The developers of the Opensuse have announced the removal of the deepin package from the repository due to violations of project rules regarding safety verification of packages. It was discovered that the deepin project attempted to bypass the safety review rules set by Opensuse and did not notify the security team. As a result, the package “deepin-feature-enable” was placed in the repository in April 2021, containing unstable security issues.
The package required users to agree to license terms which stated that certain components necessary for Deepin were excluded from the official repository due to safety concerns. If users agreed to decrease security and accepted the license, the installation included additional components bypassing the standard mechanisms of the packet manager RPM.
Users were also instructed to manually install the packages Deepin-File-Manager-Dbus and Deepin-File-Manager-Polkit, and then run a script to download additional configuration files required for the Deepin File Manager service. D-Bus.
Opensuse guidelines dictate that D-Bus Services and Polkit policies must only be accompanied by installation files after security checks by the SUSE SECURITY TEAM and approval for inclusion. Some Deepin components passed the security check and were included in standard packages, while others were sent back for refinement. However, instead of addressing the safety issues properly, the deepin project chose to bypass the problems.
