Sure, my point was companies do do that checking and Debian doesn't do that checking, so from the perspective of this risk, it would be harder for an attacker to do this to a large corporate like Microsoft than it would to do it to an open source project like debian.