Fedora Drops Deepin Over Security Issues, Following SUSE's Lead

The packages had deteriorated into poor condition and been neglected for an extended stretch.
Fedora's assessment of Deepin's state before issuing the four-week contact ultimatum.

Deepin, the visually acclaimed Chinese desktop environment, has been quietly exiled from Fedora's repositories — not through a single dramatic rupture, but through the slow erosion of trust: unresolved security vulnerabilities, unreachable maintainers, and packages left to deteriorate. This follows SUSE's own removal of Deepin in 2025, where the concerns were sharper still, touching on alleged attempts to sidestep security review entirely. In the open-source world, where trust is infrastructure, the cost of silence and neglect is measured in exactly these kinds of quiet removals.

  • Fedora's vote was unambiguous — seven to zero — retiring all Deepin packages after a month-long window for engagement produced little more than silence and excuses.
  • SUSE had already sounded the alarm a year earlier, not just over vulnerabilities but over what appeared to be deliberate attempts to bypass security review procedures.
  • Fedora's own reviewers admitted the episode exposed a gap in their oversight infrastructure, acknowledging they lacked the formal mechanisms SUSE had to catch security-sensitive changes before they landed.
  • Deepin is not permanently banned, but reinstatement requires a full security review from scratch — a high bar with no timeline and uncertain motivation on Deepin's side.
  • Users who rely on Deepin can still run it as a standalone distribution, but its absence from Fedora signals a deepening credibility problem for the project across the broader Linux ecosystem.

Deepin, the Chinese desktop environment known for its visual elegance, has been removed from Fedora's repositories following a vote by the distribution's leadership — the second major Linux platform to take this step after SUSE made the same call in May 2025.

SUSE's removal had carried a pointed edge: beyond citing security vulnerabilities, SUSE alleged that Deepin's packagers had attempted to circumvent its security review process. That decision prompted Fedora to conduct its own examination, and what they found was troubling. One Fedora reviewer noted the episode had exposed a gap in the team's own oversight — they lacked the formal mechanisms needed to catch security-sensitive changes before they reached the distribution.

Fedora initially sought to work with Deepin's maintainers rather than act unilaterally. But the team found itself unable to reach key people, and the packages themselves had fallen into poor condition through apparent neglect. In April 2026, Fedora issued a formal ultimatum: four weeks to respond and commit to addressing the security concerns.

The deadline passed without meaningful engagement. Some maintainers who did respond said they were simply too busy; others never replied at all. On May 20, 2026, Fedora voted seven to zero to retire all packages maintained by the Deepin group.

The door is not entirely closed — Deepin can seek reinstatement, but only after completing a full security review from scratch. Whether the project has the resources or will to pursue that path remains an open question.

Deepin, the Chinese desktop environment that has earned praise for its visual polish, is finding itself locked out of major Linux distributions. The latest blow came when Fedora's development team voted to retire all Deepin packages from its repositories, citing unresolved security vulnerabilities and a breakdown in communication with the people responsible for maintaining the software.

This is the second major Linux distribution to take this step. SUSE had already removed Deepin from its systems back in May 2025, citing similar security concerns alongside something more pointed: evidence that Deepin's packagers had attempted to circumvent SUSE's security review process. That decision prompted Fedora to conduct its own examination of Deepin's code and practices. What they found was troubling enough that one Fedora reviewer noted the situation exposed a gap in their own oversight: the team was apparently lagging behind SUSE in having formal policies and mechanisms to catch security-sensitive package changes before they landed in the distribution.

Fedora initially tried to work with Deepin's maintainers to address the problems. But as conversations progressed, the Fedora team discovered they were unable to reach key people involved in Deepin's development and maintenance. The packages themselves, according to Fedora's assessment, had deteriorated into poor condition and had apparently been neglected for an extended stretch. Rather than simply removing Deepin outright, Fedora issued a formal ultimatum in April 2026: the team would attempt one final contact with Deepin's maintainers, giving them four weeks to respond and commit to fixing the security issues.

The deadline passed without the necessary engagement. Some of the people Fedora did manage to reach explained that they were simply too busy to dedicate time to resolving Fedora's concerns. Others never responded at all. On May 20, 2026, Fedora's leadership voted to retire all packages maintained by the Deepin group. The vote was decisive: seven in favor, zero opposed, zero abstaining.

The retirement is not quite a permanent ban. Fedora's decision includes a provision that Deepin can attempt to return to the distribution, but only after undergoing a complete security review from scratch. The team also instructed Fedora's release engineering group to reject any requests to restore the packages unless and until that review is completed and passed. For now, Deepin remains available to users who want to run it as a standalone distribution or install it on other systems, but it has lost its place in one of Linux's most widely used and respected distributions. Whether the project will have the resources and motivation to pursue reinstatement remains an open question.

The DDE packages appear to have been in very bad shape for an extended period of time.
— Fedora team, in their ultimatum to Deepin maintainers
The Hearth Conversation: Another angle on the story

Inventor

Why does it matter that Deepin got dropped from Fedora? It's still a desktop environment people can use.

Model

It matters because Fedora is a major distribution that millions of people rely on. When a package gets retired, users lose easy access to it, and the project loses credibility and reach. It signals that something is seriously wrong.

Inventor

But the source says Deepin can come back if it passes review. So this isn't permanent?

Model

Technically no, but practically it might be. The fact that maintainers couldn't even respond to Fedora's four-week contact window suggests the project may not have the capacity or will to go through another full security review.

Inventor

What was the actual security problem? The article mentions it but doesn't spell it out.

Model

The source doesn't give specifics, but it mentions attempts to bypass SUSE's review process. That's a red flag because it suggests intentional evasion, not just carelessness. That's harder to come back from.

Inventor

So SUSE did this first, and Fedora followed. Are other distros watching?

Model

Almost certainly. When SUSE and Fedora both move against a project, it sends a message to the entire ecosystem. Other maintainers are probably already reconsidering whether to keep Deepin in their repos.

Inventor

What does this say about open source maintenance in general?

Model

It shows the fragility of it. Deepin is beautiful software, but beauty doesn't matter if the people maintaining it can't or won't engage with the community's security standards. Open source depends on trust and communication. When those break down, the project gets isolated.
