Is the software included in the Discover GUI installer safe?

As a new KDE Plasma user (via Kubuntu 24.04), I really love the software and platform as a whole. But being a new user to KDE Plasma (and Linux in general), I am interested in learning more to make sure that I’m using the system safely while enjoying the fantastic functionalities that it has to offer. Recently, I have read both a blog post from March 2024 (link 1) and an announcement here on KDE Discuss (link 2) regarding an incident in which a user lost their data due to a problem with arbitrary code executed as part of a downloaded 3rd party global theme. I have read and understood that “global themes” can execute code by design and are NOT vetted by KDE and that users should make their own judgement when installing global themes.

My question is NOT about “themes”, but about applications available through the GUI Discover store for users to, well, “discover” and install. The question is: can / should end-users / non-technical people trust the software available through that GUI? (Of course I mean assuming only the official / built-in / out-of-the-box official repos / sources are enabled, because that is what an average end-user will usually have on their system.)

Does the software available there go through a different process to be listed there compared to global themes? i.e. I’m interested to know if it is vetted.

Link:
1: blog _ davidedmundson _ co _ uk/blog/kde-store-content/
2: discuss _ kde _ org/t/warning-global-themes-and-widgets-created-by-3rd-party-developers-for-plasma-can-and-will-run-arbitrary-code-you-are-encouraged-to-exercise-extreme-caution-when-using-these-products/12714

1 Like

I’d say that the software in the Kubuntu repositories is safe - I’m no expert, but distribution repositories (for any distribution) have never brought me any security issues, and anything ‘dodgy’ is usually removed extremely quickly.

Hard to come up with any example - though I’m sure there has been at least one in the last ten years.

1 Like

Assuming you have not turned on any other repositories in Discover, then you are just seeing a GUI version of what is available via the package manager from the official repositories.

In general a distro is maintained by a team of people who ensure that all the software in those official repositories is safe and will work with your distro.

3rd-party themes and widgets are a completely different matter and are not vetted by the team maintaining your distro.
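Added example, not code from any post in this thread nor from KDE or Kubuntu: the claim above can be checked from a terminal, because Discover’s apt backend shows the same packages that `apt-cache policy <package>` resolves. The script below parses that output and labels each download source of the Candidate version (the version an install or upgrade would actually fetch) as the Ubuntu archive, a PPA, or some other third-party repository. A constructed sample of `apt-cache policy` output is embedded so it runs offline; the package name `vlc`, the version strings and the PPA path are hypothetical. One caveat worth keeping in mind: apt verifies the repository signature for a PPA exactly as it does for the archive, but the PPA’s signing key was added by whoever enabled the PPA, so “signature OK” is not the same as “vetted by the distro team”.

```shell
#!/bin/sh
# Added example (not from the thread, KDE or Kubuntu): find out which repository
# apt would install a package from, by parsing `apt-cache policy <pkg>` output.
# Constructed sample output is embedded so this runs offline; on a live system:
#   apt-cache policy vlc | candidate_classes
# Package name, versions and the PPA path below are hypothetical.

# Constructed `apt-cache policy vlc` output: the installed build (marked ***)
# came from the Ubuntu archive, but a hypothetical PPA offers a newer version,
# so the Candidate that an upgrade would pull comes from the PPA.
SAMPLE_POLICY='vlc:
  Installed: 3.0.20-3build6
  Candidate: 3.0.21-1~ppa1
  Version table:
     3.0.21-1~ppa1 500
        500 https://ppa.launchpadcontent.net/someone/vlc/ubuntu noble/main amd64 Packages
 *** 3.0.20-3build6 500
        500 http://archive.ubuntu.com/ubuntu noble/universe amd64 Packages
        100 /var/lib/dpkg/status'

# candidate_sources: read `apt-cache policy` output on stdin and print each
# source URL (or local path) that provides the Candidate version.
candidate_sources() {
    awk '
        $1 == "Candidate:" { cand = $2; next }
        $1 == "***"        { inblock = ($2 == cand); next }   # "*** <version> <prio>" = installed
        $1 ~ /^[0-9]+$/    { if (inblock) print $2; next }    # "<prio> <url-or-path> ..." line
        $2 ~ /^[0-9]+$/    { inblock = ($1 == cand); next }   # "<version> <prio>" line
    '
}

# classify_source: label one source. The host is extracted first so that a
# third-party URL cannot pass by merely containing "archive.ubuntu.com" in its
# path. The host list covers Ubuntu's primary, mirror, security and ports hosts.
classify_source() {
    case "$1" in /var/lib/dpkg/status) echo "local-dpkg-db"; return ;; esac
    host=${1#*://}; host=${host%%/*}; host=${host##*@}; host=${host%%:*}
    case "$host" in
        archive.ubuntu.com|*.archive.ubuntu.com|security.ubuntu.com|ports.ubuntu.com) echo "ubuntu-archive" ;;
        ppa.launchpadcontent.net|ppa.launchpad.net) echo "ppa" ;;
        *) echo "third-party" ;;
    esac
}

# candidate_classes: "<label> <source>" for each download source of the
# Candidate version; the local dpkg database entry is not a download source.
candidate_classes() {
    candidate_sources | while read -r src; do
        label=$(classify_source "$src")
        [ "$label" = "local-dpkg-db" ] || printf '%s %s\n' "$label" "$src"
    done
}

printf '%s\n' "$SAMPLE_POLICY" | candidate_classes
```

On the sample input this prints `ppa https://ppa.launchpadcontent.net/someone/vlc/ubuntu`: the package is currently from the archive, but the next upgrade would come from the PPA, which is exactly the kind of change Discover will not call out on its own.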

Thanks for the information so far. It’s interesting, since I just learned about Muon and turns out it’s no longer supported anyway. But in the link above, the article referred to something called Muon Discover, I wonder if that is the same thing? I’m a bit confused (as there appears to be Muon, Discover and now Muon Discover…?)

Anyhow, I appreciate both responses and also appreciate the maintainers of the distro. But I’m curious if there is a page of official documentation someone can give me the link to that lays out the process of maintaining, securing the distro and curating the software repo that comes with the distro? (I did a quick search, by the way, with the keywords “kde package manager documentation” but nothing directly relevant to my question comes up)

It’d be a great source of information to read through.

https://wiki.ubuntu.com/Kubuntu/GettingInvolved

may have more details.

Muon is the older GUI front end to apt that came with Kubuntu 22.04, but I’ve always used Synaptic, and on my current 24.04 install I don’t see Muon, only Synaptic.

Can’t remember if I installed that or it came that way.

Synaptic is quite good though, and very useful for adding command-line utilities or other software not showcased in the Discover app, which focuses on GUI applications.

Thanks! It’s starting to click for me, I think.

Just to make sure I understand it correctly:

  • the Discover GUI in KDE Plasma essentially acts as a store front
  • by itself, the main responsibility of that “store front” (i.e. from a KDE perspective and their responsibility) is only to serve as a “display” location for the goods so that user can see them
  • the goods (software) are populated by the sources / repos configured by the distro (in this case, Ubuntu responsibility), the store only displays these goods for the users
  • assuming the user hasn’t set up any custom sources themselves, then what they see in the store are the curated goods, maintained by the distro team (in this case Ubuntu)

(so, similarly, if we are using KDE Plasma on a different distro - say Arch - then it’s the responsibility of the team maintaining that distro to ensure security of the software populated into Discover, isn’t it? - well, unless it’s KDE Neon, then it’s KDE’s responsibility, right?)

Is that how it works?

2 Likes

This is mostly correct, but with a huge caveat: Kubuntu, by default - and also other Ubuntu variants - sets up a Discover source for the Snap store. Snaps are software packages that are not distribution-specific and are packaged and maintained by various people - who aren’t your operating system’s maintainers. Normally you’d expect snap packages to be owned and maintained by the software maker: the Firefox snap is owned by the Mozilla team while the Android Studio snap is owned and maintained by Google. That being said, the Snap store is open and anyone can submit software there and some of it definitely cannot be trusted - it is up to the user to figure out if the Snap package they are about to install is legitimate or not, to be trusted or not. This isn’t a great proposition, and the more popular (but not enabled by default on Ubuntu variants) Flathub store has more or less the same issue.

Discover will helpfully mark which store a package comes from using an icon near the install button:

  • A package from a distribution repository looks like this: [icon image]
  • A package from the Snap store looks like this: [icon image]
  • If you ever enable the Flathub backend, you might see this: [icon image]
1 Like

Aren’t snaps all from Canonical, and aren’t they vetting them now?

Flathub has both official and unofficial packages, which goes to what you are saying though, and the unofficial ones are not vetted at all, similar to 3rd-party themes and widgets.

[edit] To further add: using these commands in a terminal will give you a list of which packages are installed from which source:

snap list

All the list items with a green check mark are verified by Canonical.

flatpak list

Each item can be searched on the Flathub store to see if it has been verified.
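Added example, not code from any post here nor from KDE, Canonical or Flathub: the two commands above can be fed into a small script that turns their output into a per-package trust summary. For snaps it reads the Publisher column (the ✓ check mark is the verified-publisher marker the post refers to) and the Notes column, where `classic` means classic confinement, i.e. the snap runs without the usual sandbox; a snap that is both unverified and classic is the one to look at first. For flatpaks it reports the remote each app was installed from, so anything not from Flathub stands out; Flathub’s own “verified” badge is not part of `flatpak list` output, so that check remains the manual lookup on flathub.org that the post describes. Constructed sample output of both commands is embedded so the script runs offline; the snap names, versions and the `someuser` publisher are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread, KDE or Canonical): summarise installed
# snaps and flatpaks by publisher trust signal and sandboxing, from the output
# of `snap list` and `flatpak list`. Constructed sample output is embedded so
# this runs offline; on a live system use:
#   snap list | audit_snaps
#   snap list | risky_snaps
#   flatpak list --columns=application,origin | audit_flatpaks
# Snap names, versions and the "someuser" publisher are hypothetical.

# Constructed `snap list` output. Columns: Name Version Rev Tracking Publisher Notes.
# "canonical✓" / "mozilla✓" carry the verified-publisher check mark, "someuser"
# does not. A Notes value containing "classic" means classic confinement.
SAMPLE_SNAP_LIST='Name             Version     Rev    Tracking       Publisher   Notes
core22           20240408    1380   latest/stable  canonical✓  base
firefox          125.0.3-1   4173   latest/stable  mozilla✓    -
some-media-tool  2.1         12     latest/stable  someuser    classic
snapd            2.63        21759  latest/stable  canonical✓  snapd'

# Constructed `flatpak list --columns=application,origin` output (tab-separated).
SAMPLE_FLATPAK_LIST=$(printf 'org.mozilla.firefox\tflathub\ncom.example.Tool\tmy-local-remote\n')

# audit_snaps: one line per snap:
#   "<name> <publisher> <verified|unverified> <classic|strict>"
audit_snaps() {
    tail -n +2 | while read -r name version rev tracking publisher notes; do
        case "$publisher" in *✓*) verified=verified ;; *) verified=unverified ;; esac
        case "$notes" in *classic*) confinement=classic ;; *) confinement=strict ;; esac
        printf '%s %s %s %s\n' "$name" "$publisher" "$verified" "$confinement"
    done
}

# risky_snaps: names of snaps with no verified publisher AND no sandbox,
# the combination that most deserves a second look.
risky_snaps() {
    audit_snaps | awk '$3 == "unverified" && $4 == "classic" { print $1 }'
}

# audit_flatpaks: "<app-id> <remote>" per flatpak. The remote shows whether the
# app came from Flathub or from another remote added by hand; Flathub's
# "verified" badge is not in this output and must be checked on flathub.org.
audit_flatpaks() {
    while IFS="$(printf '\t')" read -r app origin; do
        [ -n "$app" ] || continue
        case "$origin" in flathub) remote=flathub ;; *) remote="other:$origin" ;; esac
        printf '%s %s\n' "$app" "$remote"
    done
}

printf '%s\n' "$SAMPLE_SNAP_LIST" | audit_snaps
printf '%s\n' "$SAMPLE_SNAP_LIST" | risky_snaps
printf '%s\n' "$SAMPLE_FLATPAK_LIST" | audit_flatpaks
```

On the sample input `risky_snaps` prints only `some-media-tool`, and `audit_flatpaks` shows `com.example.Tool` coming from `other:my-local-remote` rather than Flathub. Note that a verified publisher only tells you who uploaded the snap, not that anyone reviewed its contents; the confinement column is the part that bounds what the package can do if it turns out to be malicious.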