KDE Incident Deletes User Files

KDE has recommended against installing unofficial global themes and widgets after an incident in which a user’s personal files were inadvertently deleted. The incident occurred when the user applied the Grey Layout global theme from the KDE Store catalog, which had approximately 4000 downloads. The deletion is believed to have been unintentional, the result of improper use of the rm -rf command.

Global KDE design themes can include plasmoids, which can execute arbitrary commands, including file deletion. When code uses a construct such as “rm -rf $VAR/*” and the variable turns out to be unset or empty, the command that actually runs is the destructive “rm -rf /*”. Similar errors have been found in the initialization scripts of Squid, Steam, and Bumblebee.

The incident was linked to a plugin called PlasmaConfSaver, whose save.sh script accidentally deleted user configuration files. The script removes old configuration files without verifying the $configfolder variable, potentially leading to the deletion of all user data. The plugin was originally designed for KDE 5, and changes in KDE 6 caused a logic error that resulted in the unintended deletion of files.
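The missing check described in the two paragraphs above can be written as a guard around the cleanup step. This is an added example, not code from PlasmaConfSaver or KDE; the function purge_config_dir, its arguments and the sandbox layout are hypothetical.

```shell
#!/bin/sh
# Added example; purge_config_dir and its arguments are hypothetical names.
#
# Unsafe pattern from the text (comment only, never executed here):
#   rm -rf $configfolder/*      # an empty $configfolder turns this into: rm -rf /*

# purge_config_dir DIR BASE
# Empties DIR only when it is set, exists, and resolves strictly below BASE.
# Returns 0 after a successful purge, 1 when it refuses or a removal fails.
purge_config_dir() {
    dir=$1 base=$2
    if [ -z "$dir" ] || [ -z "$base" ]; then
        echo "refusing: empty path" >&2; return 1
    fi
    if [ ! -d "$dir" ] || [ ! -d "$base" ]; then
        echo "refusing: not a directory" >&2; return 1
    fi
    # Resolve symlinks and ".." so the containment check uses real paths.
    real_dir=$(CDPATH= cd -- "$dir" && pwd -P) || return 1
    real_base=$(CDPATH= cd -- "$base" && pwd -P) || return 1
    case $real_dir in
        "$real_base"/?*) ;;     # strictly inside BASE, never BASE itself
        *) echo "refusing: $real_dir is not below $real_base" >&2; return 1 ;;
    esac
    # Remove regular and hidden entries; unmatched globs stay literal and are skipped.
    for entry in "$real_dir"/* "$real_dir"/.[!.]* "$real_dir"/..?*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue
        rm -rf -- "$entry" || return 1
    done
    return 0
}

# Constructed demo inside a throwaway sandbox directory.
sandbox=$(mktemp -d) || exit 1
mkdir -p "$sandbox/config/old"
: > "$sandbox/config/.hidden"
: > "$sandbox/keep.txt"
configfolder=""                 # simulates the variable that was never set
purge_config_dir "$configfolder" "$sandbox" || echo "empty configfolder rejected"
purge_config_dir "$sandbox/config" "$sandbox" && echo "config folder emptied"
[ -f "$sandbox/keep.txt" ] && echo "files outside the config folder untouched"
rm -rf -- "${sandbox:?}"
```

The final cleanup line uses the ${sandbox:?} expansion, which makes the shell abort instead of running rm when the variable is empty.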
