https://bugs.kde.org/show_bug.cgi?id=484275

            Bug ID: 484275
           Summary: Discover does not warn and confirm installation of
                    Flatpaks with potentially dangerous permissions and
                    when permissions change
    Classification: Applications
           Product: Discover
           Version: 6.0.2
          Platform: Fedora RPMs
                OS: Linux
            Status: REPORTED
          Severity: major
          Priority: NOR
         Component: Flatpak Backend
          Assignee: plasma-b...@kde.org
          Reporter: ngomp...@gmail.com
                CC: aleix...@kde.org, jgrul...@redhat.com,
                    trav...@redhat.com
  Target Milestone: ---

SUMMARY
I've noticed over time that when installing and updating Flatpaks, Discover
does not appear to warn when installing Flatpaks that have potentially
dangerous permissions (e.g. general filesystem access, session bus access,
etc.) or when permissions change on update.

This can lead to situations where the user is not fully aware of the
consequences of the action, potentially around hijacks or malware
installations.


STEPS TO REPRODUCE
1. Open Discover
2. Enable Flathub
3. Install "Podman Desktop" or "TeXstudio"

OBSERVED RESULT
Discover just installs the app.

EXPECTED RESULT
Discover prompts with a confirmation dialog warning about some permissions that
can allow outsized impact with malicious applications.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Linux 40 (KDE Plasma)
(available in About System)
KDE Plasma Version: 6.0.2
KDE Frameworks Version: 6.0.0
Qt Version: 6.6.2

ADDITIONAL INFORMATION
The idea here is to harden the installation process a little around Flatpaks in
response to what happened recently with Snaps[1][2].

[1]: https://www.youtube.com/watch?v=kzB6fHL_2Pg
[2]: https://popey.com/blog/2024/03/exodus-wallet-part-three/

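The check requested in this report could look like the following added example (not part of the original report and not Discover's code): it parses the `[Context]` group of a Flatpak `metadata` keyfile, flags permissions from an assumed risk list, and on update returns only the ones that were newly added. The app ID, the metadata samples, the risk list and the function names are constructed for illustration.

```python
import configparser

# Assumed risk list for this example; not Discover's or Flatpak's own policy.
RISKY = {
    "filesystems": {"host", "host-os", "host-etc", "home"},
    "sockets": {"session-bus", "system-bus"},
    "devices": {"all"},
}

# Constructed sample metadata for a hypothetical app, before and after an update.
OLD_META = """[Application]
name=org.example.Editor

[Context]
shared=network;ipc;
sockets=wayland;fallback-x11;
filesystems=xdg-documents;
"""
NEW_META = OLD_META.replace("fallback-x11;", "fallback-x11;session-bus;") \
                   .replace("filesystems=", "filesystems=host;")

def parse_context(metadata_text):
    """Return {key: set(values)} from the [Context] group of Flatpak metadata."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keyfile keys are case-sensitive
    cp.read_string(metadata_text)
    if not cp.has_section("Context"):
        return {}
    return {k: {v for v in val.split(";") if v} for k, val in cp["Context"].items()}

def risky_permissions(ctx):
    """Permissions from the risk list that the app requests."""
    found = set()
    for key, values in ctx.items():
        for v in values:
            if v.startswith("!"):       # "!x" revokes a permission, not a grant
                continue
            base = v.split(":")[0]      # drop :ro / :rw / :create suffix
            if base in RISKY.get(key, ()):
                found.add(f"{key}={v}")
    return found

def needs_confirmation(new_meta, old_meta=None):
    """All risky permissions on install; only newly added ones on update."""
    new = risky_permissions(parse_context(new_meta))
    old = risky_permissions(parse_context(old_meta)) if old_meta else set()
    return sorted(new - old)
```

An empty result means no prompt is needed; because the full value is compared, a change such as `home:ro` to `home` also shows up as a new permission on update.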