Recently, openSUSE announced its decision to remove the Deepin Desktop Environment (DDE) from its distribution, citing concerns about compliance with its security policies. The deepin community takes this matter seriously and has reflected on it carefully. Below is our official statement on the causes of this incident and the corrective measures we will implement.
Acknowledging the Issue and Conducting Reflection
We fully respect the decision of the openSUSE team and commend their rigorous approach to system security. Over the past years, some security vulnerabilities reported by the openSUSE security team were not promptly resolved due to shortcomings in our community’s security response mechanisms. We sincerely apologize to the openSUSE team, downstream package maintainers, and all affected users. We pledge to use this incident as an opportunity to drive comprehensive systemic improvements. Upon receiving openSUSE’s announcement, we immediately communicated with the openSUSE team and contributors maintaining the DDE packages for openSUSE, sharing our subsequent improvement plans with the openSUSE security team.
Comprehensive Rectification and Transparent Follow-Up
To address historical issues and establish long-term security mechanisms, we have initiated the following corrective actions. Progress will be publicly tracked and monitored by the community:
1. Deadline for Fixing Historical Security Issues (to be completed by the end of May 2025)
Prioritized Security Review: Conduct a full review of all security issues previously reported by openSUSE and their resolution status. For unresolved issues, detailed repair plans will be formulated.
In-Depth Risk Scanning: Beyond the issues already reported, we will audit projects that may be affected by the same class of vulnerability (e.g., deepin-daemon), so that the underlying flaw is fixed everywhere it occurs rather than only where it was reported.
2. Establishing Technical Accountability and Process Standards
Appointing Security Technical Leads: Multiple security issues in DDE were related to D-Bus and Polkit configurations, and they stemmed from the same mistakes being repeated across projects and developers. To address this, we will designate dedicated technical reviewers for D-Bus and Polkit to rigorously audit all configuration changes and additions.
Reducing Reliance on Privileged Services: In future development, we will minimize the use of privileged services in DDE (e.g., D-Bus system services running as root), so that a flaw in a single component exposes as little privilege as possible and system integrity is preserved.
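As an added example (not code from the deepin project or from openSUSE), the following Python script shows the kind of check such a reviewer might run over Polkit action files and D-Bus system-bus policy files: it flags Polkit defaults that are the literal `yes` (no authentication for that session type) and default-context bus rules that let any user send arbitrary methods to a root-owned name or claim that name themselves. The action ids, bus names and all three sample files are constructed for illustration and do not describe any actual DDE issue; a `yes` default is not always wrong, so the output is a review list, not a verdict.

```python
"""Review aid for Polkit action defaults and D-Bus system-bus policies.
Added example, not deepin code. Samples are constructed; org.example.* names
are hypothetical."""
import xml.etree.ElementTree as ET

# Constructed Polkit action file. The first action lets any user in an active
# local session run it with no authentication; the second requires admin auth.
SAMPLE_POLICY = """<?xml version="1.0" encoding="UTF-8"?>
<policyconfig>
  <action id="org.example.daemon.set-hostname">
    <description>Change the system hostname</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>
  <action id="org.example.daemon.install-package">
    <description>Install a package</description>
    <defaults>
      <allow_any>no</allow_any>
      <allow_inactive>no</allow_inactive>
      <allow_active>auth_admin_keep</allow_active>
    </defaults>
  </action>
</policyconfig>
"""

# Constructed bus policy for a root-owned service: the default context may send
# any method to it, so every method must perform its own Polkit check.
WEAK_BUSCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
  <policy context="default">
    <allow send_destination="org.example.Daemon"/>
  </policy>
</busconfig>
"""

# Hardened form: unprivileged callers reach only introspection and one
# read-only method. Later rules override earlier ones, so the deny comes first.
HARDENED_BUSCONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<busconfig>
  <policy user="root">
    <allow own="org.example.Daemon"/>
  </policy>
  <policy context="default">
    <deny send_destination="org.example.Daemon"/>
    <allow send_destination="org.example.Daemon"
           send_interface="org.freedesktop.DBus.Introspectable"/>
    <allow send_destination="org.example.Daemon"
           send_interface="org.example.Daemon" send_member="GetStatus"/>
  </policy>
</busconfig>
"""

DEFAULTS = ("allow_any", "allow_inactive", "allow_active")


def audit_polkit(xml_text):
    """Return (action_id, default) pairs whose default is the literal "yes"."""
    findings = []
    for action in ET.fromstring(xml_text).iter("action"):
        defaults = action.find("defaults")
        if defaults is None:
            continue  # no <defaults> means Polkit denies by default
        for name in DEFAULTS:
            node = defaults.find(name)
            if node is not None and (node.text or "").strip() == "yes":
                findings.append((action.get("id", "?"), name))
    return findings


def audit_dbus(xml_text):
    """Return (finding, name) pairs: 'any-user-may-own' when the default context
    may claim a well-known name; 'unrestricted-send-to-privileged' when it may
    send any interface/member to a root-owned name, or to every destination."""
    root = ET.fromstring(xml_text)
    root_owned = {
        allow.get("own")
        for policy in root.findall("policy") if policy.get("user") == "root"
        for allow in policy.findall("allow") if allow.get("own")
    }
    findings = []
    for policy in root.findall("policy"):
        if policy.get("context") != "default":
            continue
        for allow in policy.findall("allow"):
            owned = allow.get("own") or allow.get("own_prefix")
            if owned:
                findings.append(("any-user-may-own", owned))
            dest = allow.get("send_destination")
            if dest is None:
                continue
            restricted = allow.get("send_interface") or allow.get("send_member")
            if dest == "*" or (dest in root_owned and not restricted):
                findings.append(("unrestricted-send-to-privileged", dest))
    return findings


if __name__ == "__main__":
    print("polkit:", audit_polkit(SAMPLE_POLICY))
    print("dbus weak:", audit_dbus(WEAK_BUSCONFIG))
    print("dbus hardened:", audit_dbus(HARDENED_BUSCONFIG))
```

To use it on a real system, feed the contents of each file under /usr/share/polkit-1/actions/ to `audit_polkit` and each file under /usr/share/dbus-1/system.d/ to `audit_dbus`; a finding on a root-owned name means the reviewer must confirm that every exported method of that service checks Polkit itself, since the bus will not.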
3. Strengthening Security Response and Collaboration Mechanisms
Establishing a Security Response Center: We will improve the responsiveness of the dedicated security mailbox (security@deepin.org). All security matters will be handled centrally by the security team, which will coordinate with downstream communities and maintainers, so that reports are neither overlooked nor handled ad hoc by individual developers.
Improving Packaging Collaboration: To prevent situations in which downstream maintainers are forced into workarounds such as deepin-feature-enable because of packaging compliance issues, we will proactively engage with DDE maintainers across distributions, understand their constraints, and provide code-level support for better solutions.
4. Enhancing Code Modularity and Auditability
To simplify security audits, we will emphasize code modularity so that features can be shipped as optional modules. Core DDE functionality will be decoupled from extensions rather than tightly integrated with them.
Gratitude and Apologies
We extend our gratitude to the openSUSE team for their long-standing support of DDE and their persistent oversight of security issues. We also thank openSUSE’s DDE package maintainers for their contributions. The deepin community always prioritizes security and user experience. This incident has profoundly reinforced our commitment to security. We pledge to collaborate more openly, adhere to stricter standards, and respond more swiftly, working with global developers and partners to build a secure and reliable desktop ecosystem.
Finally, we apologize once again to all users, developers, and partners who support DDE. The deepin community will leverage this incident to elevate our technical capabilities and community accountability, delivering a safer and more stable open-source desktop environment for users worldwide.
deepin Community
May 9, 2025
Attachments: