- cross-posted to:
- linux
You must log in or register to comment.
I’ll admit I have zero insight and haven’t looked into this, but at first glance, I don’t understand why a desktop environment theme engine is unable to provide enough functionality for theme creators to do their thing without resorting to arbitrary command execution…
I trust KDE devs to address this quickly, but this is a pretty major oversight IMO…
“Global Themes” in Plasma do more than just styling
To developers it’s not a surprise that third party plugins can do this sort of thing. It’s as intended. A global theme can ship custom lockscreens, custom applets, custom settings and all of these can run arbitrary bundled code. You can’t constrain this without limiting functionality.
https://blog.davidedmundson.co.uk/blog/kde-store-content/
Naturally this is not what an end user expects when browsing for themes, and the warnings don’t make up for the risks.
I hope devs can find a better way to ship this rich functionality, or at least introduce an automated “canary-release” process to the KDE Store that takes down themes that misbehave.
This sounds very amateurish from Plasmas part as allowing themes to run bash scripts sounds like a very bad idea no matter how you look at it.
Themes should probably have something like their own domain specific language (DSL) that can be fed to the “theme engine”(?) which will make the requested changes. If additional functionality is needed it should be provided through separate modules/plugins or something.
My thoughts were sandboxing, so run it in a container with only predefined hooks out. That way you know what parts of the system a theme is wanting to change or access (think flatpak).
I do like the use of subset languages to reduce attack surfaces (eBPF comes to mind as an example definitely not a solution to here those lol).
Original report, in English:
https://old.reddit.com/r/kde/comments/1bixmbx/do_not_install_global_themes_some_wipe_out_all/
It’s possible that this deletion was a shell script mistake rather than malice, but it really shouldn’t be allowed either way. It’s made even worse by the UI that encourages users to install themes that that could have been made by anyone, with practically no oversight, and with no warning that they can execute arbitrary code.
I like KDE for a lot of reasons, but I’m ashamed of them for this irresponsible blunder.
Let’s hope they respond by closing this hole and any others like it. If they have to break compatibility with existing themes, now seems like a good time for it, since Plasma 6 was only just released.
Uk this prolly is an unpopular opinion, but KDE just isn’t as stable as it should be. When I used KDE (even when my friend used it) something or the other ALWAYS broke. Like just like that! The wifi icon bar or whatever disappeared. Why? Cuz it wanted to… Uggh it just feels like using alpha software, uk…
If Lemmy has taught me anything this is a Linux user’s dream because now they can install Linux on the machine.
NixOS users be like : meh, just rolling back
I keep seeing comments about NixOS. As a relative newby just messing around for themselves, is there anything stopping me from/I should know about taking the plunge?
I’ve only dipped my toe in Ubuntu.
As someone who’s using it daily:
It’s pretty cool. But it’s not a “best” solution. It, like anything, has upsides and downsides.
So let me quickly summarize NixOS for you:
you will have to learn new how to configure your system. You can’t go into your Settings App anymore (well, you still can, but then you could just stay on Ubuntu, that’s the whole Point of NixOS) but instead you’ll have a file in /etc/nixos/configuration.nix everything System goes into that Config File. Then you can also use home-manager to customize your user. i.e. you want to use a special ssh setting. Home-Manager is (in my opinion) only useful if you have multiple Computers and sync your Config Files between them (in my case via Git) as any change made on one Computer will be synced to the other.
so you have a lot more effort upfront. You have to relearn how to do stuff and you have to use a complicated File instead of a simple GUI.
BUT:
Once you did that effort, it is done. forever. You can just copy that Config file anywhere and you’re back on the exactly same system. Have two Computers and want to sync them? NixOS is the absolute best Option for that imo.
Spinning up a lot of Servers/VMs that you want to be pre-configured and ready for use? NixOS. Servers you always want the same way? NixOS. you can also already declare public keys you use for SSH Authentications.
so, you see, NixOS isn’t for everyone. It certainly is for me, but if you only ever use one Computer and prefer GUIs, stay away.
This is a really good explanation! Thanks.
How is this any different than skeletons and using up ansible, salt or chef? Also hear a lot about Nix but don’t see the OS of NixOS
Ansible is more like a bash script, NixOS is a Config File
If i remove a line from Ansible, nothing happens.
If i remove a Line from my NixOS Config, it resets that Setting to its Default / uninstalls the Package / whatever.
-
You can always be sure that your NixOS is exactly like in the Config, since most of the OS is Read-Only. You can basically debug your entire OS in the Config Files.
-
some other Comfort Features. Better Readability of NixOS Configs, better integration, and obviously the nixpkgs package manager which is just chefs kiss
Edit: sorry, didn’t see the last part.
The difference between Nix and NixOS:
Nix refers to the Nix Packege Manager. Its Packages are called Nixpkgs
Nixpkgs are a new way to package packages without dependencies overwriting each other. Each package gets a uuid. So if one package needs dependency-x version 1.2 and another needs version 3.5, you can have both installed at the same time, since they’re installed in folders like “hansfhanazavdialavsislbajsknsvsjsksbhalvsja-dependency-x-1.2” instead of both trying to install into /etc/dependencyx (i know they don’t belong into /etc, this is for demonstration purposes)
This is pretty cool and solves the dependency-hells you otherwise deal with. Many tout this as the real alternative Solution to Snaps and Flatpaks, although i personally don’t see it that way since i think we need to move towards a sandboxed package-format and nixpkgs isn’t that. So i personally use nixpkgs for system-applications and install user-applications via flatpak.
Then there’s NixOS:
NixOS isn’t a Fork of any Distro. Those madlads decided to take the nixpkgs and the Linux Kernel and just create a new Distro from thin air. And it somehow worked.
NixOS uses the Nix-Daemon to read your configuration, install your packages, link them (from /nix/hwghaajvshkavahakaj-bash to /etc/bin/bash etc) and to configure your System (i.e. what ssh keys are allowed to connect)
This way NixOS has become a declarative Distro on top of the Nix Package Manager
-
And it shares a name with a Bad Dragon toy!
fascinating username to join the conversation at this particular moment in time
I keep wanting to dabble with nixOS as it almost seems like the docker compose of OS’s
But every now and then someone comments and acts like it’s really hard or something.
I so scared
If you can wrap your head around docker compose, you can handle nix.
That is to say, I’d sounds like you aren’t afraid of tinkering and looking at other people’s solutions until you get your setup right. That’s what NixOS is all about.
Solve that problem once, you’ve solved it forever. You don’t need to remember how you did it next time.
Now, THATS something I can get behind.
I daily drive it on 2 machines. Overall, it is super simple, if you know how to ready json or yml, you will understand the config file instantly. However, it is a unique OS, and works different than most other distros. As a result, any guide made for other Linux distros needs to be thrown out the window. It also doesn’t natively support most self executing packages like app image. All that said, it is fun and easy, just make sure when you look for support, you are looking for NixOS support.
nixos is like the hyper power user OS i think. Think of it like unixporn, if you like spending hundreds of hours perfecting your rice, you will love nixos (probably) if not, and you dont really care (like me) go use debian or arch or something else instead.
Neon explained it better than I ever could! I hope their answer satisfies you
It did! Thank you for sparking the conversation.
But the script only deleted files in /home
Imagine not having a backup of your files 😳
I don’t actually. All stuff I care about is on code hosting platforms
I know this story is more-so about a trojan in a trusted place, and not general security, but I have an anecdote to share.
So, time to fess up here. I previously complained about Google trapping me in captcha-hell for enabling Ublock Origin.
I was wrong.
Turns out that I had visited a movie streaming site a while before to watch a season of some show, I forget which. Without any downloads or noticeable input on my part. My Linux box apparently got hacked/malware. All I did was click the occasional “I am a human” box on the website, and sit back with popcorn.
I found out when my ISP starting blocking IP addresses some time later. I checked my modem’s logs, and they showed some unexplained traffic to impossible “unassigned” IP addresses afterward. I didn’t notice for a while.
I was stupid. Even worse, my phone also started behaving badly after that. I think I watched the last few episodes in bed, so must have infected that too.
Don’t assume any system is automatically safe.
I really doubt anything escaped the browser, but websites can make nefarious connections, sure.
I hope so. It’s more likely something infected Firefox itself, and didn’t get into the OS. But when I checked the modem logs, it happened up to a couple of months after the fact. That’s worrying.
What’s even more worrying is that a couple of websites told me I had an IP address that didn’t match my home IP, but would provide the correct one if I refreshed the page a couple of times. So some kind of covert proxy or VPN type of thing was happening.
I ended up just wiping everything, to be safe. Still a bit paranoid though.
deleted by creator
As a KDE user and a very new Linux user, this is a little disappointing. I’m glad it didn’t happen to me.
Use Firefox Translate please ;D
Trick: use Firefox translate, export website using singlefile, share the website as html.
Oops. This is why you install themes from sources you trust.
This came from the KDE theme store. Most Plasma users trust KDE.
Yes, but KDE store does not suggest checking them at all. Unless you are curious you won’t know that themes can run scripts.
Would this be possible to fix on btrfs, or would you have to create a snapshot first?
The “fix” would be to not allow themes to execute code in the first place.
I mean once files are deleted maliciously or accidentally
you would need to have created a snapshot beforehand.
Then you could restore to the last snapshot. But you would need a live system to do that, if your installation is broken
