Sorry, but I did not ask if I should do that. I asked how to do that, as these cases you said are exactly what I want to avoid. Mod downloading will be fully controlled by users through a manifest file (like Forge's mod list, but more advanced and supporting multiple repos), and, in future, through a GUI.
Also, don't mod developers essentially download random stuff from the inet and then pack it into jars which are then executed by players?