That is not possible. Widgets and Global themes have to be able to execute code to work.
By the way: the code was not malicious, just badly written.
@Bro666 @Pantherina
Yes, but why does this code have full access instead of running in a sandbox where the access is limited, like with Flatpak packages?
I think that is one of the questions being debated by the Plasma developers. You may have more luck getting a complete answer here:
https://matrix.to/#/#plasma:kde.org
Why do global themes need to do that? Aren't they just color and image files, maybe audio?
It doesn't really matter if the code was malicious or not, this should not be possible.
Another example of how damn insecure Linux is. Just because it's not the Snap Store, we don't have tons of malicious addons on Pling.
@Pantherina @Bro666
That is regular themes.
_Global_ themes also modify the desktop’s behavior and hence contain code to do that.
@Pantherina
Yeah, by the same logic let's also call hotdogs dangerous because people have also choked on them!
https://nypost.com/2023/07/11/4-year-old-girl-dies-after-choking-on-costco-hot-dog-report/
At some point we should understand and agree that PEBKAC is a real thing. Logic dictates not to blame Linux and hotdog, and instead understand the consequence of using unverified/unvetted software.
@Bro666
This makes no sense.
The equivalent would be
A: have a hotdog you buy, which you eat with your teeth and your gut and you know how to do it (and also that hotdog doesn't interfere with your body, it's a theme not actual molecules that comparison still makes no sense)
B: have a hotdog that decides how it is eaten, and manipulates your body to eat it in any arbitrary way
@Pantherina
I’m sorry that this bug has happened.
But did you, or whoever faced this bug, “eat” it with your “teeth” though? No, they didn’t. Why? Because like any proprietary software, OpenSource tools also come with certain terms and conditions that the user is expected to read, digest, understand, accept, and then utilize the tool:
https://fosstodon.org/@Mehrad/112128648273530651
The user had every possible chance in the world to read the code and make sure it doesn’t do what it’s not supposed to do.
🧵👇
Yes for sure, but Firefox, Android etc are also all opensource and allow to install only opensource components, still their model is way more secure.
But for sure, KDE will never become as restricted, as otherwise these extensions would not exist.
@Pantherina
I agree, although there are three things worth mentioning:
The conventional Android is not that opensource. It is bundled with tons of proprietary Google stuff. That’s why de-googled Android does not provide as smooth an experience.
Android does not restrict you to “only OpenSource” components. WhatsApp for example is widely used and is not FLOSS.
🧵 👇🏼
Well, yes: the store does advise caution, as we have little control over themes and widgets uploaded by third parties. The same way we would advise caution about running random software downloaded from the internet. That said, it does say KDE Store, so we should have some degree of control over it for our users’ sake. That is what we are working on.
That said part II, we can’t do it without the wider community’s support. There simply aren’t the human resources necessary. The 2 options we have are to close down the store completely (but then people will just go to random GitHub repos and download stuff from there), or try to leverage the community to help us locate and remove (or at least quarantine) dodgy products.
@Bro666
One obvious fact that I thought would never need to be reiterated (but here we are):
Almost all OpenSource licenses approved by OSI and/or FSF have a “Disclaimer of Warranty” clause in one way or another. This is from MIT:
THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
https://opensource.org/license/mit
More examples:
https://opensource.org/license/gpl-3-0#section15