Trusting content on the KDE Store

A global theme on the KDE third party store had an issue where it executed a script that removed user’s data. It wasn’t intended as malicious, but a mistake in some shell parsing. It was promptly identified and removed, but not before doing some damage to that user.

This has started a lot of discourse around the concept of the store, security and upstream KDE. With the main question how can a theme have access to do this?
↫ David Edmundson

That ‘some damage’ was personal data loss, which is quite something to happen after installing a theme. KDE kind of shot itself in the foot here by having something called ‘global themes’, which is a combination of themes for various elements of the desktop, like the application style, icon theme, cursor theme, colour scheme, and so on, but also things like panel layout and even widgets, applets, and other things that can run code. Some of these global themes use shell scripts to implement the more advanced aspects of their themes, and all these things combined means that global themes installed through KDE’s own built-in theme installer can cause some serious damage.

The problem is getting some attention now, and I hope they can find a way to make this process more transparent for end users, so people know what they’re getting themselves into. I’m not advocating for dumbing all this stuff down – this isn’t iOS or whatever – but better communication, perhaps clearer labels and warnings are definitely needed.