Microsoft repo secretly installed on Raspbian

“In a recent update, the Raspberry Pi OS installed a Microsoft apt repository on all machines running Raspberry Pi OS without the person’s or admin’s knowledge. Every time a Raspbian device is updated by having this repo, it will ping a Microsoft server.”

This is a shadiness that I wasn’t expecting from a company that’s promoting open source software like them. But luckily the community is always vigilant and can spot these privacy-violating acts that are not even openly disclosed. Until they come up with an official statement I’ll make sure to hold off from the Pi upgrade that was waiting in my Amazon cart.

7 Likes

they’re probably going to brush it off as “value add”
if you weren’t planning on using Raspbian, like for batocera you’re probably safe

1 Like

Posted this link in the newsdump thread, but my post was flagged because of “click-bait”.

2 Likes

@GigaBusterEXE It’s about supporting a company that does stuff like this. I know I can run other OSes on it, but it shouldn’t happen.

@oxbird I’m very sorry that happened to you. I went through the news and the posts on the Raspberry Pi forum and it’s absolutely not a bait.

I contacted the moderator, hopefully they reverse their decision.

3 Likes

I just got off work so I can take a closer look at the “shadiness” in detail.

TBH my initial impressions of this were “meh”, however, I can see the point of view you guys are trying to present regarding privacy.

I’ll respond back once I’ve found out more.

This is ridiculously click-baity. That “secret Microsoft repository” is configured normally by /etc/apt/sources.list.d/vscode.list and is to support the community edition of VS Code which the Raspberry Pi Foundation includes along with a pile of other development tools because their mission is education and the tools are relevant to that. It’s not hidden, and running “apt update” you clearly see the repos you’re updating from. Plus, it’s easy to uninstall VS or just comment out the repo.

TLDR: Trash article is trash. If you want to read it, you should read the archive of it so as not to reward them with clicks. https://archive.is/Vng1d

5 Likes
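One way to check which hosts `apt update` will contact, as the post above describes, added here as an example that is not part of any post in this thread: a shell function that lists active entries in a sources directory whose host is not on an allowlist. The function names, the allowlist and the sample hosts are constructed for illustration; on a real system the directory would be /etc/apt/sources.list.d.

```shell
#!/bin/sh
# Added example: report active apt repositories whose host is not on an allowlist.

# list_third_party_repos DIR "host1 host2 ..."
# Prints "<file><TAB><host>" per active deb/deb-src entry in DIR/*.list outside the allowlist.
# Handles the one-line *.list format only; deb822 *.sources files are not parsed here.
list_third_party_repos() {
    dir=$1
    allowed=$2
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        awk -v file="${f##*/}" -v allowed="$allowed" '
            BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
            { sub(/#.*/, "") }                       # commented-out entries are inactive
            $1 != "deb" && $1 != "deb-src" { next }
            {
                sub(/\[[^]]*\]/, "")                 # drop the [arch=... signed-by=...] options
                if (split($2, p, "/") < 3 || p[2] != "") next   # not scheme://host/...
                host = p[3]
                sub(/:.*/, "", host)                 # strip :port
                if (!(host in ok)) print file "\t" host
            }
        ' "$f"
    done
}

# Constructed sample directory (placeholder hosts, not the real repository contents).
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' 'deb http://archive.distro.example/debian/ buster main' > "$d/raspi.list"
    printf '%s\n' \
        '# deb http://old.vendor.example/repo stable main' \
        'deb [arch=amd64,arm64,armhf] http://packages.vendor.example/repos/code stable main' \
        > "$d/vscode.list"
    echo "$d"
}

sample=$(make_sample_dir)
list_third_party_repos "$sample" "archive.distro.example"
rm -rf "$sample"
```

Run from a scheduled job across a fleet, a non-empty result shows that a package update has added a repository the administrator did not configure.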

So after looking at it I came to this conclusion.

A lot of people use VSCode.

A lot of Pico users requested an easier install path to get VSCode on their machines.

The dev responded by making a change to make that easier.

How he went about making the sausage pissed off a lot of people (MS haters).

He and regular Debian devs discuss a more elegant way to accomplish the goal.

Links:

TBH I’d hardly call this news. But to each their own.

5 Likes

In my opinion I find it interesting there is a VS Code for Pi being added to the repo list when it could have just been left up to the end-user, the kits they were selling on the Microsoft Store (online/former retail stores) used a varying number of pre-installed stuff on the full Raspbian desktop. (Never used VS Code on a Pi)

If anyone has followed what Microsoft has been doing for years with IoT and their own “Microsoft Store”, they’ve sold plenty of Pi solutions for education reasons. On the IoT side they did offer some how-to scripting to use Windows IoT(Pi hardware) tied to Raspbian running Pi as a hub.

They bring up a solid point about use case on the lite install. Ultimately this feels like drama because mIcRoSoFt BaD.

Idk I’m jaded and hate everything.

6 Likes

You nailed it

4 Likes

I think it still has to install the repository config file so that the installer can find the packages even on the “lite” install for if the person wants to install it later.

I mean, it really isn’t just “MiCrOsOfT BaD” though…

I somewhat trust when i do “apt update” on a fresh raspbian to ping raspbian servers… I don’t want to ping microsoft and other repos…

If they’d package OS Code to raspbian repo i’d have no issue with it.
If there’s a metapackage that will add the repo when i do “sudo apt install mscode” i’d have no issue with it…
If they’d package MS Code to raspbian repo i’d have less problem with it, since i’d trust that raspbian vetoed it…

However, given how MS is already gimping open source versions of Code (not allowing extensions), i’d rather have a choice…

7 Likes

That’s a whole lot more reasonable take on it than the clickbait article took. :thumbsup:

1 Like

It be like it is… because outrage cancel culture. It’s inherent to the Linux community.

The microsoft is evil crowd always pulls this stuff. I said they have a point but it’s the tone of the article that makes me want to dismiss their point.

I roll my eyes every time I see this behavior.

Who cares that it’s not a raspbian server? The software is for raspbian so it is a raspbian repo. Do I remove the Ubuntu repos because my mint install hits them?

It’s just software virtue signalling.

5 Likes

Not a native speaker, so i might lose something reading the article, but the tone doesn’t seem particularly offensive… A bit paranoid - yes, but it explains reasoning behind paranoia and offers solutions if you are also “microsoft paranoid”… Why is there no special Wolfram, vlc, firefox,… repo by default?

I’m glad you don’t mind it’s not a raspbian server. However there are practical reasons for it… Even if you don’t care about virtue signaling, security/privacy aspects or cancel culture…

When microsoft decides new/old version of raspbian is no longer supported, or they get bored and remove the repo, or they decide to change the url, or i upgrade my installation and upgrade script doesn’t update 3rd party repos, maybe my country block *.microsoft.com domains…
Apt will constantly complain about “no such version” or whatever its error is after that. Usually, if you stay with default repos, for a lifetime of the installation (including upgrade cycles) there is no need to be dependent on anything not provided by the main repo.

And hundreds of headless IOT deployments of rpi’s will now (potentially) spew errors during maintenance,… I’m guilty of creating a scripted “automatic cluster upgrade procedure” that does exactly things like that. And i’d be unhappy about the amount of mail i’d receive that my installation config is out of whack after an update…

Mint is downstream from ubuntu. If mint decided this is the best way to distribute their software, eliminating duplication - fine; great even.
I see no reason why a fresh ubuntu installation would rummage through mint repos though…

1 Like

It’s not that it’s offensive, it’s that the endless anti microsoft anything paranoia affects others and the community.

You’re not wrong in saying it should probably be a PPA you add to your sources but if you’re saying that because you think pinging microsoft is bad then I’m wondering what the point is.

As for software versioning, I don’t know who maintains the vs code version for raspbian on the repo in question, but I have to wonder why it even matters? There’s so many other wrongs in the world that this seems inconsequential. All the other situations are hypothetical and we could play that kind of game all day.

Again it’s not that the argument is bad. It’s good… it’s the way they’re going about making it.

1 Like

VSCode is not mit license and so is distributed in binary form from the owners.

If there were official repos on raspbian, it would just be a middleman to the Microsoft repo which hosts the software.

The extra load and cost and maintenance is not worth it so it makes a lot of sense to just have end users pointed directly at Microsoft repos.

3 Likes

ah, this makes a bit more sense now.

Np :+1: