Short version
We don’t believe that the openSUSE Deepin packager acted with bad intent when he implemented the “license agreement” dialog to bypass our whitelisting restrictions. The dialog itself makes the security concerns we have transparent, so this does not happen in a sneaky way, at least not towards users. It was not discussed with us, however, and it violates openSUSE packaging policies.
…
The experience with Deepin software and its upstream during the code reviews that we performed has not been the best. More than once, security issues we reported have been replaced by new security issues. Other times, upstream did not invest the effort to fully analyze the issues we reported and fixed them insufficiently. Generally the communication with upstream proved difficult, maybe also due to the language barrier. While upstream stated at times that they don’t have enough resources to deal with security reports, which is worrying enough, the design and implementation of Deepin D-Bus components often changed radically in unrelated ways. This makes the security assessment of Deepin components a moving target. Building trust towards Deepin components has thus been extremely difficult over the years.
The history of Deepin code reviews clearly shows that upstream is lacking security culture, and the same classes of security issues keep appearing…
Ouch.
Security is hard and not the fun part of programming (for most people anyway).
KDE and Gnome have problems too.
Rationale for Accepting kio-admin into openSUSE
We have dealt with these types of APIs in KDE since 2017 without achieving any notable improvements. As we are responsible for product security we tried to protect our users from potentially harmful components. At this point, though, we don’t believe that this situation will change anytime soon. Meanwhile users still want to use features like the one found in Dolphin, and don’t understand why openSUSE does not include them.
https://security.opensuse.org/2025/02/21/kio-admin-admittance.html
Oh certainly. What I was pointing out is the repeated failure and lack of acknowledgement of security issues. KDE and GNOME take it seriously, it seems Deepin does not.
Wow.