I'm in a bit of a bind here myself. I'm just starting development on an embedded project that will go out to tinkerers. However, due to the support nightmare that is customized service&hardware model in question, I'd love to be able to sign off at least the supported binaries.
That means, they would be allowed (and okay) to run other software, as long as the "core functionality" can be verified as unmanipulated, simply so we say "you changed it, keep all the pieces" in support.
So yes, we are partially in that same boat, but for a business reason I cannot argue with. Supporting modified binaries would cause a pain. So would it if they were to add too much software and the oom-killer would hit the core software (which can't normally go oom due to careful vetting)
So, what should I do in a situation like this? Soak a support cost, trust customers honesty, or try and prevent my headache?