• Herzenschein
    link
    fedilink
    arrow-up
    6
    ·
    9 months ago

    FYI for whoever is reading this: it wasn’t just a theme, but a Global Theme: it can include a Plasma Style, a color scheme, an icon theme, a panel layout template, an SDDM theme, wallpapers and widgets. Widgets are capable of running arbitrary code, just like GNOME extensions.

    Here’s the response article from one of our main developers: http://blog.davidedmundson.co.uk/blog/kde-store-content/

    In the short term we need to communicate clearly what security expectations Plasma users should have for extensions they download into their desktops.

    We need to improve the balance of accessing third party content that allows creators to share and have users to get this content easily, with enough speed-bumps and checks that everyone knows what risks are involved.

    Longer term we need to progress on two avenues. We need to make sure we separate the “safe” content, where it is just metadata and content, from the “unsafe” content with scriptable content.

    Then we can look at providing curation and auditing as part of the store process in combination with slowly improving sandbox support.

  • just_hiroshi
    link
    fedilink
    English
    arrow-up
    3
    ·
    9 months ago

    I was installing themes and I did see that one, but I didn’t like it. I dodged a bullet that day and I didn’t know it.

  • tblFlip
    link
    fedilink
    English
    arrow-up
    3
    ·
    9 months ago

    yup yup yup. didnt steam also have some “fun” rm -rf bug a few years ago? proper backups and sandboxing go a long way

    • Southern WolfOPMA
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      Yeah, I remember that. Was it in the client or in an installed game?

      And yeah, backups are the most important from the users end to do. Sandboxing and proper permissions is something KDE needs to focus on.

    • Southern WolfOPMA
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      Yeah, I remember that. Was it in the client or in an installed game?

      And yeah, backups are the most important from the users end to do. Sandboxing and proper permissions is something KDE needs to focus on.

    • Southern WolfOPMA
      link
      fedilink
      arrow-up
      1
      ·
      9 months ago

      Or at least not alert the user that it has those powers. This would suggest KDE needs some ranked permissions for their themes and add-ons to prevent this from happening willy-nilly.