About FOSS Extensions Store

Why this exists

Centralised extension stores are opaque. You have no way to verify that the code you download matches the source repository you can read. This store fixes that: we build every extension directly from its Git source, scan it for security issues, and publish the result alongside a verifiable SHA-256 checksum.

What scanning does and doesn't catch

We check for:

  • Overly broad host permissions (e.g. access to every website)
  • Dangerous permission combinations that enable network interception
  • Use of eval(), remote script loading, and similar patterns
  • Known vulnerabilities in production npm dependencies

We cannot catch:

  • Malicious behavior that only activates after install
  • Logic bugs that introduce security vulnerabilities
  • Sophisticated obfuscation (our checks are regex-based, not full AST analysis)
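As an added illustration of the regex-based checks listed above (this is not the store's own scanner; the rule set and the sample extension below are constructed for the example):

```python
import re

# Host patterns that grant access to every site (WebExtension match patterns).
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Permission pairs that together allow intercepting and rewriting traffic.
INTERCEPT_COMBOS = [{"webRequest", "webRequestBlocking"}]

# Regex checks on source text; like the store's checks they match literal tokens only.
SOURCE_RULES = {
    "eval": re.compile(r"\beval\s*\("),
    "new_function": re.compile(r"\bnew\s+Function\s*\("),
    "remote_script": re.compile(r"""\bsrc\s*=\s*['"]https?://"""),
}


def scan_manifest(manifest: dict) -> list[str]:
    # Flag broad host access and interception-capable permission combinations.
    findings = []
    perms = set(manifest.get("permissions", []))
    hosts = perms | set(manifest.get("host_permissions", []))
    broad = hosts & BROAD_HOST_PATTERNS
    if broad:
        findings.append("broad host permission: " + ", ".join(sorted(broad)))
    for combo in INTERCEPT_COMBOS:
        if combo <= perms:
            findings.append("interception combo: " + " + ".join(sorted(combo)))
    return findings


def scan_source(path: str, code: str) -> list[str]:
    # One finding per rule that matches anywhere in the file.
    return [f"{path}: {name}" for name, rx in SOURCE_RULES.items() if rx.search(code)]


def scan_extension(manifest: dict, files: dict[str, str]) -> list[str]:
    findings = scan_manifest(manifest)
    for path, code in files.items():
        findings.extend(scan_source(path, code))
    return findings


# Constructed sample extension (not a real one) that trips every rule class.
SAMPLE_MANIFEST = {
    "permissions": ["webRequest", "webRequestBlocking", "storage"],
    "host_permissions": ["<all_urls>"],
}
SAMPLE_FILES = {
    "background.js": "fetch(cfgUrl).then(r => r.text()).then(t => eval(t));",
    "content.js": "const s = document.createElement('script'); s.src = 'https://cdn.example/x.js';",
}

if __name__ == "__main__":
    for finding in scan_extension(SAMPLE_MANIFEST, SAMPLE_FILES):
        print("FLAG", finding)
```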

Trust model

Each artifact is built from a specific Git commit. The SHA-256 of the artifact is published alongside it — you can verify the download independently. Builds are reproducible: the same commit always produces the same artifact hash.

License and status

This project is licensed under AGPL-3.0-or-later. The source code is at codeberg.org/foss-extensions. This is an MVP — not yet ready for production use.