General information on packaging:
(Sorry, these may be out of date and/or not very clear -
https://wiki.debian.org/DebianAcademy are working on better ones.
Non-trust warning: wiki.debian.org is an anyone-can-edit site.)
https://wiki.debian.org/UpstreamGuide
https://wiki.debian.org/Packaging/Intro
https://www.debian.org/doc/manuals/maint-guide/
https://www.debian.org/devel/

Plugins and security:
Thank you for thinking about this question.
grep -rhi -e "Package:.*plugins" /var/lib/apt/lists/*_Packages finds
many existing plugin collection packages, but they may have non-security
reasons for being separate (e.g. package/dependencies size).
An alternative way to reduce the exploitability of bugs in obscure
formats would be to make the library's autodetect functionality default
to only considering common formats (and/or to rejecting files with
misleading filename extensions). Users who do want to use such a format
would then have to request it at run time; this has the advantage
(compared to installing a plugin package) of being one-off rather than
default-permanent, but the disadvantage that it might be too easy to
click yes without thinking.
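
The autodetect policy suggested above, sketched as an added example (not part of the original message and not any real library's code). The signature table, detect_format(), FormatRejected and the extra_formats parameter are all hypothetical names; PCX merely stands in for an "obscure" format.

```python
import os

# Constructed signature table: (name, magic bytes, accepted extensions, common?)
SIGNATURES = [
    ("png",  b"\x89PNG\r\n\x1a\n", {".png"},          True),
    ("jpeg", b"\xff\xd8\xff",      {".jpg", ".jpeg"}, True),
    ("gif",  b"GIF8",              {".gif"},          True),
    ("pcx",  b"\x0a\x05\x01",      {".pcx"},          False),  # obscure: opt-in only
]


class FormatRejected(Exception):
    """Raised before any decoder runs, so the decoder's bugs stay unreachable."""


def detect_format(filename, header, extra_formats=frozenset()):
    """Return the format name to decode with, or raise FormatRejected.

    extra_formats is passed per call, so enabling an obscure format is a
    one-off decision by the caller rather than a permanent default.
    """
    ext = os.path.splitext(filename)[1].lower()
    for name, magic, extensions, common in SIGNATURES:
        if not header.startswith(magic):
            continue
        # Policy 1: obscure formats are never chosen by autodetection alone.
        if not common and name not in extra_formats:
            raise FormatRejected(f"{name} is not enabled by default")
        # Policy 2: content and filename extension must agree
        # (a missing extension is treated as a mismatch here).
        if ext not in extensions:
            raise FormatRejected(f"{name} content with misleading extension {ext!r}")
        return name
    raise FormatRejected("unrecognised content")


if __name__ == "__main__":
    pcx_header = b"\x0a\x05\x01\x08" + b"\x00" * 12  # constructed sample bytes
    for args in [("scan.pcx", pcx_header), ("scan.pcx", pcx_header, {"pcx"}),
                 ("photo.png", pcx_header, {"pcx"})]:
        try:
            print(args[0], "->", detect_format(*args))
        except FormatRejected as exc:
            print(args[0], "-> rejected:", exc)
```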