Linked by Thom Holwerda on Wed 16th Dec 2009 21:38 UTC, submitted by whorider
Privacy, Security, Encryption This news is already a week old, but it only got submitted to us today, and I didn't notice it all. As it turns out, two malicious software packages had been uploaded to GNOME-Look.org, masquerading as valid .deb packages (a GNOME screensaver and theme, respectively).
Permalink for comment 400108
To read all comments associated with this story, please click here.
RE[2]: Bottom Line - KDE4 does this well
by jabbotts on Thu 17th Dec 2009 15:16 UTC in reply to "RE: Bottom Line"
jabbotts
Member since:
2007-09-06

For general package install, I shudder to consider a system that allows users accounts to toss anything they want on there. I already have that with Windows allowing things like Skype to install without admin privileges. Reducing the required privileged to install software is just not good thinking.

Now, for things like DE themes, KDE4 actually does just that. In the desktop properties one can select from the provided backgrounds or click "get more" resulting in a a list of themes and such available for download. Select them background or theme and down it comes into the user's ~/.kde without admin privileged. This sort of thing is less of a concern because it's not executable code user's can easily be fooled into downloading (wow.. another naked-britney.exe.. I must have it). The security issue returns to the vulnerability in the chair-keyboard interface rather than that and the design flaw of promoting user installed executables.

Reply Parent Score: 2