Microsoft

Raspberry Pi OS Accused of 'Phoning Home' To Microsoft (hothardware.com) 98

Slashdot reader rushtobugment quotes a story from Hot Hardware: One of the software options for running a Raspberry Pi module is Raspberry Pi OS (formerly Raspbian), the officially supported Debian-based operating system put out by The Raspberry Pi Foundation. It has been around since 2015 without too much complaint. However, a recent update has some Raspberry Pi OS users up in arms over a key change involving Microsoft.

The latest update installs a Microsoft apt repository on any machine running Raspberry Pi OS, and does it without any admin consent. As discovered by Reddit user fortysix_n_2, the official reason is an endorsement of Microsoft's integrated development environment, Visual Studio Code, which is fine and dandy. However, it's claimed this even gets installed on headless devices that used a light image without a GUI. As a result, every time you do an "apt update" on your Pi device, the OS pings Microsoft.

"By having this repo, every time an install of Raspberry Pi OS is updated it will ping a Microsoft server. Microsoft will know you're using Raspberry Pi OS/likely Raspberry Pi owner and your IP address...." fortysix_n_2 explains.

Or, as a headline explains on the Windows Central blog, "Microsoft repo silently added to Raspberry Pi OS, folks begin the freak out..."

"As one particularly vocal commenter pointed out, modifying the sources.list in Linux without consent just doesn't happen. It also doesn't just apply to new images, it has been built out to be added to existing machines, too."

UPDATE: An anonymous Slashdot reader spotted Raspberry Pi founder Eben Upton's response to the controversy on Twitter. When asked if the foundation could be more transparent, like publishing a blog post about the repositories to be included, Upton responded:

"I can't understand why you think this was a controversial thing to do. We do things of this sort all the time without putting out a blog post about how to opt out."

  • by Anonymous Coward on Saturday February 06, 2021 @05:39PM (#61035282)

    These same people complaining are probably using google chrome to submit their complaints, with dns servers set to 8.8.8.8, while checking their facebook app in between tik tok videos.

    And they're complaining about a repo hosted by Microsoft...

    • by Entrope ( 68843 ) on Saturday February 06, 2021 @05:55PM (#61035326) Homepage

      TFS is also wrong, at least to some extent. If you install VS Code, it will add that repository to your sources.list.d directory automatically. If you install Chrome, it will add its repository to your sources.list.d directory automatically. Maybe consent is implied -- but it certainly happens without explicit consent. Regardless, it makes a mountain out of a molehill. apt will not ping that server at all unless the system is configured to periodically check for updates, or the administrator runs a command like "apt update".

      Anyways, whatever minimal information is revealed by that check for update is vastly less information than Microsoft would get from anyone who runs VS Code. VS Code does allow the user to disable telemetry, but one can expect that there is plenty of telemetry baked into the enabled-by-default setting.

      • by urbieta ( 212354 )
        just add "127.0.0.1 microsoft.com" in "/etc/hosts" rasp pi will ping itself
        • by Entrope ( 68843 )

          If you mean "127.0.0.1 packages.microsoft.com", and your stub resolver uses /etc/hosts, sure.

          Or comment out the line in /etc/apt/sources.list.d/vscode.list, or whatever file Raspberry Pi OS uses -- my copy of that file says "You may comment out this entry, but any other modifications may be lost." It should be straightforward to disable the poll for updates. TFA makes it sound like an insidious change, but it seems both helpful and trivial to me.

      • Wrong (Score:5, Informative)

        by feranick ( 858651 ) on Saturday February 06, 2021 @11:54PM (#61036232)
        And this is completely incorrect. I don't have VS code installed and my sources NEVER had the MS link. Yet, on my 5 RPIs it was added in the last update. I gave consent to nobody, it just showed up. Nothing to die for, of course. One can just quickly delete the source and be done with.
        • by Anonymous Coward

          Yet, on my 5 RPIs it was added in the last update. I gave consent to nobody, it just showed up

          Waitasec, you're saying the newly named distro actually defaults to automatically and silently running a scheduled "dist-upgrade" without user interaction now??

          What name/version/fork of APT is it now using?
          This isn't even possible in Debian's APT. Even if you ran dist-upgrade with -force and -y it will still ignore those last two for each and every config file conflict to prompt what to do before erasing all your config files in /etc

          This is insanely huge news. Not the Microsoft thing, but the fact you're s

        • by dskoll ( 99328 )

          Confirmed. I didn't install VS Code and yet /etc/apt/sources.list.d/vscode.list was dropped in.

          Deleting the file may not fix it. It says "You may comment out this entry, but any other modifications may be lost.". So I commented out the entry and did chattr +i /etc/apt/sources.list.d/vscode.list just in case.

        • I gave consent to nobody, it just showed up.

          You mean it showed up, like a whole host of other things "showed up", when you updated your device?

          You didn't give consent to yourself? You are the one who applied the update so you are the one that put it there, if you didn't look at what the update was going to do before you applied it then you can hardly blame others for what it did.

        • It appears there is an astroturfing campaign being practiced here. It will be interesting to see how your comment gets modded as your comment goes directly against that campaign. I will check again in a few more days.

          The fact that there is an astroturfing campaign sets off alarm bells. It points at the change as being intentional and not in the best interests of the persons using/owning the devices.

      • VSCode is open source. There's no reason to use the Microsoft version.

        The VSCodium [vscodium.com] build doesn't include telemetry.
    • Not sure why you're modded fb...? This is the right answer. A repository is hosted by Microsoft. Big fucking deal. I'd trust that source more than some random user on GitHub, which is owned by who again?
    • Exactly, like how did the tech community become even greater pussies. So MSFT has an open source repo

    • I do none of that. But go ahead, keep rationalizing.

  • Remember PRISM? (Score:5, Insightful)

    by RegistrationIsDumb83 ( 6517138 ) on Saturday February 06, 2021 @05:48PM (#61035310)
    Vs code/.net core does a lot of telemetry. To their credit, Microsoft attempts to explain this via MSDN in pretty thorough detail. And most likely, they (feel they) need stats to show adoption to justify continued investment in Linux efforts. But a lot of us still remember their involvement in PRISM, where they did mass spying on behalf of the government. Burned once, I don't think there's any way to rebuild that trust.
    • Cool story, but nothing at all relevant to the discussion which is that somehow having an apt-repo enabled is some amazing nefarious privacy risk.

      In any case if PRISM wants to know that I have a $35 toy in my room go for it.

  • Oh noes! (Score:3, Funny)

    by pngwen ( 72492 ) on Saturday February 06, 2021 @05:49PM (#61035312) Journal

    If Microsoft sees a bunch of people running a Raspberry Pi, they may do nefarious things! Why, they may use the increase in popularity of the platform as a means to justify developing more software for it! Worse, they may make books, curricula, publications, and other things of value targeted at this user base.

    How much value can we stand being offered to us?

    At least we'll always be safe on github ;)

    • They'll decide that they need to control that market too and make cheaper Arm linux boards and sell them below cost. Oh no!

    • Re:Oh noes! (Score:5, Funny)

      by AmiMoJo ( 196126 ) on Saturday February 06, 2021 @06:22PM (#61035388) Homepage Journal

      Even worse, the Debian repo maintainers have been collecting all this data for their own nefarious purposes for years already!

      Don't even mention the guys running pool.ntp.org.

    • Re:Oh noes! (Score:5, Informative)

      by Frobnicator ( 565869 ) on Saturday February 06, 2021 @06:42PM (#61035434) Journal

      After reading the links (I know, right?!) it looks like the outrage is about trust. It isn't about "Microsoft is nefarious", or about "package sources are untrustworthy".

      From reading the articles, the Pi OS folks (allegedly) distributed the packages, certificates, and list updates to the official distribution points before posting to the public GitHub repos. When people talked about it the comments on their discussion boards were (again, allegedly) deleted. They had been pushed quietly in the packaged versions for the OS before they were visibly added to the GitHub repo.

      The discussions then moved to reddit, where they were about violations of trust. Adding security certificates to an OS is a concern, if not an issue. Adding package repositories is a moderately big issue. Deleting/hiding discussions about those two is an enormous issue.

      Several users are quick to point out that they aren't concerned about the Microsoft repositories at all, instead they are quite concerned about the transparency and accountability of the maintainers who pushed out security certificates and marked them as trusted repos without community discussion, and even deleted discussion about it.

      • Several users are quick to point out that they aren't concerned about the Microsoft repositories at all, instead they are quite concerned about the transparency and accountability of the maintainers who pushed out security certificates and marked them as trusted repos without community discussion, and even deleted discussion about it.

        The trust issue is amplified by the fact that the file was installed without being "owned" by any package.

    • Re: (Score:1, Troll)

      by quonset ( 4839537 )

      Why, they may use the increase in popularity of the platform as a means to justify developing more software for it!

      Microsoft can't even get their own software coded correctly. This would be a sure way to kill off Pi OS.

    • Re:Oh noes! (Score:5, Insightful)

      by Anonymous Coward on Saturday February 06, 2021 @08:36PM (#61035784)

      I wouldn't want Microsoft to have the ability to update versions of various packages on my rpi without my consent. What if it started updating other packages OTHER than vscode which I had no intention of installing in the first place because they decided to put out their own "version"?

      This was a serious trust/security issue.

      • Exactly. A sources.list entry is, essentially, equivalent to having root on my device. They can pull all sort of crap, including deploying a 'personalized' update just for my device if I am a high-stakes target.
        • Except you willingly have given it to EVERY other entry on that list as well, whom you seem to trust blindly with no idea who the hell they even are!

          The second you hit "Update" you provided their consent to update the machine. That's life. Deal with it... Or go write your own personal OS and software if you want 100% perfect control. Because that's the ONLY way you're ever going to be able to 100% trust everything running on your machine.

          • On a vanilla Debian install, "every other entry on that list" is just the Debian servers. Is it that strange to think "I trust the Debian devs, but not Microsoft?"
            • The real question is whether you trust the Raspberry Pi Foundation because they're the ones who made this change and pushed out the update that included it.
  • This situation only happened because Microsoft is becoming far friendlier to open source/Linux, and has that apt repo for VSCode in the first place.
  • Alternatives (Score:5, Interesting)

    by cyberpunkrocker ( 1649121 ) on Saturday February 06, 2021 @05:54PM (#61035322)

    If you don't like this, don't use Raspberry Pi OS. I'm using Arch Linux ARM on all my RPI's

  • As a result, every time you do an "apt update" on your Pi device, the OS pings Microsoft.

    Yeah, along with every other repo in your sources.list file !

    So Microsoft wants to host their software on their own servers. So does Google for Google Earth, and countless other packages.

    Don't like it ? Remove Microsoft's repo from your sources.list, along with any other repo installed by default that you don't like.

    I know Microsoft bashing is all the rage these days, but for freaking crying out loud...

    • by jenningsthecat ( 1525947 ) on Saturday February 06, 2021 @06:39PM (#61035424)

      As a result, every time you do an "apt update" on your Pi device, the OS pings Microsoft.

      Yeah, along with every other repo in your sources.list file !

      So Microsoft wants to host their software on their own servers. So does Google for Google Earth, and countless other packages.

      Don't like it ? Remove Microsoft's repo from your sources.list, along with any other repo installed by default that you don't like.

      I know Microsoft bashing is all the rage these days, but for freaking crying out loud...

      All you people pissing on the outrage expressed in the summary need to RTFA. Here's a quote from it:
      "Never in my 2 decades of using Debian and Ubuntu has either modified my sources.list without my consent. What the actual f**k? I could understand if they just added it to the default installation image, but they had to actually write a script to add this repo to existing installations. That is shady as f**k!," a user commented in the thread.

      I'm inclined to agree with that user.

      • That guy must have missed the part where Ubuntu was sending all your system statistics to Amazon. I mean they used to have a large Amazon button right on the desktop.

        • by troff ( 529250 )

          This guy must have missed the part where these people weren't using Ubuntu.

          • Read the post above mine.

            • by troff ( 529250 )

              I did. Zero relevance.
              You're saying "oh noes, corporate information sucking happens with Ubuntu and Amazon!". When you install an Ubuntu machine, the Amazon icons are right on the desktop straight away.

              This Microsoft repository in the Raspberry Pi was installed under the radar as a part of a Raspberry Pi system mods package. There was no advertising of it being done. You're only a step away from them making it a default required INSTALL as well as just the repository entry. And the usual open-source viewing

      • dist-upgrade will change your sources. That is consensual in the same way that installing and upgrading the Microsoft package is consensual.

      • I'm inclined to agree with that user.

        I'm not. The sources list defines the software that is part of the distro. It's entirely up to the distro maintainer where this comes from. OMFG it comes from repo A vs repo B !!! is faux outrage when apt-update already installs software the *maintainer* decides, and also gives the user a complete list which they can customise.

  • but my biggest gripe with Raspbian is that the default configuration is set to allow password-less sudo for the pi account. No idea why they set it up like this on a beginner board, but it creates a massive security concern when so many people use this to deploy Linux for the first time.
    • by gweihir ( 88907 )

      It goes nicely with the general secondratedness of the RPi design and the community it has. People with big egos and, at best, half a clue.

      • The raspberry pi was designed as a cheap and cheerful tool to teach primary school children about tech.

        Those people in the community forums that you're arguing with are probably 10 years old. Finding their ignorance offensive is a bit strange don't you think?
        • by gweihir ( 88907 )

          The raspberry pi was designed as a cheap and cheerful tool to teach primary school children about tech.
          Those people in the community forums that you're arguing with are probably 10 years old. Finding their ignorance offensive is a bit strange don't you think?

          I am very sure the ones I did argue with the few times I ventured in there are adults. With big egos and small skills. The moderators are not much better. I have since given up on that community as infested with people that did get nowhere in their skill-evolution but cannot accept that (which is probably why they got nowhere).

          The clueless ones here are not 10 year olds. These are "makers", i.e. people not smart enough to be engineers, but unable to see or accept that. It is like plumbers presuming to design

  • Especially on 4 GB RPIs, Raspberry Pi OS is a poor choice compared to Ubuntu. Ubuntu is better maintained, more up to date software (especially the browsers), etc. So, use Ubuntu anyway, or the growing list of Linux distros that support RPI, such as OpenSUSE, Arch, etc.

  • My monocle has just fallen out! The very first comment couldn’t be more true.

  • Great now we have to educate people on how apt works or we'll all be screwed. Add to this immunology, virology, biology, astronomy, physics, chemistry, geology, the scientific method, logical fallacies, statistics, and history.

  • The easy fix, of course, would have been going with VSCodium, which is the de-microsoftized version of VS Code, exactly like Chromium is the de-googled version of Chrome.
  • Why to use Raspbian? Fedora works without any extra patches.
  • Turn it off (Score:5, Informative)

    by Skiron ( 735617 ) on Sunday February 07, 2021 @05:31AM (#61036650)
    I noticed these repo's appear this week, so...

    Edit: /etc/apt/sources.list.d/vscode.list

    and # out the 'deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/... stable main' line. That stops the repos being used. Then, just to be on the safe side, I made the file immutable - I dunno what 'apt' will do if it tries to change it, but let's see:

    sudo chattr +i /etc/apt/sources.list.d/vscode.list

    lsattr /etc/apt/sources.list.d/vscode.list will show that.
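
The step several commenters describe (commenting out the entry in vscode.list), together with a way to list which servers "apt update" will contact, as an added example that is not from the thread or from Raspberry Pi OS. The function names are hypothetical, the sample tree is constructed, and the Microsoft URL path is a placeholder because the thread elides it.

```shell
#!/bin/sh
# Added example, not from the thread. Handles one-line *.list entries only;
# deb822-style *.sources files are out of scope.

# apt_source_hosts ETC_APT_DIR
# Print "host<TAB>file" for every active deb/deb-src entry, i.e. every server
# that "apt update" will contact and which file causes it.
apt_source_hosts() {
    for f in "$1"/sources.list "$1"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        sed -n -E 's#^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?(https?|ftp)://([^/:[:space:]]+).*#\4#p' "$f" |
        while read -r host; do printf '%s\t%s\n' "$host" "$f"; done
    done | sort -u
}

# disable_apt_host FILE HOST
# Comment out active entries in FILE that point at HOST. Commented lines and
# other hosts are untouched, so a second run changes nothing.
disable_apt_host() {
    tmp=$(mktemp) || return 1
    awk -v h="$2" '
        /^[ \t]*deb(-src)?[ \t]/ && (index($0, "://" h "/") || index($0, "://" h " ")) {
            print "# " $0; next
        }
        { print }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps the file's owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# make_sample DIR: constructed test tree. The Microsoft URL path is a
# placeholder because the thread elides it; the other mirror is hypothetical.
make_sample() {
    mkdir -p "$1/sources.list.d"
    printf '%s\n' 'deb http://mirror.example.org/raspbian/ buster main' \
        '# deb-src http://mirror.example.org/raspbian/ buster main' > "$1/sources.list"
    printf '%s\n' '### You may comment out this entry' \
        'deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/PLACEHOLDER stable main' \
        > "$1/sources.list.d/vscode.list"
}

# Demo on the constructed tree; point the functions at /etc/apt on a real Pi.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "before:"; apt_source_hosts "$demo_dir"
disable_apt_host "$demo_dir/sources.list.d/vscode.list" packages.microsoft.com
echo "after:";  apt_source_hosts "$demo_dir"
rm -rf "$demo_dir"
```

On a real system the second function needs root, and the `chattr +i` step from the comment above is a separate action taken afterwards.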
  • Um, seriously....? SO WHAT?

    So MS knows you have a Pi running... Big deal? They can do exactly WHAT with that information?

    Geez, some people get so up in arms over nonsense.

  • People who don't realise that sending data to vendors is creating surveillance datapoints just don't get the risks.

    As we saw in the Early Snowden releases - data sent to Vendors is siphoned off by the NSA and collected. We can assume that other parties with access to physical infrastructure within their borders don't do likewise.

    All of this data is used to create a digital landscape that is used to locate people of interest, their activities, their communications and those they communicate with.

    Only people
