Patroncast S04E13 - Plasma add-ons need to lose their permissions
Added 2024-03-26 11:49:09 +0000 UTC
Hey everyone!
In this one, I talk about:
01:42 Plasma themes and add-ons having the right to run arbitrary code, and why anything other than preventing them from doing so isn't an acceptable solution
15:30 Sticking to KDE, or discussing the reasons why, for once, I don't feel the need to tweak / customize and finally leave KDE for GNOME
Let me know what you think!
Comments
Hey Nick, I don't think you're an extremist when it comes to that KDE flaw. It's really baffling that theming for some reason has the permission to launch bash scripts and whatnot, maybe even with root privileges if the theme includes an SDDM theme. What scares me even more is that the first mitigation that KDE devs decided on is to warn users that they're downloading unreviewed packages that might have security risks... This is not okay at all, and I think that global theme downloads should be disabled until a proper mitigation like sandboxing is in place, because now that the news is out, I wouldn't be surprised if some people started experimenting with distributing malware through this loophole. What a nightmare! If such a situation were happening on Windows, you can be sure that the Linux community would be pointing fingers and laughing at Microsoft. It's pretty bad buzz for the Plasma 6 release, what a shame. I've been playing around with Kinoite lately, but issues kept adding up with KDE and Wayland on Fedora, and this security hole might just push me back to something else, maybe XFCE or Cinnamon on Fedora or Debian, I don't know.
UsernamesAreHard
2024-03-26 22:25:24 +0000 UTC
I like how GNOME and KDE cover a different scope -> If you want a DE that provides (and kind of forces) workflows on you, you can use GNOME. This fits the idea that most users 'use programs, not operating systems and desktop environments'. If you want your 'options on top of options next to other options with options inside options' -> KDE can be your desktop (my desktop for sure :-p). The incident with the Plasma themes looks to me like an example of 'not everyone in the world has good intentions'. In cybersecurity, it is a rule of thumb: if you want more security, you have to put more limits on yourself. Limiting the possibilities when applying Plasma themes looks like a logical remediation.
Edoardo Regni
2024-03-26 20:14:59 +0000 UTC