Microsoft Repo Secretly Installed on all Raspberry Pi’s Linux OS

Red Falcon

Definitely worth the watch for those involved with the Raspberry Pi community.




Thanks to Jeff Geerling for the video, and removal commands:
sudo rm /etc/apt/sources.list.d/vscode.list
sudo rm /etc/apt/trusted.gpg.d/microsoft.gpg
sudo apt update



Further information on it can be found here.
It seems that it contains VS Code IDE for your Raspberry Pi. Now keep in mind this is a server with a lite image, and there is no need to install this on my old RPi 2. Naturally, it made many Linux users unhappy. To make matters worse, the official Raspberry Pi forums admins quickly locked down and deleted the topic threads, claiming it was “Microsoft bashing.”
 
I don't have any Raspberry Pi's, but I am a long time Linux user.

If anything at all added a repository to my system on its own, I would be livid.

This is one of the reasons I hate Windows.

I need to be in complete 100% control of my local machines, and they need to not do anything without me initiating it manually.

I've been looking at Hardkernel's Odroid devices lately. Hopefully they won't pull this nonsense.
 
VSCode contains telemetry, so yeah, Microsoft is gaining information from users with these latest updates.
It might be worth watching the video and/or reading the article before making such assumptions.

To be clear, adding a repository under apt does not install the software. It just allows apt to fetch the package list from that repository and list it as available for installation.

Every time you do an "apt-get update" or the more modern "apt update" to refresh the list of packages, your device would connect to that repository, and download its available package list, but it wouldn't actually install anything UNLESS it contained a package that you already have installed on your system at a newer revision, in which case it would be listed as an available update when doing "apt-get upgrade", "apt upgrade", "apt-get dist-upgrade" or "apt dist-upgrade".

There is a limited amount of information they can gain from just having the repository added in and of itself, including source IP and (maybe) install unique identifier (I can't remember if apt sends that as part of the update or not), but that's about it, unless of course they also maliciously design a package with the same name as a package that already exists on the system as a dependency, and give it a higher version number, so it installs itself as an update. Then that malicious program can do whatever it wants.

Still, one must wonder, if they are OK with just adding a third party repository users didn't ask for, what else are they OK with? And why would you open yourself up to the possibility of a dependency attack?

I still think it is a shitty thing to do.
 
To be clear, adding a repository under apt does not install the software. It just allows apt to fetch the package list from that repository and list it as available for installation.

There is a limited amount of information they can gain from just having the repository added in and of itself, including source IP and (maybe) install unique identifier, but that's about it.

Still, one must wonder, if they are OK with just adding a third party repository users didn't ask for, what else are they OK with?
Depending on where it is in the sources.conf, packages in the repo could take priority over packages in the main repos, and those packages could depend on other packages in the ms repos. You could easily have a lot of ms packages installed just from doing an `apt-get upgrade`
 
Depending on where it is in the sources.conf, packages in the repo could take priority over packages in the main repos, and those packages could depend on other packages in the ms repos. You could easily have a lot of ms packages installed just from doing an `apt-get upgrade`

Yeah, I edited in my UNLESS statement above after thinking more about it, but it looks like you replied before I could do so :p
 
I personally find this inexcusable and Eben Upton should know better, what else are they going to spring on the community?

I wish they'd revise their direction with full open source principles in mind, and maybe/perhaps switch to RISC-V?
 
I'm not really too familiar, but, since you're using Raspberry Pi OS, can't they, since they're the ones creating this variation of the OS, include whatever repositories they want on it? Don't other OSes do this already? You're agreeing to use Raspberry Pi OS, so that means you're agreeing to whatever is included in that OS for repositories?
 
I don't have any Raspberry Pi's, but I am a long time Linux user.

If anything at all added a repository to my system on its own, I would be livid.

This is one of the reasons I hate Windows.

I need to be in complete 100% control of my local machines, and they need to not do anything without me initiating it manually.

I've been looking at Hardkernel's Odroid devices lately. Hopefully they won't pull this nonsense.
For a linux machine... certainly.

For a raspberry pi, a tiny computer meant for school children..... eeeh
The Raspberry Pi Foundation is a charity founded in 2009 to promote the study of basic computer science in schools

If people don't like it, buy something else that isn't for children.
 
For a linux machine... certainly.

For a raspberry pi, a tiny computer meant for school children..... eeeh

If people don't like it, buy something else that isn't for children.

You are making a specious argument. The ORIGINAL intent of the raspberry pi was to focus on promoting computer science in schools. Emphasis on original. So instead of cherry picking let's look at the whole tree:

The Raspberry Pi Foundation is a UK-based charity that works to put the power of computing and digital making into the hands of people all over the world. We do this so that more people are able to harness the power of computing and digital technologies for work, to solve problems that matter to them, and to express themselves creatively.



We engage millions of young people in learning computing and digital making skills through a thriving network of clubs and events, and through partnerships with youth organisations. We enable any school to offer students the opportunity to study computing and computer science through providing the best possible curriculum, resources, and training for teachers. We work to deepen our understanding of how young people learn about computing and digital making, and to use that knowledge to increase the impact of our own work and to advance the field of computing education. We make computing and digital making accessible to all through providing low-cost, high-performance single-board computers and free software.

Still they have an emphasis on enabling knowledge in young people but clearly the message is now let's lower the bar for everyone. So no I don't think it's fair to dismiss the claim based on "well it's for children."

Actually claiming it's for children only makes the issue worse. Now you're silently installing repos which can be used to override packages and potentially put spyware on children's machines.
 
Actually claiming it's for children only makes the issue worse. Now you're silently installing repos which can be used to override packages and potentially put spyware on children's machines.
Then don't use it.

Just admit it, if this was a repo pushed for anything other than Microsoft, people would grumble for 20 minutes and move on.
 
I imagine there are quite a few IT managers who're pissed, probably some with an email/letter from their security manager asking them wtf...
 
I imagine there are quite a few IT managers who're pissed, probably some with an email/letter from their security manager asking them wtf...
No because telemetry doesn’t make it out of our buildings, it gets blocked. It just winds up next to all the billions of entries from Google and Facebook as a minor blip in our nightly reports.
 
Then don't use it.

Sure. Now that we know, we have the choice to not use it.

Part of the problem with all this is that they didn't tell anyone. The repos just showed up without any notification, and once they are there it would be trivial for the owner of the repo to trick the system into installing a package as an update to something already installed, that may do things like collect data.

In general, informed consent and opt out is not ideal, but it is OK. The gold standard here is "Opt In".

In this case you can still opt out by just removing the repo, but the HUGE problem is that they snuck it in without telling anyone.
 
Just admit it, if this was a repo pushed for anything other than Microsoft, people would grumble for 20 minutes and move on.

I don't think so. The norm, at least with Debian/Ubuntu/Mint and related distributions that use apt is that the only automatically installed repos are the ones belonging to the distribution, and in some cases the upstream distribution. (Mint - for instance - uses it's own repos as well as upstream Ubuntu repos, as it is based on Ubuntu).

Arbitrary addition of third party repos would likely cause people to cry foul, no matter who those 3rd party repos belonged to.

People can and do add third party repos on their own if there is a specific package they need that is either not included with their distribution, or is of an older version than they need in their distribution, but this is an OPT IN relationship that (hopefully) is done in an informed way, understanding the risks.

Having a third party repo, any third party repo just randomly appear one day is likely to get some serious unwanted attention.
 
Then don't use it.

Just admit it, if this was a repo pushed for anything other than Microsoft, people would grumble for 20 minutes and move on.
100%. They would be angry it's there and then just go remove it. Just on their discord channels and wipe their cheesy-poof fingers clean and write an angry message.

But, it's Microsoft, so I expect a bunch of moaning for weeks until the distro creator removes it because of the constant cry baby emails.
 
To be clear, adding a repository under apt does not install the software. It just allows apt to fetch the package list from that repository and list it as available for installation.

Every time you do an "apt-get update" or the more modern "apt update" to refresh the list of packages, your device would connect to that repository, and download its available package list, but it wouldn't actually install anything UNLESS it contained a package that you already have installed on your system at a newer revision, in which case it would be listed as an available update when doing "apt-get upgrade", "apt upgrade", "apt-get dist-upgrade" or "apt dist-upgrade".

There is a limited amount of information they can gain from just having the repository added in and of itself, including source IP and (maybe) install unique identifier (I can't remember if apt sends that as part of the update or not), but that's about it.

Still, one must wonder, if they are OK with just adding a third party repository users didn't ask for, what else are they OK with?

I still think it is a shitty thing to do.
Microsoft is a shitty company. Did you expect ethics from them in the slightest?
 
I imagine there are quite a few IT managers who're pissed, probably some with an email/letter from their security manager asking them wtf...

I don’t think rpi is very common in business settings? At least not outside of arm software development houses?

and even if it were, “hey your systems are talking to Microsoft” ? Probably not. Likely just drowned out in the noise of everything else that checks in with them these days.

Anyways, I feel like this would have been better handled for Raspbian the way Ubuntu does its third-party repos. There they are available as sources, but disabled by default until you explicitly tell it to turn them on. Could have been a simple option at install/setup time the way Ubuntu asks if you want to install any of that extra software for additional media format support, etc.

Why they’d enable anything other than base software repos by default, shrug. Not communicating about it proactively? Also poor decision. Closing threads asking about it certainly does not help the situation either.
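The "present but disabled until you turn it on" arrangement described in this post can be expressed directly in apt's deb822 `.sources` format, which has an `Enabled:` field. The script below is an added example, not code from the thread or from the Raspberry Pi project: it writes a disabled stanza for a VS Code repository, reads the state back, and flips it the way an explicit opt-in would. The file name `vscode.sources`, the repository URL and the `Signed-By` keyring path are assumptions for illustration; the keyring path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or the Raspberry Pi project): ship a
# third-party apt source in deb822 format with "Enabled: no" so it is listed
# but inert until the user enables it. File name and URL are assumptions; the
# Signed-By path is a placeholder.

# write_disabled_source DIR: create DIR/vscode.sources in the disabled state.
write_disabled_source() {
    cat > "$1/vscode.sources" <<'EOF'
Types: deb
URIs: https://packages.microsoft.com/repos/code
Suites: stable
Components: main
Architectures: arm64 armhf
Enabled: no
Signed-By: /usr/share/keyrings/PLACEHOLDER-microsoft-archive-keyring.gpg
EOF
}

# source_state FILE: print "enabled" or "disabled". sources.list(5) treats a
# missing Enabled field as yes, so only an explicit "no" disables the stanza.
source_state() {
    awk 'BEGIN { state = "enabled" }
         tolower($1) == "enabled:" && tolower($2) == "no" { state = "disabled" }
         END { print state }' "$1"
}

# enable_source FILE: flip "Enabled: no" to "Enabled: yes". Done through a
# temporary file because "sed -i" is not POSIX.
enable_source() {
    sed 's/^Enabled:[[:space:]]*no$/Enabled: yes/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# demo: round-trip in a scratch directory so the script runs without touching
# /etc/apt. On a real system the file would live in /etc/apt/sources.list.d/.
demo() {
    d=$(mktemp -d)
    write_disabled_source "$d"
    echo "shipped state: $(source_state "$d/vscode.sources")"   # disabled
    enable_source "$d/vscode.sources"                           # the user's explicit opt-in
    echo "after opt-in:  $(source_state "$d/vscode.sources")"   # enabled
    rm -rf "$d"
}
demo
```

With `Enabled: no` in place, `apt update` skips the stanza entirely, so nothing is fetched from the repository and `apt-cache policy` lists no package file for it; the user who wants the IDE edits one field (or is offered the choice in a setup dialog) and runs `apt update` again.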
 
No but it discredits you, baselessly classifying people you know nothing about. Not a good look.
I think you are missing the point.
It isn't so much that the Microsoft repo was added as much as the fact that the repo was added without any prior notification to the user-base and community.

The fact that Microsoft is notorious for telemetry of all levels, and the fact that posts made about this very thing within that community were deleted and censored, shows that this had obvious malicious intent.
If the devs wanted to add the Microsoft repo and properly informed the community of it ahead of time (basic community respect and transparency - what this is all based on with Raspberry Pi), this would have been more than acceptable behavior, even if the end users and community didn't agree with it and just chose to skip it, remove it, or opt-out.

That didn't happen, though.
Maybe you are used to getting back doored on your Apple environment and don't care, but don't assume to classify everyone else, whom you know nothing about, are just like you; respect works both ways.

Then don't use it.

Just admit it, if this was a repo pushed for anything other than Microsoft, people would grumble for 20 minutes and move on.
For many businesses and users, not using Raspberry Pi OS isn't an option due to either unported code to other operating systems, or massive unoptimization or lack of features in said other operating systems - it isn't that simple.
If any sysadmin or IT personnel allowed something other than Microsoft updates directly on a Microsoft OS, grumbling for 20 minutes and moving on, then said individuals would be fired within 20 minutes and would be moving on to the next job interview.

For someone telling others to not "baselessly classify people you know nothing about", you sure are doing a lot of just that.
 
I don’t think rpi is very common in business settings? At least not outside of arm software development houses?

and even if it were, “hey your systems are talking to Microsoft” ? Probably not. Likely just drowned out in the noise of everything else that checks in with them these days.

Anyways, I feel like this would have been better handled for Raspbian the way Ubuntu does its third-party repos. There they are available as sources, but disabled by default until you explicitly tell it to turn them on. Could have been a simple option at install/setup time the way Ubuntu asks if you want to install any of that extra software for additional media format support, etc.

Why they’d enable anything other than base software repos by default, shrug. Not communicating about it proactively? Also poor decision. Closing threads asking about it certainly does not help the situation either.
If it's used in schools and by enthusiasts, I don't see why small businesses or even some larger business in corner cases couldn't. They would probably prefer an enterprise solution, but let's not pretend the tech guy has never begged his boss to use some weird/obscure hardware because it's "perfect". ;)
 
Microsoft is a shitty company. Did you expect ethics from them in the slightest?
No, but the Raspberry Pi community does expect better from the developers and project leads, especially with major changes that could lead to potential data leakage, privacy risks, and security risks.
I don’t think rpi is very common in business settings? At least not outside of arm software development houses?
They are more common in business and enterprise than you think.
and even if it were, “hey your systems are talking to Microsoft” ? Probably not. Likely just drowned out in the noise of everything else that checks in with them these days.
That could lead to massive security risks and even unnecessary network traffic and additional resource loads that could heavily affect project testing and loads, even if we don't consider the potential security risks.
Anyways, I feel like this would have been better handled for Raspbian the way Ubuntu does its third-party repos. There they are available as sources, but disabled by default until you explicitly tell it to turn them on. Could have been a simple option at install/setup time the way Ubuntu asks if you want to install any of that extra software for additional media format support, etc.

Why they’d enable anything other than base software repos by default, shrug. Not communicating about it proactively? Also poor decision. Closing threads asking about it certainly does not help the situation either.
Agreed, and the fact that they did all of this shows that they care more about being in Microsoft's pocket than the community that allowed them to get where they are today.
 
If it's used in schools and by enthusiasts, I don't see why small businesses or even some larger business in corner cases couldn't. They would probably prefer an enterprise solution, but let's not pretend the tech guy has never begged his boss to use some weird/obscure hardware because it's "perfect". ;)
Raspberry Pi units are used in many businesses and enterprises in large clusters for testing and developing applications, managing databases, etc.
They are far more cost efficient overall than x86-64 or ARM workstations, VMs, and platforms for such tasks.

Perhaps not all businesses and enterprises are running Raspberry Pi OS, but for those that do, this just became a very critical security risk and trust issue, and now all further updates are going to need to be heavily vetted going forward.
In other words, we expect better from these individuals.
 
Then don't use it.

Sure. Now that we know, we have the choice to not use it.

Part of the problem with all this is that they didn't tell anyone. The repos just showed up without any notification, and once they are there it would be trivial for the owner of the repo to trick the system into installing a package as an update to something already installed, that may do things like collect data.

In general, informed consent and opt out is not ideal, but it is OK. The gold standard here is "Opt In".

In this case you can still opt out by just removing the repo, but the HUGE problem is that they snuck it in without telling anyone.

Also, in addition to this. Yes. Now that this has happened I fully do expect lots of people to move on to an alternative.

Maybe Hardkernel's very capable ODroid devices? There are quite a few choices in small ARM single board computers.

I mean, it sucks if you have already bought the hardware, but with Raspberry Pi's, even if you do have to toss them out, at least you haven't wasted a ton of money.
 
Anyways, I feel like this would have been better handled for Raspbian the way Ubuntu does its third-party repos. There they are available as sources, but disabled by default until you explicitly tell it to turn them on. Could have been a simple option at install/setup time the way Ubuntu asks if you want to install any of that extra software for additional media format support, etc.

Why they’d enable anything other than base software repos by default, shrug. Not communicating about it proactively? Also poor decision. Closing threads asking about it certainly does not help the situation either.
VS code is not installed from what I understand, they just made it easy for the user to install it.
 
If it's used in schools and by enthusiasts, I don't see why small businesses or even some larger business in corner cases couldn't. They would probably prefer an enterprise solution, but let's not pretend the tech guy has never begged his boss to use some weird/obscure hardware because it's "perfect". ;)
I've got at least a dozen in each of our buildings, the telemetry is blocked by default because it isn't a traffic pattern we explicitly allow, but the contents of the Microsoft Telemetry is at worst benign: it contains version information and occasionally crash dumps but nothing we consider a security risk. Chromebooks, on the other hand, you wanna talk about telemetry? It's a whole different animal; it's basically a system status mixed with a screenshot broken down to text form. Give them another year or so and I'm guessing they will have found a way to get the mic to identify and report what you had for breakfast that morning. Apple falls in line with Microsoft for what's reported, pretty minor and pretty benign, but it does contain the Apple IDs that are signed into the system for iCloud and iTunes and such when it's making the report, so it contains some "private" information, but it's already information you have given them previously so it's not considered a risk. The biggest risk, surprise surprise, is Facebook: if the page loads an ad, it's talking to Facebook or Google but more times than not Facebook, and it contains everything that the ad could scrape from the machine based on your cookie settings, which 99% of the time is "Allow Everything".

I am still working with Palo Alto to better identify and filter that traffic. It hits the Deny rules on the way out, so it's not like it ever gets delivered, but I am trying to set up a sinkhole so that it can be trapped and analyzed for content easier. But between Facebook and Google, they generate so much traffic my biggest issue is if I did have a legitimate security issue it very well could get masked in the pure onslaught from those two alone. But in terms of Education IT security, we're not really concerned with the data that Apple and Microsoft are trying to pull because there isn't anything in there that is considered a risk.

If anything my largest risk issue is Amazon Web Services and their utter lack of due diligence on who they sell their services to, they are hard to filter because it is very easy to accidentally block out the bulk of their services when trying to block out a single malicious actor using their services, and it seems AWS hosts just about everything.
 
To be clear, adding a repository under apt does not install the software. It just allows apt to fetch the package list from that repository and list it as available for installation.

Every time you do an "apt-get update" or the more modern "apt update" to refresh the list of packages, your device would connect to that repository, and download its available package list, but it wouldn't actually install anything UNLESS it contained a package that you already have installed on your system at a newer revision, in which case it would be listed as an available update when doing "apt-get upgrade", "apt upgrade", "apt-get dist-upgrade" or "apt dist-upgrade".

There is a limited amount of information they can gain from just having the repository added in and of itself, including source IP and (maybe) install unique identifier (I can't remember if apt sends that as part of the update or not), but that's about it.

Still, one must wonder, if they are OK with just adding a third party repository users didn't ask for, what else are they OK with?

I still think it is a shitty thing to do.

...and what do you know. Microsoft, Apple and others were just hit by a repository dependency attack like this...
 
VS code is not installed from what I understand, they just made it easy for the user to install it.

yep. I was just saying - why not put the repos in there but leave them disabled by default? Still makes it easy for anyone to enable if they want, and isn’t nearly as poorly received as this. Like Ubuntu’s proprietary repos.

I mean, this is “just” adding a repo, not even installing any software from it. But as we can see, it has gotten a response that I expect wasn’t even considered when the decision was made. As has been pointed out, Linux users are far from tolerant when it comes to anything forking with their system configurations, and the rpi folks should have been aware that a very vocal segment of their user base might have a poor reaction to adding a Microsoft repo.

That said, rpi runs on Broadcom hardware, so I never considered them especially open-source friendly. Just look at how the rpi4 was launched and how long it took for it to get proper hardware accelerated video support. If the opinion of the power users was something they cared about I expect they wouldn’t be closing threads just asking about it on their forums, either (although, to be fair, a lot of Linux users default to a “very strong” reaction to anything Microsoft, so I’d bet that at least a few of those posts were very much just nerdrage Microsoft bashing).

I haven’t dived into arm Linux yet, but when I do, pine stuff seems like a more open-source friendly option for end users. I don’t think it has a community of users and developers even close to the size of rpi, though.
 
yep. I was just saying - why not put the repos in there but leave them disabled by default? Still makes it easy for anyone to enable if they want, and isn’t nearly as poorly received as this. Like Ubuntu’s proprietary repos.

I mean, this is “just” adding a repo, not even installing any software from it. But as we can see, it has gotten a response that I expect wasn’t even considered when the decision was made. As has been pointed out, Linux users are far from tolerant when it comes to anything forking with their system configurations, and the rpi folks should have been aware that a very vocal segment of their user base might have a poor reaction to adding a Microsoft repo.

That said, rpi runs on Broadcom hardware, so I never considered them especially open-source friendly. Just look at how the rpi4 was launched and how long it took for it to get proper hardware accelerated video support. If the opinion of the power users was something they cared about I expect they wouldn’t be closing threads just asking about it on their forums, either (although, to be fair, a lot of Linux users default to a “very strong” reaction to anything Microsoft, so I’d bet that at least a few of those posts were very much just nerdrage Microsoft bashing).

I haven’t dived into arm Linux yet, but when I do, pine stuff seems like a more open-source friendly option for end users. I don’t think it has a community of users and developers even close to the size of rpi, though.
All I can really say on the subject is that the students and teachers like working on the Pi4's, we have a small smattering of alternatives but the overall user experience on the Pi's is leagues ahead. I am sure the others are just as good but if you just want to sit down and use it and not have to spend time tinkering trying to make things work then the Pi is the goto with maybe the ODroids being a distant second, but then again we have maybe 16 ODroid N2+'s and like 80 Pi 4's.
 
Man so much misinformation and MS hate flowing through this thread.

Now I'm certainly no MS lover (I downright loathe Windows 10) I don't see this repo as a bad thing. Yes, the RPi foundation should have been more up front about it. No they shouldn't have made it opt-in. Raspbian by default is meant to be install it and go learn type OS. It's not your typical Linux distro and never has been. It's a distro that IS and ALWAYS HAS BEEN designed for educational purposes and should be treated as such. So yes vscode should be there. Vscode is only one of the most used IDEs currently. Why shouldn't it be on an educational device?

The BS about bandwidth or overhead are just worthless arguments. It's a single tiny text file that gets pulled upon reboot and a sudo apt update command. MS and computer OEMs have been doing far worse for YEARS with the crapware installed on Windows by default.

So many people just want to piss and moan about this stuff. It's ridiculous and the basement neckbeards frothing at the mouth about this are really giving the Linux community a bad name.

Personally I don't run Raspbian on any of my pi's because it isn't a normal distro aimed at someone like me.

Here's a great read about this "issue":

https://popey.com/blog/2021/02/pitchforks-set-to-stun/
 
I feel like there is real reason people dislike it, they do not want student and other people first days on Linux to use VSCode and the Microsoft Cloud infrastructure to learn development and other informatics stuff, instead of their alternative or at least for VSCode and those suite to be easier to launch for their user than the alternative and that is the future being started here.

And instead they make "bigger deal" of what is more concrete and less speculative but from the motivation above. A bit of a reaction to prevent some possible slippery slope.
 
You guys want to know why Linux will forever be under 1% market share? It's because control freaks like you whine about someone adding an open source app repository to your system

This is the same reason you fools have 600 different current Linux repositories; quite the waste of effort when there's only like fifteen different maintained windowing environments!

Red Falcon, you are such a control freak, I'm surprised you haven't just written your own OS (and then discover the pain of doing everything for yourself)
 
You guys want to know why Linux will forever be under 1% market share? It's because control freaks like you whine about someone adding an open source app repository to your system

This is the same reason you fools have 600 different current repositories; quite the waste of effort when there's only like fifteen different maintained windowing environments!

Who says Linux wants to grow desktop market share?

If compromising the system is what it takes to enroll others, then I am fine with my 1% system. It's not a popularity contest.

As has just been shown in this other news thread, adding third party repositories willy nilly can be a serious vulnerability, and is best avoided.

When it comes down to it, Linux is more of an OS for purists, who want to be in control of every aspect of their operating system, and never want it to ever do anything automated behind their backs, even if the intent is to be helpful. The only automation we want, is the automation we intentionally set up and configure ourselves. Everything else should be disabled.

If my operating system or any installed program ever reaches out to any other machine over the network, LAN or WAN, without me explicitly telling it to, that is a major fail. Honestly, I don't even like broadcast/multicast except for maybe DHCP. If I want my OS or a program to talk to another machine, I'll figure out what IP that machine is using, point it at that IP manually, and maybe even set up my own script to tell it what to do with that IP and how often. I expect it to never do anything on its own.

If you make these compromises to Linux in order to try to get mass appeal, then Linux ceases to be Linux, and there is no longer any point to it.

If people like the way Windows works, they should keep it and stay the hell away from making stupid demands that wind up ruining Linux. We don't need or want them in our community. :p
 
I'm not really too familiar, but, since you're using Raspberry Pi OS, can't they, since they're the ones creating this variation of the OS, include whatever repositories they want on it? Don't other OSes do this already? You're agreeing to use Raspberry Pi OS, so that means you're agreeing to whatever is included in that OS for repositories?

Certainly.

It is the choice of the distribution maintainer what repositories are included with the distribution.

There are a few issues with what happened here though.

1.) Typically default repositories are either controlled by the distribution itself, or by a trusted upstream source (like how Linux Mint includes upstream Ubuntu repositories, as it is based on Ubuntu, and how Ubuntu used to include upstream Debian repositories back in the day)

2.) The Microsoft repository just installed itself. No announcement, no opt-in, nothing. Many power users, and especially Linux/Unix users REALLY don't like when their system does stuff without them asking it to.

3.) The fact that they chose to add a repository maintained by Microsoft, who have a long history of abusing relationships like this to force "their way or the highway" on users, and probably to harvest data, is a real concern, especially since Microsoft doesn't exactly have a long, warm and fuzzy relationship with the open source community.

4.) Again, as mentioned above, third party repository dependency attacks are a real thing, and a serious vulnerability.
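Point 4 here, together with the earlier posts explaining that adding a repo only adds a package list and that where the repo sits in apt's priority order decides whether a same-name, higher-version package from it wins on `apt upgrade`, comes down to one question a defender can check: which non-distro sources stand at the same priority as the distro's own? The script below is an added example, not code from the thread or from the Raspberry Pi project. It parses the "Package files:" section that `apt-cache policy` prints, flags sources whose host is not on an allowlist of distro hosts and whose priority is 500 (the default, equal to the distro), emits the `apt_preferences(5)` stanza that demotes such a host to priority 100, and re-checks. The allowlist, the sample `apt-cache policy` text and the Microsoft repository host in it are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or the Raspberry Pi project): find apt
# sources that can override distro packages, and pin them down.
# ALLOWED_HOSTS and SAMPLE_POLICY are constructed; on a live system replace the
# sample with the real output of "apt-cache policy".

ALLOWED_HOSTS="raspbian.raspberrypi.org archive.raspberrypi.org"

# Sample "apt-cache policy" output (constructed to match the thread's scenario).
SAMPLE_POLICY='Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 https://packages.microsoft.com/repos/code stable/main arm64 Packages
     release o=code stable,a=stable,n=stable,l=code stable,c=main,b=arm64
     origin packages.microsoft.com
 500 http://archive.raspberrypi.org/debian buster/main armhf Packages
     release o=Raspberry Pi Foundation,a=stable,n=buster,l=Raspberry Pi Foundation,c=main,b=armhf
     origin archive.raspberrypi.org
 500 http://raspbian.raspberrypi.org/raspbian buster/main armhf Packages
     release o=Raspbian,a=stable,n=buster,l=Raspbian,c=main,b=armhf
     origin raspbian.raspberrypi.org
Pinned packages:'

# foreign_sources: read apt-cache policy text on stdin and print
# "PRIORITY HOST" for each remote package file whose host is not allowlisted.
foreign_sources() {
    awk -v allowed="$ALLOWED_HOSTS" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # package-file lines look like: "<priority> <url> <suite/component> <arch> Packages"
        $1 ~ /^[0-9]+$/ && $2 ~ /^https?:\/\// {
            host = $2; sub(/^https?:\/\//, "", host); sub(/\/.*$/, "", host)
            if (!(host in ok)) print $1, host
        }'
}

# overriding_sources: foreign hosts at priority >= 500, i.e. equal standing with
# the distro repos, so a same-name package with a higher version from them
# becomes the upgrade candidate.
overriding_sources() {
    foreign_sources | awk '$1 >= 500 { print $2 }'
}

# pin_stanza HOST: apt preferences entry that drops HOST to priority 100.
# Per apt_preferences(5), a version at 100 <= P < 500 is only installed when no
# other source offers the package, so it cannot displace a distro package on
# "apt upgrade", while packages that exist only in that repo still install.
pin_stanza() {
    printf 'Package: *\nPin: origin %s\nPin-Priority: 100\n' "$1"
}

# Sample output after the pin is in place (constructed from SAMPLE_POLICY).
SAMPLE_PINNED=$(printf '%s\n' "$SAMPLE_POLICY" | sed 's|^ 500 \(https://packages.microsoft.com\)| 100 \1|')

# audit TEXT: number of foreign sources in TEXT that can still override.
audit() {
    printf '%s\n' "$1" | overriding_sources | wc -l | tr -d ' '
}

main() {
    echo "Foreign sources at distro-level priority:"
    printf '%s\n' "$SAMPLE_POLICY" | overriding_sources
    echo "Suggested stanza for /etc/apt/preferences.d/:"
    printf '%s\n' "$SAMPLE_POLICY" | overriding_sources | while read -r h; do pin_stanza "$h"; done
    echo "Before pinning: $(audit "$SAMPLE_POLICY") source(s) can override"
    echo "After pinning:  $(audit "$SAMPLE_PINNED") source(s) can override"
}
# Live use instead of the sample:  apt-cache policy | overriding_sources
main
```

On a real box, write the stanza to a file under `/etc/apt/preferences.d/`, then `apt-cache policy <package>` for a package the distro also ships shows the distro version as the candidate even when the third-party repo offers a higher one. The allowlist must match the hosts the distribution itself uses, which is why it is a parameter rather than hard-coded logic.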
 