submitted 5 months ago by ComradeRachel to c/opensuse@lemmy.world
[-] that_leaflet@lemmy.world 25 points 5 months ago

Short version

We don’t believe that the openSUSE Deepin packager acted with bad intent when he implemented the “license agreement” dialog to bypass our whitelisting restrictions. The dialog itself makes the security concerns we have transparent, so this does not happen in a sneaky way, at least not towards users. It was not discussed with us, however, and it violates openSUSE packaging policies.

...

The experience with Deepin software and its upstream during the code reviews that we performed has not been the best. More than once, security issues we reported have been replaced by new security issues. Other times, upstream did not invest the effort to fully analyze the issues we reported and fixed them insufficiently. Generally the communication with upstream proved difficult, maybe also due to the language barrier. While upstream stated at times that they don’t have enough resources to deal with security reports, which is worrying enough, the design and implementation of Deepin D-Bus components often changed radically in unrelated ways. This makes the security assessment of Deepin components a moving target. Building trust towards Deepin components has thus been extremely difficult over the years.

The history of Deepin code reviews clearly shows that upstream is lacking security culture, and the same classes of security issues keep appearing....

[-] sugar_in_your_tea@sh.itjust.works 2 points 5 months ago

The history of Deepin code reviews clearly shows that upstream is lacking security culture, and the same classes of security issues keep appearing…

Ouch.

[-] that_leaflet@lemmy.world 2 points 5 months ago

Security is hard and not the fun part of programming (for most people anyway).

KDE and GNOME have problems too.

Rationale for Accepting kio-admin into openSUSE

We have dealt with these types of APIs in KDE since 2017 without achieving any notable improvements. As we are responsible for product security we tried to protect our users from potentially harmful components. At this point, though, we don’t believe that this situation will change anytime soon. Meanwhile users still want to use features like the one found in Dolphin, and don’t understand why openSUSE does not include them.

https://security.opensuse.org/2025/02/21/kio-admin-admittance.html

[-] sugar_in_your_tea@sh.itjust.works 2 points 5 months ago

Oh certainly. What I was pointing out is the repeated failure and lack of acknowledgement of security issues. KDE and GNOME take it seriously, it seems Deepin does not.

[-] swelter_spark@reddthat.com 9 points 5 months ago
this post was submitted on 08 May 2025
35 points (100.0% liked)