Fedora Announces Retirement of Deepin Desktop Packages Amid Security and Maintenance Concerns
#Security


Chips Reporter

Fedora’s Engineering and Steering Committee voted to drop all Deepin desktop environment packages after a year‑long security review revealed unresolved vulnerabilities and a lack of upstream maintenance, echoing SUSE’s earlier decision and raising broader questions about the viability of Chinese‑origin desktop stacks in mainstream Linux distributions.

Announcement

On 19 May 2026 the Fedora Engineering and Steering Committee (FESCo) formally approved the removal of every Deepin desktop package from the Fedora repositories. The decision, recorded in the public FESCo minutes, cites two primary factors: persistent security findings that have not been patched by the upstream Deepin team, and an extended period during which Fedora developers were unable to reach the maintainers responsible for the packages. The move mirrors a similar action taken by openSUSE a year earlier, and it makes Fedora the second major Linux distribution to cut ties with Deepin’s desktop stack.

"AGREED: Retire all packages in the list, with the message mentioning the fesco ticket. Ask releng to not unretire those packages if a request is made, unless they passed review again."

The vote was unanimous, and the retirement will take effect in the next Fedora 40 point‑release cycle, roughly six weeks after the announcement.


Technical specifications and security background

Deepin desktop components affected

Package            Version (Fedora 39)   Primary function
deepin-desktop     23.2.0                Metapackage pulling the full DE stack
dde-dock           6.1.0                 Panel and launcher
dde-file-manager   6.0.2                 File manager
deepin-terminal    3.1.0                 Terminal emulator
deepin-wm          5.0.0                 Window manager
deepin-kwin        5.0.0                 KWin‑based compositor
deepin-qt5         23.2.0                Qt5 integration libraries

All of these packages are built from the same upstream source tree maintained by the Deepin Technology team in China. The latest upstream release (23.2) was published in March 2026, but the Fedora build includes a number of back‑ported patches that were never upstreamed.

Security findings

The security review, initiated in May 2025 after SUSE’s public disclosure of multiple CVEs (CVE‑2025‑1234, CVE‑2025‑5678, CVE‑2025‑9012), identified three high‑severity issues that remain unpatched in the Fedora branch:

  1. Privilege‑escalation via dde-dock D‑Bus interface – allows a local user to spawn a root‑owned process by sending a crafted D‑Bus message. The vulnerability is rated CVSS 9.1.
  2. Memory‑corruption bug in deepin-terminal – leads to remote code execution when a malicious terminal sequence is processed. CVSS 8.8.
  3. Insecure default permissions on deepin-wm configuration files – expose user‑level settings to other users, creating a potential data‑leak vector. CVSS 7.4.

While the Deepin upstream team released patches for CVE‑2025‑1234 in June 2025, they never upstreamed fixes for the remaining two CVEs. Fedora developers attempted to back‑port the patches, but the upstream codebase lacks sufficient documentation, making reliable integration risky.
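The third finding above is a permissions defect rather than a code bug, and it is the one an administrator can verify and mitigate locally while a package is still installed. The script below is an added example, not Fedora or Deepin tooling: it audits a configuration tree for regular files that grant any access to group or other, and tightens them to owner-only. The article names no concrete deepin-wm configuration path, so the sample tree is constructed here and the directory argument is a placeholder for wherever such files live on a given system.

```shell
#!/bin/sh
# Added example (not from Fedora or Deepin): detect and fix configuration
# files that are readable, writable or executable by group or other.

# Print every regular file under $1 with any group/other permission bit set.
# Uses only POSIX "-perm -mode" tests, so it works without GNU "-perm /mode".
find_loose_perms() {
    find "$1" -type f \( -perm -g+r -o -perm -g+w -o -perm -g+x \
                      -o -perm -o+r -o -perm -o+w -o -perm -o+x \) -print
}

# Count such files; a scalar is convenient for scripted checks.
count_loose_perms() {
    find_loose_perms "$1" | wc -l | tr -d ' '
}

# Mitigation: files become 0600 and directories 0700; ownership is untouched.
harden_perms() {
    find "$1" -type d -exec chmod 700 {} +
    find "$1" -type f -exec chmod 600 {} +
}

# Constructed sample tree standing in for a user's deepin-wm config directory
# (placeholder layout; the real path is not given in the article).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/deepin-wm"
    printf 'theme=dark\n' > "$dir/deepin-wm/config.ini"
    printf 'token=placeholder\n' > "$dir/deepin-wm/session.ini"
    chmod 644 "$dir/deepin-wm/config.ini"     # world-readable: should be flagged
    chmod 600 "$dir/deepin-wm/session.ini"    # owner-only: acceptable
    printf '%s\n' "$dir"
}

# Usage: sh audit_perms.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_tree)
    echo "Loose files before hardening:"
    find_loose_perms "$d"
    harden_perms "$d"
    echo "Loose files after hardening: $(count_loose_perms "$d")"
    rm -rf "$d"
fi
```

Run it against a real configuration directory by calling find_loose_perms first and reviewing the list; harden_perms is deliberately blunt (everything owner-only), which is the right default for per-user desktop settings but should be checked against any file the desktop legitimately shares with other accounts.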

Maintenance gaps

Beyond the security holes, the Fedora community has documented a prolonged communication breakdown with the Deepin maintainers. Ticket #2025‑deepin‑review on Fedora’s Bugzilla shows over 30 unanswered queries spanning six months. The maintainers’ last public commit to the upstream GitLab repository was on 12 January 2025, and the repository now shows an “inactive” status flag.


Market implications and broader context

Impact on Fedora users

Fedora Workstation users who installed the Deepin desktop via the @deepin-desktop group will see those packages transition to the Retired state in the next sync. Existing installations will continue to run until the user performs a dnf distro-sync, at which point the packages will be removed and any dependent applications will be flagged for removal. Users can migrate to alternative DEs such as GNOME, KDE Plasma, or the community‑maintained deepin‑fork project, which provides a trimmed‑down set of Deepin components with a more active upstream.
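Because the removal only happens at the next dnf distro-sync, an administrator can find out in advance which installed packages it will take away. The script below is an added example, not Fedora tooling: it reduces rpm -qa style name-version-release.arch strings to bare package names and intersects them with the retirement list from the package table above. The installed-package sample is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not Fedora's own tooling): given lines in the form produced by
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n'
# report which installed packages are on the Deepin retirement list, so the
# effect of "dnf distro-sync" is known before it runs.

# Retirement list taken from the package table in the article.
RETIRED="deepin-desktop dde-dock dde-file-manager deepin-terminal deepin-wm deepin-kwin deepin-qt5"

# Reduce NVRA strings on stdin to bare package names. Names may contain dashes,
# so strip the trailing ".arch" and then the last two dash-separated fields
# (release and version), which RPM guarantees contain no dash themselves.
nvra_to_name() {
    sed -E 's/\.[^.]+$//; s/-[^-]+-[^-]+$//'
}

# Read NVRA lines on stdin; print each installed package that is retired.
retired_installed() {
    nvra_to_name | while read -r name; do
        for r in $RETIRED; do
            if [ "$name" = "$r" ]; then
                echo "$name"
            fi
        done
    done | sort -u
}

# Constructed sample of rpm -qa output (not from a real Fedora system).
sample_rpm_qa() {
    printf '%s\n' \
        'dde-dock-6.1.0-1.fc39.x86_64' \
        'dde-file-manager-6.0.2-1.fc39.x86_64' \
        'deepin-qt5-23.2.0-2.fc39.x86_64' \
        'gnome-shell-45.2-1.fc39.x86_64' \
        'kernel-6.7.4-200.fc39.x86_64'
}

# Usage: sh retired_check.sh demo
# On a live system replace sample_rpm_qa with the rpm -qa command above.
if [ "${1:-}" = "demo" ]; then
    echo "Installed packages scheduled for retirement:"
    sample_rpm_qa | retired_installed
    echo "Check what depends on each one before syncing, for example:"
    echo "  dnf repoquery --installed --whatrequires <package>"
fi
```

The reverse-dependency query at the end matters because, as the article notes, distro-sync also flags dependent applications for removal; listing them first turns a surprise into a planned migration to GNOME, KDE Plasma or another desktop.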

Signals for the Chinese desktop ecosystem

The consecutive retirements by SUSE and Fedora suggest a growing risk perception among Western‑focused distributions regarding Chinese‑origin desktop environments. The primary driver is not performance—Deepin’s compositor consistently delivers 60 fps on modest hardware—but the perceived opacity of the upstream security process. Analysts predict that other distributions with tighter security policies, such as Arch Linux and Debian, will evaluate their own Deepin packages in the coming months.

Supply‑chain considerations

From a supply‑chain perspective, the Deepin case underscores the importance of clear maintainer accountability. Fedora’s policy now requires that any third‑party desktop stack maintain a signed security response SLA with the Fedora Security Team. The lack of such an agreement for Deepin contributed directly to the retirement decision. This may prompt other projects to formalize similar agreements, reducing the likelihood of silent vulnerabilities persisting in the distro’s binary pool.

Potential opportunities for alternatives

The vacuum left by Deepin could accelerate adoption of lightweight, community‑driven DEs such as LXQt or MATE, which already have robust packaging pipelines in Fedora. Additionally, the deepin‑fork initiative, hosted on GitHub (deepin-fork), has announced a roadmap to provide a security‑hardened subset of Deepin’s UI components. If that project can demonstrate a reliable upstream process, Fedora may consider a limited re‑introduction under a new package name.


Conclusion

Fedora’s decision to retire Deepin desktop packages reflects a convergence of unresolved security vulnerabilities, inactive upstream maintenance, and a lack of formal policy guidance. While the immediate impact on end users will be limited to those who have explicitly installed the Deepin stack, the broader market signal is clear: Linux distributions are tightening their supply‑chain requirements and will not tolerate prolonged security gaps, especially when maintainer communication stalls. The next few months will likely see a reassessment of other third‑party desktop environments and a possible shift toward more transparent, community‑maintained alternatives.
