Just a few days back, an openSUSE user had a rude awakening after they installed a global theme on their KDE Plasma-equipped system from the KDE Store.
The theme, called “Grey Layout”, managed to completely erase all their data from the user-mounted drives on the system. It did so by executing the dreaded “rm -rf” command, which deleted everything in its path.
Reddit user JeansenVaars posted their predicament on the openSUSE subreddit, where many sympathized with the situation, and some called for the KDE Store to be completely remade from scratch.
Another Reddit user suggested that they also post on the KDE subreddit to gain some traction there, and that it did.
The post got the attention of the KDE Plasma developers, with Nate Graham stating that the theme in question had been removed from the store.
All that commotion raised the following question.
Global Themes on Plasma: A Double-Edged Sword?
If the situation mentioned above is any indication, then yes: installing global themes from the KDE Store on Plasma can be risky if what you install turns out to be malicious or simply broken.
Writing about this issue, David Edmundson from KDE pointed out that this was caused by a mistake in “some shell parsing”, and not something that was done deliberately by the theme publisher.
However, the discussion around this got them thinking.
Allowing users to download and install things like themes, applets and scripts is a good thing to have, and “nothing on the KDE store happens without explicit user interaction”.
As a result, they have now realized that terms like “global themes” and “Plasma applets” don't necessarily signal that a piece of software may be unsafe.
Even though the store has the following disclaimer 👇, I am not convinced that it is enough.
While this theme's code may not have had malicious intent to begin with, other themes can have malicious intent, and without review, that is indeed a dangerous situation to think of 😲
KDE's Move!
Fortunately, KDE is not going to sit idly by. David mentions that in the short term, they intend to properly communicate the security implications of extensions users download for their Plasma desktops.
In the long term, they plan to separate the “safe” content from the “unsafe” content, while also integrating curation and auditing into the store with improved sandbox support.
He also adds that:
If you install content from the store, I would advise checking it locally or looking for reviews from trusted sources.
I agree with David: users should always check reviews of anything they get from the KDE Store, or from any other software store for that matter. They could check for reviews on the store itself, or from reliable sources such as Reddit.
You never know what kind of harm-causing software you may be adding to your Linux system if you are not careful.
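One way to do the local check advised above, as an added example (not code from KDE or from this article): a Python scanner that lists every recursive `rm` in an unpacked download and marks those whose target depends on a shell expansion or glob. The function names and the sample files are constructed for illustration; the article does not describe the theme's actual script.

```python
import re
import shlex
import tempfile
from pathlib import Path

# "rm" at a command position, captured up to the end of that one command.
RM_CALL = re.compile(r"(?<![\w./-])rm\s+[^;&|\n]*")

def classify_rm(command):
    """None for a non-recursive rm, else 'variable-target' or 'fixed-target'."""
    try:
        args, unparsed = shlex.split(command)[1:], False
    except ValueError:  # unbalanced quotes: a command string glued together in code
        args, unparsed = command.split()[1:], True
    flags = [a for a in args if a.startswith("-")]
    if not any(a == "--recursive" or (a[:2] != "--" and "r" in a.lower()) for a in flags):
        return None
    targets = [a for a in args if not a.startswith("-")]
    # A target that depends on an expansion or glob can resolve to far more than intended.
    dynamic = unparsed or not targets or any(c in t for t in targets for c in "$*`~")
    return "variable-target" if dynamic else "fixed-target"

def scan_package(root):
    """Walk an unpacked download and list (file, line, kind) for each recursive rm."""
    findings = []
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        data = path.read_bytes()
        if b"\0" in data:  # skip images and other binary assets
            continue
        for lineno, line in enumerate(data.decode("utf-8", "replace").splitlines(), 1):
            for match in RM_CALL.finditer(line):
                kind = classify_rm(match.group(0))
                if kind:
                    findings.append((str(path.relative_to(root)), lineno, kind))
    return findings

# Constructed sample package (file names and contents are made up for the demo).
SAMPLE = {
    "cleanup.sh": b"#!/bin/sh\nCACHE_DIR=$1\nrm -rf $CACHE_DIR/*\n",
    "install.sh": b"rm -f old.conf; rm -r ./build\n",
    "metadata.desktop": b"Name=Warm theme\n",
    "preview.png": b"\x89PNG\0rm -rf /\n",
}

def scan_sample():
    with tempfile.TemporaryDirectory() as root:
        for name, body in SAMPLE.items():
            Path(root, name).write_bytes(body)
        return scan_package(root)
```

Call `scan_package()` on the directory where the download was unpacked; any `variable-target` hit is a line to read by hand before installing.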
On that note, if you are looking for Plasma themes, you could refer to our list of gorgeous KDE Plasma themes that we recommend. This time, be cautious about everything!
💬 Did this kind of situation ever happen to you? Do let me know in the comments below!