I vote for number 3.
On EVERY download page there should be a link to JD-GUI (http://jd.benow.ca/) and a recommendation that people use JD-GUI to decompile ALL plugins that they download.
EDIT:
Sometimes the decompiled code is different from the original code.
I suggest that you force developers to upload the source code, and then the server compiles it.
Server owners then get access to:
- an online source viewer (like GitHub's file preview)
- a zip file download of the source
- the compiled jar file
Another thing:
Devs get rep for good files.
Everyone gets rep for reliable reviews (flagging a file for review, then staff members agreeing with it).
@sk89q
If you use both flags and community reviews, some things that get past the flags might get caught by the community; then you can add a flag to prevent similar attacks. Keep doing this, and eventually almost all dangerous plugins will be eliminated.
Of course, there will still be people who can get past everything, but I think currently more damage is done by the people who write simple hacks, so if we get rid of them, we get rid of most of the problems.
Also, I suggest that you get the downloads site finished and fully operational before you start letting people make mods / plugins.
If someone makes a plugin but there's no official website to upload it to, they will find somewhere else to put it,
and they usually won't bother re-uploading it on the official website.
ANOTHER IDEA @sk89q
(this idea was stolen from Google)
You should add permission groups for plugins.
Before the server owner downloads the plugin, they see something like this (but for plugins, not apps).
The server owner clicks accept, and they download the plugin.
For example, the server will NOT let the plugin use .setop(true) unless the developer has told the website that they will use it.
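As an added illustration of the permission-group idea above (example code written for this edit, not code from the thread, from sk89q's site or from any real plugin API): a plugin ships a manifest listing the privileged server calls it intends to use; the server hands the plugin a proxy that refuses any privileged call the manifest did not declare and records the refusal for the reviewers; and the same list of privileged calls drives a static pre-scan of the uploaded (or decompiled) source, so an undeclared call is flagged before the plugin is listed. The privileged call names (`set_op` standing in for the post's `.setop(true)`, `ban_player`, `run_console_command`), the `ServerApi`/`GuardedApi` classes and the sample plugin source are all assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Privileged server calls a plugin must declare in its manifest before the
# server lets it use them. Assumed names; set_op models the post's .setop(true).
PRIVILEGED = frozenset({"set_op", "ban_player", "run_console_command"})


class PermissionDenied(Exception):
    """Raised when a plugin calls a privileged API it did not declare."""


@dataclass
class Player:
    name: str
    op: bool = False


@dataclass
class ServerApi:
    """The real server API (assumed). Plugins never get a direct reference to it."""
    players: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def set_op(self, name: str, value: bool) -> None:
        self.players[name].op = value

    def ban_player(self, name: str) -> None:
        self.players.pop(name, None)

    def run_console_command(self, cmd: str) -> None:
        self.audit.append(("console", cmd))

    def broadcast(self, msg: str) -> None:  # unprivileged, always allowed
        self.audit.append(("broadcast", msg))


class GuardedApi:
    """Proxy handed to a plugin: forwards only what its manifest declared."""

    def __init__(self, api: ServerApi, plugin: str, declared: set):
        unknown = set(declared) - PRIVILEGED
        if unknown:  # a manifest asking for a permission that does not exist
            raise ValueError(f"{plugin}: unknown permissions {sorted(unknown)}")
        self._api, self._plugin, self._declared = api, plugin, frozenset(declared)

    def __getattr__(self, attr: str):
        # Undeclared privileged call: refuse it and leave an audit record.
        if attr in PRIVILEGED and attr not in self._declared:
            self._api.audit.append(("denied", self._plugin, attr))
            raise PermissionDenied(f"{self._plugin} did not declare {attr}")
        return getattr(self._api, attr)


# Matches a privileged call such as "api.set_op(" in plugin source text.
_CALL = re.compile(r"\b(" + "|".join(sorted(PRIVILEGED)) + r")\s*\(")


def undeclared_calls(source: str, declared: set) -> set:
    """Static pre-scan: privileged calls present in the source but missing from
    the manifest. Run over the uploaded or decompiled source before listing."""
    return {m.group(1) for m in _CALL.finditer(source)} - set(declared)


# Constructed sample plugin: declares nothing, but tries to op whoever joins.
ROGUE_SOURCE = "def on_join(api, player):\n    api.set_op(player, True)\n"


def demo() -> dict:
    server = ServerApi(players={"alice": Player("alice"), "bob": Player("bob")})

    # 1. The static scan flags the undeclared set_op before install.
    flags = undeclared_calls(ROGUE_SOURCE, declared=set())

    # 2. Runtime gate: had the plugin slipped through, the proxy still refuses.
    rogue = GuardedApi(server, "rogue", declared=set())
    try:
        rogue.set_op("alice", True)
        denied = False
    except PermissionDenied:
        denied = True
    rogue.broadcast("hello")  # unprivileged, goes through

    # 3. A plugin that declared set_op (and whose owner accepted it) gets it.
    admin = GuardedApi(server, "admin-tools", declared={"set_op"})
    admin.set_op("bob", True)

    return {"flags": flags, "denied": denied,
            "alice_op": server.players["alice"].op,
            "bob_op": server.players["bob"].op, "audit": server.audit}


if __name__ == "__main__":
    print(demo())
```

The two checks cover each other's blind spot: the static scan catches the declared-nothing plugin at upload time, which is where reviewers see it, while the runtime proxy catches anything the scan misses (reflection, obfuscated names, code added after review), and the audit entries it writes are exactly the kind of signal the "flag for review" workflow can feed on.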