At the beginning of this year we noticed that the Deepin Desktop as it is currently packaged in openSUSE relies on a packaging policy violation to bypass SUSE security team review restrictions. With a long history of code reviews for Deepin components dating back to 2017, this marks a turning point for us that leads to the removal of the Deepin Desktop from openSUSE for the time being.
This is what vertical integration between distros and GUIs often leads to. This could be completely innocuous from Deepin’s end, because that’s just how they made it work in Deepin because they have vertical integration on their own stack. However, it’s completely bad form.
In general Deepin seems to adopt a lot of commercial software industry practices in building its tools, which I’m sympathetic to on some level, but it’s very obvious that the Linux community is not going to accept default-on telemetry. They should have known better after the CNZZ incident.
Wasn’t vertical integration, was done by packager.
We don’t believe that the openSUSE Deepin packager acted with bad intent when he implemented the “license agreement” dialog to bypass our whitelisting restrictions. The dialog itself makes the security concerns we have transparent, so this does not happen in a sneaky way, at least not towards users. It was not discussed with us, however, and it violates openSUSE packaging policies.
Right, but what I’m saying is that the design to need these things was likely based on Deepin running their own distro. They don’t have to consider the security guidelines of other distros like KDE or Gnome, XFCE or Enlightenment would.