So I’ve been told (by @jrahmatzadeh if I’m not mistaken) that GResource bundles are allowed to be included in extension packages. Just register it in enable(), and unregister in disable().
But isn’t it possible to override something in, for example, /org/gnome/shell/, by registering such bundle, with malicious code? And since it’s a binary file - it won’t be visible during review.
Sure, GResource trees can be used by an overlay, but you’d have to replace a file that has not been loaded as a module, but will after the extension is. Seems not possible?
It’s probably possible to have to website use GLib-powered Python code to extract them for review, or the gresource CLI tool can be used by reviewers, they’d just have to download the extension.
In any case, I’m not sure we have specific rules for/against GResource in extensions.
This topic was automatically closed 45 days after the last reply. New replies are no longer allowed.