Hi Daniel,
This MMF was driven by security concerns. You may be aware that in 2020 a number of SonarQube instances were found to be exposed on the internet with the default admin credentials still in place (reference). While that was purely user error, it caused us to step back and take a fresh look at the security of SonarQube instances.
One thing we realized is that while we can ensure the integrity of what we (SonarSource) provide, we can’t do that for community plugins. And, given the fact that (a “long” time ago) we used to provide our functionality through the Marketplace (née Update Center), it’s possible that some users may not be aware of the distinction.
So our goal here was to provide a tiny wake-up call to make sure that people are aware that they’re using non-SonarSource functionality, and they do so at their own risk. I understand your concern about a negative impact on plugin maintainers and users. But if we had delivered this tiny wake-up call as a mere disclaimer in the interface… Well, surely you know how often such things are actually read.
At the same time I want to assure you that we are concerned with fairness in our handling of the plugin “community” (maintainers and users). Please know that the goal is not to inhibit this community. Merely to make sure the cards are on the table.
Ann