https://bugs.kde.org/show_bug.cgi?id=484275
Bug ID: 484275
Summary: Discover does not warn and confirm installation of
Flatpaks with potentially dangerous permissions and
when permissions change
Classification: Applications
Product: Discover
Version: 6.0.2
Platform: Fedora RPMs
OS: Linux
Status: REPORTED
Severity: major
Priority: NOR
Component: Flatpak Backend
Assignee: plasma-b...@kde.org
Reporter: ngomp...@gmail.com
CC: aleix...@kde.org, jgrul...@redhat.com,
trav...@redhat.com
Target Milestone: ---
SUMMARY
I've noticed over time that when installing and updating Flatpaks, Discover
does not appear to warn when installing Flatpaks that have potentially
dangerous permissions (e.g. general filesystem access, session bus access,
etc.) or when permissions change on update.
This can lead to situations where the user is not fully aware of the
consequences of the action, potentially around hijacks or malware
installations.
STEPS TO REPRODUCE
1. Open Discover
2. Enable Flathub
3. Install "Podman Desktop" or "TeXstudio"
OBSERVED RESULT
Discover just installs the app.
EXPECTED RESULT
Discover prompts with a confirmation dialog warning about some permissions that
can allow outsized impact with malicious applications.
SOFTWARE/OS VERSIONS
Linux/KDE Plasma: Fedora Linux 40 (KDE Plasma)
(available in About System)
KDE Plasma Version: 6.0.2
KDE Frameworks Version: 6.0.0
Qt Version: 6.6.2
ADDITIONAL INFORMATION
The idea here is to harden the installation process a little around Flatpaks in
response to what happened recently with Snaps[1][2].
[1]: https://www.youtube.com/watch?v=kzB6fHL_2Pg
[2]: https://popey.com/blog/2024/03/exodus-wallet-part-three/
--
You are receiving this mail because:
You are watching all bug changes.
