The openSUSE security team reported that a community packager implemented a workaround to bypass the project's standard RPM packaging mechanisms. The workaround allowed restricted assets, files that the distribution requires to pass security review before they can be shipped, to be installed without that review ever being triggered.
This bypass was considered a serious policy violation because openSUSE relies on strict packaging rules to ensure that components interacting with sensitive system functionality undergo mandatory security checks.
Once that violation was discovered, the project removed Deepin packages from its distributions until the issues could be resolved.
Fedora developers evaluating their own Deepin packages were therefore already aware of the concerns raised by openSUSE.
Beyond packaging policy violations, several technical security concerns were repeatedly raised during reviews of Deepin components.
Reports highlighted issues involving D‑Bus services and privilege escalation paths, particularly where Deepin components interact with system services. Some reporting also referenced problems in Deepin's handling of Polkit (PolicyKit), the framework that decides whether an unprivileged process is authorized to have a system service perform an administrative action on its behalf.
One area of long‑running concern was the Deepin file manager’s D‑Bus service, whose security review had been ongoing for years without reaching a stable resolution. Reviewers noted that fixes sometimes addressed reported problems only partially or introduced new issues in subsequent updates.
Because a system-bus D‑Bus service typically runs with elevated privileges and accepts method calls from unprivileged desktop sessions, it effectively exposes system functionality to every application on the machine. A method that performs a privileged operation without first checking the caller's authorization, or a bus policy that lets an ordinary user claim the service name, is a direct privilege escalation path, which is why such services need careful audit before they are packaged.
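To make concrete what "insufficient restrictions" on a D‑Bus service looks like in practice, here is an added example; it is not code or configuration from Deepin, Fedora or openSUSE. It lists the two files a packager ships for a hypothetical system service: the D‑Bus bus policy, which decides who may own and call the service name, and the Polkit action definition, which decides whether a caller may have the service perform a privileged operation. The service name org.example.Manager, the action id org.example.manager.write-config, and the file paths are assumptions chosen for illustration. For each file, the first version is the kind of setting a security reviewer would reject and the second is the corrected form.

```xml
<!-- File 1, weak version: /usr/share/dbus-1/system.d/org.example.Manager.conf
     (hypothetical service; names constructed for this example).
     Granting "own" in the default context lets ANY local user claim the
     well-known name, so an unprivileged process can impersonate the daemon
     and receive calls that clients believe are going to the root-owned service. -->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy context="default">
    <allow own="org.example.Manager"/>
    <allow send_destination="org.example.Manager"/>
  </policy>
</busconfig>

<!-- File 1, corrected version: only root may own the name. Ordinary users may
     still send calls to it, but only on the service's own interface; deciding
     which callers may trigger privileged methods is left to Polkit inside the
     service, not to the bus policy. -->
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.example.Manager"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Manager"
           send_interface="org.example.Manager"/>
  </policy>
</busconfig>

<!-- File 2, weak version: /usr/share/polkit-1/actions/org.example.manager.policy
     (hypothetical action id). allow_active=yes grants the action to every
     active local session with no authentication at all, so the privileged
     operation behind it is available to any logged-in user. -->
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="org.example.manager.write-config">
    <description>Write the system-wide configuration</description>
    <message>Authentication is required to modify the system configuration</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
</policyconfig>

<!-- File 2, corrected version: an active local session must authenticate as an
     administrator; auth_admin_keep caches that grant briefly so repeated calls
     do not re-prompt, while remote and inactive sessions remain denied. -->
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<policyconfig>
  <action id="org.example.manager.write-config">
    <description>Write the system-wide configuration</description>
    <message>Authentication is required to modify the system configuration</message>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
```

Two caveats a reviewer applies to files like these. First, a correct Polkit action file protects nothing by itself: the service must actually call org.freedesktop.PolicyKit1.Authority.CheckAuthorization with that action id for the calling connection before it performs the operation, and a method that skips the call is exposed regardless of the defaults. Second, these paths are exactly the "restricted assets" that distribution packaging policy routes through security review, so a package that drops such files in place through a post-install script or a separate enabler package, rather than shipping them openly in the RPM, is circumventing the check rather than satisfying it. On a running system, busctl --system introspect org.example.Manager /org/example/Manager (substituting the real names) lists the methods a reviewer then needs to trace to their authorization checks.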
Another factor influencing both distributions was communication and responsiveness from upstream developers.
During earlier security reviews, openSUSE maintainers reported difficulty getting issues addressed upstream, and noted that the fixes that did arrive sometimes left the underlying problem in place.
For Linux distributions, upstream collaboration is critical. When maintainers cannot reliably coordinate with upstream developers, it becomes harder to:
Combined with the packaging violation and unresolved technical concerns, this lack of effective coordination contributed to the decision to remove Deepin from official repositories.
The removal from Fedora and openSUSE repositories does not mean Deepin itself has disappeared. It simply means those distributions no longer ship or maintain the packages in their official repositories.
Users who prefer Deepin still have several options:
However, using unofficial packages comes with trade‑offs. Packages outside official repositories may not undergo the same level of security auditing or packaging policy checks required by distributions like Fedora or openSUSE.
The Deepin removal highlights an important reality of Linux distribution governance: inclusion depends not only on features or popularity but also on maintainability, transparency, and security review compliance.
Even visually polished or widely used desktop environments can be removed if maintainers cannot ensure secure integration with the underlying system.
For Fedora and openSUSE, the decision ultimately reflects a conservative security stance—prioritizing trustworthy packaging and responsive maintenance over keeping every desktop environment available in the official repositories.