Microsoft Repo Secretly Installed on all Raspberry Pi’s Linux OS

Man so much misinformation and MS hate flowing through this thread.

Now, I'm certainly no MS lover (I downright loathe Windows 10), but I don't see this repo as a bad thing. Yes, the RPi foundation should have been more up front about it. No, they shouldn't have made it opt-in. Raspbian by default is meant to be an install-it-and-go-learn type OS. It's not your typical Linux distro and never has been. It's a distro that IS and ALWAYS HAS BEEN designed for educational purposes and should be treated as such. So yes, vscode should be there. Vscode is only one of the most used IDEs currently. Why shouldn't it be on an educational device?

The BS about bandwidth or overhead is just a worthless argument. It's a single tiny text file that gets pulled upon reboot and a sudo apt update command. MS and computer OEMs have been doing far worse for YEARS with the crapware installed on Windows by default.

So many people just want to piss and moan about this stuff. It's ridiculous and the basement neckbeards frothing at the mouth about this are really giving the Linux community a bad name.

Personally I don't run Raspbian on any of my Pis because it isn't a normal distro aimed at someone like me.

Here's a great read about this "issue":

https://popey.com/blog/2021/02/pitchforks-set-to-stun/
Agreed 100%. Can't believe how overblown this is. It's absolutely nothing except something to complain about.
 
I agree that the bandwidth argument is inconsequential. An apt update uses next to no bandwidth.

The rest I kind of disagree with. What about an educational system prevents you from installing the software you need when you need it yourself?

Whenever you make ANY change to ANYTHING it should be opt in, especially when it is a change that has potential security implications.

The whole secure design around *nix is about minimizing trust in other systems and services. This by default adds a trust relationship with a third party, unbeknownst to and unrequested by the user. That's pretty much the definition of what you are never supposed to do.
 
The rest I kind of disagree with. What about an educational system prevents you from installing the software you need when you need it yourself?
No software is being installed; users still have to install the software if they want it. It was made easier for them to do so.
 
That's what Config Management is for. You should, in this day and age, be using Ansible, or some other CM, to manage these systems. If something pops up that's not in your preferred state, it removes it. Easy peasy. If you aren't doing this or not looking to do this in any enterprise/etc, you are far behind the times.
 
Fair, but as has been repeatedly stated in this thread, users of these devices aren't necessarily sophisticated Enterprise IT types.

Also, the fact that you can prevent changes to your systems with your own automation doesn't excuse this type of behavior. It shouldn't be necessary.

It's equivalent to arguing that someone writing malware is fine, because we have antimalware software.
 
You're still looking at Raspbian as a "traditional" distro. It's not. Now I totally agree that the RPi foundation absolutely should have been open about adding the repo (because it's a very simple matter for an IT type to simply remove said repo). That said, adding the repo for one of the most highly sought after IDEs currently in use on an educational tool is absolutely the correct decision. It installs nothing. It's simply an added repo allowing the user, and only the user, to install vscode if they desire. There are no privacy implications here.

And while repo poisoning is a real thing to be considered, I'd bet half the neckbeards bitching about this as a security issue probably have 50 PPAs installed on their system as it is. That makes their point about security pretty worthless in my book. Many of them even suggested that instead of using MS's vscode repo that vscodium should have been included. Still a 3rd party repo but apparently there's no security issues when it's not Microsoft's repo. :rolleyes:

Fair, but as has been repeatedly stated in this thread, users of these devices aren't necessarily sophisticated Enterprise IT types.
This is exactly why this change is OK and not a big deal for THIS very specific distro. It's purely aimed at education.
 
This is exactly why this change is OK and not a big deal for THIS very specific distro. It's purely aimed at education.
Nah, I use arch, and it has 99% of what I need. The rest usually is in AUR.

That said, I would be 100% fine with this if somebody was notified about the repo change. I think some of y'all are overreacting about our reactions, tbh.
 
No software is being installed; users still have to install the software if they want it. It was made easier for them to do so.

This has been explained a million times already.

Once a repository is added it is trivial for the owner of that repository to create their own version of some dependency package and give it a higher version number than the package in the other repositories and have the system automatically install it when you install updates.

This may not have happened in this case (but it has in others; Microsoft, Apple and others were just pwned this way), and there is no guarantee Microsoft won't decide to distribute some version of a package that benefits them over the user, that the user never asked for.

As soon as the repository is there, added to the systems sources, the door is open. It's just a matter of whether or not the repository owner wants to walk in.

Why would you open yourself up to the possibility of this?


Think Microsoft wouldn't automatically install unwanted software on people's hardware? Remember those "Upgrade to Windows 10" dialogues that proceeded with the install if you clicked the X?
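The post above describes how a third-party repo, once enabled, can win a version race for any package it chooses to ship. The standard apt mitigation is a pin that lets that origin supply only the one package it was added for. The script below is an added example, not from the thread or from the Raspberry Pi project; it assumes the repo is served from the host packages.microsoft.com and ships the package named code, and that the distro's own mirrors are under raspberrypi.org (the thread names none of these).

```shell
#!/bin/sh
# Added example; none of this is from the thread. Assumed: the third-party
# origin is packages.microsoft.com, the package it was added for is "code",
# and the distro's own mirrors live under raspberrypi.org.

# Pinning policy for /etc/apt/preferences.d/: the third-party origin gets
# priority -1 for everything (apt will never install from it, however high
# the version), except for the single package it was added for. Specific
# "Package: code" records take precedence over the "Package: *" record.
pin_policy() {
    cat <<'EOF'
Package: *
Pin: origin packages.microsoft.com
Pin-Priority: -1

Package: code
Pin: origin packages.microsoft.com
Pin-Priority: 500
EOF
}

# Audit helper: print active (uncommented) "deb" lines in a directory of
# sources.list-style files whose host is not one of the distro mirrors,
# so an unexpected third-party entry shows up instead of going unnoticed.
# $1: directory holding the .list files.
third_party_sources() {
    grep -h '^[[:space:]]*deb' "$1"/*.list 2>/dev/null \
      | grep -Ev 'raspbian\.raspberrypi\.org|archive\.raspberrypi\.org' || true
}

# Number of third-party entries found; convenient for a one-line check.
third_party_count() {
    third_party_sources "$1" | wc -l | tr -d ' '
}

# Constructed sample data: one distro list and one third-party list.
demo_dir=$(mktemp -d)
printf 'deb http://raspbian.raspberrypi.org/raspbian/ buster main\n' > "$demo_dir/raspi.list"
printf '# deb http://archive.raspberrypi.org/debian/ buster main\n' >> "$demo_dir/raspi.list"
printf 'deb [arch=armhf] https://packages.microsoft.com/repos/code stable main\n' > "$demo_dir/vscode.list"

# Stand-alone run: show the policy and the audit result for the sample.
pin_policy
third_party_sources "$demo_dir"
```

After installing the pin on a real system, `apt-cache policy code` shows the pinned priority and confirms that other packages from that origin resolve to priority -1.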
 
I don't care if you are an Ent IT type or not; it would take a layman 2 hrs to figure out how to deploy their RPis with what they want, or remove what they don't after the fact with CM. Time to get with the times. Still a nothingburger even without that.
 
As soon as the repository is there, added to the systems sources, the door is open. It's just a matter of whether or not the repository owner wants to walk in.

Why would you open yourself up to the possibility of this?
This seems to be, like I said, the legitimate fear of the slippery slope, but I am not sure what is wrong with pointing out that saying visual code was automatically installed on every Raspberry Pi that ran an update is a bit of a misleading way to present what happened.
 
Same could be said for updates to software in any default repo, just depends on the rabbit hole you want to keep climbing down...still, again, nothing to be throwing a tantrum over.
 
See, this is the part of the argument I have trouble with.

Why is security less of a concern just because it is educational?

Why do the crazy neckbeards not care about security if it was vscodium instead of the MS repo?

Answer: Because nothing is really installed. Until you install there is no security risk by simply having the repo unless it's owned by MS apparently. ;)

Not to mention that with any Linux distro you use, you have to trust the repos. Trusting the MS vscode repo is no different. Back in 2018 wasn't it Gentoo that was compromised and literally said "consider all of our Github repos compromised right now."? You always have to assume a little bit of risk with any Linux distro. Not to mention the AUR with Arch and its derivatives. I don't install much from the AUR but I damn sure check out where the shit is coming from and check out the PKGBUILD before I just paru -S. But how many of those people pissing and moaning about this probably have 2 dozen PPAs installed and have never bothered looking at the code? I'd bet a great many.

I think some of y'all are overreacting about our reactions, tbh.
Maybe some are, but I don't think I am. I was sitting in a bunch of Linux Matrix rooms when this news broke. The reaction across them all would make you think the world was ending. That type of bullshit reaction is incredibly detrimental to the Linux community.

Should the RPi Foundation have been up front about this change? Absolutely. PR matters.
Should this still be a topic of discussion anywhere? Nope.

Now bring me my KDE 5.21!
 
I trust open source projects to not mismanage their repos. I do not trust any for profit organization to do the same.

Compromised systems happen. You can't avoid them completely; all you can do is try to manage the risk.
 
Red Falcon, you are such a control freak; I'm surprised you haven't just written your own OS (and then discovered the pain of doing everything for yourself).
I just think some transparency from the Raspberry Pi Foundation on this new feature would have been nice considering the potential ramifications.
The main issue isn't so much that we don't want Microsoft code or the ability to use said repos (having the option to do so is important), and I actually have less against Microsoft on this issue than I do with the Raspberry Pi devs and admins not being transparent when they make changes like this.

While I don't care for Microsoft's telemetry, it can be opted out of on these applications, which is fair.
When a major change is made like this to a community-driven and trust-driven platform and OS, transparency is the most important thing, and that was not presented, thus hurting the trust of said devs and admins.
 
1. Embrace

2. Extend

3. Extinguish

RPi is currently at Step 2. Step 3 is impending.
 
I don’t think rpi is very common in business settings? At least not outside of arm software development houses?

and even if it were, “hey your systems are talking to Microsoft” ? Probably not. Likely just drowned out in the noise of everything else that checks in with them these days.

Anyways, I feel like this would have been better handled for Raspbian the way Ubuntu does its third-party repos. There they are available as sources, but disabled by default until you explicitly tell it to turn them on. Could have been a simple option at install/setup time the way Ubuntu asks if you want to install any of that extra software for additional media format support, etc.

Why they’d enable anything other than base software repos by default, shrug. Not communicating about it proactively? Also poor decision. Closing threads asking about it certainly does not help the situation either.
They're frequently used for kiosks and displays as they are much cheaper than things like Samsung's MagicInfo Player. You can buy the 'business class' versions from Viewsonic with the NoTouch OS on it (allows for centralized management). That said, you would normally expect a business to use an in-house repo that gets vetted and keeps the devices one step removed from the 'net.
 
JayTwoCents put out a very useful YouTube video on how to build a custom PC sensor panel with a Raspberry Pi.

 