KDE Devs Warn Of the Danger Of Installing Third-Party Themes

KDE developers are warning users of the danger of installing third-party themes after one user's home directory and files were deleted.
Written by Matt Milano

KDE Plasma is easily the most powerful and customizable desktop environment on any platform, giving the user extensive theming options. Plasma even includes the ability to download user-created themes from within the desktop. Despite warnings that there is no guarantee regarding the safety of said themes, the fact that they are available from the Plasma desktop can create a false sense of security.

One user learned this the hard way when a theme completely erased their home directory and files. The user, going by the name ‘JeansenVaars,’ posted about it on the openSUSE and KDE Reddit communities:

Dear Community and KDE,

I just installed this Global Theme, innocently (Global Themes -> Add New…):

It DELETES all your USER mounted drives' data. It executes ‘rm -rf’ on your behalf, deletes all personal data immediately. No questions asked.

I’d appreciate it if anyone could escalate this, I find it totally mind blowing that installing skins allows script execution so easily. I canceled this when it asked for my root password, but it was too late for my personal data. All drives mounted under my user were gone, down to 0 bytes, games, configurations, browser data, home folder, all gone.

KDE developers were quick to respond, removing the offending theme from the KDE Store. It seems there was nothing intentionally malicious about the theme; an errant command was responsible for the deletions.

Nonetheless, KDE’s devs authored a number of posts warning of the dangers of downloading third-party themes, explaining just how much a theme can change.

KDE contributor Bro666 wrote one such post:

A user has had a bad experience installing a global theme on Plasma and lost personal data.

Global themes do not only change the look of Plasma, but also the behavior. To do this they run code, and this code can be faulty, as in the case mentioned above. The same goes for widgets and plasmoids.

We are calling on the community to help us locate and quarantine defective software by using the “Report” buttons available on each item in the KDE Store.

Please see this image to locate them.

Meanwhile, KDE is taking steps to properly warn users before each download and we are also putting in place ways of auditing and curating what is uploaded to the KDE store.

Nevertheless, this will take time and resources. We recommend that all users be careful when installing and running software not provided directly by KDE or your distros.

And remember to report any faulty products you find!

Well-known KDE developer David Edmundson discussed the issue as well, noting that KDE’s core functionality hasn’t changed, but user expectations have:

A problem is there’s an expectation that because it’s programs that it’s inherently unsafe and a user needs to trust the source. Our issue is phrases like “global themes” or “Plasma applets” don’t always carry this message.

The tech world has changed a lot over the past decade and whilst our code hasn’t changed, users’ expectations have. More and more places provide well kept walled gardens where most actions accessible via the UI are safe-by-default – or at least claim to be!

I’ve also seen confusion that because a lot of our UI is written in a higher-level language (QML) that’s enriched with javascript, all browser sandboxing automatically applies, even though that’s not what we claim.

Edmundson goes on to say that KDE devs need to more clearly communicate the risks involved with downloading third-party themes, applets, extensions, etc., with the goal of balancing easy access to third-party content with “enough speed-bumps and checks that everyone knows what risks are involved.”

Edmundson also outlines long-term goals:

Longer term we need to progress on two avenues. We need to make sure we separate the “safe” content, where it is just metadata and content, from the “unsafe” content with scriptable content.

Then we can look at providing curation and auditing as part of the store process in combination with slowly improving sandbox support.

The KDE devs have earned a lot of respect from users for their quick handling of the situation and their willingness to make changes moving forward. In the meantime, users should do exactly as they say and be very careful when downloading and installing third-party themes and other desktop modifications.
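One practical way to apply the "safe metadata versus scriptable content" distinction Edmundson describes is to audit an unpacked theme package before installing it. The script below is an added example, not code from KDE or this article; the package layout it builds (metadata.json, contents/layouts/*.js, a shell hook) is an assumption used only for a constructed sample, and the list of suspicious tokens is a starting point rather than anything KDE ships.

```python
"""Audit an unpacked Plasma global theme before installing (added example, not KDE code).
Splits plain content/metadata from executable content; the sample layout is an assumption."""
import os
import re
import stat
import tempfile

SCRIPT_EXTS = {".js", ".qml", ".sh", ".bash", ".py", ".pl"}
# Tokens suggesting a script reaches beyond desktop UI scripting (assumed list).
SUSPICIOUS = re.compile(r"(rm\s+-rf|/bin/sh|/bin/bash|sudo|kdesu|pkexec)", re.I)

def classify_file(path):
    """One finding: kind is 'content' or 'scriptable', with the reasons why."""
    with open(path, "rb") as fh:
        head = fh.read(4096)
    exec_bit = bool(os.stat(path).st_mode & stat.S_IXUSR)
    shebang = head.startswith(b"#!")
    scriptable = os.path.splitext(path)[1].lower() in SCRIPT_EXTS or exec_bit or shebang
    text = head.decode("utf-8", "replace") if scriptable else ""
    hits = sorted({h.lower() for h in SUSPICIOUS.findall(text)})
    return {"path": path, "kind": "scriptable" if scriptable else "content",
            "exec_bit": exec_bit, "shebang": shebang, "hits": hits}

def audit_theme(root):
    """Findings for every scriptable file under root, sorted by relative path."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            f = classify_file(os.path.join(dirpath, name))
            f["path"] = os.path.relpath(f["path"], root)
            if f["kind"] == "scriptable":
                findings.append(f)
    return sorted(findings, key=lambda f: f["path"])

def build_sample_theme():
    """Write a constructed sample package (not a real theme) to a temp dir."""
    root = tempfile.mkdtemp(prefix="theme-")
    files = {
        "metadata.json": '{"KPlugin": {"Name": "Constructed Example"}}\n',
        "contents/layouts/org.kde.plasma.desktop-layout.js": "var p = new Panel();\n",
        "contents/hook.sh": '#!/bin/sh\nrm -rf "$HOME/.cache/example"\n',
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(root, "contents", "hook.sh"), 0o755)
    return root
```

Run `audit_theme(build_sample_theme())` to see the layout script flagged as scriptable with no suspicious tokens, and the shell hook flagged on its shebang, executable bit, and `rm -rf` hit; metadata.json is classified as plain content.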
