@Eyeux - yep, I pretty much agree with what you are saying. Many of the arguments the article states don’t make a lot of sense.
I will concede that I think the warden process does have legitimate purposes for securing applications. But I think there are ways it could be done without requiring client machines to “phone in” every time an application is launched to check if it’s security certificate has been revoked.
Other application repositories have combatted the issue of stale certificates differently. For instance, many of the core APT repositories on Linux simply update a list of rejected certificates that clients can download periodically. There’s a small chance that an application could be decertified, but still allowed to run on an individual machine because the client hasn’t been notified, but the risk is low and well worth the trade-off of not having to contact a central server every time an application is ran.