[Linux] How confident are we in the security and privacy of Gnome Extensions?

Gnome is possibly the most popular desktop environment used on Linux. It’s smooth, simple, and stable, but that comes at the cost of reducing the number of customization options you have out of the box. To give people more options while not tying themselves to KDE levels of support, the Gnome project provides the ability to create and add extensions.

My question: are Gnome Extensions secure and private enough on average to be able to recommend them in general, or should they be kept to a minimum like with browser extensions?

Below is what Gnome has to say about safety of Gnome Extensions (source):

Are GNOME Shell Extensions safe?

The code in a GNOME Shell extension becomes part of the core operating system. For this reason, the potential exists for an extension to cause system misbehavior, crashes, or even to have malicious behavior like spying on the user or displaying unwanted advertisements. All extensions uploaded to this site are carefully reviewed for malicious behavior before they are made available for download. This process of code review is similar to the process for Firefox add-ons submitted to addons.mozilla.org.

So we’re talking about very integrated pieces of software that are not directly maintained by the DE provider but which do go through a review process similar to that of Firefox browser extensions.

I know that a part of this discussion will involve threat models. The more advanced your threat model is, the less you want to be installing more software than you actually need. However, what I’m looking for is a general take. Just like Linux and macOS are good in general for privacy, are Gnome Extensions generally secure enough for the average person?

Also, do you have a different opinion depending on where the package is located? For example, Fedora has some extensions in their own repos that presumably are more reviewed than what’s on the Gnome Extensions page. Does that tip the scales in a meaningful way?

Just looking for opinions on this.

1 Like

I would equate the security of GNOME Shell Extensions to the security of any other software package on Linux. Generally, they are going to be as secure as packages you install via your distro’s package manager, because they are reviewed for malicious behavior as Gnome says, but they are not going to be as secure as even browser extensions, because there is nothing technically preventing them from accessing system resources, like any sort of sandboxing.

Basically, yes they are secure enough for most people, but you still want to follow the general advice of installing as little as possible, and doing your due diligence with the extensions you do install.
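One way to start the due diligence discussed in this thread, as an added example that is not part of any post or of GNOME's own tooling: a Python inventory of installed extensions that separates per-user installs from system-wide (typically distro-packaged) ones and marks which extensions call APIs worth reading more closely. The two directories are the standard GNOME Shell install locations; the pattern list is a heuristic assumed for this example.

```python
import json
import re
from pathlib import Path

# Standard GNOME Shell locations: per-user installs (usually from
# extensions.gnome.org) and system-wide installs (usually distro packages).
ROOTS = {
    "user": Path.home() / ".local/share/gnome-shell/extensions",
    "system": Path("/usr/share/gnome-shell/extensions"),
}

# Heuristic patterns (an assumption of this example, not an official list):
# GJS calls that deserve a closer read because extensions are not sandboxed.
REVIEW_PATTERNS = {
    "spawns processes": re.compile(r"Gio\.Subprocess|GLib\.spawn_|Util\.spawn"),
    "network access": re.compile(r"\bSoup\b|Gio\.SocketClient"),
    "file access": re.compile(r"Gio\.File\.new_for_|GLib\.file_[gs]et_contents"),
}

def audit_extension(ext_dir, origin):
    """Read metadata.json and flag reviewable API use in the extension's JS."""
    meta = json.loads((ext_dir / "metadata.json").read_text(encoding="utf-8"))
    flags = set()
    for js in ext_dir.rglob("*.js"):
        text = js.read_text(encoding="utf-8", errors="replace")
        flags.update(k for k, pat in REVIEW_PATTERNS.items() if pat.search(text))
    return {"uuid": meta.get("uuid", ext_dir.name), "name": meta.get("name", ""),
            "origin": origin, "url": meta.get("url", ""), "review": sorted(flags)}

def audit(roots=ROOTS):
    """Inventory extensions under the roots; record malformed ones as errors."""
    results = []
    for origin, root in roots.items():
        if not root.is_dir():
            continue  # e.g. no per-user extensions installed
        for ext_dir in sorted(root.iterdir()):
            if not (ext_dir / "metadata.json").is_file():
                continue
            try:
                results.append(audit_extension(ext_dir, origin))
            except (OSError, ValueError, AttributeError) as exc:  # bad metadata
                results.append({"uuid": ext_dir.name, "origin": origin, "error": str(exc)})
    return results

if __name__ == "__main__":
    for r in audit():
        detail = r.get("error") or ", ".join(r["review"]) or "nothing flagged"
        print(f'{r["origin"]:6} {r["uuid"]}: {detail}')
```

A flag only tells you where to start reading the extension's source; many legitimate extensions spawn processes or touch files, and an unflagged extension has not been shown to be safe.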