At the beginning of this year we noticed that the Deepin Desktop as it is currently packaged in openSUSE relies on a packaging policy violation to bypass SUSE security team review restrictions. With a long history of code reviews for Deepin components dating back to 2017, this marks a turning point for us that leads to the removal of the Deepin Desktop from openSUSE for the time being.
  • 𝕽𝖚𝖆𝖎𝖉𝖍𝖗𝖎𝖌𝖍@midwest.socialEnglish
    191·
    1 day ago

    Hooo-ly shit, that’s a concerning read. I have to go blacklist Deepin; it’s in Arch extra/.

    The whole article is concerning, but this part was really scary:

    The service methods were not only unauthenticated and thus accessible to all users in the system, but the D-Bus configuration file also allowed anybody to own the D-Bus service path on the system bus, which could lead to impersonation of the daemon. Among other issues, the D-Bus service allowed anybody in the system to create arbitrary new UNIX groups, add arbitrary users to arbitrary groups, set arbitrary users’ Samba passwords or overwrite almost any file on the system by invoking mkfs on them as root, leading to data loss and denial-of-service.