- For those not in the know: aussie man explains. A KDE Plasma 6 global theme deleted a user’s files. Global themes may contain arbitrary Javascript code, and a bug (using a library written for Plasma 5) caused it to essentially run `rm -rf /*`, Steam-style. KDE have since removed the theme and are considering next steps to warn the user that the “official” KDE store contains user-submitted content, and that some addons may contain potentially dangerous code.
- I still remember that video I watched where a line in the Steam code back in the day was titled SCARY!!! and it was `rm -rf $STEAMROOT`. This nuked a guy’s computer because, short answer, `$STEAMROOT` was actually / root; long answer, here’s the video. This nuked both his PC and his external drive. That is some pretty bad code, but this JavaScript code is up there.
- That’s the issue I linked. The problem was that at some point a script executed `rm -rf "$STEAMROOT/*"`, but did not make sure that `$STEAMROOT` was set. If for some reason it was empty, the path became `/*` after substitution.
- So would it be funny if I made a meme like this except it was with the trojan horse meme template? I kinda want to 
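
The empty-variable failure described in the comments above, as an added example that is not part of any comment in this thread and is not Steam's or KDE's code. It prints the path a cleanup step would hand to `rm` instead of deleting anything; the function names and the demo directory are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed): shows the path a cleanup step would pass to
# rm. Nothing is deleted; the functions only print or refuse.

# Pattern from the thread: the variable is used without checking it is set.
unsafe_target() {
    printf '%s\n' "$1/*"
}

# Guarded variant: accept only an absolute path that resolves to an
# existing directory other than the filesystem root.
safe_target() {
    root=$1
    case $root in
        /*) ;;   # absolute path: keep checking
        *)  echo "refusing: '$root' is empty or relative" >&2; return 1 ;;
    esac
    # Resolve "..", "." and symlinks so "/tmp/.." cannot slip through.
    norm=$(cd "$root" 2>/dev/null && pwd -P) || {
        echo "refusing: '$root' is not a directory" >&2; return 1
    }
    case $norm in
        *[!/]*) ;;   # contains something other than slashes
        *)  echo "refusing: '$root' resolves to /" >&2; return 1 ;;
    esac
    printf '%s\n' "$norm/*"
}

# ${VAR:?} aborts the expansion when VAR is unset or empty. It runs in a
# subshell here so the failure does not end the calling script.
expansion_guard_trips() {
    if ( unset STEAMROOT; : "${STEAMROOT:?STEAMROOT is not set}" ) 2>/dev/null
    then return 1
    else return 0
    fi
}

# Demo with constructed values.
demo_dir=$(mktemp -d)
echo "unsafe, empty root: $(unsafe_target '')"
echo "safe, real root:    $(safe_target "$demo_dir")"
safe_target '' 2>&1 || true
expansion_guard_trips && echo '${STEAMROOT:?} stopped the empty expansion'
rmdir "$demo_dir"
```
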
 
- Is this affecting both Plasma 5 & 6 then?
- This particular issue was caused by a breaking change in Plasma 6 and bad handling in a specific global theme.
- The general security concerns that were being brought to light, however, apply to all versions.
- It should only affect Plasma 6 because of some breaking change to how a Javascript function returns a path. 
 
 
- It’s only 3 layers deep, shame on you and your laziness
- I will await the 100 recursive layers SVG version later today, do not disappoint me (please).
- I’m afraid I didn’t make it and just stole it
 
 
- Gottem
- Seriously though, we need to work on improving security. A theme probably shouldn’t be running code, and if it is, it needs to be sandboxed with its only access being an API
- It’s kind of horrifying nobody thought that through. What else did they fail to think about?
- I know I’m late with this but it’s not just a theme. It’s a global theme. Those need to run code, so they really can’t be sandboxed the same way a regular theme can be
 
 
- Why do themes need to run code?
- They shouldn’t. At least use some kind of super locked down API if you’re gonna let people use javascript of all things in your theming system god damn
- Actually I’m pretty sure C would be much worse
- Well, you can literally create a C program in bash using themes, compile and execute it.
 
 
- Real “What does God need with a starship?” energy. 
- Setting themes does many things and they are not like adding a colorscheme or so. Like there are tweaks that come with themes which need shell access to heavily modify the desktop 
- People in one of the other threads were speculating that it is widgets, or one theme that is able to do multiple configurations. Really should be containerized or something, tho. 
- So they can include cool features like auto debloating /home/ 
 
- Theme applied successfully!
- Yeah, shouldn’t it say something like “ha ha get fucked”?
 
- Is this the reason Bleeping Computer made that article about malicious KDE themes? I saw it in my feed but didn’t think much of it 
- Fucking CJS. Please use ESM to delete all my files 🙏 
- Make this go away. Malicious “jokes” like this one do not deserve any clout.
- `rm -f sense_of_humor.bin`
  `rm: sense_of_humor.bin: No such file or directory`
- Changelog: Hi, guys. So you probably noticed that I pulled the humour repo. Short answer is it was conflicting with everything, and I don’t have the time or energy to fix it. My advice is to remove humour from your dependencies and purge it from the system. Sorry, I know how important humour is to some of you. If anyone wants to take up maintenance of the repo, I can mail you the terabytes of error logs you need to sort through.
 
- rm -rf $SENSE_OF_HUMOR/*
 
- On the contrary, in my opinion if they are clearly labelled as a joke, they are a great way for people who don’t understand them to ask why and, in the process, become a little more informed on what not to do and what is dangerous. Especially because there’s really no risk of emulation in this case.
- I wasn’t originally going to upvote this post because of laziness, but your comment inspired me to lmao 
- Oh, you’re going to love my fork bomb jokes. I try to slip them in everywhere. 
 












