From 378caba43fffa1c1ef5c4a2b24b90ac4979d738f Mon Sep 17 00:00:00 2001
From: fiftydinar <65243233+fiftydinar@users.noreply.github.com>
Date: Fri, 9 Aug 2024 00:59:25 +0200
Subject: [PATCH] docs: clarify disablement of GNOME user extensions better
(#364)
---
FAQ.md | 6 +++---
README.md | 1 +
files/gschema-overrides/zz1-secureblue.gschema.override | 2 +-
3 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/FAQ.md b/FAQ.md
index a952adc..5204762 100644
--- a/FAQ.md
+++ b/FAQ.md
@@ -67,10 +67,10 @@ If you still want to enable this functionality, run `ujust toggle-ghns`
Xwayland is disabled by default on GNOME, KDE Plasma, and Sway. Use `ujust toggle-xwayland` if you need it
-#### Why I can't install any GNOME user extensions?
+#### Why I can't install nor use any GNOME user extensions?
-This is because support for installing them has been intentionally disabled in secureblue.
-Only system extensions are trusted, if they are installed.
+This is because support for installing & using them has been intentionally disabled by default in secureblue.
+Only GNOME system extensions are trusted, if they are installed.
To enable support for installing GNOME user extensions, you can run ujust command:
`ujust toggle-gnome-extensions`
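Review bot: The unchanged line after the reworded answer still reads "To enable support for installing GNOME user extensions", so the entry now says installing and using are both disabled but only explains how to re-enable installing. Update that sentence to cover both, and state whether `ujust toggle-gnome-extensions` restores both. The new heading would also read more naturally as "Why can't I install or use any GNOME user extensions?", and "&" is better spelled out as "and" in running prose.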
diff --git a/README.md b/README.md
index e7eb440..32acc78 100644
--- a/README.md
+++ b/README.md
@@ -44,6 +44,7 @@ The following are not in scope:
- Set opportunistic DNSSEC and DNSOverTLS for systemd-resolved
- Configure chronyd to use Network Time Security (NTS) [using chrony config from GrapheneOS](https://github.com/GrapheneOS/infrastructure/blob/main/chrony.conf)
- Disable KDE GHNS by default [why?](https://blog.davidedmundson.co.uk/blog/kde-store-content/)
+- Disable install & usage of GNOME user extensions by default
- Use HTTPS for all rpm mirrors
- Set all default container policies to `reject`, `signedBy`, or `sigstoreSigned`
- Remove SUID-root from [numerous binaries](https://github.com/secureblue/secureblue/blob/live/files/scripts/removesuid.sh) and replace functionality [using capabilities](https://github.com/secureblue/secureblue/blob/live/files/system/usr/bin/setcapsforunsuidbinaries)
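Review bot: The added bullet "Disable install & usage of GNOME user extensions by default" carries no rationale or pointer, while the KDE GHNS bullet directly above it links a "why?". Link this bullet to the FAQ entry touched in this same patch, which names `ujust toggle-gnome-extensions`, so readers can find both the reason and the opt-out. Consider "installation and use" instead of "install & usage".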
diff --git a/files/gschema-overrides/zz1-secureblue.gschema.override b/files/gschema-overrides/zz1-secureblue.gschema.override
index 7e0c58b..45d0889 100644
--- a/files/gschema-overrides/zz1-secureblue.gschema.override
+++ b/files/gschema-overrides/zz1-secureblue.gschema.override
@@ -1,4 +1,4 @@
-# Disable GNOME user extensions installation
+# Disable GNOME user extensions installation & usage
# Only GNOME system extensions are trusted if installed
[org.gnome.shell]
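Review bot: The first comment line now claims that usage is disabled as well as installation, but according to the diffstat only this comment line changes in the file, and no key under `[org.gnome.shell]` is visible in the hunk. Please confirm in the PR description that the existing setting also stops already-installed user extensions from loading. If it only blocks installation, this comment, the README bullet and the FAQ text all overstate what is enforced. Describing what the key does in the comment would make that checkable at a glance.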