Reviews

LINUX PICKS AND PANS

Deepin Linux: Security Threat or Safe to Use?

Open-source operating systems, in general, are less worrisome because their code is open to inspection by anyone with the skills to understand it. Does that mean Linux computing platforms from nongovernmental sources in politically tense countries are equally worry-free?

At least one situation last year brought FOSS’ safe-to-use reputation into question. The potential problem involved the Deepin Linux distribution.

Given that several governments — including the U.S. — have concerns with Android-based mobile phone products made by Huawei, should related security concerns extend to Deepin Linux?

That question was recently posed by several Linux Picks and Pans readers following the release late last year of Deepin 15.8. In my review of that release, which focused on improvements to the in-house desktop environment called the “Deepin Desktop Environment,” or DDE, I did not address the security issue — but I wondered if I should.

The latest version, Deepin 15.10.1, appeared earlier this month as a quick fix to a weeks-old release of Deepin 15.10. The quick fix resolved an issue preventing Nvidia m250 and GTX 1060 graphics cards from enabling window effects.

The timely security question regarding how safe it was to use Deepin and the interesting new features built into DDE presented a perfect opportunity for an update. The latest Deepin Linux release has impressive new features and tweaks that make it notably better than version 15.8, which I last reviewed.

Deepin Linux 15.10 Wallpaper selection panel and slideshow feature

The Wallpaper selection panel scrolls attractive colorful images across the bottom of the screen. The new slideshow feature lets you show your favorite pictures at any interval you designate.

The Deepin desktop is one of the more interesting new desktop alternatives to consider. It is different, productive and gorgeous in its own right.

Deepin Deep Dive

With the launch of version 15 in late 2015, the Deepin distro, based in China, shed its Ubuntu base in favor of Debian Linux Unstable branch. That brought numerous subtle changes in the code base and software roots. Ubuntu Linux itself also is based on Debian Linux.

The chief distinguishing factor underlying Deepin’s growing popularity is its home-grown Deepin Desktop Environment (DDE). It is one of the more modern desktop environments. Deepin is one of the first Linux distros to take advantage of HTML 5 technology.

Coinciding with the base affiliation change, the developers, Deepin Technology Co. Ltd., slightly changed the distro’s name. What was “Deepin Linux” is now “deepin.” That subtle rebranding was an attempt to differentiate it from previous releases named “Deepin,” “Linux Deepin” and “Hiweed GNU/Linux.”

However, the subtlety of “Deepin” versus “deepin” has all but lost its purpose. Regardless of whether the name is spelled “deepin” or “Deepin Linux” (as in this review), this distro offers users an eloquent, modern-themed Linux OS. It is easy to use and comes with high-quality software developed in-house.

Work in Progress

DDE started out with lofty goals but mediocre execution. The Deepin desktop is now well-designed and very functional. Desktop shells are valued largely for how simple they are to use and how functional they are for a user’s productivity. DDE’s modern design is intuitive and classy. This latest release adds to its growing feature set.

Deepin Linux has gone through a continuing development change. This latest version marks yet another transition in the code base. No longer is the base pegged to the Debian Unstable branch.

The change to the Debian Stable branch may be a step back from the bleeding edge of software packages and such, but Debian Stable is no slouch. This shift allows Deepin’s developers to keep moving forward with innovations and improved performance using a more stable base.

The Deepin desktop is offered in a widening assortment of popular Linux desktops, but the best user experience is found in this distro. That might well be the result of the in-house software the community of developers designed to run optimized for the Deepin OS.

Choice of Distro and Desktop

Other Linux distros running the Deepin desktop miss much of the unique integration you get in Deepin Linux. Often you get the software versions provided by the distro you are running.

The Linux distros offering the Deepin desktop are Archlinux, Manjaro, Ubuntu, Gentoo, Fedora, Puppy Linux, SparkyLinux, Antergos, Pardus, and openSuse. Each one has its own flavor linked to the characteristics of the host distribution.

I have sampled these options, mostly for the sake of comparison. One of the better versions is available in the Manjaro Deepin Community Edition.

Safe to Use?

I posed the security question to three cybersecurity experts, raising the issues that several LinuxInsider readers asked in response to my previous Deepin Linux review.

Due to world politics and questionable tactics by other Chinese device makers, concerns have surfaced about Deepin’s potential security risk. In short, those concerns focus on whether the Linux distribution created by a developer team in China is safe to use due to its open-source rather than proprietary nature.

The concerns include whether this distro’s components are being utilized to leach information back to Chinese governmental interests. Could Deepin Linux be the first instance of a Linux distro targeted by a government for surreptitious data collection?

None of my expert sources were aware of any occurrences involving spyware or malware embedded in the OS code related to Deepin Linux or any other distros. However, a concern did surface last year surrounding Deepin’s website and Appstore, according to Daniel Smith, head of threat research at Radware.

“These use a statistical analysis service called ‘CNZZ,’ now ‘Umeng+.’ It’s similar to Google Analytics in the fact that it collects data such as user agents, source, and screen resolution,” he told LinuxInsider.

At the moment, no evidence exists to suggest that the Chinese government is leaching information from the analytic service used by Deepin OS, Smith said.

If this distro has been targeted to return user information back to anyone without notification, it might be the first instance of a Linux distro targeted by a government for surreptitious data collection, he agreed.

A thin line separates developmental data gathering from surreptitious information gathering. Most software, to some extent, collects data regardless of its country of origin, according to Smith.

“While nothing suggests that this analytic information is currently being abused, it is collecting basic data that can be abused by third parties to identify user patterns and behaviors. This could cause some privacy concerns for non-Chinese users,” Smith concluded.

Open Source Safety Net

One advantage of Linux is the ability to audit the code. However, the code base of an entire operating system is large. You can not really scrutinize it all, said Steven T. Snyder, senior attorney at Bradley.

Lawyers and security experts face this situation on many fronts. Similar issues exist with foreign-made cellphones, he told LinuxInsider.

For example, news reports recently focused on the threat of malware installed on microchips.

“Security experts can’t always agree on finding malware. So what can we expect when dealing with an entire operating system?” Snyder pondered.

Regardless of the potential for security lapses, open-source software provides better chances of finding troublesome software.

“I would feel more comfortable with open source code because anyone can review the code itself to understand what is happening and then modify the code as necessary,” Chris Morales, head of security analytics at Vectra, told LinuxInsider.

Still a Quandary

Dealing with potential security worries related to Deepin Linux certainly is a concern, Bradley’s Snyder warned, calling it a common problem with technology.

There are plenty of opportunities to hide things in an enormous code base. Even if you looked for a security hole, you might not find it or recognize how all the components were working together to enable some sort of back door for bad actors, he explained.

“From my perspective, this is a huge concern because, at the very least, there has been some evidence that some actors, maybe China, have tampered with the supply chain in different areas. So you can’t just take it on face value that we can trust it,” Snyder said.

The flip side is that rather than giving everything more scrutiny, the bigger risk is assuming the software is safe because we sourced it from an ally. Problems can turn up later when we learn that it was compromised before the source acquired it, he pointed out.

Playing All Options

This type of scenario poses a 50-50 situation. A project based in China should get higher scrutiny than some other open-source projects, according to Snyder.

“I think it is something to monitor. On a personal level, I’m not sure that it is any riskier than anything else,” he concluded.

“It is open source code sitting out there — but we are more on guard with China. It would be kind of brazen of them to fiddle with something like that, but maybe someone will say, ‘We’ll try it.'”

Back to Deepin Linux 15.10

Deepin 15.10 introduces new functions and updated software packages rebuilt using the Debian stable repository. This provides more timely security updates and improved system stability.

New Features include dde-kwin as the default window manager. It takes up less memory and offers better performance.

Auto merge is a really cool new feature. It is similar to a user tweak provided in the macOS recently, but I am not aware of any other Linux distro using it.

Deepin Linux 15.10 Auto Merge feature

Rather than clutter the desktop with copious icons, the new Auto Merge feature lets you place favorite launchers in color-coded drawers or folders, making them one click away. A dock bar replaces the traditional bottom panel.

Auto merge lets you avoid cluttering the desktop with favorite launch icons. Instead, it groups icons into file folders on the desktop.

This approach is similar to what the Android and Chrome OS let you do to keep the desktop neat and organized. Just check the Auto Merge option in the desktop context menu.

Icons on the desktop will be grouped automatically into different folders: Videos, Music, Pictures, Documents, Applications, and Others. You can color-code the folders.

The Wallpaper slideshow, while available in other desktop environments, is a new feature for Deepin. Set a slideshow of your favorite pictures so they can display at any interval you designate.

A unique new feature that I especially like is Sound Effect switches. You can turn on or off each system sound. The settings for shut down, log out, wake up, etc., in the Control Center are separated.

Another key change provides the option to do full disk encryption during installation. That alone may lessen user-based security worries.

Deepin Close Up

The desktop design is a combination of several visual elements from other desktops. When put together into one integrated system, they constitute a new approach to the concept of an easy-to-use interface. The in-house applications complete an operating system that is tailored to the average user.

Deepin uses a dock bar instead of the traditional bottom bar. When the dock is set in the macOS-style mode, a button appears that toggles a new dock tray element — embed tray icons in the dock.

Deepin Linux 15.10 Desktop slide-out control panel and dock screenshot

The Deepin Desktop has a slide-out control panel that makes finding settings effortless. It uses a dock bar instead of a traditional panel at the bottom of the screen.

The Dock offers a choice of fashion or efficient modes. Fashion mode adds a hide/show button in the dock tray. Click it to hide the icons in the tray area and save the dock space. The power button is separated from the tray area to reduce the clicks and avoid function confusion.

In the Efficient mode, the right corner is set to show the desktop. The previous ‘Show Desktop’ icon disappears.

The Settings Panel slides out from the right edge of the screen. Its transparency lets you see settings options while not losing sight of the overview desktop view. Similarly, the applications menu displays in full-screen, showing rows of application icons.

Deepin’s multitasking feature shows thumbnails of virtual workspaces via a display panel that hides along the top edge of the screen. The main view displays mini images of open windows on the current workspace.

Deepin lets you set a different background image for each virtual workspace. These display in the panel view as well.

You can drag a running application’s mini image from the multitasking view to another workspace. You also can right-click on the top window border of a displayed app to move it to another virtual workspace.

Bottom Line

Deepin Linux continues to show promise as a productive computing platform. This latest edition has fewer of the annoyances that plagued earlier releases.

The menus and internal dialogue boxes still have some Chinese characters. The potential user base is limited by a short list of available languages.

The ISO file on the standard download page is not a live session. It provides only a loadable interface to handle the installation.

To get the live session ISO file, use the download page link in the previous paragraph. Then scroll to the bottom of the download options to the “Live Session Download” label and click the “Live Official Release” button.


Suggest a Review

Is there a Linux software application or distro you’d like to suggest for review? Something you love or would like to get to know?

Email your ideas to me, and I’ll consider them for a future column.

And use the Reader Comments feature below to provide your input!

Jack M. Germain

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.Email Jack.

5 Comments

  • Thank-you for this excellent article. Deepin does, indeed, seem like an interesting distro. I’m concerned about security, for the reasons mentioned, and because the Chinese government has a history of forcing people to do things on penalty of treason/disappearing. They could, someday, order the devs to put in a backdoor.

    Personally, I’m hoping that someone forks Deepin Desktop Environment, so that we can have a thoroughly security-reviewed version available with all app integrations, in a non-Chinese distro. I would really like to use this, but I just can’t take the risk.

    One thing that I feel bears correction:

    Full disk encryption cannot protect data from the operating system, if the OS is doing the encryption. The operating system has access to the decryption key, and can access everything on that machine, encryption or not.

    Great article, overall. Thanks!

    • Thank you for your comments on this article. You raise a very good point about the reliability of full disk encryption controlled by the operating system.

      I frequently discuss security issues with cybersecurity experts. Interestingly, one of their often-made suggestions is to apply full disk encryption. Perhaps that mantra needs clarification. Maybe an encryption tool provided by a distro developer is not a good option.

      I am not a security expert. I do not have any insight into how reliable Deepin Linux’s encryption application is compared to other third-party AES-compliant encryption products. But I will broach that topic in my next chat with cybersecurity experts.

      Thanks for sharing that potential flaw!

      • what is racist about this article? having a general concern about a product produce by a company in a country that is well known for its lack of human/civil rights and it being an overwhelming police/surveillance state isn’t racism, but ignoring a potential security issue makes a fool.

        • I can’t believe what I’m reading here. China bashing again with wot?? Rogue software in OS?? !!

          Forcing people to add backdoor ??!! Are you delusional???

          So far there s literally no evidence to suggest Chinese government did those.

          What’s proven now is US has asked software companies to added back doors. Apple CEO Tim Cook openly said: Chinese didn’t ask us to add backdoor. The US government did.

          I’m not even going to start on NSA.

          Another government is AUS. The infamous AA bill legalised backdoor for AUS made software.

          And yet you are here China bashing ?!! Textbook example of brainwashing and Donny Kruger effect.

          Huawei released ALL of their software for review by UK goverment. They found no backdoor.

          DJI opene sourced their government version of drone firmware.

          I suggest you keep your BS / racism / PC out of the open source communities.

          You are a living insult to all who put effort to make software political free.

          Wot a shame.

  • You might want to fix your article. In it, you said you last reviewed 15.18 but meant to put 15.8. I do appreciate the article though. I know many places even Russia have a distribution and even a virus protection software as well. It is something that we have to keep a close eye on. I am glad that the code can be seen by everyone so hopefully, if someone tries to slip something through hopefully it will be caught.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

More by Jack M. Germain
More in Reviews

LinuxInsider Channels