If I may ask, why is this step necessary for using third-party plugins? The warning that is popped up when this box is checked makes it clear that it isn't to be checked lightly.
Apache projects are not allowed to ship non-Apache jars as part of a distribution, unless the license for those 3rd party jars is compatible with the ASL, in at least one case for some receiver stuff the license is not compatible. We are forced to ask you to download that yourself, and install it somewhere, in this case, the .plugins directory.
To throw a 2nd spanner in the works, Java Web Start classloading rules dictate that only classes loaded from the same classloader that loaded the Webstart app are valid (and need to be signed by the same certificate). The only way around this was to disable the built-in security manager. Since there is a slim possibility of 'rogue' code causing you problems if it was loaded we felt obligated to inform you of the potential problem. The warning is probably written more on the scary side than necessary, but I felt that it would be better to err on the side of caution. If you can suggest some better phrasing, we'll happily consider changing it.
You have some valid points about clarity of information (and quantity), which we will take on board. I didn't think the error mentioned about the .plugin directory not being found would be 'fatal' to you, Chainsaw should just keep on trucking (with the caveat that some of the Receiver types wouldn't be available).
cheers, Paul Smith
smime.p7s
Description: S/MIME cryptographic signature
