Comment by MereInterest
2 years ago
> Instead they go on calling it "completely unacceptable" repeatedly, using language that implies that the devs have caused grave offense.
Downloading and executing untrusted code is a security vulnerability. If a library does so accidentally, avoiding such an accident should be the primary focus of the report. If a library does so intentionally due to an accidental error in design of a feature, then the report can focus on how to provide the same functionality without introducing a security vulnerability.
This is neither of those cases. This is a feature whose core functionality, automatic download and execution of arbitrary code, cannot be introduced without causing a security vulnerability. This trade-off, in which marginal functionality is introduced by sacrificing any and all security, was a decision made at some point.
> but would it have killed the person reporting it to have formulated it something like "I appreciate the convenience of automatic downloads but I'd prefer to be able to opt-out because of [...]".
This phrasing is not equivalent. Stating "I appreciate the convenience of automatic downloads" does not seem accurate at all. Nowhere does the convenience show up as something that the reporter appreciates. Stating "I'd prefer to be able to opt-out" implies that an opt-out is sufficient. Avoiding a security vulnerability based on a per-user opt-out is something that should only be done for a hotfix until a better solution can be implemented.
I could see the report being updated with a minimum list of design changes that would be necessary for the feature to be implemented in a safe manner: "While locating and recommending a package to be downloaded is convenient, the download must only be performed when the user explicitly approves it, with the user informed of the recommended package, its version and checksum, and the download URL prior to any download. Anything less than that is a security vulnerability." However, I don't fault the report for not doing so, as a reporter may not be familiar with a project's design roadmap. Describing an existing feature's design as "completely unacceptable" is sufficient.
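The minimum design sketched in the comment above (no download before explicit per-download approval, the user shown package name, version, checksum and URL first, and the checksum verified before the artifact is handed over) as an added example in Python; this is not code from the comment or from any project it discusses, and `Recommendation`, `gated_download`, `outcome`, the sample package and its URL are all assumed or constructed for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Recommendation:
    name: str
    version: str
    url: str
    sha256: str  # hex digest announced together with the recommendation

class DownloadRefused(Exception): ...
class ChecksumMismatch(Exception): ...

def describe(rec: Recommendation) -> str:
    """Everything the user must see before any download happens."""
    return (f"package: {rec.name}\nversion: {rec.version}\n"
            f"url: {rec.url}\nsha256: {rec.sha256}")

def gated_download(rec: Recommendation, ask_user: Callable[[str], bool],
                   fetch: Callable[[str], bytes]) -> bytes:
    """Fetch only after explicit approval; return bytes only if the checksum matches."""
    if not ask_user(describe(rec)):          # opt-in per download, not a global opt-out
        raise DownloadRefused(rec.name)
    data = fetch(rec.url)
    digest = hashlib.sha256(data).hexdigest()
    if digest != rec.sha256.lower():         # wrong artifact or tampered download
        raise ChecksumMismatch(f"expected {rec.sha256}, got {digest}")
    return data

def outcome(rec: Recommendation, approve: bool, served: bytes) -> str:
    """Run one scenario with a fake fetcher; summarise as 'refused', 'mismatch' or 'ok'."""
    fetched = []
    def fetch(url: str) -> bytes:
        fetched.append(url)
        return served
    try:
        gated_download(rec, lambda _text: approve, fetch)
    except DownloadRefused:
        assert not fetched                   # nothing left the machine before approval
        return "refused"
    except ChecksumMismatch:
        return "mismatch"
    return "ok"

# Constructed sample: the 'artifact' is a few bytes, the URL is a placeholder.
SAMPLE_BYTES = b"print('hello from a plugin')\n"
SAMPLE = Recommendation(name="example-plugin", version="1.2.3",
                        url="https://example.invalid/example-plugin-1.2.3.tar.gz",
                        sha256=hashlib.sha256(SAMPLE_BYTES).hexdigest())
```

`outcome(SAMPLE, False, SAMPLE_BYTES)` returns "refused" without a fetch, `outcome(SAMPLE, True, b"tampered")` returns "mismatch", and only the untouched bytes yield "ok".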