
Deepin Desktop Removed from openSUSE over Security Concerns

openSUSE is not happy with Deepin Desktop, and they have their reasons for that.


openSUSE is one of the preferred choices for people who don't like using Ubuntu or Fedora. It is a community-driven Linux distribution backed by SUSE, the German multinational that specializes in open source software.

By leveraging the community repositories, openSUSE users have the option to install Deepin Desktop Environment (DDE), a modern-looking desktop environment that offers some novel features, catering to a sizable user base.

That is no longer the case, though.

What's Happening: Announced two days ago, the openSUSE developers have decided to drop Deepin Desktop from their community repos, citing lack of package maintenance consistency and security concerns.

You see, there have been serious security issues in Deepin Desktop's D-Bus and Polkit (PolicyKit) components, which were compounded by repeated violations of openSUSE's security review and packaging policies.

The last straw came earlier this year, when it was discovered that one of the Deepin Desktop maintainers had effectively "smuggled" a package called "deepin-feature-enable" into openSUSE back in 2021.

This package implements a license agreement dialog that, when accepted by the user, would automatically extract and install unverified D-Bus configuration files and Polkit policies directly into the system, completely bypassing openSUSE's security review and whitelisting process.

The license agreement in question. (Source: openSUSE)
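
If you accepted that dialog at some point, one way to look for leftovers is to list D-Bus and Polkit files that no RPM package owns. This is an added example, not code from openSUSE or from the article: the directory list is the standard system-wide locations (an assumption, since the article does not say where the package wrote its files), it assumes files extracted at runtime are not registered in the RPM database, and `find_unowned` and `OWNER_CHECK` are hypothetical names.

```shell
#!/bin/sh
# Added example: list D-Bus and Polkit files that no RPM package owns.
# Assumption: these are the standard system-wide locations; the article
# does not say where deepin-feature-enable placed its files.
AUDIT_DIRS="/etc/dbus-1/system.d /usr/share/dbus-1/system.d
/usr/share/dbus-1/system-services /usr/share/polkit-1/actions
/usr/share/polkit-1/rules.d /etc/polkit-1/rules.d"

# Command that exits 0 when a path belongs to an installed package.
# "rpm -qf" exits non-zero for files that no package owns.
# Overridable so the logic can be exercised on a machine without rpm.
: "${OWNER_CHECK:=rpm -qf}"

# find_unowned DIR...
# Print every regular file under the given directories that OWNER_CHECK
# does not attribute to a package. Missing directories are skipped.
find_unowned() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f | sort | while IFS= read -r f; do
            if ! $OWNER_CHECK "$f" >/dev/null 2>&1; then
                printf '%s\n' "$f"
            fi
        done
    done
}

# Run the audit only when asked to, and only if rpm is actually present;
# without rpm every file would be reported as unowned.
if [ "${1:-}" = "--audit" ]; then
    if command -v rpm >/dev/null 2>&1; then
        # Word splitting of AUDIT_DIRS is intentional here.
        find_unowned $AUDIT_DIRS
    else
        echo "rpm not found; cannot check package ownership" >&2
    fi
fi
```

Save it as a script and run it with `--audit`. Files an administrator created by hand also show up as unowned, so each hit needs a look rather than an automatic delete.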

This is not the first time openSUSE has had issues with Deepin Desktop. In 2017, the file manager’s D-Bus service could be impersonated by any user. In 2019, any user could register the D-Bus service without restrictions. In 2023, there were security flaws that allowed the loading of unsafe config files.

What to Expect: For users of openSUSE Leap 15.6, the deepin-feature-enable package will be removed, but the other packages will be left intact. New openSUSE Tumbleweed releases and the upcoming openSUSE Leap 16.0 release, on the other hand, won't include any Deepin Desktop packages.

Despite the issues, the developers have left the door open for people who wish to use Deepin Desktop regardless of these glaring problems, but they do not recommend it and include a disclaimer that users are fully responsible for trusting any Deepin Desktop packages they install.

If you ask me, this looks like a leaky ship blown to smithereens, with every bit of damage caused by its own cannon fire. In this case, it’s the Deepin Desktop maintainers dealing the final blow to their openSUSE implementation by failing to carry out their maintenance obligations.
