Sad tale of death by theme install


sunrat

A user has reported having their system destroyed by installing a KDE Global Theme from the user-contributed "Get New Themes" function available in System Settings. Whether it was malicious or just faulty code in the theme is unclear. The offending theme has been removed from KDE Store.

https://www.bleepingcomputer.com/news/linux/kde-advises-extreme-caution-after-theme-wipes-linux-users-files/

https://www.reddit.com/r/openSUSE/comments/1biunsl/hacked_installed_a_global_theme_it_erased_all_my/

 


securitybreach

 Wow, that is surprising that they didn't vet things a bit better.


34 minutes ago, securitybreach said:

 Wow, that is surprising that they didn't vet things a bit better.

 

KDE Store (and Gnome Store) are user-contributed resources, not inherently secure. In the reddit article one of the KDE devs says they will be vetting more in future. Which is a shame they have to divert resources while Plasma 6 is currently in intensive development.

 

On a side note, I just installed OpenSUSE Tumbleweed on a separate partition. It currently features Plasma 6.0.2 and I am quite impressed. More an incremental change than a paradigm shift so it will seem familiar to Plasma 5 users.

I also installed KDE Neon which is supposed to be KDE's flagship demonstration distro but it crashed several times. It's based on Ubuntu so that figures! 🙄😆


Hedon James
3 hours ago, sunrat said:

 

KDE Store (and Gnome Store) are user-contributed resources, not inherently secure. In the reddit article one of the KDE devs says they will be vetting more in future. Which is a shame they have to divert resources while Plasma 6 is currently in intensive development.

 

On a side note, I just installed OpenSUSE Tumbleweed on a separate partition. It currently features Plasma 6.0.2 and I am quite impressed. More an incremental change than a paradigm shift so it will seem familiar to Plasma 5 users.

I also installed KDE Neon which is supposed to be KDE's flagship demonstration distro but it crashed several times. It's based on Ubuntu so that figures! 🙄😆

I think KaOS is a flagship KDE desktop with Arch base.


1 hour ago, Hedon James said:

I think KaOS is a flagship KDE desktop with Arch base.

 

The sense I meant with "flagship" is the OS the KDE developers use to show off the latest releases.

KaOS does have Plasma 6 but I think it is developed and packaged independently from the KDE organisation.

 

Plasma 6 probably deserves a separate thread. I may do a quick writeup soon.


securitybreach
11 hours ago, sunrat said:

 

KDE Store (and Gnome Store) are user-contributed resources, not inherently secure. In the reddit article one of the KDE devs says they will be vetting more in future. Which is a shame they have to divert resources while Plasma 6 is currently in intensive development.

 

So sort of like the AUR, user contributed packages? Hopefully they at least show the diff and checksums.


abarbarian

KDE Clarifies Risks on Installing Global Themes in Plasma 6 & What You Need to Do Instead

 

Quote

KDE's Move!

Fortunately, KDE is not going to sit idly by. David mentions that in the short term, they intend to properly communicate the security implications of extensions users download for their Plasma desktops.

In the long term, they plan to separate the “safe” content from the “unsafe” content, while also integrating curation and auditing into the store with improved sandbox support.

He also adds that:

If you install content from the store, I would advise checking it locally or looking for reviews from trusted sources.

 

Quote

KDE is not going to sit idly by.

 

How long has the KDE Store been open ?? 🙀

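Added example (not part of any post in this thread, and not KDE's own tooling): one way to act on the "checking it locally" advice quoted above is to list what a downloaded theme archive contains before installing it, without extracting anything. It assumes the theme was downloaded as a tar archive; the suffix list, function names and sample archive are constructed for illustration.

```python
import io
import stat
import tarfile

# Suffixes treated as "can run code" here (an assumption, not a KDE-defined list).
CODE_SUFFIXES = (".sh", ".bash", ".py", ".pl", ".js", ".qml", ".desktop")


def audit_theme_archive(fileobj):
    """Return a sorted list of (member_name, reason); nothing is extracted."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "path escapes extraction directory"))
            if m.issym() or m.islnk():
                findings.append((name, "link to " + m.linkname))
            elif m.isfile():
                if m.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                    findings.append((name, "executable bit set"))
                if name.lower().endswith(CODE_SUFFIXES):
                    findings.append((name, "script or code file"))
            elif not m.isdir():
                findings.append((name, "special file (device/fifo)"))
    return sorted(findings)


def build_sample_archive():
    """Constructed sample: a harmless stand-in for a downloaded theme tarball."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode, body in [
            ("demo-theme/metadata.json", 0o644, b'{"Name": "Demo"}'),
            ("demo-theme/contents/previews/preview.png", 0o644, b"\x89PNG"),
            ("demo-theme/contents/scripts/setup.sh", 0o755, b"#!/bin/sh\necho hi\n"),
            ("demo-theme/contents/ui/main.qml", 0o644, b"import QtQuick\n"),
        ]:
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, reason in audit_theme_archive(build_sample_archive()):
        print(f"{reason:36} {name}")
```

Every flagged file is something to open and read before installing; a theme that is only colours and images should produce an empty list.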

Hedon James
8 hours ago, sunrat said:

 

The sense I meant with "flagship" is the OS the KDE developers use to show off the latest releases.

KaOS does have Plasma 6 but I think it is developed and packaged independently from the KDE organisation.

 

Plasma 6 probably deserves a separate thread. I may do a quick writeup soon.

Gotcha.  Yeah, Neon is the KDE Developer's distro. 

 

But in this case, I still think KaOS is worthy of mention, as it always has the latest version of KDE offerings, and ONLY KDE offerings.  There is no other version of KaOS....just KDE.  The biggest difference between KaOS and Neon, IMO, is the base OS they're built upon.  KaOS may not be the "official" KDE flagship, but there isn't much difference between KaOS and Neon when it comes to the KDE components.  FWIW...

