@marcan It's interesting how people will bash any security decision they consider to be vulnerable, completely ignoring the idea of security being a cost-benefit calculation.
If your project does not solve problems in a high-security domain, chances are you don't need to worry about secret services doing DNS spoofing on your client's PC during installation (also, even that example would be the client's (or client's network admin's) fault).
Security is an optimization problem, and if you have the millions of dollars and minutes in budget to optimize it, that's awesome and literally optimal, but living in reality also means doing pragmatic solutions.