Due to security policy violations and a packaging bypass, #openSUSE is removing the #Deepin #Desktop from Tumbleweed and Leap 16.0. Read the full story: https://linuxiac.com/opensuse-removes-deepin-desktop-over-security-policy-violations/
For me, reading this post took about 10 minutes, since I not only read it but also processed and checked the references, and I tooted about it immediately.
It is quite sobering to read about something this horrific happening in an Open Source project of this magnitude of volume.
This is something you would expect in closed source, not open source; it's like a shower of 0 degrees Celsius water flowing over you in the depth of the coldest Siberian winter.
#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #frightmare #Infosec #nightmare #elmStreet
This is where the depth of the deception became clear
>>
The review of this component was also what led us to the discovery of the deepin-feature-enable whitelisting bypass, since we installed the full Deepin desktop environment for the first time in a long time, which triggered the “license agreement” dialog described above. After finding out about this, we decided that it was time to reassess the overall topic of Deepin in openSUSE based on our long-standing experiences.
<<
#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #WTF #frightmare #Infosec #nightmare #elmStreet
This part I screen capped for accentuation
>>
2024-08-29: deepin-api-proxy: D-Bus Service
After a longer time of standstill regarding Deepin reviews, a request for the addition of deepin-api-proxy arrived. This package greeted us with over two dozen D-Bus configuration files. Again, upstream’s description of what the component is supposed to do was very terse. From looking at the implementation we deduced that the proxy component seems to be related to the renaming of interfaces described in the previous section.
We found a design flaw in the proxy’s design which allowed a local root exploit. You can find the details in a dedicated blog post we published about this not too long ago.
It is noteworthy that the communication with upstream proved very difficult during the coordinated disclosure process we started for this finding. We did not get timely responses, which nearly led us to a one-sided publication of the report, until upstream finally expressed their wish to follow coordinated disclosure at the very last moment.
<<
I now have really seen it all: The Good, the Bad and the Ugly in Open Source programming.
#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #WTF #frightmare #Infosec #nightmare #elmStreet
More excerpts
>>
Sadly the review of deepin-app-services was another chaotic case, one that is actually still unfinished. Even understanding the purpose of this D-Bus service was difficult, because there wasn’t really any design documentation or purpose description of the component. From looking at the D-Bus service implementation, we judged that it is a kind of system wide configuration store for Deepin. Contrary to most other Deepin D-Bus services, this one is not running as root but as a dedicated unprivileged service user.
<<
This reads like a horror novel, but it's actually happening! Unbelievable how this has harmed a distro with many dedicated users!
https://security.opensuse.org/2025/05/07/deepin-desktop-removal.html
#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #wtf #frightmare #Infosec #nightmare #elmStreet
The Deepin frightmare
Excerpt from linked site
>>
After reviewing the main D-Bus service, we could not help ourselves but call it a security nightmare. The service methods were not only unauthenticated and thus accessible to all users in the system, but the D-Bus configuration file also allowed anybody to own the D-Bus service path on the system bus, which could lead to impersonation of the daemon. Among other issues, the D-Bus service allowed anybody in the system to create arbitrary new UNIX groups, add arbitrary users to arbitrary groups, set arbitrary users’ Samba passwords or overwrite almost any file on the system by invoking mkfs on them as root, leading to data loss and denial-of-service. The daemon did contain some Polkit authentication code, but it was all found in unused code paths; to top it all off, this code used the deprecated UnixProcess Polkit subject in an unsafe way, which would make it vulnerable to race conditions allowing authentication bypass, if it had been used.
<<
¿WTF?
https://security.opensuse.org/2025/05/07/deepin-desktop-removal.html
#openSUSE #Linux #POSIX #OpenSource #programming
#Deepin #WTF #frightmare #Infosec #nightmare #elmStreet
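The excerpt above describes two separate weaknesses: methods that the daemon itself never authenticates, and a D-Bus configuration file that lets anybody own the service name on the system bus and so impersonate the daemon. The first can only be fixed in the daemon's code; the second is visible in the busconfig XML shipped under /usr/share/dbus-1/system.d/ and can be checked mechanically. The following is an added example, not code from the openSUSE security team or from the Deepin project: a small auditor for busconfig policy files, run over two constructed policies. The bus name org.example.Daemon and both policy snippets are placeholders, not real Deepin configuration.

```python
"""Audit D-Bus system-bus policy files for overly broad ownership and access rules.

Added example, not code from the openSUSE review or the Deepin project.
Bus name 'org.example.Daemon' and both policy snippets are constructed.
"""
import pathlib
import xml.etree.ElementTree as ET

# Constructed weak policy: <policy context="default"> applies to every connection
# on the bus, so the <allow own=...> rule lets any local user claim the name and
# answer clients in place of the real daemon.
WEAK_POLICY = """<!DOCTYPE busconfig PUBLIC
 "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy context="default">
    <allow own="org.example.Daemon"/>
    <allow send_destination="org.example.Daemon"/>
  </policy>
</busconfig>
"""

# Constructed corrected policy: only the daemon's own user may own the name;
# other users may only send to it, restricted to one interface. Privileged
# methods still need authorization (e.g. Polkit) inside the daemon itself.
SAFE_POLICY = """<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Daemon"
           send_interface="org.example.Daemon1"/>
  </policy>
</busconfig>
"""


def describe_scope(policy):
    """Return who a <policy> element applies to (user=, group= or context=)."""
    if policy.get("user") is not None:
        return "user=" + policy.get("user")
    if policy.get("group") is not None:
        return "group=" + policy.get("group")
    return "context=" + policy.get("context", "default")


def audit_policy(xml_text):
    """Return a list of (severity, message) findings for one busconfig file."""
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("policy"):
        scope = describe_scope(policy)
        for rule in policy.findall("allow"):
            owned = rule.get("own") or rule.get("own_prefix")
            if owned and not scope.startswith("user="):
                # Ownership granted to a context or group rather than one user:
                # every matching connection can impersonate the service.
                severity = "HIGH" if scope.startswith("context=") else "MEDIUM"
                findings.append((severity, f"{scope} may own {owned!r}: "
                                 "callers can be answered by an impostor"))
            dest = rule.get("send_destination")
            unrestricted = not (rule.get("send_interface") or rule.get("send_member"))
            if dest and scope.startswith("context=") and unrestricted:
                # Not a bug by itself, but it means the daemon must authorize
                # every privileged method in its own code.
                findings.append(("INFO", f"{scope} may call every method of "
                                 f"{dest!r}; daemon must authorize privileged calls"))
    return findings


def audit_directory(directory):
    """Audit every *.conf file in a busconfig directory; returns {filename: findings}."""
    return {conf.name: audit_policy(conf.read_text())
            for conf in sorted(pathlib.Path(directory).glob("*.conf"))}


if __name__ == "__main__":
    for label, text in (("weak", WEAK_POLICY), ("safe", SAFE_POLICY)):
        print(label, audit_policy(text))
```

On a real system, `audit_directory("/usr/share/dbus-1/system.d")` reports the same findings for the installed policies; a HIGH finding there means the bus itself will hand the name to whoever asks first, regardless of how careful the daemon's code is.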
openSUSE has announced the removal of the Deepin DE; the reasons include the packager attempting to bypass openSUSE's security review.
- DDE is a desktop environment developed by Deepin Technology.
- As a feature-rich desktop environment, DDE has a large number of packages that need review. Because of the many security issues found and openSUSE's backlog during a period of team reorganisation, the review begun in 2017 was never completed.
- During a check in January 2025, openSUSE found something suspicious about the deepin-feature-enable package introduced in 2021. A script inside the package explains to the user that the DDE and openSUSE teams disagree on security and lets the user manually choose to enable features that the openSUSE security team had not approved. openSUSE had assumed that the completion of the extensive review meant DDE's components had passed it, but in fact the core components had never been reviewed and were instead enabled on users' systems through this package.
- The openSUSE team does not consider Deepin's behaviour malicious, because it was open with users, but the DDE development team's security awareness is insufficient and the package violates openSUSE packaging policy, so openSUSE decided to remove the DDE packages from Leap 16.0 onwards and from the Tumbleweed rolling release.
- Although openSUSE no longer recommends using Deepin DE, users who want to keep using DDE can add the Deepin package repository manually following the method in the article.
security.opensuse.org/~
#openSUSE #Deepin
Telegram original
openSUSE removes Deepin Desktop after discovering a policy-violating workaround used to bypass required security reviews of sensitive system components.
https://linuxiac.com/opensuse-removes-deepin-desktop-over-security-policy-violations/
#Deepin DE, the open source #Linux desktop developed by a Chinese company, was removed from the #openSUSE official repo.
According to openSUSE, this is due to upstream deliberately bypassing the security guidelines and requirements and smuggling in system packages when users install Deepin DE.
Now DDE is only available in 3rd party repo.
https://security.opensuse.org/2025/05/07/deepin-desktop-removal.html
Which team are you?
Debian-based Deepin 23.1 is out now with Linux kernels 6.6/6.12, smarter updates, improved hardware support, AI upgrades, and over 100 bug fixes.
https://linuxiac.com/deepin-linux-23-1-launches-with-smarter-ai/
NodeJS problematic
Ranking #linux Distributions for 2025
Time for this week's #Linux and #OpenSource news video, in which we have #Deepin 25 going immutable, the kernel 6.13, and Intel rediscovering the lost tech of "modular computers":
The upcoming Deepin Linux 25 release will introduce Solid, an immutable system offering enhanced security, snapshot management, and a layered architecture.
https://linuxiac.com/deepin-linux-25-goes-almost-immutable/
#Deepin 25 #Linux preview looks and feels more like #Windows - but is it safe? If you're facing the end of #Windows10 and seeking a #Linux alternative, the #Deepin #distro has evolved into something you might like. There's just one catch.
https://www.zdnet.com/article/deepin-25-linux-preview-looks-and-feels-more-like-windows-but-is-it-safe/
Deepin 25 changes direction: read-only core system with atomic updates, AI-powered features, brand-new window compositing engine, an optimized DDE, and more.
https://linuxiac.com/deepin-linux-25-preview/
Which is your favourite one?
#deepin #linux #Ubuntu #opensource
Which #distro is your daily driver? Starting out with #LinuxMint has been a lot of fun, but I'm looking for something more visually appealing like #Deepin or #GarudaLinux. Bonus points if it's a distribution with a focus on digital security. I'm also partly looking for inspiration for a long-term project I have in mind to build my own OS (way down the line).