At the beginning of this year we noticed that the Deepin Desktop as it is currently packaged in openSUSE relies on a packaging policy violation to bypass SUSE security team review restrictions. With a long history of code reviews for Deepin components dating back to 2017, this marks a turning point for us that leads to the removal of the Deepin Desktop from openSUSE for the time being.
Has anyone else read this? It’s a highly concerning read. While I haven’t used any fork of SUSE in years, I still have respect for their rigor.
Deepin packages are in
extrain Arch, which is a fairly “official” repository. I wonder if anyone at Arch is tracking this, and what Arch’s position is.Anyone know? Since #archlinux:archlinux.org locked its doors, and is effectively impossible to join, I am unsure of how to informally find out if openSUSE’s findings has generated any discussion in Arch.