compromised, that ongoing trust is also compromised?

I guess my response would be, doesn't that concern also apply to users simply downloading the software? i.e. if the download is compromised, users are compromised. So users currently have a high level of trust that the downloads they obtain are genuine, original, and without security issues (this argument applies to almost everything, there is always a baseline level of trust involved).

You could counter that by saying that users can check the source code, but the reality is apart from some very select people, users aren't reviewing source code, so they have a level of trust, either in the developers, or in their peers who are able to review the code. You could have simpler methods of verification that users can do, such as MD5 hashes which compare with historical MD5 hashes so that you know you can roll back to a previous secure version even if the current download sources are compromised, but again, this is generally beyond the average user.

I guess what I'm saying is, I don't see a great deal of difference between existing systems, which do have a trust component, and an idealised alert/notification system.

Keep in mind I'm not talking about the old alert system, I'm talking about an ideal alert/notification system, specifically created with the above concerns in mind.

It feels to me like the very concept of an alert system isn't even up for consideration, which I think is a grave mistake.

Without some kind of carefully crafted notification, there will always be users who never ever update. It feels like stagnation is built into this system and it will never be overcome.

An idealised alert/notification system could have multiple failsafes inbuilt such as multi-sig security to prevent malicious developers or compromised developers exerting control.
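The multi-sig safeguard in the last paragraph, as an added example that is not part of the original post or of any project's code: a client-side verifier that accepts an alert only when a threshold of distinct, pre-shipped developer keys has signed it, so that one malicious or compromised developer cannot push an alert alone. The use of Ed25519, the `alert-v1` domain prefix, the 2-of-3 policy and the deterministic demo seeds are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"fmt"
)

// Alert is one broadcast message: an ID so clients can track what they have
// already seen, and the text that would be shown to the user.
type Alert struct {
	ID      uint64
	Message string
}

// signingBytes is the canonical encoding that gets signed. The fixed prefix is
// a domain separator (assumed here) so a signature over an alert can never be
// replayed as a signature over anything else the same keys might sign.
func (a Alert) signingBytes() []byte {
	return []byte(fmt.Sprintf("alert-v1|%d|%s", a.ID, a.Message))
}

// AlertSig is one developer's signature, tagged with the public key that made it.
type AlertSig struct {
	PubKey ed25519.PublicKey
	Sig    []byte
}

// Policy is the client's trust configuration: the developer keys it shipped
// with and how many of them must sign before an alert is acted on.
type Policy struct {
	Threshold int
	Trusted   map[string]ed25519.PublicKey // keyed by hex-encoded public key
}

func NewPolicy(threshold int, keys ...ed25519.PublicKey) Policy {
	p := Policy{Threshold: threshold, Trusted: make(map[string]ed25519.PublicKey)}
	for _, k := range keys {
		p.Trusted[hex.EncodeToString(k)] = k
	}
	return p
}

func SignAlert(priv ed25519.PrivateKey, a Alert) AlertSig {
	return AlertSig{
		PubKey: priv.Public().(ed25519.PublicKey),
		Sig:    ed25519.Sign(priv, a.signingBytes()),
	}
}

// VerifyAlert accepts the alert only if at least Threshold distinct trusted
// keys produced a valid signature over it. Unknown keys are ignored and one key
// signing twice still counts once, so a single compromised developer cannot
// reach the threshold on their own.
func VerifyAlert(p Policy, a Alert, sigs []AlertSig) error {
	msg := a.signingBytes()
	seen := make(map[string]bool)
	for _, s := range sigs {
		id := hex.EncodeToString(s.PubKey)
		trusted, ok := p.Trusted[id]
		if !ok {
			continue // not one of the shipped developer keys
		}
		if !ed25519.Verify(trusted, msg, s.Sig) {
			continue // bad signature, or signed over a different message
		}
		seen[id] = true
	}
	if len(seen) < p.Threshold {
		return fmt.Errorf("alert %d: %d valid signer(s), need %d", a.ID, len(seen), p.Threshold)
	}
	return nil
}

// DemoKeys derives four key pairs from fixed, constructed seeds so the example
// runs offline. Real developers generate keys independently and never share seeds.
func DemoKeys() []ed25519.PrivateKey {
	var keys []ed25519.PrivateKey
	for i := byte(1); i <= 4; i++ {
		seed := make([]byte, ed25519.SeedSize)
		for j := range seed {
			seed[j] = i
		}
		keys = append(keys, ed25519.NewKeyFromSeed(seed))
	}
	return keys
}

func PublicKeys(privs []ed25519.PrivateKey) []ed25519.PublicKey {
	var pubs []ed25519.PublicKey
	for _, k := range privs {
		pubs = append(pubs, k.Public().(ed25519.PublicKey))
	}
	return pubs
}

func main() {
	privs := DemoKeys()
	// Three developer keys are trusted and two must sign; the fourth key stands
	// in for an attacker who is not in the shipped key set.
	policy := NewPolicy(2, PublicKeys(privs[:3])...)
	alert := Alert{ID: 1, Message: "Please upgrade: critical fix available"}

	fmt.Println("2 of 3:", VerifyAlert(policy, alert, []AlertSig{SignAlert(privs[0], alert), SignAlert(privs[1], alert)}))
	fmt.Println("same key twice:", VerifyAlert(policy, alert, []AlertSig{SignAlert(privs[0], alert), SignAlert(privs[0], alert)}))
	fmt.Println("trusted + untrusted:", VerifyAlert(policy, alert, []AlertSig{SignAlert(privs[0], alert), SignAlert(privs[3], alert)}))
}
```

The verifier never consults the network for its key set; the keys are pinned in the client at release time, so the only ongoing trust is that a threshold of the key holders has not been compromised simultaneously, which is a strictly weaker requirement than trusting any single alert source.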