hi,
I would say you should add allowplugins if and only if the following three conditions hold:
this is a helpful -- but very subjective -- approach.
1) You trust the channel provider is not malicious
well, as in the case if the Project itself, and DOS, y'all _are_ 'nice folks', 'n all. but, beyond that? how to know ... ... ?
2) You trust that the channel is not going to be compromised by an outside agent (the GPG check is supposed to prevent that, but it's always possible to compromise a GPG key)
well, if compromise is possible, then it's always possible ... and, per your arguments, that trust is never valid. well, there _are_ shades of trust ...
3) The channel is known to distribute plugins, and you want to use these plugins by default without checking them first
is there an check -- with sa-update itself, or other -- to determine what, if any, plugins are going to be distributed by/at a channel subscription? sure, one can subscribe, then dig around in the distro files, but, imho, that's not the user-friendliest approach. would be nice to have a check, e.g., "sa-update --channelfile 'blah' --check-plugins", or something like ... as, honestly, as i write here, without 1st checking, or perhaps thinking on it a bit, i could NOT tell you whether or not the SARE channels(s) i'm sa-update'ing do, or do not, install/include plugins. i just don't know.
Anyways, that's my opinion, though I'm not nearly as familiar with the update process as Theo is.
appreciated. again, it's pretty clear that there _are_ options/choices to be had/made, but the "i'm just a user, so what do i do now?" sort of guidance is still -- as already pointed out, apprently just for me ;-) -- a bit soft. thanks.