sunrat
Posted March 27, 2024

A user has reported having their system destroyed by installing a KDE Global Theme from the user-contributed "Get New Themes" function available in System Settings. Whether it was malicious or just faulty code in the theme is unclear. The offending theme has been removed from KDE Store.

https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-after-theme-wipes-linux-users-files/
https://www.reddit.com/r/openSUSE/comments/1biunsl/hacked_installed_a_global_theme_it_erased_all_my/

securitybreach
Posted March 27, 2024

Wow, that is surprising that they didn't vet things a bit better.

sunrat
Posted March 27, 2024

34 minutes ago, securitybreach said:
> Wow, that is surprising that they didn't vet things a bit better.

KDE Store (and Gnome Store) are user-contributed resources, not inherently secure. In the reddit article one of the KDE devs says they will be vetting more in future. Which is a shame they have to divert resources while Plasma 6 is currently in intensive development.

On a side note, I just installed OpenSUSE Tumbleweed on a separate partition. It currently features Plasma 6.0.2 and I am quite impressed. More an incremental change than a paradigm shift so it will seem familiar to Plasma 5 users. I also installed KDE Neon which is supposed to be KDE's flagship demonstration distro but it crashed several times. It's based on Ubuntu so that figures!

Hedon James
Posted March 28, 2024

3 hours ago, sunrat said:
> KDE Store (and Gnome Store) are user-contributed resources, not inherently secure. In the reddit article one of the KDE devs says they will be vetting more in future. Which is a shame they have to divert resources while Plasma 6 is currently in intensive development.
>
> On a side note, I just installed OpenSUSE Tumbleweed on a separate partition. It currently features Plasma 6.0.2 and I am quite impressed. More an incremental change than a paradigm shift so it will seem familiar to Plasma 5 users. I also installed KDE Neon which is supposed to be KDE's flagship demonstration distro but it crashed several times. It's based on Ubuntu so that figures!

I think KaOS is a flagship KDE desktop with Arch base.

sunrat
Posted March 28, 2024

1 hour ago, Hedon James said:
> I think KaOS is a flagship KDE desktop with Arch base.

The sense I meant with "flagship" is the OS the KDE developers use to show off the latest releases. KaOS does have Plasma 6 but I think it is developed and packaged independently from the KDE organisation.

Plasma 6 probably deserves a separate thread. I may do a quick writeup soon.

securitybreach
Posted March 28, 2024

11 hours ago, sunrat said:
> KDE Store (and Gnome Store) are user-contributed resources, not inherently secure. In the reddit article one of the KDE devs says they will be vetting more in future. Which is a shame they have to divert resources while Plasma 6 is currently in intensive development.

So sort of like the AUR, user contributed packages? Hopefully they at least show the diff and checksums.

abarbarian
Posted March 28, 2024

KDE Clarifies Risks on Installing Global Themes in Plasma 6 & What You Need to Do Instead

> KDE's Move!
>
> Fortunately, KDE is not going to sit idly by. David mentions that in the short term, they intend to properly communicate the security implications of extensions users download for their Plasma desktops. In the long term, they plan to separate the "safe" content from the "unsafe" content, while also integrating curation and auditing into the store with improved sandbox support.
>
> He also adds that:
>
> If you install content from the store, I would advise checking it locally or looking for reviews from trusted sources.

> KDE is not going to sit idly by.

How long has the KDE Store been open??

securitybreach
Posted March 28, 2024

12 minutes ago, abarbarian said:
> How long has the KDE Store been open??

September 2016
https://dot.kde.org/2016/09/03/kde-software-store

Hedon James
Posted March 28, 2024

8 hours ago, sunrat said:
> The sense I meant with "flagship" is the OS the KDE developers use to show off the latest releases. KaOS does have Plasma 6 but I think it is developed and packaged independently from the KDE organisation.
>
> Plasma 6 probably deserves a separate thread. I may do a quick writeup soon.

Gotcha. Yeah, Neon is the KDE Developer's distro. But in this case, I still think KaOS is worthy of mention, as it always has the latest version of KDE offerings, and ONLY KDE offerings. There is no other version of KaOS....just KDE. The biggest difference between KaOS and Neon, IMO, is the base OS they're built upon. KaOS may not be the "official" KDE flagship, but there isn't much difference between KaOS and Neon when it comes to the KDE components. FWIW...

abarbarian
Posted March 28, 2024

45 minutes ago, securitybreach said:
> September 2016
> https://dot.kde.org/2016/09/03/kde-software-store

> KDE is not going to sit idly by.

Taken them 8 years to wake up to security issues then