kde,
@kde@floss.social avatar

WARNING: Global themes and widgets created by 3rd party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products.

A user has had a bad experience installing a global theme on Plasma and lost personal data.

https://www.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/

Global themes change the look of Plasma, but also the behavior. To do this they run code, and this code can be faulty, as in the case mentioned above. The same goes for widgets and plasmoids.

kde,
@kde@floss.social avatar

We are calling on the community to help us locate and quarantine defective software by using the "Report" buttons available on each item in the KDE Store.

https://store.kde.org

Please see the attached image to locate them.

kde,
@kde@floss.social avatar

Meanwhile, KDE is taking measures to properly warn users before each download and we are also putting in place ways of auditing and curating what is uploaded to the KDE store.

https://blog.davidedmundson.co.uk/blog/kde-store-content/

Nevertheless, this will take time and resources. We recommend all users to be careful when installing and running software not provided directly by KDE or your distros.

And remember to report any faulty products you find!

adi,
@adi@chaos.social avatar

@kde Thanks for the info. How do I report spam in Discover? A long time ago I found a website somewhere and clicked "Report", but this is still there. I see this in Discover when I open "Plasma Addons" and then scroll to the bottom.

whimsy,
@whimsy@chitter.xyz avatar

@kde nobody could have foreseen this

Bro666,
@Bro666@social.tchncs.de avatar

@whimsy @kde

I am not sure whether you are being sarcastic or not, but the fact there was a warning for users, and that the warning has been up there for several years, indicates that somebody at KDE did consider the possibility and developers considered it important enough to be worth advising about.

ADisorderlyFashion,
@ADisorderlyFashion@mas.to avatar

@Bro666 @whimsy @kde Something they concluded was a possibility and kept on a website that the most vulnerable people to this issue would never see, since their only method of interaction is an install button in system settings.

kde,
@kde@floss.social avatar

@ADisorderlyFashion @Bro666 @whimsy

There is a warning in the install dialog of every single installable 3rd party component.

We are working on making the wording stronger, changing the color of the warning and make it more visible, but the warning has always been there.

vintprox,
@vintprox@techhub.social avatar

@kde Why does something marked nothing more than a theme and qualified by a store as such even have arbitrary code as executable? I wouldn't think that themes need to be Turing-complete to function...

In other words, what does execute those?

maciej,

@vintprox @kde Exactly. Allowing something called a theme to run any code makes that an "add-on"/"plugin" (whatever you're gonna call it), not a "theme". While I love KDE and I'm using it on almost every computer that I own, the theme app store is dangerous and only verified theme apps should be allowed there.

amyipdev,
vintprox,
@vintprox@techhub.social avatar

@amyipdev @kde I suppose you have a point. At least your personal data won't ever be in danger from CSS.

cyrus,
@cyrus@wetdry.world avatar

@vintprox

Global themes can include extra things (like Kvantum themes) that aren't a part of the default KDE Plasma experience and as such wouldn't be parsed and installed otherwise. It may also run commands to (for example) install things like Kvantum if they aren't available already, or to customize the way it's installed.

vintprox,
@vintprox@techhub.social avatar

@cyrus

As was corroborated by a reply: https://social.maciej.website/@maciej/112128680763331818

It should cease being marked as a "theme", then. Users expect that only looks are at stake when they willy-nilly install/activate/deactivate themes. They are just that, themes, after all. More advanced themes that contain code to be executed with permissions had better be considered full-blown add-ons.
