Microsoft Repo Secretly Installed on all Raspberry Pi’s Linux OS

4saken

[H]F Junkie
Joined
Sep 14, 2004
Messages
11,462
Man so much misinformation and MS hate flowing through this thread.

Now I'm certainly no MS lover (I downright loathe Windows 10) I don't see this repo as a bad thing. Yes, the RPi foundation should have been more up front about it. No they shouldn't have made it opt-in. Raspbian by default is meant to be install it and go learn type OS. It's not your typical Linux distro and never has been. It's a distro that IS and ALWAYS HAS BEEN designed for educational purposes and should be treated as such. So yes vscode should be there. Vscode is only one of the most used IDEs currently. Why shouldn't it be on an educational device?

The BS about bandwidth or overhead are just worthless arguments. It's a single tiny text file that gets pulled upon reboot and a sudo apt update command. MS and computer OEMs have been doing far worse for YEARS with the crapware installed on Windows be default.

So many people just want to piss and moan about this stuff. It's ridiculous and the basement neckbeards frothing at the mouth about this are really giving the Linux community a bad name.

Personally I don't run Raspbian on any of my pi's because it isn't a normal distro aimed at someone like me.

Here's a great read about this "issue":

https://popey.com/blog/2021/02/pitchforks-set-to-stun/
agreed 100%. Can't believe how overblown this is. It's absolutely nothing except something to complain about.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,678
Man so much misinformation and MS hate flowing through this thread.

Now I'm certainly no MS lover (I downright loathe Windows 10) I don't see this repo as a bad thing. Yes, the RPi foundation should have been more up front about it. No they shouldn't have made it opt-in. Raspbian by default is meant to be install it and go learn type OS. It's not your typical Linux distro and never has been. It's a distro that IS and ALWAYS HAS BEEN designed for educational purposes and should be treated as such. So yes vscode should be there. Vscode is only one of the most used IDEs currently. Why shouldn't it be on an educational device?

The BS about bandwidth or overhead are just worthless arguments. It's a single tiny text file that gets pulled upon reboot and a sudo apt update command. MS and computer OEMs have been doing far worse for YEARS with the crapware installed on Windows be default.

So many people just want to piss and moan about this stuff. It's ridiculous and the basement neckbeards frothing at the mouth about this are really giving the Linux community a bad name.

Personally I don't run Raspbian on any of my pi's because it isn't a normal distro aimed at someone like me.

Here's a great read about this "issue":

https://popey.com/blog/2021/02/pitchforks-set-to-stun/

I agree that the bandwidth argument is inconsequential. An apt update uses next to no bandwidth.

The rest I kind of disagree with. What about an educational system prevents you from installing the software you need when you need it yourself?

Whenever you make ANY change to ANYTHING it should be opt in, especially when it is a change that has potential security implications.

The whole secure design around *nix is about minimizing trusting other systems and services. This by default ads a trust relationship with a third party, unbeknownst to and unrequested by the user. Tha'ts pretty much the definition of what yo are never supposed to do.
 

LukeTbk

Gawd
Joined
Sep 10, 2020
Messages
1,014
The rest I kind of disagree with. What about an educational system prevents you from installing the software you need when you need it yourself?
No software are being installed, user still have to install the software if they want it, it was made easier for them to do so.
 

4saken

[H]F Junkie
Joined
Sep 14, 2004
Messages
11,462
I agree that the bandwidth argument is inconsequential. An apt update uses next to no bandwidth.

The rest I kind of disagree with. What about an educational system prevents you from installing the software you need when you need it yourself?

Whenever you make ANY change to ANYTHING it should be opt in, especially when it is a change that has potential security implications.

The whole secure design around *nix is about minimizing trusting other systems and services. This by default ads a trust relationship with a third party, unbeknownst to and unrequested by the user. Tha'ts pretty much the definition of what yo are never supposed to do.
That's what Config Management is for. You should, this day in age, be using Ansible, or some other CM to manage these systems. If something pops up thats not in your preferred state, it removes it. Easy peasy. If you arent doing this or not looking to do this in any enterprise/etc, you are far behind the times.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,678
That's what Config Management is for. You should, this day in age, be using Ansible, or some other CM to manage these systems. If something pops up thats not in your preferred state, it removes it. Easy peasy. If you arent doing this or not looking to do this in any enterprise/etc, you are far behind the times.

Fair, but as has been repeatedly stated in this thread, users of these devices aren't necessarily sophisticated Enterprise IT types.

Also, the fact that you can prevent changes to your systems with your own automation doesn't excuse this type of behavior. It shouldn't be necessary.

It's an equivalent to arguing that someone writing malware is fine, becuase we have antimalware software.
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,220
I agree that the bandwidth argument is inconsequential. An apt update uses next to no bandwidth.

The rest I kind of disagree with. What about an educational system prevents you from installing the software you need when you need it yourself?

Whenever you make ANY change to ANYTHING it should be opt in, especially when it is a change that has potential security implications.

The whole secure design around *nix is about minimizing trusting other systems and services. This by default ads a trust relationship with a third party, unbeknownst to and unrequested by the user. Tha'ts pretty much the definition of what yo are never supposed to do.

You're still looking at Raspbian as a "traditional" distro. It's not. Now I totally agree that the RPi foundation absolutely should have been open about adding the repo (because it's a very simple matter for an IT type to simply remove said repo). That said adding the repo for one of the most highly sought after IDE's currently in use on an educational tool is absolutely the correct decision. It installs nothing. It's simply an added repo allowing the user and only the user to install vscode if they desire. There's no privacy implications here.

And while repo poisoning is a real thing to be considered, I'd bet half the neckbeards bitching about this as a security issue probably have 50 PPAs installed on their system as it is. That makes their point about security pretty worthless in my book. Many of them even suggested that instead of using MS's vscode repo that vscodium should have been included. Still a 3rd party repo but apparently there's no security issues when it's not Microsoft's repo. :rolleyes:

Fair, but as has been repeatedly stated in this thread, users of these devices aren't necessarily sophisticated Enterprise IT types.
This is exactly why this change is OK and not a big deal for THIS very specific distro. It's purely aimed at education.
 

Nobu

Supreme [H]ardness
Joined
Jun 7, 2007
Messages
5,409
You're still looking at Raspbian as a "traditional" distro. It's not. Now I totally agree that the RPi foundation absolutely should have been open about adding the repo (because it's a very simple matter for an IT type to simply remove said repo). That said adding the repo for one of the most highly sought after IDE's currently in use on an educational tool is absolutely the correct decision. It installs nothing. It's simply an added repo allowing the user and only the user to install vscode if they desire. There's no privacy implications here.

And while repo poisoning is a real thing to be considered, I'd bet half the neckbeards bitching about this as a security issue probably have 50 PPAs installed on their system as it is. That makes their point about security pretty worthless in my book. Many of them even suggested that instead of using MS's vscode repo that vscodium should have been included. Still a 3rd party repo but apparently there's no security issues when it's not Microsoft's repo. :rolleyes:


This is exactly why this change is OK and not a big deal for THIS very specific distro. It's purely aimed at education.
Nah, I use arch, and it has 99% of what I need. The rest usually is in AUR.

That said, I would be 100% fine with this if somebody was notified about the repo change. I think some of y'all are overreacting about our reactions, tbh.
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,678
No software are being installed, user still have to install the software if they want it, it was made easier for them to do so.

This has been explained a million times already.

Once a repository is added it is trivial for the owner of that repository to create their own version of some dependency package and give it a higher version number than the package in the other repositories and have the system automatically install it when you install updates.

This may not have happened in this case (but it has in others. Microsoft, Apple and others were just pwned this way.) and there is no guarantee Microsoft won't, deciding to distribute some version of a package that benefits them over the user, that the user never asked for.

As soon as the repository is there, added to the systems sources, the door is open. It's just a matter of whether or not the repository owner wants to walk in.

Why would you open yourself up to the possibility of this?


Think Microsoft wouldn't automatically install unwanted software on people's hardware? Remember those "Upgrade to Windows 10" dialogues that proceeded with the install if you clicked the X?
 

4saken

[H]F Junkie
Joined
Sep 14, 2004
Messages
11,462
Fair, but as has been repeatedly stated in this thread, users of these devices aren't necessarily sophisticated Enterprise IT types.

Also, the fact that you can prevent changes to your systems with your own automation doesn't excuse this type of behavior. It shouldn't be necessary.

It's an equivalent to arguing that someone writing malware is fine, becuase we have antimalware software.
I don't care if you are an Ent IT type or not, would take a layman 2 hrs to figure out to deploy their RPI's with what they want, or remove what they dont after the fact with CM. Time to get with the times. Still a nothingburger even without that.
 

LukeTbk

Gawd
Joined
Sep 10, 2020
Messages
1,014
As soon as the repository is there, added to the systems sources, the door is open. It's just a matter of whether or not the repository owner wants to walk in.

Why would you open yourself up to the possibility of this?
This seem to be like I said the legitimate fear of the slippery slope, but I am not sure what is wrong with pointing out that saying that visual code was automatically installed of every Raspberry Pi that ran an update is a bit of a misleading way to present what happened.
 

4saken

[H]F Junkie
Joined
Sep 14, 2004
Messages
11,462
This has been explained a million times already.

Once a repository is added it is trivial for the owner of that repository to create their own version of some dependency package and give it a higher version number than the package in the other repositories and have the system automatically install it when you install updates.

This may not have happened in this case (but it has in others. Microsoft, Apple and others were just pwned this way.) and there is no guarantee Microsoft won't, deciding to distribute some version of a package that benefits them over the user, that the user never asked for.

As soon as the repository is there, added to the systems sources, the door is open. It's just a matter of whether or not the repository owner wants to walk in.

Why would you open yourself up to the possibility of this?


Think Microsoft wouldn't automatically install unwanted software on people's hardware? Remember those "Upgrade to Windows 10" dialogues that proceeded with the install if you clicked the X?

Same could be said for updates to software in any default repo, just depends on the rabbit hole you want to keep climbing down...still, again, nothing to be throwing a tantrum over.
 

Vermillion

Supreme [H]ardness
Joined
Apr 5, 2007
Messages
4,220
See, this is the part of the argument I have trouble with.

Why is security less of a concern just because it is educational?

Why do the crazy neckbeards not care about security if it was vscodium instead of the MS repo?

Answer: Because nothing is really installed. Until you install there is no security risk by simply having the repo unless it's owned by MS apparently. ;)

Not to mention any Linux distro you use you have to trust the repos. Trusting MS vscode repo is no different. Back in 2018 wasn't it Gentoo that was compromised and literally said "consider all of our Github repos compromised right now."? You always have to assume a little bit of risk with any Linux distro. Not to mention the AUR with Arch and it's derivatives. I don't install much from the AUR but I damn sure check out where the shit is coming from and check out the PKGBUILD before I just paru -S. But how many of those people pissing and moaning about this probably have 2 dozen PPAs installed and have never bothered looking at the code? I'd bet a great many.

I think some of y'all are overreacting about our reactions, tbh.
Maybe some are but I don't think I am. I was sitting in a bunch of Linux Matrix rooms when this news broke. The reaction across them all would make you think the world was ending. That type of bullshit reaction incredibly detrimental to the Linux community.

Should the RPi Foundation been up front about this change? Absolutely. PR matters.
Should this still be a topic of discussion anywhere? Nope.

Now bring me my KDE 5.21!
 

Zarathustra[H]

Fully [H]
Joined
Oct 29, 2000
Messages
31,678
Why do the crazy neckbeards not care about security if it was vscodium instead of the MS repo?

Answer: Because nothing is really installed. Until you install there is no security risk by simply having the repo unless it's owned by MS apparently. ;)

Not to mention any Linux distro you use you have to trust the repos. Trusting MS vscode repo is no different. Back in 2018 wasn't it Gentoo that was compromised and literally said "consider all of our Github repos compromised right now."? You always have to assume a little bit of risk with any Linux distro. Not to mention the AUR with Arch and it's derivatives. I don't install much from the AUR but I damn sure check out where the shit is coming from and check out the PKGBUILD before I just paru -S. But how many of those people pissing and moaning about this probably have 2 dozen PPAs installed and have never bothered looking at the code? I'd bet a great many.


Maybe some are but I don't think I am. I was sitting in a bunch of Linux Matrix rooms when this news broke. The reaction across them all would make you think the world was ending. That type of bullshit reaction incredibly detrimental to the Linux community.

Should the RPi Foundation been up front about this change? Absolutely. PR matters.
Should this still be a topic of discussion anywhere? Nope.

Now bring me my KDE 5.21!

I trust open source projects to not mismanage their repos. I do not trust any for profit organization to do the same.

Compromized systems happen. You can't avoid them completely, all you can do is try to manage the risk.
 

Red Falcon

[H]F Junkie
Joined
May 7, 2007
Messages
10,907
Red Falcon, you are such a control freak, I'm surprised you haven't just written your own OS (and then discover the pain of doing everything for yourself)
I just think some transparency from the Raspberry Pi Foundation on this new feature would have been nice considering the potential ramifications.
The main issue isn't so much that we don't want Microsoft code or the ability to use said repos (having the option to do so is important), and I actually have less against Microsoft on this issue than I do with the Raspberry Pi devs and admins not being transparent when they make changes like this.

While I don't care for Microsoft's telemetry, it can be opted out of on these applications, which is fair.
When a major change is made like this to a community-driven and trust-driven platform and OS, transparency is the most important thing, and that was not presented, thus hurting the trust of said devs and admins.
 
Last edited:

jfreund

[H]ard|Gawd
Joined
Sep 3, 2006
Messages
1,194
Man so much misinformation and MS hate flowing through this thread.

Now I'm certainly no MS lover (I downright loathe Windows 10) I don't see this repo as a bad thing. Yes, the RPi foundation should have been more up front about it. No they shouldn't have made it opt-in. Raspbian by default is meant to be install it and go learn type OS. It's not your typical Linux distro and never has been. It's a distro that IS and ALWAYS HAS BEEN designed for educational purposes and should be treated as such. So yes vscode should be there. Vscode is only one of the most used IDEs currently. Why shouldn't it be on an educational device?

The BS about bandwidth or overhead are just worthless arguments. It's a single tiny text file that gets pulled upon reboot and a sudo apt update command. MS and computer OEMs have been doing far worse for YEARS with the crapware installed on Windows be default.

So many people just want to piss and moan about this stuff. It's ridiculous and the basement neckbeards frothing at the mouth about this are really giving the Linux community a bad name.

Personally I don't run Raspbian on any of my pi's because it isn't a normal distro aimed at someone like me.

Here's a great read about this "issue":

https://popey.com/blog/2021/02/pitchforks-set-to-stun/

1. Embrace

2. Extend

3. Extinguish

RPi is currently at Step 2. Step 3 is impending.
 
Joined
May 10, 2016
Messages
625
I don’t think rpi is very common in business settings? At least not outside of arm software development houses?

and even if it were, “hey your systems are talking to Microsoft” ? Probably not. Likely just drowned out in the noise of everything else that checks in with them these days.

Anyways, I feel like this would have been better handled for Raspbian the way Ubuntu does its third-party repos. There they are available as sources, but disabled by default until you explicitly tell it to turn them on. Could have been a simple option at install/setup time the way Ubuntu asks if you want to install any of that extra software for additional media format support, etc.

Why they’d enable anything other than base software repos by default, shrug. Not communicating about it proactively? Also poor decision. Closing threads asking about it certainly does not help the situation either.
They're frequently used for kiosks and displays as they are much cheaper than things like Samsung's MagicInfo Player. You can buy the 'business class' versions from Viewsonic with the NoTouch OS on it (allows for centralized managment). That said, you would normally expect a business to use an in-house repo that gets vetted and keeps the devices one step removed from the 'net.
 

Lumpus

Limp Gawd
Joined
Sep 2, 2005
Messages
369
JayTwoCents put out a very useful YouTube on how to build a custom pc sensor panel with a RaspberryPi

 
Top