The openSUSE team has decided to remove the Deepin Desktop Environment from openSUSE, after the project’s packager for openSUSE was found to have added a workaround specifically to bypass various security requirements openSUSE has in place for RPM packages.
Recently we noticed a policy violation in the packaging of the Deepin desktop environment in openSUSE. To get around security review requirements, our Deepin community packager implemented a workaround which bypasses the regular RPM packaging mechanisms to install restricted assets.
As a result of this violation, and in the light of the difficult history we have with Deepin code reviews, we will be removing the Deepin Desktop packages from openSUSE distributions for the time being.
↫ Matthias Gerstner
Matthias Gerstner goes into great detail to lay out every single time the openSUSE team found massive, glaring security issues in Deepin, and the complete lack of adequate responses from the Deepin upstream team over the past eight or so years. It’s absolutely shocking to see how utterly lax the Deepin developers have been regarding the security of their desktop environment and its dependencies, and the openSUSE team could really only come to one harsh conclusion: Deepin has no security culture whatsoever, and it’s extremely likely that every corner of the Deepin code is riddled with very serious security issues.
As such, despite the relatively large number of Deepin users on openSUSE, the team has decided to remove Deepin from openSUSE entirely, instead pointing users to a third-party repository if they desire to keep using Deepin. I think this is the best possible option in this situation, but it’s not exactly ideal. After reading this entire saga, however, I don’t think anyone who cares about security should be using Deepin.
Of course, I doubt this will be the end of the story. What about all the other Linux distributions out there? The security issues in Deepin itself are most likely also present in Debian, Fedora, and the other distributions that carry the Deepin Desktop Environment in their repositories, but what about the workaround to bypass packaging security practices? Does that exist elsewhere as well?
I think we’re about to find out.
After all of that craziness and they are still willing to host Deepin on an openSUSE Factory repo and point people toward it? Why exactly I wonder? Just give it the boot and be done with it.
If a maintainer is knowingly implementing security bypass mechanisms, that maintainer should be banned from this and every other project they have contributed to. And probably review every historic commit.
Open source builds itself on the basis of trust and this individual has broken that trust.
I really hope this isn’t the end of the story.
The maintainer of the OBS repo commented about bypassing review 4 years ago: https://build.opensuse.org/project/show/X11:Deepin:Factory#comment-1439069
But their previous comment linked to their own blog where they complain about the low quality and security malpractice of Deepin and said they were giving up on packaging it for openSuSE.