The biggest issue with KDE Plasma is that global themes can, and will, run arbitrary code, and this has led to data loss in the past. This presents an attack vector that, at the time this incident happened, most people weren't aware existed and even made KDE developers add a warning.
Theming may be optional, but these are flagship features of KDE and part of why it's used, and known. Since it's a main part of the DE, and GNOME has a more Apple-like model of customization, and so doesn't have this attack vector, this is probably one of the reasons why it's recommended over KDE.
I like KDE a lot, I use Plasma, and I'm aware of these flaws so exercise caution accordingly, but since we have to assume not all users are the same, GNOME is the safer option (in this regard, at least). This is just my 2 cents.
I hope that the newly announced Plasma Next and KDE Union projects will fix the theming in a secure way.
I suppose GNOME also has a big security problem with 3rd party extensions that act like a real-time hack of the gnome-shell. I guess they are not audited because they're not official?
Other than what has already been mentioned about the display isolation, GNOME implements sandboxing for their thumbnailer and indexer, but at least the indexer has been exploited in the past, and although they have been hardened more, I would just disable them both anyway in GNOME or KDE. Otherwise, they are a bit similar, with GNOME implementing insecure extensions, and KDE implementing insecure global themes. Not sure about the "old school" stuff since KDE adapts newer technology (see Wayland and ARM maturity for example) faster than any other DE. Also don't know about memory safety in GNOME vs KDE. But the aspect of Qt vs GTK is interesting: Qt is maintained by a huge corporation while GTK is maintained by a few open source volunteers, so Qt might seem more secure from this aspect, but the issue is that Qt5 LTS updates are proprietary and paid, so the apps that still use it are technically using an end-of-life version, although KDE has maintained open source updates for it, but there is no way to make sure they fix all the vulnerabilities and bugs.
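The point made above, that a global theme or a shell extension is code you are installing into your session, suggests a check a cautious user can do before installing: open the downloaded archive and list what in it is executable or scriptable. The following is an added example, not code from this thread or from the KDE or GNOME projects. The archive layouts it assumes (a tarball with `metadata.json` and a `contents/` directory for a Plasma global theme, a zip with `metadata.json` and `extension.js` for a GNOME Shell extension), the sample files, and the list of suffixes treated as "code" are constructed for illustration.

```python
"""Pre-install inspection of a theme/extension archive (added example, not project code)."""
import io
import stat
import tarfile
import zipfile
from dataclasses import dataclass

# Assumption: suffixes the desktop (or a hook it runs) may execute.
CODE_SUFFIXES = (".js", ".qml", ".sh", ".py", ".pl", ".rb", ".so")


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _check_entry(name: str, mode: int, is_link: bool, findings: list) -> None:
    """Flag one archive member: traversal, links, exec bits, code files."""
    if name.startswith("/") or ".." in name.split("/"):
        findings.append(Finding(name, "path escapes the install directory"))
    if is_link:
        findings.append(Finding(name, "link entry can point outside the package"))
        return
    if mode & 0o111:
        findings.append(Finding(name, "file has an executable bit set"))
    if name.lower().endswith(CODE_SUFFIXES):
        findings.append(Finding(name, "file is code the desktop may execute"))


def inspect_archive(data: bytes) -> list:
    """Return findings for a zip or (possibly compressed) tar archive given as bytes."""
    findings: list = []
    buf = io.BytesIO(data)
    if zipfile.is_zipfile(buf):
        buf.seek(0)
        with zipfile.ZipFile(buf) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                mode = (info.external_attr >> 16) & 0o7777  # unix mode stored by zip writers
                _check_entry(info.filename, mode, False, findings)
    else:
        buf.seek(0)
        with tarfile.open(fileobj=buf, mode="r:*") as tf:
            for m in tf.getmembers():
                if m.isdir():
                    continue
                _check_entry(m.name, m.mode & 0o7777, m.issym() or m.islnk(), findings)
    return findings


def build_tar(files: dict) -> bytes:
    """Constructed test input: {name: (content, mode)} -> gzipped tar bytes."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tf:
        for name, (content, mode) in files.items():
            ti = tarfile.TarInfo(name)
            ti.size = len(content)
            ti.mode = mode
            tf.addfile(ti, io.BytesIO(content))
    return out.getvalue()


def build_zip(files: dict) -> bytes:
    """Constructed test input: {name: (content, mode)} -> zip bytes."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, (content, mode) in files.items():
            zi = zipfile.ZipInfo(name)
            zi.external_attr = (stat.S_IFREG | mode) << 16
            zf.writestr(zi, content)
    return out.getvalue()


# Constructed samples (assumed layouts, not real packages from store.kde.org or extensions.gnome.org).
SUSPICIOUS_THEME = build_tar({
    "metadata.json": (b'{"KPlugin": {"Id": "example-theme"}}', 0o644),
    "contents/layouts/org.kde.plasma.desktop-layout.js": (b"// layout script", 0o644),
    "contents/code/setup.sh": (b"#!/bin/sh\necho hi\n", 0o755),
})
BENIGN_THEME = build_tar({
    "metadata.json": (b'{"KPlugin": {"Id": "example-theme"}}', 0o644),
    "contents/defaults": (b"[kdeglobals][General]\nColorScheme=Breeze\n", 0o644),
})
EXTENSION = build_zip({
    "metadata.json": (b'{"uuid": "example@example.org"}', 0o644),
    "extension.js": (b"export default class Ext {}", 0o644),
})

if __name__ == "__main__":
    for label, blob in (("theme", SUSPICIOUS_THEME), ("benign theme", BENIGN_THEME), ("extension", EXTENSION)):
        print(label)
        for f in inspect_archive(blob) or [Finding("-", "nothing executable found")]:
            print(f"  {f.path}: {f.reason}")
```

The check does not say whether the code is malicious, only that there is code to read before you install; a Plasma layout script or a Shell extension is expected to show up, which is exactly why a "review before installing" warning makes sense for both.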
The default keyring in GNOME appears to have some security issues.
But also true for KDE
Probably better to use KeePassXC? Being written in Qt is kind of an advantage of KDE imo because I don't want to unleash a dependency hell.
There's the fact that KDE uses a Chromium webview, which might be more secure than the WebKit-based webview of GNOME, but not sure, as it only has one release that only fixes bugs and vulnerabilities every 1-3 months in distros that keep up (e.g. Fedora, not in Debian though), and it only upgrades to the latest release every 6 months, so it might very well end up being less secure, idk.
If you use Fedora, KDE has the advantages of somewhat usable compatibility with selinux confined users and not getting frozen (although GNOME releases coincide with Fedora releases for the most part).
Ignoring all these technical details though, GNOME is a corp distro, so it might be more scrutinized? Plus having a lot less features, which could possibly translate to less attack surface? Not sure.
To be fair to KDE, I think itās mostly developed by volunteers and switching the foundational toolkits and languages theyāve been based on for so long sounds very impractical. Carbon might be the best bet for projects who canāt switch away from C++. Iām not sure how GNOME is much better in that regard as I believe they mostly use C.
It is logical that more eyes are watching the code because of its corporate usage, but I actually think GNOME has plenty of features… they are just obfuscated and hidden by design. I suppose the code size of both DEs is pretty similar.
True. Both C and C++ are not memory safe languages so I suppose thereās not a lot of difference there.
KDE now uses QML for a lot of things while GNOME uses JS and TypeScript. Any meaningful difference there? I personally find it silly to write anything with JS but I suppose they have a reason for it.
That thing about the actual size of codebases sounds reasonable. I remember reading that Mutter and KWin had a similarly sized codebase (although I can't remember where I read this).
The corp aspect is hopefully changing with SteamOS, and Fedora KDE now has the same status as the GNOME edition. Although I donāt see this happening for RHEL any time soon.
The one-click file previewer? That should also be disabled.
Fedora with GNOME
The search feature in the GNOME overview directly runs dozens of programs such as calculator, weather, calendar, contacts, and many others each time you type a letter.
I guess a lot of GNOME advantages go away if a user "has to" use a 3rd party extension. I've used default GNOME before but not many people can. I really wish COSMIC launches as soon as possible.
How is it off-topic? We're discussing DE security, and I'd love to hear input from an expert.
Maybe you misread me as asking about distros? No worries then.