Removal of Deepin Desktop from OpenSUSE Due to Packaging Policy Violation (opens in new tab)

(security.opensuse.org)

44 pointsmilliams1y ago10 comments

10 comments

10 comments · 3 top-level

I'm a little surprised that they covered a work-around to install Deepin - I wouldn't expect a team with such a strong opinion to make a judgement call on whether or not to distribute the software but then go out of their way to document platform-specific steps to use it, rather than leaving that responsibility to Deepin.

personalcompute1y ago

I was impressed at this. By sharing side-load instructions and by the the overall restrained language of the post, they're emphasizing that this is not a personal attack on Deepin or an attempt to hurt Deepin and also emphasizing that OpenSUSE leadership understands the value of their community and have no power fantasy aspirations about trying to exert undue control over the users of the distribution. Really, OpenSUSE had more than enough ammunition to make a scathing takedown on the behavior of the Deepin maintainer and all of Deepin upstream, and many other OSS leaders would have done so ("Fuck Nvidia" anyone?), but they did not. They chose restraint and statements encouraging reconciliation. Cheers to the author for keeping it together in this obviously quite disappointing situation.

GuinansEyebrows1y ago

opensuse continuously impresses me on a community level but for some reason it's one of the only major distros i've never actually tried running. not sure why!

parag0ne1y ago

That surprised me too. It's strange to see one of the most well-known Linux names to suggest adding an unreviewed repo that contains known security flaws in official documentation.

catkitcourt1y ago

Nobody suggests anyone adding a repo. It has already been stated very clearly in the article:

> 5) How to Continue Using Deepin on openSUSE

> Given ..., we don’t recommend to use the Deepin desktop at this time. If you still ... then you can add the Deepin devel project repositories to your system...

remram1y ago· 2 in thread

This is really concerning, how many other packages are distributed by OpenSUSE which do not match their policies and are not reviewed?

A Linux distribution is supposed to be more coherent and vetted than an app store. This... does not inspire confidence.

catkitcourt1y ago

A Linux distribution is free to define its own security policy, which serves as a common understanding between developers and users.

And not all packages require auditing. The primary concern here lies with D-Bus services. Many D-Bus services need to run as root while allowing non-root users to access them. This enables users to perform tasks such as mounting or unmounting block devices without relying on SUID or sudo.

Such services are often referred to as "security boundaries", because they help isolate different privilege levels. Thus, security of those service is vital, especially in enterprise-oriented distributions.

remram1y ago

The package showed a big license agreement and implemented circumvention steps! We're a bit beyond the D-Bus auditing issues.

znpy1y ago· 1 in thread

> The history of Deepin code reviews clearly shows that upstream is lacking security culture

As somebody that doesn't write code for a living (i manage infrastructure)... besides common sense, where would one start looking in order to learn "security culture" ?

pjmlp1y ago

Since you mention infrastructure,

https://www.fortinet.com/resources/cyberglossary/shift-left-...

Follow up reading CIS and related reasonings.

https://www.cisecurity.org/cis-benchmarks

There are also some Linux Plumers, NDC and Devvoxx talks on security.

j / k navigate · click thread line to collapse

10 comments

10 comments · 3 top-level

GuinansEyebrows1y ago· 4 in thread

personalcompute1y ago

GuinansEyebrows1y ago

opensuse continuously impresses me on a community level but for some reason it's one of the only major distros i've never actually tried running. not sure why!

parag0ne1y ago

That surprised me too. It's strange to see one of the most well-known Linux names to suggest adding an unreviewed repo that contains known security flaws in official documentation.

catkitcourt1y ago

Nobody suggests anyone adding a repo. It has already been stated very clearly in the article:

> 5) How to Continue Using Deepin on openSUSE

> Given ..., we don’t recommend to use the Deepin desktop at this time. If you still ... then you can add the Deepin devel project repositories to your system...

remram1y ago· 2 in thread

This is really concerning, how many other packages are distributed by OpenSUSE which do not match their policies and are not reviewed?

A Linux distribution is supposed to be more coherent and vetted than an app store. This... does not inspire confidence.

catkitcourt1y ago

A Linux distribution is free to define its own security policy, which serves as a common understanding between developers and users.

remram1y ago

The package showed a big license agreement and implemented circumvention steps! We're a bit beyond the D-Bus auditing issues.

znpy1y ago· 1 in thread

> The history of Deepin code reviews clearly shows that upstream is lacking security culture

As somebody that doesn't write code for a living (i manage infrastructure)... besides common sense, where would one start looking in order to learn "security culture" ?

pjmlp1y ago

Since you mention infrastructure,

https://www.fortinet.com/resources/cyberglossary/shift-left-...

Follow up reading CIS and related reasonings.

https://www.cisecurity.org/cis-benchmarks

There are also some Linux Plumers, NDC and Devvoxx talks on security.

j / k navigate · click thread line to collapse