this post was submitted on 19 Jul 2024
31 points (100.0% liked)
KDE
110 readers
6 users here now
KDE is an international technology team creating user-friendly free and open source software for desktop and portable computing. KDE’s software runs on GNU/Linux, BSD and other operating systems, including Windows.
Plasma 6 Bugs
If you encounter a bug, proceed to https://bugs.kde.org, check whether it has been reported.
If it hasn't, report it yourself.
PLEASE THINK CAREFULLY BEFORE POSTING HERE.
Developers do not look for reports on social media, so they will not see it and all it does is clutter up the feed.
founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
It's probably worth noting that Plasma's customization support is useful not only to people looking for a special look & feel, but also as a proving ground for new things (and new approaches to old things) that can eventually make their way into mainline Plasma. Making things harder to customize would mean fewer people experimenting, refining ideas, and solving problems. With that in mind, I think that removing customization in hopes of simplifying test cases would be a mistake.
However, it's my understanding that some of Plasma's customization hooks allow third-party theme components to run arbitrary code, without even a warning, sandbox, or reasonable way for the user to inspect it beforehand. (This was in the news a couple months back, IIRC.) That was more or less okay 20-25 years ago, when malware on Free operating systems was almost unheard of, but it's dangerous and irresponsible in today's world, where extensions/plugins have become common attack vectors. I wouldn't mind a little loss of customization to shut down that vulnerability, at least until safer extension APIs can be built.
Yes I agree. There is a switch you can use to block installing Addons.
But that is also not nice. Sandboxing them, having a manual review process, would help. But that is a TON of work.
I also change some things like UI buttons and find it to be a core requirement. At the same time, I could live without extreme theming, or just having widgets on the panel, or just having a bottom panel etc.
This is a difficult decision, so I thought it would be a good idea to just find out what some users want.
This is why it would make sense to have a restrictive and simple API that supports basic extensions with little oversight. Configuration only; no executable code.
For the small minority of add-ons that would require executable code, there could be a separate API with a more involved installation process, making it obvious to the user that the trust and risk levels are different from the above. A sandbox feature could perhaps be developed in the long run, but that is indeed a ton of work and hard to get right, and isn't really necessary for this approach to be effective. Just having a software-style installation process (e.g. through a distro's package manager) and different APIs would go a long way toward protecting users.
And KDE components could be migrated to use that API and be separatable.
Currently it may be a bit messy.