Extract of the statement:

“The history of Deepin code reviews clearly shows that upstream is lacking security culture, and the same classes of security issues keep appearing. Although we only looked at a small fraction of the code Deepin consists of, we found security issues nearly every time we looked at one of its components.”

#Linux#openSUSE

I tried to dig a bit deeper into the packager and upstream, so I looked for first-hand sources.

The packager, Hillwood Yang, is an #openSUSE member, who also complained about the upstream when packaging DDE:

https://hillwoodhome.net/2020/09/24/deepin-desktop-wont-be-brought-into-opensuse/

But he soon submitted his “workaround”, which is what openSUSE is accusing him of now:

https://build.opensuse.org/project/show/X11:Deepin:Factory#comment-1437010

Besides that, I saw no relations between the packager and upstream.

Two things are sure:
1. Code from upstream is of bad quality
2. The packager for openSUSE bypasses the security guidelines

But there’s no obvious evidence that the upstream initiated the idea.

#Linux