At the beginning of this year we noticed that the Deepin Desktop as it is currently packaged in openSUSE relies on a packaging policy violation to bypass SUSE security team review restrictions. With a long history of code reviews for Deepin components dating back to 2017, this marks a turning point for us that leads to the removal of the Deepin Desktop from openSUSE for the time being.
I had no idea that (open)SUSE was so security minded in their packaging. It makes sense in retrospect. It sucks they didn’t catch this earlier, but this response makes me happy to use Tumbleweed.
Barring Arch and boutique distros, other distros normally have even better packaging standards than openSUSE. By far.
No they don’t. openSUSE, especially Tumbleweed, is way more security-focused than other distros.
It’s a very low-trust default install, and it takes some work to get things through the firewall. Compare that to Fedora where every port above 2025 is open by default.
That is orthogonal to packaging standards, packaging security, and packaging policy violations…
Compare this: https://www.debian.org/doc/debian-policy/
With this single page: https://en.opensuse.org/openSUSE:Packaging_guidelines
In case you think “but those policies are not needed, they are superfluous” (like some Arch devs): they are not. Packagers send their fixes upstream, and then other distros, with lower standards, consume the already fixed upstream releases, and sometimes pretend that this work was not needed nor present, not realizing that all distros benefit from it even if your policies are more relaxed.
There’s a reason why the Deepin Desktop Environment was never part of Debian, and was only available via their own PPA repositories, even though the Deepin distro is based on Debian.