
openSUSE deep sixes Deepin desktop over security stink – Source: go.theregister.com


Source: go.theregister.com – Author: Liam Proven

SUSE has kicked the Deepin Desktop Environment (DDE) out of its community-driven Linux distro, openSUSE, and the reasons it gives for doing so are revealing.

SUSE’s security team published a blog post – Removal of Deepin Desktop from openSUSE due to Packaging Policy Violation – that makes for eye-opening reading. The news comes just a week after openSUSE Leap 16 entered beta, a release which contains some interesting wrinkles of its own.

Deepin is the desktop of Chinese vendor Uniontech’s OS, Linux Deepin, which we last looked at in August 2024. In terms of appearance, the Deepin desktop is gorgeous. It’s colorful, fluid, and friendly. It has a strong Windows 11 influence on its layout, but it’s not a direct clone like the strange Wubuntu distro. It is also found on a few other distros, such as Ubuntu DDE, which we last looked at when the 22.04 version appeared.

According to the SUSE Security Team, though, DDE’s beauty is only skin deep. Beneath the polished surface, it’s not pretty at all. The team enumerates a whole list of problems, including claimed abuses of D-Bus and Polkit, but also some very poor design decisions. Some of these represent major security holes in the dde-api-proxy module, which are covered in depth here. The team has also publicly reported issues with Deepin’s D-Bus services and the Deepin clone tool.

SUSE’s engineers have raised these issues with the upstream developers, and in the few cases where the company did get responses or code changes, its opinion of those is not positive. The team also reports serious concerns about how the developer has packaged the desktop to work around a lack of approval from SUSE. The result is that installing this official-looking package would leave the user’s system vulnerable to attack – even though it’s ostensibly one of the desktops in the distribution’s own repositories, making it appear trustworthy.

So Deepin gets the boot. Out of what we consider remarkable generosity, though, the packager’s repository is being left as available, so if you’re determined to run this attractive but potentially risky environment, you still can – but only by manually adding the repo yourself.

A userbase of millions

For us, it’s an interesting revelation. The Reg FOSS desk tries to track developments in the Chinese Linux space, and Deepin is a major product over there, with millions of users. The main other contender in Chinese desktop environments is UKUI, designed for Ubuntu Kylin but available in many other distros too. We looked at several UKUI distros in 2022.

The Chinese distros we’ve tried are all noticeable for a considerably higher level of polish than all but a handful of the biggest names in Western FOSS desktops. They look great, work well, integrate features like handwritten input, facial recognition, “AI” chatbots, Android emulation, and more. They come with suites of homegrown apps, even if these are sometimes functionally quite basic, and well-stocked app stores.

They need to be this way in order to compete with effectively free incumbents from the West. The Register has been reporting on pirated Windows in China since at least the turn of the century, and we noted when the Windows 10 upgrade program tried to tackle the issue.

Even if not shockingly, we may be seeing why. SUSE’s findings suggest poor quality code, thrown together with insufficient concern for system security. Issues with quality control are well known, which is part of the reason that, remarkably, China only developed the tooling to make ballpoint pens as recently as 2017. Additionally, of course, there’s less reason to rigorously secure your OS if your government may compel you to install spyware in it anyway.

You beta, you beta, you bet

Aside from the retreat on the Eastern front, where is openSUSE going next? Well, there is a roadmap to give the general direction. We looked at the plans for Leap 16 at the start of last year, and now the beta is here.

It sounds startlingly different from the openSUSE of old. The announcement delivers several shocks. It says it is “expected to be Wayland-only,” although “some Xorg remnants remain for now.” That will dramatically cut the range of desktops for a start – and eliminate most of this vulture’s favorites.

But there’s more sad news. “The traditional YaST stack is retired.” Instead, users will get the Red Hat-backed Cockpit for web-based server management, and the new Myrlyn graphical package manager as a replacement for YaST’s software tool.

This vulture was a SUSE Linux user long before he worked for the company, and for us, YaST is one of the cornerstones of the SUSE and openSUSE experience. Running a Linux box by editing config files is the sort of geek machismo that typifies Linux users, and alienates Windows ones – driving them into Apple’s welcoming embrace. Rather than try to work out which config file, in which folder, with which cryptic syntax, you need to edit – and with which cryptic 1970s text editor, of course – for nearly 30 years, SUSE boasted one tool with one interface that let you manage every aspect of a SUSE box. Text mode or graphics mode, locally or remotely, YaST was there for you. But no more. It is very much in line with modern trends in simplification, though. Why have one tool, when you could have two?

SUSE has some industry-leading technology. It’s the only Linux vendor whose immutability function offers users the ability to turn it on and off at will. SUSE achieves this through clever use of a modern file system, rather than totally rebuilding the OS from the metal up, as Red Hat and Canonical have been forced to do. Although development of its next-generation distribution has been slow – it’s nearly three years since we first reported on it – it is getting there. We hope that the price of admission will not be too high for grizzled SUSE veterans.

The Leap 16 beta is available for download now. ®

Original Post URL: https://go.theregister.com/feed/www.theregister.com/2025/05/09/opensuse_ditches_deepin/
