As an enthusiast (long-time) user, I question myself about the use of plugins from the KDE Store. I usually avoid using too many 3rd-party components, but in the case of Plasma configuration I use some (the temptation to customize KDE/Plasma is high). I am no dev nor sysadmin (apart from my own little environment) and I have difficulty evaluating the risk of those plugins, but after the Global theme wipe-out it seems necessary.
I encounter 2 caveats:
There are warnings for the risk that comes from the different plugins, but it is not clear how the risks differ for each type; for example, Global themes are more sensitive, but is it the same for other components? Plasma styles and Icons have a simpler warning, so I suppose them to be safer, right? I don’t really use Global themes, but I have installed Splash screens (Kuro, Infinity-plasma-splash-6, Vivid, Qogir): are those sensitive? As for SDDM themes, they are not that important for me to take a risk, but I would like to have a better idea of what the different potential risks are.
The other problem is regarding the KDE Store, in my case regarding custom widgets. I haven’t added much, but I wanted to have a different Menu/App launcher. Originally I used the included fullscreen Applications Dashboard (I like its layout with keyboard and touchscreen), but it is going to be dropped as it seems difficult to maintain; besides, the search field is incompatible with the virtual maliit-keyboard.
So I searched for a replacement and encountered some on the KDE Store, in particular Launchpad for Plasma 6 and Ditto Menu, but the code on GitHub is not in sync with what is provided by the KDE Store. The code on GitHub is outdated (almost 1 yr compared to the KDE Store file). I can download the file from the KDE Store and look directly at the code, but I don’t have the capacity to really verify it.
Usually, to evaluate a program I look on GitHub/GitLab etc. and check if there are multiple contributors and issues, the last commit, etc., but here it’s not possible. I understand that the KDE Store is not managed by KDE and here it is the responsibility of the author of the plugin to keep git and the store coherent, but it is a little worrisome to see that, and I wonder how to consider it and if it could be improved.
Sorry for the long post. I have difficulty making a concise one in English, which is not my main language.
The silence here is a bit worrying. Let me try formulating specific questions.
The KDE Store allows installing software, like themes and widgets.
KDE shows a warning: “Use caution … may contain executable code that hasn’t been tested … for safety, stability, or quality”.
For simplicity let’s assume that authors of some software have shared its source code publicly and the user trusts that version of the code. Even in this case it seems there’s a risk of the KDE Store artifact not matching the trusted source code for various reasons (e.g. prepared & extended by a malicious third-party user as a “help” to authors, or authors themselves maliciously publishing only the “safe” part of the source code, etc.).
Questions:
What exactly is meant by the “executable code” in the KDE warning above? Can artifacts from KDE Store really contain compiled binary code (not just something interpreted, like JavaScript)?
What exact steps are meant under “use caution”, specifically against the risks above?
Are there any clearly described practices used by the KDE Store that address security & trust?
Thanks for the reply.
To be clear, the code of said script is accessible. You can download it directly, unpack it and look at it, review it yourself (so it complies with the open source licence). I don’t know of any restriction on executing some binary (but I don’t know much).
The problem I pointed out was that the code shared via GitHub/GitLab/… didn’t match (was outdated compared to) the one shared via store.kde.org / pling, so it is more like a social/organisational problem, as we (I) tend to go to the source hosting to review code (a lot more practical and all) and not necessarily review the actual downloaded one.
Considering a bad actor, you could have someone sharing safe code on a git host but having different code on the shop. A more common problem could just be faulty code that isn’t reviewed; it is also a problem for helping improve those or reporting bugs and proposing PRs. The warning came after (if my chronology is correct) the update of a global theme (which can execute code) caused the loss of an entire home due to some mistake in the code.
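The post above describes the gap a reviewer faces: the git checkout is what gets read, the store archive is what gets installed, and the two may not match. The script below is an added example, not code from this thread or from any KDE project. It compares an unpacked store archive against a git checkout of the same add-on (every file hashed on both sides, then changed, store-only and git-only files listed), and separately lists which files in the store copy are executable code rather than data (shebang scripts, ELF shared objects, execute bits, and QML/JS, since a Plasma widget is QML). The two sample trees, the widget id `org.example.launcher` and the file names are constructed here so the script runs offline; in real use, unpack the store download into one directory and clone the project into the other.

```shell
#!/bin/sh
# Added example (not from the thread): review helper that answers two
# questions about a KDE Store download: does it match the git source I
# reviewed, and what in it can actually run as code?
set -eu
export LC_ALL=C   # deterministic sort order for the comparison

# One "sha256 relative/path" line per file under DIR, sorted by path.
tree_digest() {
  ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
      if command -v sha256sum >/dev/null 2>&1; then h=$(sha256sum "$f" | cut -d' ' -f1)
      else h=$(shasum -a 256 "$f" | cut -d' ' -f1); fi
      printf '%s %s\n' "$h" "${f#./}"
    done )
}

# One line per difference: "changed PATH", "store-only PATH" or "git-only PATH".
diff_trees() {
  store="$1"; src="$2"; tmp=$(mktemp -d)
  tree_digest "$store" > "$tmp/store"
  tree_digest "$src"   > "$tmp/src"
  awk 'NR==FNR { src[$2]=$1; next }
       { if (!($2 in src)) print "store-only " $2;
         else if (src[$2] != $1) print "changed " $2;
         seen[$2]=1 }
       END { for (p in src) if (!(p in seen)) print "git-only " p }' \
      "$tmp/src" "$tmp/store" | sort
  rm -rf "$tmp"
}

# Files under DIR that are code rather than data: "script" (shebang),
# "native" (ELF magic), "execbit" (mode), "code" (QML/JS/sh/py by extension).
executable_candidates() {
  ( cd "$1" && find . -type f | sort | while IFS= read -r f; do
      magic=$(head -c 4 "$f" | od -An -c | tr -d ' \n')
      case "$magic" in
        '#!'*)    printf 'script %s\n' "${f#./}"; continue ;;
        '177ELF'*) printf 'native %s\n' "${f#./}"; continue ;;
      esac
      if [ -x "$f" ]; then printf 'execbit %s\n' "${f#./}"; continue; fi
      case "$f" in *.qml|*.js|*.sh|*.py) printf 'code %s\n' "${f#./}" ;; esac
    done )
}

count_differences() { diff_trees "$1" "$2" | wc -l | tr -d ' '; }
count_executables() { executable_candidates "$1" | wc -l | tr -d ' '; }

# Constructed sample: a git checkout and a store copy of the same widget.
# The store copy has a modified main.qml, an extra install script and no
# README, which is what "git is stale, store is newer" looks like on disk.
make_sample() {
  root=$(mktemp -d)
  for side in git store; do
    mkdir -p "$root/$side/contents/ui"
    printf '{ "KPlugin": { "Id": "org.example.launcher" } }\n' > "$root/$side/metadata.json"
    printf 'import QtQuick\nItem {}\n' > "$root/$side/contents/ui/main.qml"
  done
  echo '# readme' > "$root/git/README.md"
  printf 'import QtQuick\nItem { Component.onCompleted: console.log("new") }\n' \
    > "$root/store/contents/ui/main.qml"
  printf '#!/bin/sh\necho installing\n' > "$root/store/install.sh"
  printf '%s\n' "$root"
}

if [ "${1:-}" = "demo" ]; then
  root=$(make_sample)
  echo "== differences (store vs git) =="; diff_trees "$root/store" "$root/git"
  echo "== executable code in the store copy =="; executable_candidates "$root/store"
  rm -rf "$root"
fi
```

Run it as `sh review.sh demo` to see the constructed case; for a real download, call `diff_trees <unpacked-store-dir> <git-checkout>` and `executable_candidates <unpacked-store-dir>` directly. A non-empty difference list means the git history you read is not what you are about to install, and every "script" or "native" entry is something the git-hosted QML never showed you.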
This topic has been discussed in other threads, which is why it may have been neglected.
I agree the warning is sort of vague and leaves the user with little direction… I believe this is intentional.
These 3rd-party addons can execute code (any executable code) to manage their function and therefore can introduce system instability if not done correctly (or if done maliciously).
The “caution” a user should take is to always have a backup they can fall back to if things go wonky, or if it just doesn’t work as expected.
As pointed out elsewhere, things like global themes can leave bits behind even after they are uninstalled that will still trigger Discover into thinking they are installed and in need of updating.
My advice is to take a snapshot in Timeshift before adding any 3rd-party item to your Plasma installation, and then only test that addition for a time before doing any other config or productive work that would be lost if you have to roll back.