
ZDNET’s key takeaways
- Deepin Linux has been suspect for some time.
- SUSE and Fedora have dropped all Deepin packages.
- The only way forward for Deepin is a strict code review.
The first time I tested Deepin Desktop Environment (DDE), it blew me away. I thought, “This new Linux desktop will finally be the open-source operating system’s big breakthrough.”
For a while, it looked as if my prediction might come to fruition.
But things took a concerning detour. Seven years ago, several YouTube videos reminded us that sometime around 2018, the Deepin Store was sending unencrypted requests to the Chinese equivalent of Google Analytics (CNZZ). The data sent to CNZZ included the user’s browser agent and other bits of information. Deepin addressed that issue and stopped collecting data.
According to Foss Linux, a forensic sweep found no evidence of active spyware in Deepin’s core.
SUSE cuts ties with the Chinese distro
Then, in 2025, things started to unravel for Deepin when SUSE decided to cut ties with the Chinese distribution. According to SUSE’s findings, “we noticed a policy violation in the packaging of the Deepin desktop environment in openSUSE. To get around security review requirements, our Deepin community packager implemented a workaround that bypasses the regular RPM packaging mechanisms to install restricted assets.”
The report continues, “As a result of this violation, and in the light of the difficult history we have with Deepin code reviews, we will be removing the Deepin Desktop packages from openSUSE distributions for the time being.”
Deepin’s problems did not end with SUSE.
On the heels of SUSE’s announcement, the team behind Fedora (which Red Hat Enterprise Linux is based on) decided to follow suit and remove the Deepin packages due to similar security concerns. A Phoronix post quoted the Fedora Engineering and Steering Committee (FESCo) saying, “Retire all packages in the list…ask releng to not unretire those packages if a request is made, unless they passed review again.”
In a report on XDA, it was noted that Fedora “would try one more time to get in touch with the people behind Deepin’s maintenance, as ‘the DDE packages appear to have been in very bad shape for an extended period of time.’ If they didn’t reply within four weeks, Fedora would ditch Deepin.”
Deepin Desktop no longer in Fedora or SUSE repos
Well, those four weeks passed, and Fedora has officially dropped Deepin packages from the mainstay distribution.
This means you can no longer install Deepin Desktop from the official Fedora or SUSE repositories. Yes, you could build it from source and have it run on Fedora, but given the nature of this shift, why would you?
With two major Linux distributions dropping DDE due to ongoing security concerns since 2018, the writing is on the wall. Unless the developers behind Deepin make some major changes, what was once called the most beautiful Linux desktop is dead in the water.
That’s a shame, but it should also serve as a warning to every team creating a Linux desktop (or software in general).
That’s not to say that all is lost with Deepin. If the Deepin code could pass a stringent review, Fedora might allow the packages back in. Will that happen? No one knows.
It’s all in the open
The vast majority of Linux software is open-source, meaning anyone can download, view, modify, and repackage the code. Because of that, anyone with the necessary skills can comb through the code and look for anything suspicious. Or, users can install the software, run tools like Wireshark, and see if any network traffic is going to suspect locations. I’ve done it before — it’s not hard.
On top of that, with the advent of AI, those issues can now be spotted more quickly; with everything out in the open, developers won’t be able to hide malicious code.
As this Deepin issue has persisted for nearly 10 years and given the rise in Linux kernel vulnerabilities, it was no surprise to see the packages pulled.
The good news is that over the past few years, several Linux desktop environments have surpassed Deepin in aesthetics. KDE Plasma, Pantheon, Budgie, and even GNOME can be customized to look as good as (if not better than) Deepin Desktop. Saying goodbye to Deepin is really no skin off Linux’s back.
Even so, it is a shame that such a beautiful Linux desktop environment had to fall out of favor, simply because the developers refuse to comply with security standards that have become a necessity in a world that is plagued by bad actors and malicious code.