LINUX PICKS AND PANS

Deepin Linux: Security Threat or Safe to Use?

Open source operating systems in general are less worrisome because their code is open to inspection by anyone with the skills to understand it. Does that mean Linux computing platforms from nongovernmental sources in politically tense countries are equally worry-free?

At least one situation last year brought FOSS’ safe-to-use reputation into question. The potential problem involved the Deepin Linux distribution.

Given that several governments — including the U.S. — have concerns with Android-based mobile phone products made by Huawei, should related security concerns extend to Deepin Linux?

That question recently was posed by several Linux Picks and Pans readers following the release late last year of Deepin 15.8. In my review of that release, which focused on improvements to the in-house desktop environment called the “Deepin Desktop Environment,” or DDE, I did not address the security issue — but I wondered if I should.

The latest version, Deepin 15.10.1, appeared earlier this month as a quick fix to a weeks-old release of Deepin 15.10. The quick fix resolved an issued preventing Nvidia m250 and GTX 1060 graphics cards from enabling window effects.

The timely security question regarding how safe it was to use Deepin and the interesting new features built into DDE presented a perfect opportunity for an update. The latest Deepin Linux release has impressive new features and tweaks that make it notably better than version 15.8, which I last reviewed.

Deepin Linux 15.10 Wallpaper selection panel and slideshow feature

The Wallpaper selection panel scrolls attractive colorful images across the bottom of the screen. The new slideshow feature lets you show your favorite pictures at any interval you designate.
– click image to enlarge –

The Deepin desktop is one of the more interesting new desktop alternatives to consider. It is different, productive and gorgeous in its own right.

Deepin Deep Dive

With the launch of version 15 in late 2015, the Deepin distro, based in China, shed its Ubuntu base in favor of Debian Linux Unstable branch. That brought numerous subtle changes in the code base and software roots. Ubuntu Linux itself also is based on Debian Linux.

The chief distinguishing factor underlying Deepin’s growing popularity is its home-grown Deepin desktop Environment (DDE). It is one of the more modern desktop environments. Deepin is one of the first Linux distros to take advantage of HTML 5 technology.

Coinciding with the base affiliation change, the developers, Deepin Technology Co. Ltd., slightly changed the distro’s name. What was “Deepin Linux” is now “deepin.” That subtle rebranding was an attempt to differentiate it from previous releases named “Deepin,” “Linux Deepin” and “Hiweed GNU/Linux.”

However, the subtlety of “Deepin” versus “deepin” has all but lost its purpose. Regardless of whether the name is spelled “deepin” or “Deepin Linux” (as in this review), this distro offers users an eloquent, modern-themed Linux OS. It is easy to use and comes with high-quality software developed in house.

Work in Progress

DDE started out with lofty goals but mediocre execution. The Deepin desktop is now well-designed and very functional. Desktop shells are valued largely for how simple they are to use and how functional they are for a user’s productivity. DDE’s modern design is intuitive and classy. This latest release adds to its growing feature set.

Deepin Linux has gone through a continuing development change. This latest version marks yet another transition in the code base. No longer is the base pegged to the Debian Unstable branch.

The change to Debian Stable branch may be a step back from the bleeding edge of software packages and such, but Debian Stable is no slouch. This shift allows Deepin’s developers to keep moving forward with innovations and improved performance using a more stable base.

The Deepin desktop is offered in a widening assortment of popular Linux desktops, but the best user experience is found in this distro. That might well be the result of the in-house software the community of developers designed to run optimized for the Deepin OS.

Choice of Distro and Desktop

Other Linux distros running the Deepin desktop miss much of the unique integration you get in Deepin Linux. Often you get the software versions provided by the distro you are running.

The Linux distros offering the Deepin desktop are Archlinux, Manjaro, Ubuntu, Gentoo, Fedora, Puppy Linux, SparkyLinux, Antergos, Pardus and openSuse. Each one has its own flavor linked to the characteristics of the host distribution.

I have sampled these options, mostly for the sake of comparison. One of the better versions is available in the Manjaro Deepin Community Edition.

Safe to Use?

I posed the security question to three cybersecurity experts, raising the issues that several LinuxInsider readers asked in response to my previous Deepin Linux review.

Due to world politics and questionable tactics by other Chinese device makers, concerns have surfaced about Deepin’s potential security risk. In short, those concerns focus on whether the Linux distribution created by a developer team in China is safe to use due to its open source rather than proprietary nature.

The concerns include whether this distro’s components are being utilized to leach information back to Chinese governmental interests. Could Deepin Linux be the first instance of a Linux distro targeted by a government for surreptitious data collection?

None of my expert sources were aware of any occurrences involving spyware or malware embedded in the OS code related to Deepin Linux or any other distros. However, a concern did surface last year surrounding Deepin’s website and Appstore, according to Daniel Smith, head of threat research at Radware.

“These use a statistical analysis service called ‘CNZZ,’ now ‘Umeng+.’ It’s similar to Google Analytics in the fact that it collects data such as user agents, source and screen resolution,” he told LinuxInsider.

At the moment, no evidence exists to suggest that the Chinese government is leaching information from the analytic service used by Deepin OS, Smith said.

If this distro has been targeted to return user information back to anyone without notification, it might be the first instance of a Linux distro targeted by a government for surreptitious data collection, he agreed.

A thin line separates developmental data gathering from surreptitious information gathering. Most software to some extent collects data regardless of its country of origin, according to Smith.

“While nothing suggests that this analytic information is currently being abused, it is collecting basic data that can be abused by third parties to identify user patterns and behaviors. This could cause some privacy concern for non-Chinese users,” Smith concluded.

Open Source Safety Net

One advantage with Linux is the ability to audit the code. However, the code base of an entire operating system is large. You can not really scrutinize it all, said Steven T. Snyder, senior attorney at Bradley.

Lawyers and security experts face this situation on many fronts. Similar issues exist with foreign-made cellphones, he told LinuxInsider.

For example, news reports recently focused on the threat of malware installed on microchips.

“Security experts can’t always agree on finding malware. So what can we expect when dealing with an entire operating system?” Snyder pondered.

Regardless of the potential for security lapses, open source software provides better chances of finding troublesome software.

“I would feel more comfortable with open source code because anyone can review the code itself to understand what is happening and then modify the code as necessary,” Chris Morales, head of security analytics at Vectra, told LinuxInsider.

Still a Quandary

Dealing with potential security worries related to Deepin Linux certainly is a concern, Bradley’s Snyder warned, calling it a common problem with technology.

There are plenty of opportunities to hide things in an enormous code base. Even if you looked for a security hole, you might not find it or recognize how all the components were working together to enable some sort of back door for bad actors, he explained.

“From my perspective this is a huge concern, because at the very least there has been some evidence that some actors, maybe China, have tampered with the supply chain in different areas. So you can’t just take it on face value that we can trust it,” Snyder said.

The flip side is that rather than giving everything more scrutiny, the bigger risk is assuming software is safe because we sourced it from an ally. Problems can turn up later when we learn that it was compromised before the source acquired it, he pointed out.

Playing All Options

This type of scenario poses a 50-50 situation. A project based in China should get higher scrutiny than some other open source projects, according to Snyder.

“I think it is something to monitor. On a personal level, I’m not sure that it is any riskier than anything else,” he concluded.

“It is open source code sitting out there — but we are more on guard with China. It would be kind of brazen of them to fiddle with something like that, but maybe someone will say, ‘We’ll try it.'”

Back to Deepin Linux 15.10

Deepin 15.10 introduces new functions and updated software packages rebuilt using the Debian stable repository. This provides more timely security updates and improved system stability.

New Features include dde-kwin as the default window manager. It takes up less memory and offers better performance.

Auto merge is a really cool new feature. It is similar to a user tweak provided in the macOS recently, but I am not aware of any other Linux distro using it.

Deepin Linux 15.10 Auto Merge feature

Rather than clutter the desktop with copious icons, the new Auto Merge feature lets you place favorite launchers in color-coded drawers or folders, making them one click away. A dock bar replaces the traditional bottom panel.
– click image to enlarge –

Auto merge lets you avoid cluttering the desktop with favorite launch icons. Instead it groups icons into file folders on the desktop.

This approach is similar to what the Android and Chrome OS let you do to keep the desktop neat and organized. Just check the Auto Merge option in the desktop context menu.

Icons on the desktop will be grouped automatically into different folders: Videos, Music, Pictures, Documents, Applications and Others. You can color code the folders.

The Wallpaper slideshow, while available in other desktop environments, is a new feature for Deepin. Set a slideshow of your favorite pictures so they can display at any interval you designate.

A unique new feature that I especially like is Sound Effect switches. You can turn on or off each system sound. The settings for shut down, log out, wake up, etc., in the Control Center are separated.

Another key change provides the option to do full disk encryption during installation. That alone may lessen user-based security worries.

Deepin Close Up

The desktop design is a combination of several visual elements from other desktops. When put together into one integrated system, they constitute a new approach to the concept of an easy-to-use interface. The in-house applications complete an operating system that is tailored to the average user.

Deepin uses a dock bar instead of the traditional bottom bar. When the dock is set in the macOS-style mode, a button appears that toggles a new dock tray element — embed tray icons in the dock.

Deepin Linux 15.10 Desktop slide-out control panel and dock screenshot

The Deepin Desktop has a slide-out control panel that makes finding settings effortless. It uses a dock bar instead of a traditional panel at the bottom of the screen.

The Dock offers a choice of fashion or efficient modes. Fashion mode adds a hide/show button in the dock tray. Click it to hide the icons in the tray area and save the dock space. The power button is separated from the tray area to reduce the clicks and avoid function confusion.

In the Efficient mode, the right corner is set to show desktop. The previous ‘Show Desktop’ icon disappears.

The Settings Panel slides out from the right edge of the screen. Its transparency lets you see settings options while not losing sight of the overview desktop view. Similarly, the applications menu displays in full screen showing rows of application icons.

Deepin’s multitasking feature shows thumbnails of virtual workspaces via a display panel that hides along the top edge of the screen. The main view displays mini images of open windows on the current workspace.

Deepin lets you set a different background image for each virtual workspace. These display in the panel view as well.

You can drag a running application’s mini image from the multitasking view to another workspace. You also can right-click on the top window border of a displayed app to move it to another virtual workspace.

Bottom Line

Deepin Linux continues to show promise as a productive computing platform. This latest edition has fewer of the annoyances that plagued earlier releases.

The menus and internal dialogue boxes still have some Chinese characters. The potential user base is limited by a short list of available languages.

The ISO file on the standard download page is not a live session. It provides only a loadable interface to handle installation.

To get the live session ISO file, use the download page link in the previous paragraph. Then scroll to the bottom of the download options to the “Live Session Download” label and click the “Live Official Release” button.

Want to Suggest a Review?

Is there a Linux software application or distro you’d like to suggest for review? Something you love or would like to get to know?

Pleaseemail your ideas to me, and I’ll consider them for a future Linux Picks and Pans column.

And use the Reader Comments feature below to provide your input!

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.Email Jack.

7 Comments

  • Thank-you for this excellent article. Deepin does, indeed, seem like an interesting distro. I’m concerned about security, for the reasons mentioned, and because the Chinese government has a history of forcing people to do things on penalty of treason/disappearing. They could, someday, order the devs to put in a backdoor.

    Personally, I’m hoping that someone forks Deepin Desktop Environment, so that we can have a thoroughly security-reviewed version available with all app integrations, in a non-Chinese distro. I would really like to use this, but I just can’t take the risk.

    One thing that I feel bears correction:

    Full disk encryption cannot protect data from the operating system, if the OS is doing the encryption. The operating system has access to the decryption key, and can access everything on that machine, encryption or not. To trust an OS because of disk encryption is like assuming it’s OK to type your social security number into

    https://WeWillStealYourIdentity.com, just because it says "https" at the beginning.

    Great article, overall. Thanks!

    • Thank you for your comments on this article. You raise a very good point about the reliability of full disk encryption controlled by the operating system.
      I frequently discuss security issues with cybersecurity experts. Interestingly, one of their often-made suggestions is to apply full disk encryption. Perhaps that mantra needs clarification. Maybe an encryption tool provided by a distro developer is not a good option.
      I AM not a security expert. I do not have any insight into how reliable Deepin Linux’s encryption application is compared to other third-party AES-compliant encryption products. But I will broach that topic in my next chat with cybersecurity experts.
      Thanks for sharing that potential flaw!

  • I thought linuxinsider was reliable so I really can’t believe I’m reading this piece of racist propaganda. It looks you didn’t mean it and were also fooled by that propaganda, but it’s still only that, propaganda and not true.

    It’s surreal and unbelievable that anyone points out security concerns on free/opensource software, ignoring the fact that most proprietary ones are __known__ to __have__ backdoors for so long. If you’re so concerned about being attacked by the chinese people maybe you should fear they can hack Windows, IOS, etc and not software that is organically more safe because anyone can inspect it. It’s also not true that they’re too large to be safe, since the bulk of the code used is shared between most GNU/Linux projects. Software security has never been and will never be a nationality issue.

    Have you ever heard of NSA, Wikileaks and EEUU government hunt on Assange and Snowden? You missed all the Cambridge Analytica scandal stuff and you’re still worried about the boogie man or even Stalin or Mao to come and spy on you? It’s just stupid to take this anti-huawei movement seriously when it’s obviously because no one can keep up with their breakthroughs on 5G, as it’s happening on tech, economy and most fields now with china way ahead. So they come up with all this baloney. And what impresses me more is that they’re accusing China of doing what AM ericans have done for decades to the whole world, although that’s ok. This is racism.

    I’ll end citing this news article entitled "Amazon Kindle users surprised by ‘Big Brother’ move":

    https://www.theguardian.com/technology/2009/jul/17/amazon-kindle-1984

    Don’t you reproduce behavior on your surroundings without any critical thinking people. Here on the net people will notice you’re being fed bullshit!

    For the world’s sake, I wish you prove yourselves more capable and smart than Trump and all those bootlickers that surround him.

    • what is racist about this article? having a general concern about a product produce by a company in a country that is well known for its lack of human/civil rights and it being an overwhelming police/surveillance state isn’t racism, but ignoring a potential security issue makes a fool.

  • You might want to fix your article. In it, you said you last reviewed 15.18 but meant to put 15.8. I do appreciate the article though. I know many places even Russia have a distribution and even a virus protection software as well. It is something that we have to keep a close eye on. I AM glad that the code can be seen by everyone so hopefully, if someone tries to slip something through hopefully it will be caught.

  • China is not the only country to exert control over its citizens but they are the league leaders after North Korea. They are also the most diligent and persistent when it comes to extracting competitor data for their own illicit use. This is nothing racist, just fact. Most of their technology code targets Windows users as the major operating system and its debatable what benefit they could get from applying this to Linux except Linux servers so IMO Deepin desktop users need not have much concern. Not too long ago the proliferation of Chinese authored programs were often poorly written and easy to identify but nowadays this is not always the case. Certainly as a Windows user I would never install anything identifiable from Chinese sources although this doesnt make everything else automatically safe, just reduces the risk if you also ignore the Microsoft inbuilt spyware.:)

    • I can’t believe what I’m reading here. China bashing again with wot?? Rogue software in OS?? !!
      Forcing people to add backdoor ??!! Are you delusional???
      So far there s literally no evidence to suggest Chinese government did those.
      What’s proven now is US has asked software companies to added back doors. Apple CEO Tim Cook openly said: Chinese didn’t ask us to add backdoor. The US government did.
      I’m not even going to start on NSA.
      Another government is AUS. The infamous AA bill legalised backdoor for AUS made software.
      And yet you are here China bashing ?!! Textbook example of brainwashing and Donny Kruger effect.
      Huawei released ALL of their software for review by UK goverment. They found no backdoor.
      DJI opene sourced their government version of drone firmware.
      I suggest you keep your BS / racism / PC out of the open source communities.
      You are a living insult to all who put effort to make software political free.
      Wot a shame.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

LinuxInsider Channels