Do Cinnamon themes run arbitrary code like KDE themes?

Positron
Level 1
Posts: 16
Joined: Tue Aug 29, 2023 12:19 am
Location: Australia

Do Cinnamon themes run arbitrary code like KDE themes?

Post by Positron »

The other day, I saw this article about a Linux user's files being wiped because of a faulty KDE theme.

This was able to happen because KDE themes run arbitrary code written in Bash in order to change the behavior of KDE.

After reading this article, I had a few questions about Cinnamon:
  • Do Cinnamon themes run arbitrary code in a similar way to how KDE themes work, or not (at the cost of being less powerful)?
  • If they do, is the code at least written in a safer language that is harder to screw up in (and has a smaller attack surface) rather than using shell scripts?
  • To what extent are Cinnamon themes / spices monitored to make sure nobody uploads anything malicious on there?
I don't use any themes myself, but I'm just curious about this, because the fact that people on KDE could potentially run 3rd party shell scripts without even knowing, just by installing a theme and thinking it was safe because it was "just a theme and not an application" sounds very dangerous.
billyswong
Level 8
Posts: 2239
Joined: Wed Aug 14, 2019 1:02 am

Re: Do Cinnamon themes run arbitrary code like KDE themes?

Post by billyswong »

A Cinnamon theme, similar to a GTK theme, is written in CSS. No, CSS, as the stylesheet language of webpages, can't run arbitrary code.

For "spices", I think they are written in JavaScript. So there should be some sort of sandbox, as the JavaScript API by itself doesn't expose the whole computer to the script file, but I am not sure how watertight that is.
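A check that can be run on a downloaded theme before installing it, following the point in the post above that a Cinnamon theme is CSS plus assets: it flags any file that is a symlink, is executable, starts with a shebang or ELF header, or has an extension outside a stylesheet-and-image allowlist. This is an added example, not part of the thread and not Cinnamon or Mint code; the allowlist, the function names and the sample theme layout are assumptions.

```python
import os
import stat
import tempfile

# Assumption: extensions a CSS-and-assets theme would plausibly contain.
ALLOWED_EXTENSIONS = {".css", ".svg", ".png", ".jpg", ".json", ".txt", ".md"}


def audit_theme(root):
    """Return sorted (relative_path, reason) findings for files that could carry code."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if os.path.islink(path):
                findings.append((rel, "symlink"))
                continue
            mode = os.lstat(path).st_mode
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((rel, "executable bit set"))
            with open(path, "rb") as fh:
                head = fh.read(4)
            if head[:2] == b"#!":
                findings.append((rel, "shebang script"))
            elif head == b"\x7fELF":
                findings.append((rel, "ELF binary"))
            ext = os.path.splitext(name)[1].lower()
            if ext not in ALLOWED_EXTENSIONS:
                findings.append((rel, "unexpected extension %r" % ext))
    return sorted(findings)


def build_sample_theme(root):
    """Constructed sample: one stylesheet and one file whose content does not match its name."""
    os.makedirs(os.path.join(root, "cinnamon", "assets"))
    with open(os.path.join(root, "cinnamon", "cinnamon.css"), "w") as fh:
        fh.write(".panel { background-color: #222; }\n")
    hook = os.path.join(root, "cinnamon", "assets", "install.png")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\necho placeholder\n")
    os.chmod(hook, 0o755)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_theme(tmp)
        for rel, reason in audit_theme(tmp):
            print(rel, "->", reason)
```

An empty result only means nothing in the package looks executable; it says nothing about spices, which the thread describes as JavaScript.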
Hoser Rob
Level 20
Posts: 11796
Joined: Sat Dec 15, 2012 8:57 am

Re: Do Cinnamon themes run arbitrary code like KDE themes?

Post by Hoser Rob »

That's a risk with all desktop environments and it's why I haven't installed 3rd party themes for a long time. Even if it isn't a security issue it can still bung up things.
For every complex problem there is an answer that is clear, simple, and wrong - H. L. Mencken
JosephM
Level 6
Posts: 1463
Joined: Sun May 26, 2013 6:25 pm

Re: Do Cinnamon themes run arbitrary code like KDE themes?

Post by JosephM »

The Cinnamon spices were moved to being hosted in a Mint-controlled GitHub repo quite some time ago. This was one of the main reasons why. It means that any spices added or code changes to them have to be approved by Mint devs before they make it to a user. It helps to eliminate the possibility of this happening. It actually angered some 3rd-party devs at the time and they stopped developing the spices. But it was seen as the best move to make for the end users.
When I give opinions, they are my own. Not necessarily those of any other Linux Mint developer or the Linux Mint project as a whole.
Positron
Level 1
Posts: 16
Joined: Tue Aug 29, 2023 12:19 am
Location: Australia

Re: Do Cinnamon themes run arbitrary code like KDE themes?

Post by Positron »

billyswong wrote: Sun Mar 24, 2024 11:39 am
A Cinnamon theme, similar to a GTK theme, is written in CSS. No, CSS, as the stylesheet language of webpages, can't run arbitrary code.

For "spices", I think they are written in JavaScript. So there should be some sort of sandbox, as the JavaScript API by itself doesn't expose the whole computer to the script file, but I am not sure how watertight that is.

JosephM wrote: Sun Mar 24, 2024 3:11 pm
The Cinnamon spices were moved to being hosted in a Mint-controlled GitHub repo quite some time ago. This was one of the main reasons why. It means that any spices added or code changes to them have to be approved by Mint devs before they make it to a user. It helps to eliminate the possibility of this happening. It actually angered some 3rd-party devs at the time and they stopped developing the spices. But it was seen as the best move to make for the end users.

Glad to hear the Linux Mint / Cinnamon devs are prioritising security. While it's always nice to have more spices available for customisation, or have more powerful themes, imo it's important that security and stability come first. Especially for a beginner-friendly distro like Mint. And if that comes at the cost of themes being less powerful, or some spice developers being driven away, the tradeoff is worth it.