Deepin Desktop removed from openSUSE

The SUSE Security Team has announced the removal of the Deepin
Desktop from openSUSE due to violations of the project's packaging
policy.

The discovery of the bypass of the security whitelistings via the
deepin-feature-enable package marks a turning point in our assessment
of Deepin. We don't believe that the openSUSE Deepin packager acted
with bad intent when he implemented the 'license agreement' dialog to
bypass our whitelisting restrictions. The dialog itself makes the
security concerns we have transparent, so this does not happen in a
sneaky way, at least not towards users. It was not discussed with us,
however, and it violates openSUSE packaging policies. Beyond the
security aspect, this also affects general packaging quality
assurance: the D-Bus configuration files and Polkit policies installed
by the deepin-feature-enable package are unknown to the package
manager and won't be cleaned up upon package removal, for
example. Such bypasses are not deemed acceptable by us.

The combination of these factors led us to the decision to remove
the Deepin desktop completely from openSUSE Tumbleweed and from the
future Leap 16.0 release. In openSUSE Leap 15.6 we will remove the
offending deepin-feature-enable package only. It is a difficult
decision given that the Deepin desktop has a considerable number of
users. We firmly believe the Deepin packaging and security assessment
in openSUSE needs a reboot, however, ideally involving new people that
can help get the Deepin packages into shape, establish a relationship
with Deepin upstream and keep an eye on bugfixes, thus avoiding
fruitless follow-up reviews that just waste our time. In such a new
setup we would be willing to have a look at all the sensitive Deepin
components again one by one.

The announcement goes into detail about the bypass of
openSUSE packaging policy and the history of security reviews of
Deepin components. It also offers guidance on continuing
to use Deepin Desktop on openSUSE.