The official Google Chrome .deb for Debian/Ubuntu downloaded from google.com/chrome sets up a software source as well, so you can't say that's not how .deb files work.
kerrick@psyduck:~$ ls /etc/apt/sources.list.d/
google-chrome.list
kerrick@psyduck:~$ cat /etc/apt/sources.list.d/google-chrome.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb http://dl.google.com/linux/chrome/deb/ stable main
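The file listed above is in apt's one-line source format. As an added example (not code from this thread), the Python below parses such `sources.list.d` entries, including commented-out ones and `[options]` such as `signed-by`, and reports which vendors have been given an update source on the machine; the sample content is constructed from the listing in the post.

```python
"""Parse apt one-line-style source lists and report configured update sources.
Added example; SAMPLE is constructed from the google-chrome.list shown above."""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Matches "deb [opts] uri suite comp...", optionally commented out with '#'.
ENTRY_RE = re.compile(
    r"^(?P<disabled>#\s*)?(?P<type>deb|deb-src)\s+"
    r"(?:\[(?P<opts>[^\]]*)\]\s+)?"
    r"(?P<uri>\S+)\s+(?P<suite>\S+)(?P<comps>(?:\s+\S+)*)\s*$"
)

SAMPLE = """### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb http://dl.google.com/linux/chrome/deb/ stable main
"""

@dataclass
class AptSource:
    type: str
    uri: str
    suite: str
    components: List[str]
    options: Dict[str, str]
    enabled: bool

    @property
    def host(self) -> str:
        return urlparse(self.uri).hostname or ""

    @property
    def plain_http(self) -> bool:
        # apt still verifies Release signatures over http; this only tells you
        # that what is fetched is visible on the wire.
        return urlparse(self.uri).scheme == "http"

def parse_sources_list(text: str) -> List[AptSource]:
    sources: List[AptSource] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank line or an ordinary comment
        opts = dict(o.partition("=")[::2] for o in (m.group("opts") or "").split())
        sources.append(AptSource(m.group("type"), m.group("uri"), m.group("suite"),
                                 m.group("comps").split(), opts,
                                 m.group("disabled") is None))
    return sources

def audit(text: str) -> List[str]:
    """One finding per entry: who can push packages here, and how it is verified."""
    findings = []
    for s in parse_sources_list(text):
        state = "enabled" if s.enabled else "commented out"
        transport = "plain http" if s.plain_http else urlparse(s.uri).scheme
        key = s.options.get("signed-by", "the global apt trusted keyring")
        findings.append(f"{state} {s.type} source from {s.host} via {transport}, "
                        f"suite {s.suite}, verified with {key}")
    return findings
```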
I didn't say DEBs can't work that way, but they sure aren't assumed to work that way. Whereas the act of installing a CRX is assumed to configure an update source.
That's the real point here. For the average user, disabling off-store installs by default is much safer, and it will dramatically reduce the number of compromises. For developers, it's a simple matter of passing a command-line switch.
Let's be honest: The average user doesn't expect anything at all to do with CRX files or extension updates. They just expect an extension to install when they click install, and to work from then on.
That's not really true. The average user has no clue what a file format even is, much less what a CRX is. And to be entirely honest, it's not fair to expect them to know what files are safe to just download and run. So, we made the decision to protect the average user at the cost of an extra command-line flag or a drag-and-drop operation for developers. I think that was a good trade-off, but you're certainly welcome to suggest something better.
The problem is that you're thinking of extensions as files, which most users don't understand. They want an extension; they don't care how it's delivered and they have no idea what an auto-update source is.
I have a button on my website that says "Install extension." I don't tell them it's a link to a .CRX file; that's an implementation detail. If you asked any of my users whether they had downloaded a file (let alone what its extension is), most couldn't tell you. Similarly, the Chrome Web Store has buttons that say "Add to Chrome," not "Download Trusted .CRX File."