Okay, I will bite.
No, I don't think it would be useful to publish software hashes in the blockchain.
As you recognize, a hash of a software package is useless unless it is somehow authenticated. Currently, the most popular way to do this is to make the hash available on a "well-known" website which uses HTTPS, and provides an X.509 certificate signed by a recognized authority. This provides some level of confidence that the hash is claimed as authentic by the owners of the website, who are hopefully the same people as the authors of the software.
If you want to distribute the hash from any site that can't itself be authenticated, the hash will need to be self-authenticating; it should carry a signature that the user can have some confidence was made by the right people. One way to do that would be with X.509 certificates again, but packaged explicitly with the hash rather than being provided implicitly by an HTTPS server.
Your proposal to use an NXT alias would have a similar effect, though I think as things stand it would provide rather less confidence. As problematic as the current certificate authority system is, I think most people today would place more trust in a certificate for "Initech Corporation" signed by Verisign than in the owner of "nxt:initech".
Either way, the point is that if you're not going to distribute the hash from some "well-known" location, it has to have a self-contained signature, and at that point you can distribute it any way you want. You certainly could put it in the blockchain, but what's the point? It's of no use without the software package that it's supposed to authenticate. (And you can't put the software itself in the blockchain; it's too big.) Why not cut out the middleman and just distribute the signed hash together with the software? In fact, why not just distribute a single signed file?
In fact, in many ways, distributing the hash in the blockchain is less secure than just putting it on a website. Even if I just stick it on the plain old HTTP server for initech.com, an attacker still has to either compromise that server or intercept a user's traffic somehow, which is nontrivial to achieve. If I put it in the blockchain, anyone with BTC 0.0001 to spare can post another hash that looks similar (perhaps signed by "inittech" instead), making it fairly likely that some confused user will pick the wrong one by mistake.
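The lookalike-signer problem described in the answer above, as an added example that is not part of the original post: a hash that merely appears on an open ledger proves nothing, so the check has to pin the exact signer identity. The record layout, the function names and the sample data are hypothetical, and the `signer` field is assumed to have already passed signature verification.

```python
import hashlib

PINNED_SIGNER = "initech"  # assumption: identity the user already trusts

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used only to flag near-miss signer names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def naive_verify(package: bytes, records) -> bool:
    """Weak check: any ledger record with a matching hash is accepted."""
    digest = sha256_hex(package)
    return any(r["sha256"] == digest for r in records)

def pinned_verify(package: bytes, records, pinned=PINNED_SIGNER, max_distance=2):
    """Accept only hashes from the exact pinned signer; report lookalike names."""
    digest = sha256_hex(package)
    trusted = [r["sha256"] for r in records if r["signer"] == pinned]
    lookalikes = [r["signer"] for r in records
                  if r["signer"] != pinned
                  and edit_distance(r["signer"].lower(), pinned) <= max_distance]
    return digest in trusted, lookalikes

# Constructed sample data: an open ledger where anyone can post a record.
GENUINE = b"initech-app 1.0 genuine build (constructed)"
TAMPERED = b"initech-app 1.0 tampered build (constructed)"
LEDGER = [
    {"signer": "initech", "sha256": sha256_hex(GENUINE)},
    {"signer": "inittech", "sha256": sha256_hex(TAMPERED)},  # lookalike entry
    {"signer": "acme", "sha256": sha256_hex(b"unrelated (constructed)")},
]

if __name__ == "__main__":
    for name, blob in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(name, naive_verify(blob, LEDGER), pinned_verify(blob, LEDGER))
```

The naive check accepts the tampered build because a matching hash exists somewhere on the ledger; the pinned check rejects it and surfaces the near-miss name for review.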
What is to stop a malicious attacker from distributing a fake hash in exactly the same way? – Nate Eldredge – 2014-04-11T13:18:34.127
Website registration with an NXT alias, and publishing the hash using the account that owns that alias. – CoinsKillTheFed – 2014-04-12T01:43:32.047
Also publishing a message signed by that account on the website. – CoinsKillTheFed – 2014-04-12T01:52:12.043
If you have all that, then what does the block chain add? – Nate Eldredge – 2014-04-12T02:28:55.407
Re: "what does the block chain add?" - it gives a free, permanent equivalent of an SSL certificate. It allows publishing anything permanently without supervision of ICANN and other authorities. The tough part is to establish trust in the NXT account. Trust can be built upon the trust of an existing popular website, like I suggested above (by publishing a signed message). – CoinsKillTheFed – 2014-04-14T05:28:17.730
Nate Eldredge, code certificates are outrageously expensive for what they basically are. There's collusion between Microsoft and certificate providers to keep things this way.
Furthermore, the hoops we need to jump through to install and use those certificates get higher every year, adding lost productive time, money and energy. – Christophe Keller – 2017-04-14T09:52:44.470