It's not a reasonable assumption to make that themes on the KDE store are official or tested when we explicitly say they aren't whenever you open the store...

oopsie deleted your home folder 😋

If anything, Canonical's flubs and now this are showing how shockingly lax most Linux software distributors are on user security. The assumption is that "just audit the code lol" but come on, no one's doing that. It's been an honor system for forever, but as the marketshare grows, it painfully shows Linux's weak points due to things like this just never being considered. If we ever get attacked at the same scale Windows does, we're super screwed with our current systems lol.

The home folder is bloat

every time I saw KDE's plug-in store, I was CERTAIN, since it is a user-submitted page, that downloading anything there is a security risk. I could tell instantly that it was not an official repo.

Imagine having your NAS mounted in your home directory and of course you have full permissions to delete anything on your NAS .. then you download this tripe and suddenly your home directory and everything you have permissions to delete ... is deleted before you realize it, including all the data on your NAS. This isn't a small problem. And snapshots won't save you.

The whiteboard is such a good co-host

Closing the KDE store is a terrible idea. But I think that the warning about global issues should include a mention of the security risks. When I first began using Plasma, I installed multiple global themes assuming they would be unstable at worst. I didn't knew I was playing Russian roulette with my files.

This is the reason my computer finished its automatic scheduled backup 15 minutes ago. One day something stupid like this will happen or the hard drive will have a catastrophic failure or a cryptovirus will say hello or...........who knows what. Backup your data folks.

To be fair, 5/10 is a pretty good rating for a theme that erases all your data.

Reminds me of Emacs themes. Calling M-x load-theme in Emacs will warn you "Loading a theme can run Lisp code. Really load?" The first time I saw this definitely weirded me out, I thought themes were just static data. Can't take assumptions like that for granted.

Just as I was building a new backup server, fortuitous timing. Well sort of, I don't use KDE beyond my Steam Deck.

I had really assumed plasmoids and the like were sandboxed. The idea that a global theme has direct write access to my home directory is terrifying.

honestly if i was KDE i wouldnt even have this functionallity for just about same reason as to why traditional package managers make me puke these days

"It can run any arbitrary code" one of the best recipes for major disasters and how is this allowed...out of pure good faith?

Even the steam client accidentally rm -rf-ed a person's drive once. Bad scripting with unchecked variables can have really bad side effects. Scripts that don't stop on failure, especially, tend to misbehave a lot.

We need to start using languages built around capabilities. edit: Rust solved resource-safety with a type system. We can solve "permissions" with a type system.

I made a theme, oh baby, baby Global style, so fancy, so trendy But now my system's gone, oops I did it again I included rm -rf /*, my mistake, oh baby, baby I thought my theme was cool But now my files are all erased I should've checked the script But now it's too late, oh baby, baby Oops, I did it again Deleted my system, got no defense Oh baby, baby Oops, you think I'm careless But I'm just a KDE enthusiast I played with fire, oh baby, baby Now my system's a disaster, so crazy I should've been more careful, oops I did it again Included rm -rf /*, my mistake, oh baby, baby I thought I was a pro But now I'm starting from scratch I should've backed up my data But now it's all gone, oh baby, baby Oops, I did it again Deleted my system, got no defense Oh baby, baby Oops, you think I'm careless But I'm just a KDE enthusiast Oops, I did it again Deleted my system, got no defense Oh baby, baby Oops, you think I'm careless But I'm just a KDE enthusiast I'm gonna reinstall, oh baby, baby Learn from my mistake, never be lazy I'll be more cautious next time, never do it again No more rm -rf /*, my lesson learned, oh baby, baby - via some free GPT service from the following prompt: ''' a new original song about KDE global themes deleting your system via included rm -rf /* in the script, but to the tune of "oops I did it again" by britney spears

Theme, yeah, I'm not expecting it to run scripts that could potentially nuke my data. Maybe they need a new name for that sort of thing to get away from typical user expectations that a theme is inherently safe? Having all these extra scripts that can do potentially anything, I could see that as being useful, but calling it a theme would imply to most users that it is safe. Maybe your desktop would be messed up in the worst case, but data loss? Not what comes to mind with the name "theme". No idea on a better name that gets to the core of what it does without the implication of safety though.

Instead of a slightly vague warning (or actually additionally), there could be a very simple and easy checking mechanism implemented which would check the content of any related script and if it found a number of commands of such nature such as the rm -rf, regardless of how it was coded in a script, it should pop up a message and warn the user about it's potential harm, with a review of the code button to let you see the code by yourself and judge (not an entirely bulletproof method as it relies on the users knowledge level but still than nothing) and then if you still want to accept and continue with the installation, sure have an accept button and go ahead. The mechanism would not, by default allow anyone to install a theme automatically and it should even check any downloaded themes before they were attempted to be applied, while not the best solution, it's fairly a very easy and fast which would help prevent most of such incidents before a better solution was made to replace it.

Thank you for explaining this, I don't know why this isn't made more apparent.

I am pretty sure that in the official KDE store you can download KDE 3 things... KDE sucks when it comes to documenting changes in the official documentation.

I think that they should rethink the name "Global Themes", "Global" in no way conveys that it is anything more then just a theme, that is just applied to everything, I think it would be better to call them something like "Advanced Themes" and have the KDE store give you a warning like "Advanced Themes may contain additional scripts or programs that could break your system".

The ending of this video 😭😭😭

I really enjoy themes. However I've been waiting for more bugs to be fixed. Running KDE 6 just using custom theme sections like icons and cursors. Been editing my own colors, but that system is confusing and convoluted. KDE 6 is cool. UI Organization overall is a bit better. The panel system is getting there. We need more control over theming in plasma section of appearance settings. Or the panel could use it's own theming control.

honestly this isnt surprising to me, but at the same time ive been a KDE user for almost 10 years now (holy crap, already?) and have experienced some of these issues for myself. fortunately, nothing quite so bad as having my data erased, but i have had my desktop break in weird ways, or even entirely as a result of some themes

5/10 rating usually means no ratings. i think it has something to do with a 0:0 ratio and stuff like that but still, it's pretty dumb to make "no ratings" show up as "5/10".

I now want my user files to be protected somehow. And in such a way that a random "rm -rf /*" won't be able to delete it or a malicious program won't be able to steal my user data. And Linux systems should be better hardened against these kinds of things in my opinion.

I just use Breeze Dark that I modified my self, actually.

thanks for the heads up about plasma config saver, im gonna double check that before i update to plasma 6 lest it does what happened

Wow it really is the year of the linux desktop

I do have a very selective list of Community trusted PPAs I use. Like the Zabbly stable Linux kernels for Ubuntu 22.04. Or the OBS repo. And my own compiled applications' PPA so I don't have to rebuild a lot of stuff every time I format my PC. Blindly trusting software sources is quite dangerous.

Will you cover the recent merge of the explicit sync protocol in Wayland? As an unfortunately long standing nvidia user this news finally gave me hope in usable games even for us team greens 😫

Can I install steam using KDE global themes?

this is why you make a typed DSL with a comiler in Haskell like Nix did.

There is no need to make static analyzer that checks how dangerous scripts are. Can just triage those based on types of scripts and knowledge of what sandboxing those kinds of scripts getting. E.g. shell scripts to be most dangerous, QML scripts might have some sandboxing and require less review.

The ability for a theme to execute random code seems like a bit of a security hole, I wonder if it would work if home was mounted as noexec? I guess the theme probably wouldn't apply.

It's not the first time it happens. Not even the second. Honestly rm --no-preserve-root should have similar option --no-preserve-dirs-at-root and without it it should scan for removing /bin /etc/ /usr/ and fai if it sees them. The fact that --no-preserve-root can be circumvented by using glob is an oversight.

While the name "global theme" is a major part of the problem, the way it can also completely overwrite the desktop layout if this checkmark is set makes obvious that a global theme does a lot more than just change some CSS and colours. Perhaps another checkmark with "allow executing code" can be added to this popup before enabling the theme, blocking the added plasmoids and arbitrary code if not enabled. Along with a rebrand, like how Minecraft renamed it's Texture Packs to Resource Packs as they added model and sound support, to reflect their actual abilities. This has made me aware to that I should be careful with them, having stuck to my distro's included global theme and using the separate Style configurations to tweak/rice it to my liking. Which has let me achieve what I want fully in Plasma 5, though currently changing these settings have been broken for me in Plasma 6, so I've been sticking to my mostly functional but lightly borked old Plasma 5 themes. Plasmoids executing arbitrary code was obvious to me, especially with how Windows supposedly removed them over concerns over malicious RCE using them. I am okay with them executing arbitrary code as this is needed for their level of functionality, but do limit my use of extensions to a minimal set of ones I trust, similarly to how I treat my browser. Of course this is not how everyone treats their software, that said, KDE Plasma is designed expecting users to tweak it more, whereas GNOME's over-reliance on extensions for basic features makes it as if not more concerning.

Is there a pissibility of having fine-grain permission system like on Android? So that apps can't execute arbitrary system calls, like calling the internet or interact with the filesystem?

I am starting to think bwrap everything that can access unreviewed third party code. Obviously not too practical for a desktop environment but certainly things like game launchers. I think desktop environments probably need to do better sandboxing. They have adopted browser like extensions but without the associated permission framework. My expectation is that a Gnome tiling extension be able to access window and screen dimensions and names, not read/write to my home dir.

would it be possible for global themes to run as a union file system or overlayfs or something like that so that it only affects what it needs to? So it won't touch the system its self.

We just need badges for apps that have been reviewed and not reviewed and give preference to reviewed apps and huge warnings that act as hurdles to get to non reviewed apps.

0:44 while I agree that 5/10 rating is not a good one, but sorting by highest rated for Global Themes will show you that the themes in the KDE Store barely go beyond 6/10 on average. As of writing this comment, if I go to Settings > Colours & Themes > Global Themes > Get New, the highest rated theme is Otto with 18,781 downloads and 8.2/10 rating, and the most downloaded theme is Se7en Aero with 52,184 downloads and (ironically) 6.9/10 rating. The second highest rated theme is rated 7.9 (Edna), and the second most downloaded theme is rated 5.8 (Curved Volatile Style), so ratings seems to not be a reasonable measure of quality here.

I just read about that on Mastodon, lol

# Scary! Breeze and fluffy bunny are the only themes endorsed by KDE.

YYYY is the years of Linux desktop. It does not matter in which year you read it. (4% and up. I never imagined I'd say 'thank you, micro$haft!)

I dont if this still applies to plasma 6 bit in plasma 5 Kwin Decoration themes are written in C++.

Only one thing I take issue with, breeze dark. Breeze light is where it's at! Banish the darkness, embrace the light! Also shell scripts are scary, especially in the hands of people who don't realise how unsafe their scripts are.

Handling this 1000x better than canonical is the most canonical statement of all time. 😆

I've installed a few global themes myself as well. I didn't know they can run arbitrary code. Scary! This news blowing up will probably lead to malicious actors uploading fake themes and stealing crypto wallet keys and/or passwords.

The KDE theme system always felt really janky to me, so I never used it

This doesn't even require a "global theme". Qt style-engines are just C++. They are arbitrary programs. Unfortunately, Qt chose CSS as the non-code style technology. CSS is so awful that people were willing to accept style-engines. I wish there was something in the middle. It would be better if you could specify the C++-specific data for each type of widget, in json. Then there would only need to be one theme engine. But no theme-engine works this way. (Kvantum is somewhat configurable, but it chose SVG as the configuration technology, and it's very awkward to use.) I'm currently trying to write a theme in Qt6 that looks vaguely like QtCurve. Perhaps, I will eventually add that functionality to it.

As a user, I'm quite shocked to learn that a "Global Theme" can execute arbitrary code on my machine without knowing it. For me, this should simply be impossible or KDE should impose the use of an API provided by the KDE environment. This API would offer a number of useful and necessary functions for themes, but in a perfectly secure way.

And keep offline backups! I personally still use a blu-ray burner because it's write-once... but multi-write is better than nothing.

Why is there a KDE malware store

As much as I'd always like to defend the KDE project... thats bad.

What's wrong with breeze dark? :P

My le themes le killed home folders Noooooooo

From engineering point of view, there is something really wrong with a platform if theming it needs executable code. This approach to theming is just a big can of worms.

sudo rm -rf ~ 😳

yeet part of your beard lmao

Bah, you're theaming it wrong. Wait, this is KDE not apple... meh, QT, close enough.

well they already disabled global themes now lol

oopsie woopsie deweted wour howe fowder uwu

When you go to the KDE themes (global or other stuff) and select 'get new', the pop up comes up and the VERY FIRST THING YOU SEE IS THIS: ------- "The content available here has been uploaded by users like you, and has not been reviewed by your distributor for functionality or stability." ------ At that point, mucking about further is ON YOU if it blows up. Common sense does have a part in all of this. I completely disagree with you regarding closing the entire store. Having some validation in the user uploaded content would be good going forward, but closing the store is like throwing out the baby with the dirty bathwater.

I am surprised that there are scripts in random languages and no sandboxing... Especially in themes... What kind of logic needs to be written for smth that should just look?

the install/uninstall scripts on gnome-look 👀

It's a theme. Why is it executing scripts?

What a mess.🤣🤣🤣🤣

KDE is the best desktop for linux unless someone can help me throw a config in my nix os and use sway ill do that i cant figure out the nix configs for sway too lazy since kde works

Linux desperately needs a permission system like android has. If a "global theme" asked you for access to all files, you would undoubtedly realize there's a risk

IMO, you should be expecting this when using KDE. That's just how it is. Want stability? Use GNOME instead.

I'm a technical guy who has used Linux for a VERY long time (though not a lot of time in KDE), and even with that warning about "functionality and stability", I admit I probably would not have known a "global theme" could run arbitrary code. I think this is a rare case where the user bears almost no responsibility at all. Or very little at least. The warning shouldn't be PR-speak or vague. "These downloads have the ability to execute code on your system. Treat 'global themes' the same way you'd treat a program you found on the internet" I mean, maybe that's a bit wordy but you know what I mean.

I feel bad here because the phrase "Global Theme" is my fault. Years ago I proposed it as a replacement for the prior term "Look And Feel" which I didn't think had any real meaning to anyone. But clearly using the word "Theme" was also a mistake because this *isn't* really a theme, it's a collection of stuff, some of which may be themes, and some of which may run arbitrary code. We probably need a term that involves the word "package" or "plugin" or something. This is aside from the hardening work which is being undertaken right now.

5/10 seems to be the default rating on stuff that hasn't been rated. Not ideal, I'd want that to be a separately tracked state like (--/10) or (unrated). Though the KDE team certainly has bigger things to focus on at the moment

Having sciptable themes is like downloading music from lime wire with .exe extension

I honestly didn't think global themes could run random scripts without like any limitations whatsoever. So in theory global themes could send stuff like your ssh keys, your browsing history, saved passwords and basically anything from your home directory to some random API and collect lots of data while users would probably not know about it? I mean yeah, any software I install from the aur (or even the snap store) could do the same, but it's somewhat expected that I grant an application access to my file system while with a theme it's not really that clear imo

Honestly surprised something like this hasn't happened before, but I've always found the integrations like downloading Global Themes difficult to operate so I never bothered. Definitely was news to me that there was actually scrips involved for anything other than applets which I would expect to be executable.

Funny how we’re basically recreating what used to get Microsoft tons of flak some decades ago…

I opened the video and said “this sounds like a classic ‘rm -rf’ moment”, sucks to be right though :/

In my opinion, KDE should include a curated list of global themes by different developers, with an optional checkbox to enable the KDE global theme store. Sure, this may feel like an attempt at GNOME-ifying KDE, but if things that are incompatible with your current version of KDE lead to things like important directories being deleted, and these global things including mishmash of things that are and aren't fully compatible, it's best to only include the highest quality global themes by default, and not just a light and dark theme like what we have now. There are so many different flaws with the store right now. No curated "Featured" section, newest themes by default, no eays way to filter out incompatible themes, GNOME-only icons appearing in the icon store, a flawed screenshot system, connection issues and instability - it's basically a mess, and overall a very bad and outdated user experience that needs to be changed and improved. Hopefully this is a wake-up call for the KDE team.

This is why I WISH THEY WOULD REMOVE the "GET MORE THEMES" buttons from the settings and MOVE IT TO DISCOVER... It's such a UX FOOT GUN... The idea of the settings downloading things from the web directly FEELS wrong, KDE's DISCOVER should be the place you download it And settings is where you apply the themes.

It's so cool that a thing like themes is running arbitrary code by anonymous individuals.

rm -rf /* # Isn't that also the command in your outro? XD

This really is "a year of the linux desktop"

I used to randomly download themes and test them out. NOW I'm just sticking with Breeze Dark.

Ron Swanson just walked by carrying a CRT somewhere...

Reminds me of how I deleted my /usr/bin directory because of a damn space 😅

Short term? All addons with active code should come with a warning even after we get past this, and for now should be disabled (not deleted or even removed, we want this to be visible), pending review by both the author and store auditors. This can be done automatically, the audit cannot but will just be a slowdown rather than a halt.

It has been 30 years since autostart macros in Office documents caused issues and it looks like we haven't learned from it at all. 1995: "It is a office document, full of text, what could go wrong opening it?" 2024: "It is a theme, changing three annoying colors, what could go wrong using it?" "Themes" should be data, not code. And if there is code, why isn't it sandboxed ( with chroot ) into some subfolder only?

Cinnamon desktop deserves to be less ignored. It’s stable and has a balance of settings between gnome and kde. And actual supported themes and extensions.

That's why I always include a path for any variable used with rm, where I know it is safe. Also never ever do rm rf without path and without making 100% sure that this is secure to delete. Add guard rails checking if the path variable does not point to empty string, home directory or root. Better yet, cd into the specific directory, exit script if folder does not exist and delete only those specific filenames and folders with rm without or least globs as possible. Then delete the empty directory with rmdir. Maybe add a question if the folder should be deleted. When I write scripts or programs that deals with deleting files, I am always in panic mode and do my best I can to avoid deleting anything else.

Yes I have heard about this.This is very worrying. When I was on Windows 7 a few years ago we had this same problem. There were found to be security holes in the Windows Sidebar and Gadgets. Microsoft rolled out an update to disable all Gadgets including the sidebar. KDE should do the same thing. and issue an update to remove any themes that did not come with the Kubuntu or KDE desktop. I only had one global theme which I have now removed just in case. Other users should do this and the option to ad third party themes should be disabled by KDE until this problem is sorted out.

Fucking embaracing for Linux. Solaris and co have solved this years and years and years ago. You simply should never be able to run rm -rf / unless you explicitly ask for it with special parameter.

Whereas I knew it was provided by third parties after more than a decade of using KDE I only know now that global themes allow running arbitrary scripts. Guess I am never using themes again.

On one hand, I was always aware of the dangert, but have not a single time verified if an AUR package does what it says it does. I would probably also not verify any global theme I download. Not smart of me, I admit. On the other hand, this shit is terrifying. I should change my ways. But IDK how long will the energy last before I slip back to how I do things now.

I didn't even know that the JS in widgets etc. had system access… I thought it was like a runtime in a web browser with access to a limited API of some sort.

"check everything on the KDE store" dude there's, like, 6000 plugins there, being added frequently... Even a surface level check would take 45m / item on average (most items are applets, which contain a lot of code, and global themes are super big too)... That's 4500 hours of work. To give you an idea, even if we put 5 KDE devs full time (and we wouldn't be able to) that would still take 3 months, and that's very optimistic, given our current resources the expected timeline is: never! Goodbye KDE store. And that's assuming volunteers would actually want to do that, if we had to pay someone it would take ~150.000€ to do it, which is... crazy out of budget. And keep in mind that in all of the years and thousand of themes, we only have *1* reported case of this happening (and this is the sort of thing you do report immediately). I don't think it's fair to ask to shutdown the store quite literally for years

Yeah the little blue text could be red and tell you to inspect 'this' folder and have a link there. There could be more details like what kind of scripts. : java, shell or what not.