Gatekeeper (in a wider sense) actually is two things:
Firstly, it is a user setting choosing what software to trust: only software downloaded from the Mac App Store, everything that’s signed, or ‘everything’.
The first two settings require applications to be signed. That doesn’t say anything about whether they are safe to run, but it does allow Apple to find out who developed malware, if it is discovered.
Secondly, applications that download executables can opt in on signaling to Gatekeeper “the first time the user runs this executable, ask for user confirmation”. They do that by setting an extended file attribute on the executable. Gatekeeper removes it if the user indicates the executable can be run.
Neither feature cares from where the executable is launched. External drives are very common (think USB drives), so they ‘had’ to be included. I would guess NFS shares slipped through the net, but possibly, there are companies that use NFS shares.
Of course, that “opt-in” is a weak point. They couldn’t do a lot better because, when Gatekeeper was introduced, users already had lots of executables, and they didn’t want users to pick the ‘everything’ option after being bombarded with Gatekeeper dialogs.
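On macOS the extended attribute described above is named `com.apple.quarantine`. The following Python code is an added example, not part of the original comment: it parses that attribute's value and separates files that carry the tag from files that do not, which is the opt-in gap the comment points at. The field layout (`flags;timestamp;agent;event-id`, with hexadecimal flags and a hexadecimal Unix timestamp), the `audit` and `parse_quarantine` names, and every path and value in `SAMPLE` are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

QUARANTINE_XATTR = "com.apple.quarantine"  # attribute name used by macOS

def parse_quarantine(value):
    """Split 'flags;timestamp;agent;event-id' into fields (layout is an assumption).

    flags and timestamp are hexadecimal; the timestamp is seconds since the
    Unix epoch. Trailing fields may be missing and come back as None.
    """
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"not a quarantine value: {value!r}")
    parts += [None] * (4 - len(parts))
    flags, stamp, agent, event_id = parts[:4]
    return {
        "flags": int(flags, 16),
        "tagged_at": datetime.fromtimestamp(int(stamp, 16), tz=timezone.utc),
        "agent": agent or None,        # application that set the attribute
        "event_id": event_id or None,
    }

def audit(xattrs_by_path):
    """Given {path: {xattr name: value}}, return (tagged, untagged).

    tagged maps path -> parsed fields; untagged lists paths that would not
    trigger a first-run confirmation because no downloader tagged them.
    """
    tagged, untagged = {}, []
    for path, attrs in sorted(xattrs_by_path.items()):
        raw = attrs.get(QUARANTINE_XATTR)
        try:
            if raw is None:
                raise ValueError("attribute absent")
            tagged[path] = parse_quarantine(raw)
        except ValueError:
            untagged.append(path)  # absent or malformed: treat as not tagged
    return tagged, untagged

# Constructed sample: in practice the inner dicts would be read per file
# (for example with `xattr -l` on macOS).
SAMPLE = {
    "/Users/alice/Downloads/Installer.app": {
        QUARANTINE_XATTR: "0083;5f2b6c40;Safari;0A1B2C3D-0000-4000-8000-000000000001"},
    "/Users/alice/Downloads/tool": {},  # fetched by a program that did not opt in
    "/Volumes/USB/run.command": {QUARANTINE_XATTR: "garbage"},
}

if __name__ == "__main__":
    tagged, untagged = audit(SAMPLE)
    for path, info in tagged.items():
        print(f"tagged   {path} by {info['agent']} at {info['tagged_at']:%Y-%m-%d}")
    for path in untagged:
        print(f"UNTAGGED {path}")
```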