Removal of Deepin Desktop from openSUSE due to Packaging Policy Violation
Quoting: Removal of Deepin Desktop from openSUSE due to Packaging Policy Violation | SUSE Security Team Blog —
The Deepin desktop environment (DDE) is part of the Deepin Linux distribution. It focuses on usability, a polished graphical presentation and support for the Chinese language. It is also available on a number of other Linux distributions, openSUSE among them.
Recently we noticed a policy violation in the packaging of the Deepin desktop environment in openSUSE. To get around security review requirements, our Deepin community packager implemented a workaround which bypasses the regular RPM packaging mechanisms to install restricted assets.
As a result of this violation, and in the light of the difficult history we have with Deepin code reviews, we will be removing the Deepin Desktop packages from openSUSE distributions for the time being.
In this blog post we will look at the exact nature of the policy violation, the review history of Deepin components in openSUSE and the conclusions we draw from all of this. Finally, we will give an outlook on how this situation could be resolved, and how users of openSUSE can continue to opt-in to use Deepin in the future.
Update
Also in LWN now:
Deepin Desktop removed from openSUSE
The SUSE Security Team has announced the removal of the Deepin Desktop from openSUSE due to violations of the project's packaging policy.
The discovery of the bypass of the security whitelistings via the deepin-feature-enable package marks a turning point in our assessment of Deepin. We don't believe that the openSUSE Deepin packager acted with bad intent when he implemented the "license agreement" dialog to bypass our whitelisting restrictions. The dialog itself makes the security concerns we have transparent, so this does not happen in a sneaky way, at least not towards users. It was not discussed with us, however, and it violates openSUSE packaging policies. Beyond the security aspect, this also affects general packaging quality assurance: the D-Bus configuration files and Polkit policies installed by the deepin-feature-enable package are unknown to the package manager and won't be cleaned up upon package removal, for example. Such bypasses are not deemed acceptable by us.
Linuxiac:
openSUSE Removes Deepin Desktop Over Security Policy Violations
In a recent development, the openSUSE project has decided to remove the Deepin Desktop Environment (DDE), well-known for its polished visuals and user-friendly experience, from its repositories, citing substantial packaging policy violations.
According to disclosures from the openSUSE security team, a troubling workaround was discovered in the DDE packaging. Specifically, the Deepin community packager introduced a “license agreement” dialog within the deepin-feature-enable package, effectively circumventing standard security review processes required by openSUSE.
Ordinarily, components such as D-Bus system service configurations and Polkit policies must undergo stringent review by the SUSE security team before being whitelisted for inclusion in openSUSE distributions.
The Register:
openSUSE deep sixes Deepin desktop over security stink
SUSE has kicked the Deepin Desktop Environment (DDE) out of its community-driven Linux distro, openSUSE, and the reasons it gives for doing so are revealing.
SUSE's security team published a blog post – Removal of Deepin Desktop from openSUSE due to Packaging Policy Violation – that makes for eye-opening reading. The news comes just a week after openSUSE Leap 16 entered beta, a release which contains some interesting wrinkles of its own.
Deepin is the desktop of Chinese vendor Uniontech's OS, Linux Deepin, which we last looked at in August 2024. In terms of appearance, the Deepin desktop is gorgeous. It's colorful, fluid, and friendly. It has a strong Windows 11 influence on its layout, but it's not a direct clone like the strange Wubuntu distro. It is also found on a few other distros, such as Ubuntu DDE, which we last looked at when the 22.04 version appeared.
Linux Magazine:
openSUSE Joins End of 10 » Linux Magazine
If you've not heard of it yet, End of 10 is a collective of developers and others who are trying to help Windows 10 transition to Linux. With the Windows 10 end-of-life (EOL) on the horizon, it was only a matter of time before something like this arrived onto the scene. From the End of 10 site comes this gem: "If you bought your computer after 2010, there's most likely no reason to throw it out. By just installing an up-to-date Linux operating system you can keep using it for years to come."
Recently, it was announced that openSUSE would be joining the initiative. In fact, openSUSE has decided to transition its Upgrade to Freedom campaign to the End of 10 movement. Douglas DeMaio says, "A new initiative called End of 10 has launched that shares the purposes and origin of openSUSE’s Upgrade to Freedom efforts. As the #endof10 initiative also intends to help people extend the life of devices that would otherwise become e-waste, rather than dilute the messaging and narrative, members of openSUSE marketing have decided to transition the Upgrade to Freedom campaign to joining the End of 10 initiative."