chesheer @chesheer@mastodon.bsd.cafe
Public

removes Deepin from and later due to numerous violations of packaging policy.
Sounds probably bad for Deepin users, but what surprised me is this:
"In January 2025, during routine reviews, we stumbled upon the deepin-feature-enable package, which was introduced on 2021-04-27 without consulting us or even informing us."
This package basically asked user permission and then injected D-Bus configs and Polkit policies from custom tarballs to circumvent openSUSE strict policy about new D-Bus and Polkit. Sounds shady, right?
But it has been happening for four years! It seems modern OSes and in particular are overbloated.
How can we expect normal user to know their system, if even maintainers have no idea what's happening behind the curtains?
It's good to see this resolved at last, but man, four years!
What's funny, this "shady" package description plainly states that it asks the user if they agree to openSUSE security circumvention to install D-Bus configs and PolKit policies.

security.opensuse.org/2025/05/

Removal of Deepin Desktop from openSUSE due to Packaging Policy Violation

At the beginning of this year we noticed that the Deepin Desktop as it is currently packaged in openSUSE relies on a packaging policy violation to bypass SUSE security team review restrictions. With a long history of code reviews for Deepin components dating back to 2017, this marks a turning point for us that leads to the removal of the Deepin Desktop from openSUSE for the time being.

security.opensuse.org · SUSE Security Team Blog

0
0
0

If you have a fediverse account, you can quote this note from your own instance. Search https://mastodon.bsd.cafe/users/chesheer/statuses/114478479320666769 on your instance and quote it. (Note that quoting is not supported in Mastodon.)