• fruitycoder@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    2
    ·
    7 months ago

    My thoughts were sandboxing, so run it in a container with only predefined hooks out. That way you know what parts of the system a theme is wanting to change or access (think flatpak).

    I do like the use of subset languages to reduce attack surfaces (eBPF comes to mind as an example definitely not a solution to here those lol).