A user has had a bad experience installing a global theme on Plasma and lost personal data.

Global themes do not only change the look of Plasma, but also the behavior. To do this they run code, and this code can be faulty, as in the case mentioned above. The same goes for widgets and plasmoids.

We are calling on the community to help us locate and quarantine defective software by using the “Report” buttons available on each item in the KDE Store.

Please see this linked image to locate them.

Meanwhile, KDE is taking measures to properly warn users before each download and we are also putting in place ways of auditing and curating what is uploaded to the KDE store.

Nevertheless, this will take time and resources. We recommend all users to be careful when installing and running software not provided directly by KDE or your distros.

And remember to report any faulty products you find!

  • Brickardo@feddit.nl
    link
    fedilink
    arrow-up
    14
    ·
    9 months ago

    I must ask, isn’t that explicitly mentioned on the top side of the “get new…” menu?

    • Semperverus@lemmy.world
      link
      fedilink
      English
      arrow-up
      11
      arrow-down
      2
      ·
      9 months ago

      Some people don’t read those popups.

      Its entirely their fault, but it happens, and we should account for that by doing things like making these posts where people come specifically to read.

      • deadcream@sopuli.xyz
        link
        fedilink
        arrow-up
        2
        ·
        9 months ago

        What exactly do you expect users to do when they see “WARNING: what you are doing is unsafe” message? Cause the only outcome I can think of is that they won’t install themes at all.

        • Semperverus@lemmy.world
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          9 months ago

          As someone who works in infosec, that’d honestly be an ideal outcome. Because users don’t check their sources.

          What would be better is if countermeasures such as not allowing that kind of code to be run by the theming engine and also code scanning on the repository with automatic takedowns on detection were put in place.

  • forgotmylastusername@lemmy.ml
    link
    fedilink
    arrow-up
    13
    arrow-down
    1
    ·
    edit-2
    9 months ago

    Are we all forgetting rm -rf has the --no-preserve-root safeguard? The accidental engine DataSource culprit seems unlikely. You can experiment yourself with in VM. It’s only a couple lines of QML code. Nothing will happen without explicitly turning off safety.

    The pling account that posted the theme was registered on February 25 2024. And suddently it has 3800 downloads without anyone else saying anything?

    Things aren’t adding up. I think this had to be intentional malicious crafted code.

      • nexussapphire@lemm.ee
        link
        fedilink
        English
        arrow-up
        2
        ·
        9 months ago

        Unless you have your root dir mounted in your home directory! Thanks btrfs. It might be protect by permissions but I wiped a whole disk without --no_preserve_root. It hurts being too clever sometimes. dink meme

    • gfle
      link
      fedilink
      English
      arrow-up
      33
      ·
      9 months ago

      I don’t think that this is related to Wayland.

      • jaxil6@futurology.today
        link
        fedilink
        English
        arrow-up
        2
        arrow-down
        21
        ·
        9 months ago

        In that case the wayland project should be held accountable for false marketing and deceiving users

        • fallingcats@discuss.tchncs.de
          link
          fedilink
          arrow-up
          11
          ·
          9 months ago

          Clearly you don’t know the first thing about Wayland. If you run an application without a sandbox, of course it can execute commands. That’s just common sense. Qt themes are also kind of an application. Now that’s where the fault lies, not with the protocol applications use to interact with the compositor (Wayland).

          • krimson@feddit.nl
            link
            fedilink
            arrow-up
            9
            ·
            9 months ago

            Ignore him. You would think people have something better to do but apparently creating an account just to trashtalk wayland is a thing. I’ve seen it before, probably the same dude.

    • gomp@lemmy.ml
      link
      fedilink
      arrow-up
      2
      arrow-down
      25
      ·
      9 months ago

      The wayland project was originally started by George Soros… what did you expect?

        • Grangle1@lemm.ee
          link
          fedilink
          arrow-up
          3
          ·
          9 months ago

          I lean center-right myself (and yet somehow continue to use Lemmy) and still marvel at the complete lunacy of conspiracy theories about him that right-wingers can dream up.