At the beginning of this year we noticed that the Deepin Desktop as it is currently packaged in openSUSE relies on a packaging policy violation to bypass SUSE security team review restrictions. With a long history of code reviews for Deepin components dating back to 2017, this marks a turning point for us that leads to the removal of the Deepin Desktop from openSUSE for the time being.
Damm
That is quite a while, lol. To be fair though, there are an insane amount of lines in most packages. Quietly adding a brief line in a seemingly innocent features package is like hiding a needle in a haystack.
Its easy to overlook things when you have a pile of packages to review during every routine. Its especially true if they missed it the first time, since its easier to review changes in a package rather than go through the whole thing again.
A needle in a tumbleweed, if you will. :p
Yeah, it’s crazy it was hiding this long but I see this as a win that they dealt with it so swiftly and show they take their package security seriously.
Yeah, it really speaks volumes about the devs. It means that no matter how innocent the package may be or how long its been there, they still pick through it all multiple times to make sure their users are safe and happy.
But RIP Deepin users. Tbh though, I’ve been hanging around Linux forums a while and still have yet to see someone who actually daily drives Deepin, lol.
Deepin looks nice in screenshots but feels terrible in use. Although it’s been a while since I’ve tried it, so it might be great for all I know.
Why wasn’t this catched by previous routine reviews?
It seems to me that the offending dialog would only be triggered if you did a full fresh install. During the previous iteration of the testing, they probably had a VM somewhere with it installed; since the underlying packages were already present, the dialog would never have popped up.