Deepin Desktop Removed from openSUSE over Security Concerns
openSUSE is not happy with Deepin Desktop, and they have their reasons for that.
openSUSE is one of the preferred choices for people who don't like using Ubuntu or Fedora. It is a community-driven Linux distribution backed by SUSE, the German multinational that specializes in open source software.
By leveraging the community repositories, openSUSE users have the option to install Deepin Desktop Environment (DDE), a modern-looking desktop environment that offers some novel features, catering to a sizable user base.
That is no longer the case, though.
What's Happening: Announced two days ago, the openSUSE developers have decided to drop Deepin Desktop from their community repos, citing lack of package maintenance consistency and security concerns.
You see, there have been serious security issues in Deepin Desktop's D-Bus and Polkit (PolicyKit) components, which were compounded by repeated violations of openSUSE's security review and packaging policies.
The last straw came when it was discovered earlier this year that one of the Deepin Desktop maintainers effectively "smuggled" a package called "deepin-feature-enable" into openSUSE back in 2021.
This package implements a license agreement dialog that, when accepted by the user, would automatically extract and install unverified D-Bus configuration files and Polkit policies directly into the system, completely bypassing openSUSE's security review and whitelisting process.
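A defensive check for the mechanism described above, as an added example that is not code from openSUSE or Deepin: files written outside the package manager are normally not recorded in the RPM database, so `rpm -qf` reports them as unowned. The directory list is an assumption (the standard D-Bus and Polkit locations; the page names none), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list D-Bus and Polkit files that no RPM package owns.
# Assumption: these are the standard system locations; adjust for your system.
AUDIT_DIRS="/etc/dbus-1/system.d /usr/share/dbus-1/system.d
/usr/share/dbus-1/system-services /usr/share/polkit-1/actions
/etc/polkit-1/rules.d /usr/share/polkit-1/rules.d"

# Default ownership check: rpm -qf exits non-zero when no package owns the file.
rpm_owns() {
    rpm -qf "$1" >/dev/null 2>&1
}

# find_unowned CHECK DIR...
# Prints every regular file under the given directories for which CHECK fails.
# CHECK is a command or function taking one path and returning 0 if it is owned.
find_unowned() {
    check=$1
    shift
    for dir in "$@"; do
        # Skip locations that do not exist on this system.
        [ -d "$dir" ] || continue
        find "$dir" -type f | sort | while IFS= read -r f; do
            "$check" "$f" || printf '%s\n' "$f"
        done
    done
}

# Run the real audit only when asked to: sh audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; exit 2; }
    # Word splitting of AUDIT_DIRS is intentional here.
    # shellcheck disable=SC2086
    find_unowned rpm_owns $AUDIT_DIRS
fi
```

Any path it prints was placed there by something other than an installed package and deserves a manual review before it is trusted.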
This is not the first time openSUSE has had issues with Deepin Desktop. In 2017, the file manager’s D-Bus service could be impersonated by any user. In 2019, any user could register the D-Bus service without restrictions. In 2023, there were security flaws that allowed the loading of unsafe config files.
What to Expect: For users of openSUSE Leap 15.6, the deepin-feature-enable package will be removed, but the other packages will be left intact. New openSUSE Tumbleweed releases and the upcoming openSUSE Leap 16.0 release, on the other hand, won't include any Deepin Desktop packages.
Despite the issues, the developers have left the door open for people who wish to use Deepin Desktop regardless of these glaring problems, but they do not recommend it and include a disclaimer that users are fully responsible for trusting any Deepin Desktop packages they install.
If you ask me, this looks like a leaky ship blown to smithereens, with every bit of damage caused by its own cannon fire. In this case, it’s the Deepin Desktop maintainers dealing the final blow to their openSUSE implementation by failing to carry out their maintenance obligations.