Total Linux/KDE NOOB question: Discover App Demands Access - Security Risks

I searched but did not find anybody asking this question - links requested if there is one - but I’m a total noob to Linux and therefore to KDE, and the looming question:

Whenever I want to install a program from the Discover repository and look at the details, the Permissions list will always have anything from “System Folder” to “Access Bus” all the way up to “Full Access - Can access everything on your system.”

Given that installing, even from the User account, requires granting these kinds of access via Admin password, how do I know that any given app on the Discover list, under any category, is safe to install and use?

Given the open-source nature of everything in Linux, it seems like it would be child’s play for someone to write an app with malware coded right into it, or take an existing title and add malware to it.

Every single time I think about installing something I come up against this question - with the end result being that I don’t have a whole lot of software installed at all. (As Jodi Taylor put it “Always listen to your paranoia. It’s keeping you alive and almost certainly has more sense than you.” :grin: ) Any definitive answer would be great - or should I assume there is never a guarantee of a clean program install?

How do you ever know that any piece of software on any platform is safe to install and use? At least partially it will always come down to trust.

Given any install there are at least 2-3 things to consider:

  • The software itself. i.e. If you are installing “kate”, do you trust that kate isn’t malicious? Do you trust the KDE project and its developers?
  • Next you need to consider the source of the package. Is the source of the package your distro’s repositories, a 3rd party repo, a publisher/developer provided repo or something else (flathub, snap store, some random appimage you found in google, etc.)? Now ask yourself if you trust that source.
  • If the source is not your distro, you need to decide if you trust the packager. For example, if you are getting a flatpak from flathub, those can be packaged by anyone. So take a look first and ensure the package is provided by a “Verified” source or someone you trust.

I think to manage risk, there are good general rules to follow:

  • If something feels sketchy, it probably is. Trust your gut or ask at a reputable location.
  • If you don’t trust your distro, you probably shouldn’t be using it, so packages provided by your distro will usually be packaged in a way that doesn’t add anything malicious.
  • When installing flatpaks, make sure they are “Verified”.
  • If your distro supports adding 3rd party repositories, be very careful when doing so. Make sure you understand the source of all your software.
  • Don’t download software from random sources. Be sure you are getting it from an official location of your distro or the software developer.

When you use Discover, there are a couple of things you should validate in addition to the permissions:

The arrow in the top right tells you the source; in this case, the package is coming from Flathub, the primary 3rd party repository for flatpaks. The arrow on the top left tells you that it was packaged by Mozilla and the :check_box_with_check: tells you it is verified. So if you trust Mozilla to not package malware, that is probably a reasonable thing to install. If you don’t, then you definitely shouldn’t install it because they make the software.

Of course, if the software itself has something malicious in it, it doesn’t matter who packages it.

2 Likes

Just a little bit more information. Here is a screenshot from kubuntu:

Here you can see that this package can be installed from 3 different locations. The checkbox has a different meaning in each case, and if you hover over it you will get information about what it means.

Thank you for the detailed response, dalto! I’ve been worrying about this since I got this machine (mid-’24.) I’ve always assumed that everything in Discover has been vetted as safe, but… I put the “ya” in paranoia.

Anyway, I’ve never installed anything except what shows up in the KDE Discover repository. There are some programs I wish I could get installed on Linux (like my fave audio editor and that kind of thing,) but when I come up against tar, deb, tgz etc., I don’t dare touch them - and wouldn’t know how to work with them anyway - but that’s a different issue.

Thanks for your help - I owe you beer. :beer_mug:

1 Like

by default discover will show you the official repositories of your distro and you should feel comfortable installing any of these native apps†… they will all request an elevated privilege to install, that is normal.

if you have added the discover flatpak or snap backend then discover will also show you packages from those repositories.

snap packages are compiled by canonical (if you trust them) and require elevated privileges, just like native packages.

flatpaks can be compiled either by the developer (trusted) or by a 3rd party, so that is worth looking into in the description… the good news is flatpaks generally allow you to only add permissions that you are comfortable with in order to gain functionality, so you have control

† assuming you trust your distro’s team of maintainers to keep any malware off their repositories.

1 Like

One small addition regarding “Full Access - Can access everything on your system”.
Not all kinds of apps can currently be sandboxed. Apps that come right from your operating system vendor (distribution repositories) are usually not sandboxed. So this permission does not mean that the developer of the app decided to request this permission, rather that the system for technical reasons couldn’t stop it if it tried to access something.

However, the idea is somewhat that distributions make sure to only distribute software that is not dangerous.

Regarding the open-source nature: Luckily open-source does not mean everyone can change whatever they like. There are people responsible for all kinds of projects, and they review changes before accepting them, to make sure they are safe and useful. That means you only need to trust the main app developer, and not every random person on the planet :slight_smile:

2 Likes

Also “Can access everything on your system” is still limited to the access right of the user executing the program.

Only a program run as the super user / root / admin can really “access everything”

Krake, but if you’re required to type in the Admin password just to get the program installed at all, doesn’t that grant the program access to everything the Admin has access to? Or does that password only function for the specific purpose of installing the program, and nothing beyond that? I’m confused as to how that Admin password requirement for installing works.

Also, in reply to dalto’s screengrabs: I had a look at some of the apps I want to install, and none of them has the check mark beside the source entity name, so does that mean they’re not verified? I’m assuming so.

No, in most cases it gives the installer permission to install the files. That usually happens because you are installing files from the repos of your distro and the binaries get installed to places like /usr/bin which are protected.

If you were installing a containerized format like a flatpak or a snap, you wouldn’t be asked for your password.

Can you share a screenshot of one of the packages you are trying to install?

Thanks again dalto. There’s three major ones, Audacity, LibreDraw and XnView - here’s Audacity (the other two look the same):

As @dalto said the password for Admin privileges is needed to authorize the installer for things like putting files into shared/system locations.

There are, however, some differences in what different installers do.

When a Flatpak or Snap is installed system wide (and thus needing Admin privileges), the respective installer will extract program files and put them into appropriate places.

It will not run any sort of program that came with the installation download.

Traditional Linux packages, on the other hand, like .deb (on Debian/Ubuntu) or .rpm (on Redhat, Fedora, Suse, etc) can provide installation helpers as part of the downloaded package.

Usually scripts that do things like register the program as responsible for certain file types.
These helpers/scripts are also executed with Admin privileges.

Coming back to Flatpak/Snap, these types of packages can also be installed for the current user only and their installer won’t need any elevated privileges for that.

1 Like

Audacity is a non-verified flatpak on flathub. There is no check because it isn’t verified. That being said, it looks like you can install that package from another source. Did you click that dropdown in the top right and see what other sources are available?

The other two aren’t in flathub so they must be coming from a different source.