Security of JupyterLab Extension Manager

Hello all!

We are working to make JupyterLab’s built-in extension manager GUI enabled by default. One of the current blockers is figuring out how to make it more “safe” for users. Since we are making it easier to download and run untrusted code, we have been thinking about having some public blacklist of extensions on GitHub that we can maintain as a community.

I know you all have had a lot of experience dealing with monitoring and preventing unwanted behavior, so I wanted to see if you had any feedback on our specific approach or any broad lessons learned that could be applied.

@echarles has opened an issue to discuss the design.