Hi GNOME users & developers!
Based on my own experience with Extensions, I find the UX with them pretty messy…
Their discoverability is low (the Extensions app is generally not installed by default), the website welcomes us with a dispensable browser extension (not required for installing and using extensions), and everyihing is mixed in the same place.
From a security and stability standpoint, any installed extension have an access to all the files in the system, and can control every aspect of the shell, so only experiencing with multiple extensions can answer to the question “could these extensions live together without messing up the shell?”
What I suggest here is a basic permissions implementation, which would affect the allowed imports an extension would use.
For example, an extension with the QuickSettings permission would be allowed to import the following resources:
import * as Main from 'resource:///org/gnome/shell/ui/main.js';
import * as PanelMenu from 'resource:///org/gnome/shell/ui/panelMenu.js';
import * as PopupMenu from 'resource:///org/gnome/shell/ui/popupMenu.js';
import * as QuickSettings from 'resource:///org/gnome/shell/ui/quickSettings.js';
And if an unauthorized import occurs, the extension would be disabled with a explanation about the problem that occurred.
This would bring a LOT of advantages, and among them:
- Extension categorization : this would benefit for the end user to have the entire extension catalog segmented in categories based on what he is looking for
- A better view of which extensions can live together : For example, we can easily deduce that an extension that targets the Panel and another that targets the Homescreen can belong to each other without having to experiment it before
- A more comprehensive view of which extension need to be upgraded across major versions: When an update of the GNOME Shell is released, a reasonable amount of changes are brought to the extensions API, but you still consider every extension to be incompatible. On the other hand, with this permissions system, if you only have changed the QuickSettings scope of the Extension API, an extension that uses the Homescreen permission would stay compatible (there is no change in the API scope it is using)
This permissions system would also have an effect on the controls the Extension app has to offer to the user:
There could be toggles for only certain permissions, and a well designed extension that uses multiplev scope could adapt its behavior.
For example, an extension that uses both the Compositor and QuickSettings API could still work if the Compositor switch is toggled off: it would only offer its QuickSettings services
What do you think of this proposal? I know its a pretty big change in the backend, but I really think it would benefit for everyone. Maybe something for GNOME 60 or 70?