I'm a little surprised that they covered a work-around to install Deepin - I wouldn't expect a team with such a strong opinion to make a judgement call on whether or not to distribute the software but then go out of their way to document platform-specific steps to use it, rather than leaving that responsibility to Deepin.

This is really concerning, how many other packages are distributed by OpenSUSE which do not match their policies and are not reviewed?

A Linux distribution is supposed to be more coherent and vetted than an app store. This... does not inspire confidence.

> The history of Deepin code reviews clearly shows that upstream is lacking security culture

As somebody that doesn't write code for a living (i manage infrastructure)... besides common sense, where would one start looking in order to learn "security culture" ?