You are viewing a single thread.
View all comments
38 points

First time seeing hate for deepin. What’s wrong with it?

permalink
report
reply
106 points

It’s by a Chinese company, and collects telemetry on its users via Umeng+, which is a Beijing-based analytics company. Even though it’s open source, the code is large enough that it’s hard to tell if there is anythinf compromising in there from the Chinese government, and/or whether/what data collected by Umeng+ is making it to the Chinese government.

permalink
report
parent
reply
23 points

It’s unfortunate, because I really like the DE. Real stand out. If it were more trustworthy, it’d be my first choice.

permalink
report
parent
reply
8 points

Apparently you can download it from the AUR if you really want to.

permalink
report
parent
reply
18 points

So I guess the backdoor is buried DeepIn the code

permalink
report
parent
reply
-7 points

I mean a simple

grep -r “string” *

Does wonders to find anything, but you need to know what you’re looking for. I’d probably look for DNS names that end in government or China specific TLDs to start with.

permalink
report
parent
reply
29 points

grep -r "evil spyware" *

nothing? awesome, I guess this software is safe to use. Let’s gooo

permalink
report
parent
reply
10 points

it’s trivial to break that approach by obfuscating strings. You can do things like using base64 encoded strings in the source code, building strings from smaller component parts, or using rot13 on, say, the host component of a URI. That last one could be pretty interesting if you, as a threat actor, owned both permutations. The hostname (minus TLD) in the source code could be the nice, human readable version (www.happysite.org) that appears to be something legit. Then, when you rot13 it to www.uncclfvgr.org, traffic is sent to the evil site doing scary things. People can be far more tricksy than that. There’s also the whole issue around whether or not the binaries you’re running actually match the code in the repo. The xz kerfuffle showed how much can be hidden that way.

EDIT: I should make it clear that I don’t use Deepin or the DE it provides because I only use WMs with no desktop, so the distro and DE are of no interest to me. I don’t know if it’s a security hazard or not, I have no horse in this fight.

permalink
report
parent
reply
9 points

There are so many ways to obfuscate things that your approach won’t work.

permalink
report
parent
reply
43 points

First time seeing hate for deepin. What’s wrong with it?

Western concerns about connections to Chinese government

Radware’s head of threat research has commented on concerns about analytics collected by Deepin, and whether these are sent to the Chinese government: while the CNZZ analytics service has been removed, analytics are still collected, now by “Umeng+”.[29] According to cybersecurity lawyer Steven T. Snyder, due to the sheer size of Deepin’s codebase, it is impossible to really scrutinize all the code comprising it to be sure the Chinese government doesn’t have backdoors.[29] The project does remain fully open source allowing anyone to review, modify or change the code to meet their standards.

permalink
report
parent
reply
32 points

due to the sheer size of [the] codebase, it’s impossible […] to be sure [it] doesn’t have backdoors.

Meanwhile Linux and systemd

permalink
report
parent
reply
13 points

Well, Windows is worse by far

permalink
report
parent
reply
4 points

Idk about worse but it is possible for two things to be bad. If one spies for china and the other spies for america, they’re both effectively the same. There’s other more trustworthy options than either however, so unless someone has a gun to your head forcing you to pick one of the two this whataboutism is a false dichotomy, just pick “something else.”

permalink
report
parent
reply
-14 points
*

Ah yes, a dystopian government OS with direct uplink to the thought police is much less of a security risk and convenience loss than a by all objective measures reasonably working and widespread OS with broad compatibility, just because the latter is made by a for profit corporation, MICROSOFT EVUL GUYS AMIRITE

I’m a Linux user myself due to the hostile practices of win11, but get some perspective ffs

permalink
report
parent
reply
3 points

This is ridiculous. If someone could write the code, someone cluld analyze it. If noone has found anything suspicious or incriminating then this just seems like anti china propaganda. “Maybe this Chinese company is collecting data! Even though their code is publically available we cant know for sure!” Meanwhile every US company is sucking up telemetry on every keystroke. Like what a thing to argue about when Microsoft, Samsung, Google, Meta, etc etc exist. And tbh, id rather china have my data then the US anyway. The US is both more likely and more capable of using it against me.

permalink
report
parent
reply
8 points

Not just deepin, but really any piece of software made by a Chinese or Chinese owned company should be treated with suspicion. At least, until the inevitable fall of the CCP occurs.

permalink
report
parent
reply
17 points

This is insane. US companies blatantly collect data, meanwhile a chinese company releases OPEN SOURCE software that hasnt been shown to do anything malicious and your response is “but maybe they somehow hid some tracking in there”. Bro examine your prejudices.

permalink
report
parent
reply
9 points

What gets me is how everyone can spout this shit and not feel any shame. Somehow it’s okay when US companies do it, but even suspecting the Chinese is enough to shun something. I’m disappointed to see all the upvotes this bigotry gets.

permalink
report
parent
reply

linuxmemes

!linuxmemes@lemmy.world

Create post

Hint: :q!


Sister communities:

Community rules (click to expand)

1. Follow the site-wide rules
2. Be civil
  • Understand the difference between a joke and an insult.
  • Do not harrass or attack members of the community for any reason.
  • Leave remarks of “peasantry” to the PCMR community. If you dislike an OS/service/application, attack the thing you dislike, not the individuals who use it. Some people may not have a choice.
  • Bigotry will not be tolerated.
  • These rules are somewhat loosened when the subject is a public figure. Still, do not attack their person or incite harrassment.
3. Post Linux-related content
  • Including Unix and BSD.
  • Non-Linux content is acceptable as long as it makes a reference to Linux. For example, the poorly made mockery of sudo in Windows.
  • No porn. Even if you watch it on a Linux machine.
4. No recent reposts
  • Everybody uses Arch btw, can’t quit Vim, and wants to interject for a moment. You can stop now.

 

Please report posts and comments that break these rules!


Important: never execute code or follow advice that you don’t understand or can’t verify, especially here. The word of the day is credibility. This is a meme community – even the most helpful comments might just be shitposts that can damage your system. Be aware, be smart, don’t fork-bomb your computer.

Community stats

  • 6.6K

    Monthly active users

  • 1.1K

    Posts

  • 24K

    Comments