I'm not "a user of ai1ec on a daily basis" but just installed for a friend. A while back I finally broke down and updated them to the current version mostly to stay current against any legacy vulnerabilities that might crop up for outdated versions. Anyway, I'm sure she's got the most recent version going and has experienced no problems.
Maybe we are missing what you are seeing, so if you tell us, we will be happy to think of an alternative solution.
Your explanations all make sense to me. I actually had edited the code so that the ai1ec theme folder could live in the wp-themes folder as a child theme and it worked just fine. But I get your point that if it shows up in the themes list, some admin may just try to use it as a site theme. I tried that for curiosity and other than the site not displaying, there was no harm done, so at worst it would be a momentary experiment for any admin. But, as I say, I take your point.
My main concern about having an extra directory under the wp-content directory is that I go to a lot of trouble to secure and harden the WordPress installation. Having to worry about one more directory -- which is not at all common, despite your example -- is frustrating, particularly when that directory contains shell script files.
the default distribution one that is suited for developer types rather than web admin types.
- Why do you say that?
I said it because that is basically what you told me is the reason for having the LESS system and the accompanying shell script files included in the default distribution.
The very vast majority of WordPress admins will never use that functionality but they get it installed -- and cannot remove it -- because you told me you explicitly wish to create a development platform for others to customize. Which is a great purpose and a wonderful contribution to the community. But it does mean that web admins must receive -- and account for -- a system of files that they will never use, other than to try to prevent their misuse by malicious visitors.
I am not in any way suggesting that ai1ec is insecure or has vulnerabilities, any more than any other plugin or theme. I am talking about the job of proactive hardening and vulnerability prevention.
My simple-minded thinking is that addressing all the variability of WP installs is complex enough without introducing yet more factors with novel directory structures being *required* by default, when I bet the default for more than 80% of users will be to use the package as is.
One alternative would be to not force the wp-themes/themes-ai1ec directory *unless* a web admin actually does create it. So the plugin could look to see if it exists and if it does, then use that for the plugin's theme, but if it does not, *don't create it* and just use the theme in the plugin directory.
Ideally I'd like to see the shell scripts and all that stuff require a separate download for the developers who want to do their own customization. If someone wants to add LESS, let them do it consciously.
But none of my harping takes away an iota from the really outstanding work that All-in-one-event-calendar represents. It is a genuinely superior product with functionality exceeding what others are selling for some surprisingly high prices.
So good on you all at time.ly and I have nothing but positive wishes for the continued success of your project.