After downloading a plugin and having it fail (eg, due to the SElinux issue), codeina still redownloads the plugin the next time you try to do it even though it still has a copy of the tarball in ~/.local
We don't have any checksums in the available-plugins.xml file, so we don't know whether the download was successful or not.
Tarballs instead of rpms (so no real updating), no signatures, no checksums... should this be scaring me as much as it is?
There's updating support (although it requires an updated available-plugins.xml, which is sub-par). I've added sha1sum support in my local repo though. Feel free to file another bug about specific security concerns, and not pile on to this bug.