Registered Member
Is it possible currently to disable KDE's integration with kde-look and other opendesktop.org sites?
The question has been on my mind a while, but came up again today when I saw this thread on ubuntuforums: http://ubuntuforums.org/showthread.php?t=1349801 Basically, some script kiddie uploaded a screensaver .deb with malicious code in it (nothing awful, but that's not the point). I've released things on kde-look.org as well, and I happen to think that the integration with the desktop is a cool feature. But I don't like the security implications now. I'm not saying it should be removed completely, just something a root/admin user can disable globally. Thoughts?
admoore, proud to be a member of KDE forums since 2008-Oct.
Administrator
KDE's Get Hot New Stuff support, which provides the kde-look.org integration, is not able to install any form of executable or packaged content, and only extracts the file's contents to the directory requested by the application. The application usually handles it from there.
KDE Sysadmin
Administrator
First, it is not possible, apart from just not using the "Get Hot New Stuff" dialog.
But I don't think it should be at all. The problem is somewhere else. KGHNS only downloads and places content into a certain dir, without executing anything. And running the "newly installed screensaver" as.. well... screensaver results in nothing at all. You'd need to run the .deb with the appropriate app. And then again, you would need to enter your pw/root pw to even be able to install it. So that is basically an educational question. Or there could be something like a "report abuse" button being added to the dialog.
Registered Member
Surely this incident should be a wake up call in a way, though; can you imagine no attack vector here?
I guess, since packages aren't involved, root privileges aren't required so the threat is mitigated somewhat. But having written some python plasmoids (which you can get through the "install new widgets" dialog), I know that the possibilities are pretty open as far as what the code can do. I'm not trying to be alarmist or reactionary here, but this is worth chewing on a bit I think. People kept saying in the ubuntuforums thread that it's the user's fault for downloading from an untrusted website; so I put the question out -- is opendesktop.org an untrusted site? If so, what are the ramifications for kde to be so seamlessly integrated with it?
admoore, proud to be a member of KDE forums since 2008-Oct.
Administrator
The site's copyright notice clearly mentions:
I don't know how or if at all the uploads are screened. What I can suggest is to avoid installing blindly. Find the content on the website itself and read the response before you fire up the installer using KGHNS.
Administrator
I think the point is that "normal users" don't know about that. For example, package managers usually have approved repositories enabled by default, but you have to enable third-party repos yourself. Most of the content (wallpapers, themes) should be relatively safe, but I agree that plasmoids could be potentially harmful.
Administrator
No, I agree as well. Of course, a trusted source is more acceptable. But after all, third party stuff can't always be trusted, right? From my end, I just quickly review the user comments before I try a new package from any source, not only kde-*.org websites. I can't speak of any review mechanisms they should have or related, but it might be a good idea to have a validation system. But of course, depends on the site's upload policies in the end.
Administrator
KGNS should support signing at some point, unsure about when, though. Also, KGNS does not allow you to install stuff system wide (this trojan was a .deb file).
"Violence is the last refuge of the incompetent."
Plasma FAQ maintainer - Plasma programming with Python
Registered Member
Can kiosk be used to control this? I am under the impression this is exactly the sort of thing kiosk was designed for.
Man is the lowest-cost, 150-pound, nonlinear, all-purpose computer system which can be mass-produced by unskilled labor.
-NASA in 1965
Administrator
This is most certainly in Kiosk's realm of what to control, although I do not know if it is possible at this time.
KDE Sysadmin
Registered Member
This is the impression I get regarding plasmoids: it's not sufficient to install them - they also have to be placed somewhere in Plasma before they execute whatever command they do, and they can't execute the command again after being removed (unless using .kde/Autostart or similar). Moreover, it actually seems that Plasmoids have access to the user's directories, whether base plasmoids or scripted plasmoids from kde-look.org (or anywhere else for that matter).
Have I got all that right?
Madman, proud to be a member of KDE forums since 2008-Oct.
Administrator
Basically, yes.
Registered Member
The very, very last point is what is kinda worrying (scripted plasmoids accessing the directory), though I guess it's also kinda necessary for some functionalities.
One idea: OpenDesktop could use a, "Under Review" button on new stuff in certain categories (applications, plasmoids etc.), similar to Firefox's, "Experimental Add-ons" button. Stuff in this section will need you to agree that, "Only do this if you want to test it" and, "might be dangerous" bla bla bla kinda stuff. When, "enough" people agree that it's not dangerous ("enough" to be defined), then it can come out of review status and be available to get without the annoying message and, consequently, through GHNS. This also begs the question, though: should a similar system be placed for stuff marked, "experimental" or, "unstable" by the developers? Though it would help the end user by only exposing them to stuff that's tried and true, will it possibly slow down the development process for individual developers?
Madman, proud to be a member of KDE forums since 2008-Oct.
Registered Member
The problem is, who's going to review all of them?
Actually, does Mozilla review the Firefox extensions? If I remember correctly, there was a malware toolbar on the Addons site which was promptly removed. Some Firefox extensions sometimes bundle binaries (windows-only extensions) so they pose an equally big threat.
Registered Member
The (bleeding-edge, might-hurt-your-children, separate-test-machine type) community, I supposed. The same that test development releases. You know, require a log-in, register if the user downloads the widget, then provide an, "All clear, cap'n!"-type button that the person can click. I think this would be more reliable than simply relying on the current comments system, though slightly more tedious for all parties as well...
Madman, proud to be a member of KDE forums since 2008-Oct.