Fedora and openSUSE Remove Deepin Desktop Packages Over Security and Policy Violations
What Happened — Fedora and openSUSE have both removed the Deepin Desktop Environment (DDE) packages from their official repositories. The decision follows a forensic review that uncovered a packaging workaround bypassing RPM security checks, a prior policy violation, and a history of unencrypted telemetry to a Chinese analytics service.
Why It Matters for TPRM —
- Supply‑chain risk: third‑party desktop environments can introduce hidden malicious code or insecure binaries.
- Compliance exposure: using unvetted packages may breach internal security policies or regulatory standards.
- Operational impact: downstream customers may lose access to a UI they depend on, forcing migration or remediation.
Who Is Affected — Linux distribution vendors (Fedora, openSUSE), enterprises and developers that ship or rely on Deepin packages, and any downstream users of those distributions.
Recommended Actions —
- Inventory any systems that have installed Deepin Desktop packages from Fedora/openSUSE repos.
- Remove or replace DDE with a vetted desktop environment (e.g., GNOME, KDE).
- Conduct a code‑review of any retained Deepin binaries and verify integrity signatures.
- Update procurement policies to require supply‑chain security attestations for third‑party Linux components.
Technical Notes — The offending packaging employed a custom script that sidestepped the standard RPM build process, effectively allowing restricted assets to be installed without the usual verification. Earlier versions of Deepin also sent unencrypted browser‑agent data to CNZZ, a Chinese analytics platform, though recent forensic sweeps found no active spyware in the core code. Source: ZDNet Security