At the beginning of this year we noticed that the Deepin Desktop as it is currently packaged in openSUSE relies on a packaging policy violation to bypass SUSE security team review restrictions. With a long history of code reviews for Deepin components dating back to 2017, this marks a turning point for us that leads to the removal of the Deepin Desktop from openSUSE for the time being.
Damn
That is quite a while, lol. To be fair though, there is an insane amount of lines in most packages. Quietly adding a brief line in a seemingly innocent features package is like hiding a needle in a haystack.
It's easy to overlook things when you have a pile of packages to review during every routine. It's especially true if they missed it the first time, since it's easier to review changes in a package rather than go through the whole thing again.
Why wasn’t this caught by previous routine reviews?
It seems to me that the offending dialog would only be triggered if you did a full fresh install. During the previous iteration of the testing, they probably had a VM somewhere with it installed; since the underlying packages were already present, the dialog would never have popped up.