Current versions of Jenkins 2.0 bundle the list of plugins with them. As the setup dialog does not work without access to the update site, the list of plugins should provided by the update site.
This facilitates changes over time as e.g. Plugins determined to be broken/unsafe/otherwise not suitable for initial setup, replacing plugins that have been removed from the update site, etc.
As many Jenkins users may deliberate install older Jenkins versions (including LTS releases which are between 2-6 months old), just updating the bundled data is insufficient.
The URL to this file would be resolved relative to the existing URL to the update center (I think the tool installers work like this as well).
Server-side, this could be as simple as a static JSON file placed next to the others in the update site.
If no file is found, plugin setup should be skipped, and Jenkins should continue with security configuration (once PR 2042 is merged).