You’d almost forget, but aside from the enterprise-focused variant of Solaris for which Oracle sells support contracts, the company has also nominally maintained and released a version of Solaris aimed at non-production use and enthusiasts. This version, called Solaris CBE or Common Build Environment, has always been free to download and use, but since it was last updated all the way back in early 2022, you’d be forgiven for having forgotten all about it. Today, though, Oracle has finally released a new version of Solaris CBE, after three years of silence.

The Common Build Environment (CBE) release for Oracle Solaris 11.4 SRU 81 is now available via “pkg update” from the release repository or by downloading the install images from the Oracle Solaris Downloads page. As with the first Oracle Solaris 11.4 CBE, this is licensed for free/open source developers and non-production personal use, and this is not the final, supported version of the 11.4.81 SRU, but the pre-release version on which the SRU was built. It contains all of the new features and interfaces, but not all of the final rounds of bug fixes, from the 11.4.81 SRU.

The previous version was the CBE for 11.4.42, so there’s more than 3 years worth of changes between these two releases. If you wanted to read about the changes in every intervening SRU, you can find the monthly SRU release announcements for every SRU, and the What’s New summaries for each quarterly feature release starting with SRU 63, on the Oracle Solaris blog. Some FOSS version updates are also listed in Oracle Solaris 11.4 Bundled Software Updates. You can also find posts about some of the new features from the SRUs on Joerg Moellenkamp’s blog and Marcel Hofstetter’s blog.

↫ Alan Coopersmith and Jan Pechanec

With three years of changes, updates, and fixes to talk about, it’s no surprise there’s a lot of things this new release covers, and credit to Oracle: the blog post announcing this new release is incredibly detailed, lists a ton of the changes in great detail, and is definitely required reading if you’re interested in trying this release out for yourself. I’m definitely tempted, even if it’s Oracle.

Solaris 11.4 SRU 81 CBE comes with much more recent versions of the free and open source tools and frameworks you’ve come to expect, like updated versions of GCC, LLVM/clang, tons of programming languages like Python, Perl, and Rust, as well as updates to all the related toolchain components. The CTF (Compact C Type Format) utilities (ctfconvert, ctfdump, and ctfmerge), used to build Solaris itself and crucial for tools like DTrace, have also been updated, and now reside in /usr/bin. These updates are joined by a massive number of other, related low-level changes.

For desktop users, GNOME has been updated from the veritably ancient GNOME 3.38 to GNOME 45 (current is 48.1), which is a big jump for Solaris desktop users. Firefox and Thunderbird jump from 91 ESR to 128 ESR, which should deliver a much-improved browsing and email experience. All of this graphical desktop use is powered by version 21.1 of the X server, Mesa 21.3.8, and version 470.182 of the NVIDIA driver. Grub has been updated to version 2.12, and thanks to a new secure boot shim, users no longer have to make any changes to secure boot settings, as Solaris will always default to installing the secure boot image.

This is just a small selection of all the changes, and it seems Oracle is planning on releasing these CBE versions more often from here on out, as they say this release contains a ton of preparatory work for changes in upcoming releases, “which should come more often than once every three years going forward”. Do note that while Solaris CBE releases are free for non-production use, they’re not open source.

I don’t know anything about hiring processes in Silicon Valley, or about hiring processes in general since I’ve always worked for myself (and still do, running OSNews, relying on your generous Patreon and Ko-Fi support), so when I ran into this horror story of applying for a position at a Silicon Valley startup, I was horrified. Apparently it’s not unheard of – it might even be common? – to ask applicants for a coding position to develop a complex application, for free, without much guidance beyond some vague, generic instructions?

In this case, the applicant, Jose Vargas, was applying for a position at Kagi, the search startup with the, shall we say, somewhat evangelical fanbase. After applying, he was asked to develop a complete e-mail client, either as a TUI/CLI or a web application that can view and send emails, using a fake or a real backend, which can display at least plaintext e-mails. None of this was going to be paid labour, of course.

Vargas started out by sending in a detailed proposal of what he was planning to create, ending with the obvious question what kind of response he’d get if he actually implemented the detailed proposal. He got a generic response in return, without an answer to that question, but he set out to work regardless. In the end, it took him about a week to complete the project and send it in. He eventually received a canned rejection notice in response, and after asking for clarification the hiring manager told him they wanted something “simpler and stronger”, so he didn’t make the cut.

I’m not interested in debating whether or not Vargas was suited for the position, or if the unpaid work he sent in was any good. What I do want to talk about, though, is the insane amount of unpaid labour applicants are apparently asked to do in Silicon Valley, the utter lack of clear and detailed instructions, and how the hiring manager didn’t answer the question Vargas sent in alongside his detailed proposal. After all, the hiring manager could’ve saved everyone a ton of time by letting Vargas know upfront the proposal wasn’t what Kagi was looking for.

Everything about this feels completely asinine to me. As a (former) translator, I’m no stranger to having to do some work to give a potential client an idea of what my work looks like, but more than half a page of text to translate was incredibly rare. Only on a few rare occasions did a prospective client want me to translate more than that, and in those cases it was always as paid labour, at the normal, regular rate. For context, half a page of text is less than half an hour of work – a far cry from a week’s worth of unpaid labour.

I’ve read a ton of online discourse about this particular story, and there’s no clear consensus on whether or not Vargas’ feelings are justified. Personally, I find the instructions given by Kagi overly broad and vague, the task of creating an email client to be overly demanding, and the canned (“AI”?) responses by the hiring manager insulting – after sending in such a detailed proposal, it should’ve been easy for a halfway decent hiring manager to realise Vargas might not be a good fit for the role, and tell him so before he started doing any work.

Kagi is fully within its right to determine who is and is not a good fit for the company, and who they hire is entirely up to them. If such stringent, demanding hiring practices are par for the course in Silicon Valley, I also can’t really fault them for toeing the industry line. The hiring manager’s behaviour seems problematic, but everyone makes mistakes and nobody’s perfect. In short, I’m not even really mad at Kagi specifically here.

However, if such hiring practices are indeed the norm, can I, as an outsider, just state the obvious?

What on earth are you people doing to each other over there in Silicon Valley?

Is this really how you want to treat potential applicants, and how you, yourself, want to be treated? Imagine if a someone applies to be a retail clerk at a local supermarket, and the supermarket’s hiring manager asks the applicant to work an entire week in the store, stocking shelves and helping shoppers, without paying the person any wages, only to deny their application after the week of free labour is over? You all realise how insane that sounds, right?

Why not look at a person’s previous work, hosted on GitHub or any of its alternatives? Why not contact their previous employers and ask about their performance there, as happens in so many other industries? Why, instead of asking someone to craft an entire email client, don’t you just give them a few interesting bugs to look at that won’t take an entire week of work? Why not, you know, pay for their labour if you demand a week’s worth of work? I’m so utterly baffled by all of this.

Y’all developers need a union.

At the start of this year, Microsoft announced that, alongside the end of support for Windows 10, it would also end support for Office 365 (it’s called Microsoft 365 now but that makes no sense to me) on Windows 10 around the same time. The various Office applications would continue to work on Windows 10, of course, but would no longer receive bug fixes, security plugs, and so on. Well, it seems Microsoft experienced some pushback on this one, because it just extended this end-of-support deadline for Office 365 on Windows 10 by an additional three years.

To help maintain security while you transition to Windows 11, Microsoft will continue providing security updates for Microsoft 365 Apps on Windows 10 for three years after Windows 10 reaches end of support. These updates will be delivered through the standard update channels, ending on October 10, 2028.

↫ Microsoft support article

The reality is that the vast majority of Windows users are still using Windows 10, and despite countless shady shenanigans and promises of “AI” bliss, there’s relatively little movement in the breakdown between Windows 10 and Windows 11 users. As such, the idea that Microsoft would just stop fixing security issues and bugs in Office on Windows 10 a few months from now seemed preposterous from the outset, and that seems to have penetrated the walls of Microsoft’s executives, too.

The real question now is: will Microsoft extend the same courtesy to Windows 10 itself? The clock is ticking, there’s only a few months left to go before support for Windows 10 ends, leaving 60-70% of Windows users without security fixes and updates. If they blinked with Office, why wouldn’t they blink with Windows 10, too? Who dares to place a bet?

Let’s dive into a peculiar bug in iOS. And by that I mean, let’s follow along as Guilherme Rambo dives into a peculiar bug in iOS.

The bug is that, if you try to send an audio message using the Messages app to someone who’s also using the Messages app, and that message happens to include the name “Dave and Buster’s”, the message will never be received.

↫ Guilherme Rambo

As I read this first description of the bug, I had no idea what could possibly be causing this. However, once Rambo explained that every audio message is transcribed by Apple into a text version, I immediately assumed what was going on: that “and” is throwing up problems because the actual name of the brand is stylised with an ampersand, isn’t it? It’s always DNS HTML, isn’t it?

Yes. Yes it is.

MessagesBlastDoorService uses MBDXMLParserContext (via MBDHTMLToSuperParserContext) to parse XHTML for the audio message. Ampersands have special meaning in XML/HTML and must be escaped, so the correct way to represent the transcription in HTML would have been "Dave & Buster's". Apple’s transcription system is not doing that, causing the parser to attempt to detect a special code after the ampersand, and since there’s no valid special code nor semicolon terminating what it thinks is an HTML entity, it detects an error and stops parsing the content.

↫ Guilherme Rambo

It must be somewhat of a relief to programmers and developers the world over that even a company as large and filled with talented people as Apple can run into bugs like this.

I had to dig through our extensive archive – OSNews was founded in 1997, after all – to see if we reported on it at the time, but it turns out we didn’t: in 2006, Intel announced that in 2007, it would cease production of a range of old chips, including the 386 and 486. In Product Change Notification 106013-01, Intel proclaimed these chips dead.

Intel Corporation has been manufacturing its MCS 51, MCS 251 and MCS 96 Microcontroller Product Lines for over 25 years now, and the Intel 186 Processor Families, the Intel 386 Processor Families and the Intel 486 Processor Families for over 15 years now. Additionally, we have been manufacturing the i960 32 Bit RISC Processor Families for over 15 years. However, at this time, the forecasted volumes for these product lines are now too low to continue production of these products beyond the year 2007. Therefore, Intel will cease manufacturing silicon wafers for our 6″ based processes in 2007. Affected products include Intel’s MCS 51, MCS 251, MCS 96, 80X18X, 80X38X, 80X486DXX, the i960 Family of Microcomputers, in addition to the 82371SB, 82439TX and the 82439HX Chipsets. Intel has no choice but to issue a Product Discontinuance Notice (PDN) effective 3/30/06. Last time orders will be accepted till 3/30/07 with last time ship dates of 9/28/07.

↫ Intel Product Change Notification 106013-01

Considering the 386, 486, and i960 families of processors were only used for niche embedded at very low volumes at that point in time, it made sense to call it quits. We’re 18 years down the line now, and I don’t think anyone really mourns the end of production for these processors. Windows ended support for these chips well before the 2007 end of production date, with Windows 2000 being the last Windows version that would run on a 486, albeit only barely, since it officially required a Pentium processor.

Linux, though, continued to support the 486, but that, too, is now coming to an end. In a patch submitted to the LKML, Ingo Molnár, support for a variety of “complicated hardware emulation facilities” for x86-32 will be removed, effectively ending support for 486 and very early 586 processors, by increasing the minimum kernel support features to include TSC and CX8 (CMPXCHG8B) hardware support. Linus Torvalds has expressed interest in removing support for the 486 back in 2022, so this move doesn’t come as a huge surprise.

While most tech news outlets leave it at that, as I was reading this news, I immediately thought of the Vortex86 line of processors and what this would mean for Linux support for those processors. In case you’re unaware, the Vortex86 is a line of x86-32-compatible processors, originating at SiS, but now developed and produced by DMP Electronics in Taiwain. The last two variants were the Vortex86DX3, a dual-core chip running at 1Ghz, and the Vortex86EX2, a chip with two asymmetrical cores that can run two operating systems at once.

Their platform support documents for Windows and Linux are from 2021, so we can’t rely on those for more information. Digging through some of the documentation from ICOP, who sell industrial PCs based on the latest Vortex86DX3, I think support in modern kernels is very much hit and miss even before this news. All Vortex86 processors are supposedly i586 (with later variants being i686, even), but some of the earlier versions were compatible with the 486SX. On top of that, Linux 4.14 seems to be the last kernel that supports any of these chips out-of-the-box based on the documentation by DMP – but then, if you go back to ICOP, you’ll find news items about Linux 5.16 adding better support for Vortex86, so I’m definitely confused.

My uneducated guess is that the DX3 and EX2 will probably work even after these changes to the Linux kernel, but earlier models might have more problems. Even on the LKML I can find messages from the kind of people who know their stuff who don’t know all the ins and outs of these Vortex86 processors, and which instructions they actually support.

It won’t matter much for people relying on Vortex86 processors in industrial and commercial settings, though, since they tend to use custom stacks built by the vendor, so they’re going to be just fine. What’s more interesting is the what I assume is a small enthusiast market using Vortex86 processors who might want to run modern Linux kernels on them. I have a feeling these code removals might lead to some issues on especially the earlier models, meaning you’ll have to use older kernels.

I’ve always been fascinated by the Vortex86 line of processors, and on numerous occasions I’ve hovered over the buy button on some industrial PC using the VortexDX3 (or earlier) processor. Let me know if you’re interested in seeing what this chip can do, and if there’s enough interest, I can see if I can set a Ko-Fi goal to buy one these and mess around with Windows Embedded/CE, Linux, and god knows what else these things can be made to run.

The title is a lie. This isn’t brief at all.

Picture the keypad of a telephone and calculator side by side. Can you see the subtle difference between the two without resorting to your smartphone? Don’t worry if you can’t recall the design. Most of us are so used to accepting the common interfaces that we tend to overlook the calculator’s inverted key sequence. A calculator has the 7–8–9 buttons at the top whereas a phone uses the 1–2–3 format.

Subtle, but puzzling since they serve the same functional goal — input numbers. There’s no logical reason for the inversion if a user operates the interface in the same way. Common sense suggests the reason should be technological constraints. Maybe it’s due to a patent battle between the inventors. Some people may theorize it’s ergonomics.

With no clear explanation, I knew history and the evolution of these devices would provide the answer. Which device was invented first? Which keypad influenced the other? Most importantly, who invented the keypad in the first place?

↫ Francesco Bertelli and Manoel do Amara

Sometimes, you come across articles that are one-of-a-kind, and this is one of them. Very few people would go to this length to document such a particular thing most people find utterly insignificant, but luckily for us, Francesco Bertelli and Manoel do Amara went all the way with this one. If you want to know anything about the history of the numerical pad and its possibly layouts, this is the place to go.

What I’ve always found fascinating about numerical pads is how effortless the brain can switch between the two most common layouts without really batting an eye. Both layouts seem so ingrained in my brain that it feels like there’s barely any context-switching involved, and my fingers just effortlessly flow to the correct numbers. Considering numbers tend to confuse me, I wouldn’t have been at all surprised to find myself having issues switching between the two layouts.

What makes this even more interesting is when I consider the number row on the keyboard – you know, 1 through 0 – because there I do tend to have a lot of issues finding the right numbers. I don’t mean it takes seconds or anything like that, but I definitely experience more hiccups working with the number row than with a numerical keypad of either layout.

I think one of the more controversial parts of Windows 11 – aside from its system requirements, privacy issues, crapware, and “AI” nonsense – is its Start menu. I’ve heard so many complaints about how it’s organised, its performance, the lack of customisation, and so on. Microsoft heard those complaints, and has unveiled the new Start menu that’ll be shipping to Windows 11 soon – and I have to say, there’s a ton of genuine improvements here that I think many of you will be happy with.

First and foremost, the “all applications” view, that until now has been hidden behind a button, will be at the top level, and you can choose between a category view, a grid view, and a list view. This alone makes the Windows 11 Start menu so much more usable, and will be more than enough to make a lot of users want to upgrade, I’m sure.

Second, customisation is taken a lot more seriously in this new incarnation of the Start menu. You can actually shrink or remove completely sections you’re not using. If you’re not interested in those recommendations, you can just remove that section. Don’t want to use the feature where you pin applications to the Start menu? Remove that section. This, too, seems to address common complaints, and I’m glad Microsoft is fixing this.

Then there’s the rest. Microsoft is promising this new Start menu will perform better, which better be true because I’ve seen some serious lag and delays on incredibly powerful hardware. The recommendations have been improved as well, in case you care about those, and there’s a new optional mobile panel that you can slide out, which contains everything related to your phone.

Personally, I’m a classic Start menu kind of person – on all my machines (which all run Fedora KDE), I use a classic, very traditional cascading menu that contains nothing but application categories and their respective applications, and nothing more. Still, were I forced to use Windows, these improvements are welcome, and they seem genuine.

Notifications in Chrome are a useful feature to keep up with updates from your favorite sites. However, we know that some notifications may be spammy or even deceptive. We’ve received reports of notifications diverting you to download suspicious software, tricking you into sharing personal information or asking you to make purchases on potentially fraudulent online store fronts.

To defend against these threats, Chrome is launching warnings of unwanted notifications on Android. This new feature uses on-device machine learning to detect and warn you about potentially deceptive or spammy notifications, giving you an extra level of control over the information displayed on your device.

↫ Hannah Buonomo and Sarah Krakowiak Criel on the Chromium Blog

So first web browser makers introduce notifications, a feature nobody asked for and everybody hates, and now they’re using “AI” to combat the spam they themselves enabled and forced onto everyone? Don’t we have a name for a business model where you purport to protect your clients from threats you yourself pose?

Turning off notifications is one of the first things I do after installing a browser. I do not ever want any website sending me a notification, nor do I want any of them to ask me for permission to do so. They’re such an obvious annoyance and massive security threat, and it’s absolutely mindboggling to me we just accept them as a feature we have to live with. I genuinely wish browsers like Firefox, which claim to protect your privacy, would just have the guts to be opinionated and rip shit features like this straight out of their browser.

Using “AI” to combat spam notifications instead of just turning notifications off is peak techbro.

We present the formal verification of Apple’s iMessage PQ3, a highly performant, device-to-device messaging protocol offering strong security guarantees even against an adversary with quantum computing capabilities. PQ3 leverages Apple’s identity services together with a custom, post-quantum secure initialization phase and afterwards it employs a double ratchet construction in the style of Signal, extended to provide post-quantum, post-compromise security.

We present a detailed formal model of PQ3, a precise specification of its fine-grained security properties, and machine-checked security proofs using the TAMARIN prover. Particularly novel is the integration of post-quantum secure key encapsulation into the relevant protocol phases and the detailed security claims along with their complete formal analysis. Our analysis covers both key ratchets, including unbounded loops, which was believed by some to be out of scope of symbolic provers like TAMARIN (it is not!).

↫ Felix Linker and Ralf Sasse

Weekend, light reading, you know how this works by now. Light some candles, make some tea, get comfy.

John Siracusa, one third of the excellent ATP podcast, developer of several niche Mac utilities, and author of some of the best operating system reviews of all time, has called for Apple’s CEO, Tim Cook, to step down. Now, countless people call for Tim Cook to stand down all the time, but when someone like Siracusa, an ardent Mac user since the release of the very first Macintosh and a staple of the Apple community, makes such a call, it carries a bit more weight.

His main argument is not particularly surprising to anyone who’s been keeping tabs on the Apple community, and the Apple developer community in particular: Apple seems to no longer focus on making great products, but on making money. Every decision made by Apple’s leadership team is focused solely on extracting as much money from consumers and developers, instead of on making the best possible products.

The best leaders can change their minds in response to new information. The best leaders can be persuaded. But we’ve had decades of strife, lawsuits, and regulations, and Apple has stubbornly dug in its heels even further at every turn. It seems clear that there’s only one way to get a different result.

In every healthy entity, whether it’s an organization, an institution, or an organism, the old is replaced by the new: CEOs, sovereigns, or cells. It’s time for new leadership at Apple. The road we’re on now does not lead anywhere good for Apple or its customers. It’s springtime, and I’m choosing to believe in new life. I swear it’s not too late.

↫ John Siracusa

I reached this same point with Apple a long, long time ago. I was an ardent Mac user during the PowerPC G4 and G5 days, lasting into the early Intel days. However, as the iPhone and related services took over as Apple’s primary source of income, I felt that Mac OS X, which I once loved and enjoyed so much, started to languish, and it’s been downhill for Apple’s desktop operating system ever since. Whenever I have to help my parents with their computers – modern M1 and M2 Macs – I am baffled and saddened by just how big of a convoluted, disjointed, and unintuitive mess macOS has become.

I long ago stopped caring about whatever products Apple releases or updates, because I feel like as a user who genuinely cares about his computing experience, Apple simply doesn’t make products for me. I’m not sure replacing Tim Cook with someone else will really change anything about Apple’s priorities; in the end, it’s a publicly traded corporation that thinks it needs to please shareholders, and a focus on great products instead of money isn’t going to help with that.

Apple long ago stopped being the beleaguered company many of its most ardent fans still seem convinced that it is, and it’s now one of those corporate monoliths that can make billions more overnight by squeezing just a bit more out of developers or users, regardless of what that squeezing does to the user experience. Apple is still selling more devices than ever, and it’s still raking in more gambling gains through digital slot machines for children, and as long as that’s the case, replacing Tim Cook won’t do a goddamn thing.

About a year ago, we talked about the fact that Android 15 became page size-agnostic, supporting both 4 KB and 16 KB page sizes. Google was already pushing developers to get their applications ready for 16 KB page sizes, which means recompiling for 16 KB alignment and testing on a 16 KB version of an Android device or simulator. Google is taking the next step now, requiring that every application targeting Android 15 or higher submitted to Google Play after 1 November 2025 must support a page size of 16 KB.

This is a key technical requirement to ensure your users can benefit from the performance enhancements on newer devices and prepares your apps for the platform’s future direction of improved performance on newer hardware. Without recompiling to support 16 KB pages, your app might not function correctly on these devices when they become more widely available in future Android releases.

↫ Dan Brown on the Android Developers Blog

This is mostly only relevant for developers instead of users, but in the extremely unlikely scenario that one of your favourite applications cannot be made to work with 16 KB page sizes for some weird reason, or the developer refuses to support it or some even weirder reason, you might have to say goodbye to that applications if you use Android 15 or higher. This is absurdly unlikely, but I wouldn’t be surprised if it happens to at least one application.

If that happens, I want to know which application that is, and ask the developer for their story.

I’ve “launched” the Mac Themes Garden! It is a website showcasing more than 3,000 (and counting) Kaleidoscope from the Classic Mac era, ready to be seen, downloaded and explored! Check it out! Oh, and there also is an RSS feed you can subscribe to see themes as they are added/updated!

↫ Damien Erambert

If you’ve spent any time on retrocomputing-related social media channels, you’ve definitely seen the old classic Mac OS themes in your timeline. They are exquisitely beautiful artifacts of a bygone era, and the work Damien Erambert has been doing to make these easily available and shareable, entirely in his free time, is awesome and a massive service to the retrocomputing community.

The process to get these themes loaded up onto the website is actually a lot more involved than you might imagine. It involves a classic Mac OS virtual machine, applying themes, taking screenshots, collecting creator information, and adding everything to a database. This process is mostly manual, and Erambart estimates he’s about halfway done.

If you have classic Mac OS running somewhere, on real hardware or in a virtual machine, you can now easily theme it at your heart’s content.

As the headline suggests, we’re going to be talking about some very dry Windows stuff that only affects a relatively small number of people, but for those people this is a big deal they need to address. If you’re working on pre-production drivers that need to be signed, this is important to you.

The Windows Hardware Program supports partners signing drivers for use in pre-production environments. The CA that is used to sign the binaries for use in pre-production environments on the Windows Hardware Program is set to expire in July 2025, following which a new CA will be used to sign the preproduction content starting June 9, 2025.

↫ Hardware Dev Center

Alongside the new CA come a bunch of changes to the rules. First and foremost, expiry of signed drivers will no longer be tied to the expiry of the underlying CA, so any driver signed with the new CA will not expire, regardless of what happens to the CA. In addition, on April 22, May 13, and June 10, 2025, Windows servicing releases (4D/5B/6B) will be shipped to Windows versions (down to Windows Server 2008) to replace the old CAs with the new ones. As such, if you’re working on pre-production drivers, you need to install those Latest Cumulative updates.

On a very much related note, Microsoft has announced it’s retiring device metadata and the Windows Metadata and Internet Services (WMIS). This is what allowed OEMs and device makers to include things like device names, custom device icons, and other information in the form of an XML file. While OEMs can no longer create new device metadata this way, existing metadata already installed on Windows clients will remain functional. As a replacement for this functionality, Microsoft points to the driver’s INF files, where such information and icons can also be included.

Riveting stuff.

The openSUSE team has decided to remove the Deepin Desktop Environment from openSUSE, after the project’s packager for openSUSE was found to have added workaround specifically to bypass various security requirements openSUSE has in place for RPM packages.

Recently we noticed a policy violation in the packaging of the Deepin desktop environment in openSUSE. To get around security review requirements, our Deepin community packager implemented a workaround which bypasses the regular RPM packaging mechanisms to install restricted assets.

As a result of this violation, and in the light of the difficult history we have with Deepin code reviews, we will be removing the Deepin Desktop packages from openSUSE distributions for the time being.

↫ Matthias Gerstner

Matthias Gerstner goes into great detail to lay out every single time the openSUSE team found massive, glaring security issues in Deepin, and the complete lack of adequate responses from the Deepin upstream team over the past 8 or so years. It’s absolutely shocking to see how utterly lax the Deepin developers have been regarding the security of their desktop environment and its dependencies, and the openSUSE team could really only come to one harsh conclusion: Deepin has no security culture whatsoever, and it’s extremely likely that every corner of the Deepin code is riddled with very serious security issues.

As such, despite the relatively large number of Deepin users on openSUSE, the team has decided to remove Deepin from openSUSE entirely, instead pointing users to a third-party repository if they desire to keep using Deepin. I think this is the best possible option in this situation, but it’s not exactly ideal. After reading this entire saga, however, I don’t think anyone who cares about security should be using Deepin.

Of course, I doubt this will be the end of the story. What about all the other Linux distributions out there? The security issues in Deepin itself are most likely also present in Debian, Fedora, and other distributions who have the Deepin Desktop Environment in their repositories, but what about the workaround to bypass packaging security practices? Does that exist elsewhere as well?

I think we’re about to find out.