Fedora Drops Deepin Desktop Environment: Security Flaws and Maintenance Lapses Lead to Removal

Overview

In a decisive move, the Fedora Engineering Steering Committee (FESCo) has voted to remove all Deepin-related packages from Fedora's repositories. The decision, passed unanimously on May 19, follows a year-long investigation into serious security vulnerabilities and a complete breakdown of maintenance efforts. The release engineering team has been instructed not to restore any packages unless they undergo a fresh review—a signal that Deepin's presence in Fedora is effectively over for the foreseeable future.

Fedora Drops Deepin Desktop Environment: Security Flaws and Maintenance Lapses Lead to Removal
Source: itsfoss.com

Background: The openSUSE Report That Started It All

The trouble began in May 2025 when the openSUSE security team published a detailed report on Deepin's packages. They had already pulled all Deepin components from their own repositories after a review revealed critical flaws across multiple components. The report highlighted severe D-Bus interface issues in the deepin-file-manager daemon—some of which remained unfixed even after partial patches were applied. Additionally, both deepin-api and deepin-system-monitor were found to be using deprecated Polkit authentication in an insecure manner, leaving users exposed to privilege escalation attacks.

Fedora's Response: A Wake-Up Call Ignored

Adam Williamson, a member of Fedora's QA team, saw the openSUSE report and raised a pointed question: If SUSE's security team had uncovered these issues, what was the state of Fedora's own Deepin packages? The answer was troubling. Fedora had been shipping Deepin without any meaningful security review. The project's own package review guidelines were found lacking—no requirements, tools, or instructions existed for reviewers to consider security issues. Remarkably, some security-related guidelines had once been in place but were deleted years ago, leaving a dangerous gap.

The Missing Security Review Process

Fedora's package review process had no built-in security checks for Deepin packages. This meant that even if a reviewer wanted to evaluate risks, there were no standards to follow. The openSUSE report essentially served as an external audit that exposed Fedora's own oversight.

Deepin's Declining Health in Fedora

By the time FESCo cast its vote, the Deepin packages were already on life support. Core components had been consistently failing to build across Fedora 42, 43, and 44. The desktop environment had been removed from Fedora spins and fedora-comps months earlier because essential packages simply could not compile. The situation was dire, and no one was stepping up to fix it.

The Stewardship Crisis

The DeepinDE Special Interest Group (SIG) had lost most of its key members over time. Zamir Sun, the former SIG coordinator, explained in an email to FESCo: "To make a long story short, all the initial packagers of the Deepin DE packages (namely felixonmars, mosquito, cheeselee, and me as the coordinator) are being too busy for the vast amount of work in maintaining DeepinDE. And we never got active packagers to take the effort so we have to see it going away from Fedora." This left only one maintainer, Felix Wang (known as topazus), who was still actively touching the packages—but he was unresponsive to bug reports, maintainer pings, and direct emails. Whenever Fedora's automatic build-failure policy orphaned a package, topazus would simply reclaim it without fixing the underlying problems.


The Final Vote and Aftermath

On May 5, FESCo sent a formal outreach to the Deepin maintainers, giving them four weeks to respond. With no substantive reply, the committee moved forward. The vote on May 19 was unanimous: +7 in favor, 0 against, 0 abstentions. The release engineering team has been instructed not to reinstate any Deepin packages unless they go through a proper, security-conscious review from scratch. As of now, Deepin's journey in Fedora has reached an abrupt end.

Implications for the Future

This decision sends a clear message: security and maintenance are non-negotiable for packages in Fedora. The committee's move also highlights the need for a robust security review process to prevent similar lapses. For users, it means that Deepin is no longer available as an installable desktop environment in Fedora. However, the door is not entirely closed—if a new group of maintainers emerges and submits properly reviewed packages, Deepin could theoretically return. For now, though, the chapter is closed.

Summary of Key Events

  • May 2025: openSUSE posts a security report detailing critical flaws in Deepin packages.
  • After May 2025: Fedora discovers it had been shipping Deepin without security reviews.
  • Months prior to vote: Deepin packages fail to build; desktop removed from spins.
  • May 5: FESCo reaches out to maintainers, receives no meaningful response.
  • May 19: FESCo votes 7-0 to retire all Deepin packages.
  • Current: Packages cannot be reinstated without a fresh review.