First and foremost – there is no need for unnecessary panic! If diving into the settings to download and install an external global theme isn't your first move after getting the impressive Plasma 6 desktop environment set up, you're in the clear. Secondly, it's important to note that the KDE team is on top of the issue. Here's the scoop.
A Reddit user alerted (for reference here and here) about a significant issue with Plasma 6. Installing a specific external global theme triggers the execution of "rm -rf /" in the background. This command, known for its simplicity yet potential for extensive damage, wipes all data on the drive, including any additional mounted drives.
If you haven’t set up a dependable backup solution, you might justifiably consider this one of the darkest days you’ve experienced. In other words, there’s a risk that all your valuable content, cherished digital memories, and work-related data could be lost forever. Okay, how is that possible?
Firstly, let's reiterate that we're talking about an external global theme – a comprehensive package that includes things like window decorations, plugins, icons, colors, etc. According to the information available, the issue does not stem from malicious code intentionally inserted into the theme.
Instead, it arises from the combination of how the Plasma 6 codebase handles global theme implementation in the desktop environment and the specific theme itself.
Still, the Plasma theme at the center of these discussions, "Grey Layout," has nearly four thousand downloads and was previously used in Plasma 5 without any issues. Anyway, the theme has been removed from the KDE Store.
This leads to one primary concern – the efficiency with which the KDE team curates and audits the quality of external resources complementing and expanding its features. It might be time to reconsider how third-party themes are offered for download on Plasma.
David Edmundson, KDE Software Engineer & Project Lead, has just released a statement on this matter, which you can view here.
A global theme on the kde third party store had an issue where it executed a script that removed user’s data. It wasn’t intended as malicious, but a mistake in some shell parsing. It was promptly identified and removed, but not before doing some damage to that user.
This has started a lot of discourse around the concept of the store, security and upstream KDE.
The explanation is straightforward if you need clarification about how a theme could run system commands and erase your disk. When discussing Plasma 6 global themes, we’re not referring to the typical theme composed of a handful of CSS files, images, and some JavaScript that most would consider.
Instead, imagine the Plasma 6 theme as an application in its own right. It encompasses plugins with access to various system resources necessary for their functionality, including the capacity to execute system commands.
Essentially, anyone with the requisite tech skills can design a theme and share it on the KDE Store, triggering user issues whether by design or accident. It's evident that significant improvements are necessary in how the KDE Store manages the quality and verification of third-party software, a move Flathub has already made.
Finally, we highly recommend that you hold off installing any global themes on your Plasma 6 desktop environment. There is no way to know at the moment whether another one will appear and cause a problem. Unfortunately, the only way to know is after it has already happened.
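Because a global theme can ship scripts and plugins that run commands, the following added example (not from the KDE project or the original article) walks an already-downloaded, unpacked theme directory and lists scripts and command-execution patterns for manual review before installation. The pattern list, function names and sample files are assumptions made for this illustration, and an empty result does not prove a theme is safe.

```python
import os
import re
import stat

# Heuristics chosen for this example (assumptions, not a KDE-defined list).
RISKY = {
    "recursive delete": re.compile(r"\brm\s+-[a-zA-Z]*[rR][a-zA-Z]*\b"),
    "unquoted variable passed to rm": re.compile(r"\brm\b[^\n#]*\s\$\{?\w+"),
    "QML 'executable' data engine": re.compile(r"engine\s*:\s*[\"']executable[\"']"),
}

def audit_theme(root):
    """Return sorted (relative_path, line_number, reason) findings; line 0 = whole file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1_000_000)
            except OSError:
                continue
            if b"\0" in data:  # binary asset (image, font): nothing to read
                continue
            text = data.decode("utf-8", errors="replace")
            if text.startswith("#!") or os.stat(path).st_mode & stat.S_IXUSR:
                findings.append((rel, 0, "script or executable file"))
            for lineno, line in enumerate(text.splitlines(), 1):
                for reason, pattern in RISKY.items():
                    if pattern.search(line):
                        findings.append((rel, lineno, reason))
    return sorted(findings)

def build_sample(root):
    """Write a constructed theme tree (file names and contents are made up)."""
    samples = {
        "metadata.json": '{"Name": "Sample"}\n',
        "contents/scripts/cleanup.sh": '#!/bin/sh\nrm -rf $TARGET/cache\n',
        "contents/ui/main.qml": 'DataSource {\n    engine: "executable"\n}\n',
    }
    for rel, body in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)

if __name__ == "__main__":
    import sys
    for rel, lineno, reason in audit_theme(sys.argv[1]):
        print(f"{rel}:{lineno}: {reason}")
```

Run it with the path of the unpacked theme as the only argument; each output line is a file and line number to read by hand before deciding whether to install.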