SUMMARY There should be a way (e.g. a toggle on the KCM page) to show all KWin scripts regardless of X-KWin-Exclude-Listing status for that script. I had an issue where all windows were set to "always on top" except for system related ones and debugging was prolonged because the script used X-KWin-Exclude-Listing to hide itself from the KWin Scripts listing. This could potentially be used by malware. "If the users don't control the program, the program controls the users. " STEPS TO REPRODUCE 1. Install a KWin script that uses X-KWin-Exclude-Listing such as Bismuth 2. Observe it is not listed in KWin Scripts KCM page OBSERVED RESULT The KCM for KWin Scripts shows only default scripts / those not using X-KWin-Exclude-Listing EXPECTED RESULT I should be able to press a button/toggle on that KCM page to show all scripts regardless of X-KWin-Exclude-Listing state. SOFTWARE/OS VERSIONS Arch Linux KDE Plasma Version: 5.25.4 KDE Frameworks Version: 5.96.0 Qt Version: 5.15.5 Wayland
I'd be in favor of just removing the functionality to hide scripts.
See https://invent.kde.org/plasma/kwin/-/commit/95ac5fa2cef607809189ca73cf05ef8903c19291 for the rationale. Also, please see https://github.com/Bismuth-Forge/bismuth/issues/191. >This could potentially be used by malware. If one were to have a malicious KWin script, one could just enable it by default and override another KWin script in ~/.local/share when executed and pretend to be that script. While hiding certain scripts is not ideal from a security POV, I do not think it is that big of an issue.
Maybe we can reconsider this for KF6. I have reached out to the Bismuth people with the suggestion of only hiding the KCM of the script and not the entire script. @Nate, then the "Desktop Change OSD" entry will show in the KCM (though it appears to do so now anyway?). Maybe we can interpret this as a "it is broken now, but nobody seemed to care, so we could keep it as it is".
For desktop effects, there's the ability to mark them as "internal" and then they get hidden by default, but adventurous people can show them with a simple UI in the KCM itself. Maybe it would make sense to do something like that here too.
I don't quite get the point, one KWin plugin uses the exclude listing flag (though it did not work), but nobody seemed bothered by it. If we offer the internal flag for effects, can't third parties just set the flag themselves?
A possibly relevant merge request was started @ https://invent.kde.org/plasma/kwin/-/merge_requests/4253
Git commit 33e32f293bc8c77fe06089e99ade6b0b20705de4 by Alexander Lohnau. Committed on 18/07/2023 at 08:51. Pushed by alex into branch 'master'. Remove X-KWin-Exclude-Listing metadata flag We only have one KWin script making use of this and that one is shown regardless. The issue with this flag is that it will hide scripts from the user without a possibility to see them. For effects, we have quite a few internal ones and a possibility to show even hidden ones. But we can not reuse this logic for the scripts. FIXED-IN: 6.0 M +1 -5 src/kcms/scripts/kwinscriptsdata.cpp M +0 -4 src/kcms/tabbox/main.cpp M +0 -1 src/plugins/desktopchangeosd/package/metadata.json https://invent.kde.org/plasma/kwin/-/commit/33e32f293bc8c77fe06089e99ade6b0b20705de4