Disable Vulnerable Plugins

I don’t think the default setting being “off” was ever in question, guys.
Nor do I think either of these gentlemen (or the others involved in these efforts) would override an explicit user preference / instruction.
And, for the record, I agree that I want to have the final choice as to what happens, or does not happen, on sites I control. Obviously others should have that same right.

So, as much as a preference for control over your site is perfectly valid, it does not address the core problem in this particular thread.

Which comes down to:

  1. What can and what should the repository do in the case that plugin vulnerabilities are reported, but left unpatched?
    We have all seen what .org does, or rather does not do, and I think we would agree that such a solution leaves something to be desired.
  2. If the user is given the option of disabling these plugins (which some users may choose to do and one should respect their preferences and autonomy as well), how can this be done safely?

Edit: Also, how is it possible to make sure that plugins with SUCH serious vulnerabilities that they require urgent heroic measures do not make it into the directory in the first place?