openSUSE Removes Deepin Desktop Over Security Policy Violations

openSUSE removes Deepin Desktop after discovering a policy-violating workaround used to bypass required security reviews of sensitive system components.

In recent development, the openSUSE project has decided to remove the Deepin Desktop Environment (DDE), well-known for its polished visuals and user-friendly experience, from its repositories, citing substantial packaging policy violations.

According to disclosures from the openSUSE security team, a troubling workaround was discovered in the DDE packaging. Specifically, the Deepin community packager introduced a “license agreement” dialog within the deepin-feature-enable package, effectively circumventing standard security review processes required by openSUSE.

Ordinarily, components such as D-Bus system service configurations and Polkit policies must undergo stringent review by the SUSE security team before being whitelisted for inclusion in openSUSE distributions.

In this case, however, the discovered “license agreement” allowed users to bypass these security checks, installing components flagged by the security team as potentially unsafe simply by accepting the license.

Deepin's license agreement allows users to bypass the security checks.
Deepin’s license agreement allows users to bypass the security checks.

This practice emerged during routine security reviews in January 2025, revealing that key Deepin components, such as the deepin-daemon and file manager, had bypassed formal review processes altogether.

Although the Deepin packager likely did not intend malicious harm and openly communicated the security concerns via the “license agreement,” the approach was nonetheless deemed unacceptable due to clear violations of openSUSE’s packaging policies and the potential security risks posed to users.

The deeper issue, however, is rooted in the historically strained interactions between openSUSE security teams and Deepin’s upstream developers.

Reports indicate recurring security concerns, insufficient vulnerability remediation, and inconsistent communication, possibly exacerbated by language barriers (Deepin is a Chinese Linux distro heavily targeting users in China) and limited upstream resources. Consequently, maintaining a secure and reliable integration of Deepin within openSUSE has become increasingly untenable.

Given the security record of Deepin and the concerns expressed in the previous section, we don’t recommend the use the Deepin desktop at this time.

In response to these developments, openSUSE will entirely remove Deepin Desktop from the Tumbleweed rolling release and the forthcoming Leap 16.0 distribution. For Leap 15.6 users, only the problematic deepin-feature-enable package will be removed.

For users who wish to continue using Deepin despite acknowledged security concerns, openSUSE suggests manually adding the Deepin development project repositories. Nevertheless, users are urged to exercise caution given the outlined security risks.

For more information, see the official openSUSE announcement.

Image credits: openSUSE

Bobby Borisov

Bobby Borisov

Bobby, an editor-in-chief at Linuxiac, is a Linux professional with over 20 years of experience. With a strong focus on Linux and open-source software, he has worked as a Senior Linux System Administrator, Software Developer, and DevOps Engineer for small and large multinational companies.

One comment

  1. Wilbur Jaywright

    “Well-known for its polished visuals and user-friendly experience,” until you actually try to do anything with it. It immediately falls apart. Also, there’s a typo in the quote, though I’m not sure if it was you or them.

Leave a Reply

Your email address will not be published. Required fields are marked *