by Arround The Web

Fedora Pulls the Plug on Deepin Over Security and Maintenance Failures

Fedora's Engineering Steering Committee (FESCo) has voted to retire all Deepin-related packages from the distribution's repositories.

The vote passed with +7, 0, 0 at a May 19 meeting. On top of that, the release engineering team has been told not to reinstate any of these packages unless they go through a fresh review.

A year in the making

The story starts with openSUSE. In May 2025, their security team published a detailed report on Deepin's packages, stating that they had pulled them from their repos after a review had flagged serious problems across multiple components.

The deepin-file-manager daemon had significant D-Bus interface issues, some of which stayed unfixed even after partial patches. Both deepin-api and deepin-system-monitor were found using deprecated Polkit authentication in an unsafe way.

That report prompted Adam Williamson of the Fedora QA team to open a ticket with a pointed question attached. If SUSE's security team found all of this, what did Fedora's situation look like?

Turns out Fedora had been shipping these packages without any meaningful security review, and the project's own package review guidelines were found lacking, with no requirements, tools, or instructions for reviewers to consider security issues.

A thing to note here is that some security-related guidelines did exist at one point but were deleted years ago.

Was already on life support

By the time FESCo cast its vote, the Deepin packages were already in rough shape on their own. Core packages had been failing to build across Fedora 42, 43, and 44.

The desktop environment had already been pulled from Fedora spins and fedora-comps months earlier because essential packages simply could not build.

The group that was supposed to steward this effort in Fedora, the DeepinDE SIG, lost many of its key members over time. One of the original maintainers, Zamir Sun, who had served as the SIG's coordinator, confirmed as much in a reply to FESCo's outreach email:

To make a long story short, all the initial packagers of the Deepin DE packages (namely felixonmars, mosquito (no longer with Fedoraproject) and cheeselee in FAS, and me as the coordinator) are being too busy for the vast amount of work in maintaining DeepinDE. And we never got active packagers to take the effort so we have to see it going away from Fedora.

That left Felix Wang (topazus) as the one person still actively touching the packages, and topazus has not been replying to bug reports, maintainer pings, or direct emails.

And whenever Fedora's build failure policy automatically orphaned a package, topazus would simply reclaim it without fixing anything.

FESCo sent its formal outreach on May 5 and gave four weeks for a response. With nothing substantive coming back, the committee moved to retire the full package set. Release Engineering has also been told not to reinstate any of these packages unless they go through a proper review first.

So that is the end of the line for Deepin on Fedora, for now. If, in the future, some people step up and take the packages through a fresh review, maybe this desktop environment will make a comeback.

But given the state things were left in, that is not a bet anyone should be making just yet.

Source: It's FOSS