Extract of the statement:
“The history of Deepin code reviews clearly shows that upstream is lacking security culture, and the same classes of security issues keep appearing. Although we only looked at a small fraction of the code Deepin consists of, we found security issues nearly every time we looked at one of its components.”
I try to dig a bit deeper about the packager and upstream, so I looked for 1st hand sources.
The packager, Hillwood Yang, is an #openSUSE member, who also complained about the upstream when packaging DDE:
https://hillwoodhome.net/2020/09/24/deepin-desktop-wont-be-brought-into-opensuse/
But he soon submitted his “workaround”, which is what openSUSE accusing now:
https://build.opensuse.org/project/show/X11:Deepin:Factory#comment-1437010
Besides that I saw not relations between packager and upstream.
Two things are sure:
1. Code from upstream is in bad quality
2. The packager for openSUSE bypasses the security guideline
But there’s no obvious evidence that the upstream initiated the idea.
A space for Bonfire maintainers and contributors to communicate
