Raspberry Pi OS Accused of 'Phoning Home' To Microsoft

Slashdot reader rushtobugment quotes a story from Hot Hardware: One of the software options for running a Raspberry Pi module is Raspberry Pi OS (formerly Raspbian), the officially supported Debian-based operating system put out by The Raspberry Pi Foundation. It has been around since 2015 without too much complaint. However, a recent update has some Raspberry Pi OS users up in arms over a key change involving Microsoft.

The latest update installs a Microsoft apt respository on all any machine running Raspberry Pi OS, and does it without any admin consent. As discovered by Reddit user fortysix_n_2, the official reason is an endorsement of Microsoft's integrated development environment, Visual Studio Code, which is fine and dandy. However, it's claimed this even gets installed on headless devices that used a light image without a GUI. As a result, every time you do an "apt update" on your Pi device, the OS pings Microsoft.

"By having this repo, every time an install of Raspberry Pi OS is updated it will ping a Microsoft server. Microsoft will know you're using Raspberry Pi OS/likely Raspberry Pi owner and your IP address...." fortysix_n_2 explains.
Or, as a headline explains on the Windows Central blog, "Microsoft repo silently added to Raspberry Pi OS, folks begin the freak out..."

"As one particularly vocal commenter pointed out, modifying the sources.list in Linux without consent just doesn't happen. It also doesn't just apply to new images, it has been built out to be added to existing machines, too."

UPDATE: An anonymous Slashdot reader spotted Raspberry Pi founder Eben Upton's response to the controversy on Twitter. When asked if the foundation could be more transparent, like publishing a blog post about the repositories to be included, Upton responded:

"I can't understand why you think this was a controversial thing to do. We do things of this sort all the time without putting out a blog post about how to opt out."

Oh no a repo run by microsoft...

[Anonymous Coward]

These same people complaining are probably using google chrome to submit there complaints, with dns servers set to 8.8.8.8, while checking their facebook app in between tik tok videos.

And they're complaining about a repo hosted microsoft...

Re:Oh no a repo run by microsoft...

[Entrope]

TFS is also wrong, at least to some extent. If you install VS Code, it will add that repository to your sources.list.d directory automatically. If you install Chrome, it will add its repository to your sources.list.d directory automatically. Maybe consent is implied -- but it certainly happens without explicit consent. Regardless, it makes a mountain out of a molehill. apt will not ping that server at all unless the system is configured to periodically check for updates, or the administrator runs a command like "apt update".

Anyways, whatever minimal information is revealed by that check for update is vastly less information that Microsoft would get from anyone who runs VS Code. VS Code does allow the user to disable telemetry, but one can expect that there is plenty of telemetry baked into the enabled-by-default setting.

Re:

[urbieta]

just add "127.0.0.1 microsoft.com" in "/etc/hosts" rasp pi will ping itself

Re:

[Entrope]

If you mean "127.0.0.1 packages.microsoft.com", and your stub resolver uses /etc/hosts, sure.

Or comment out the line in /etc/apt/sources.list.d/vscode.list, or whatever file Raspberry Pi OS uses -- my copy of that file says "You may comment out this entry, but any other modifications may be lost." It should be straightforward to disable the poll for updates. TFA makes it sound like an insidious change, but it seems both helpful and trivial to me.

Re:

[fph il quozientatore]

Good luck updating, with that line in your /etc/hosts.

Wrong

[feranick]

And this is completely incorrect. I don't have VS code installed and my sources NEVER had the MS link. Yet, on my 5 RPIs it was added in the last update. I gave consent to nobody, it just showed up. Nothing to die for, of course. One can just quickly delete the source and be done with.

Re:

[Anonymous Coward]

Yet, on my 5 RPIs it was added in the last update. I gave consent to nobody, it just showed up

Waitasec, you're saying the newly named distro actually defaults to automatically and silently running a scheduled "dist-upgrade" without user interaction now??

What name/version/fork of APT is it now using?
This isn't even possible in Debians APT. Even if you ran dist-upgrade with -force and -y it will still ignore those last two for each and every config file conflict to prompt what to do before erasing all your config files in /etc

This is insanely huge news. Not the Microsoft thing, but the fact you're s

Re:

[dskoll]

Confirmed. I didn't install VS Code and yet /etc/apt/sources.list.d/vscode.list was dropped in.

Deleting the file may not fix it. It says "You may comment out this entry, but any other modifications may be lost.". So I commented out the entry and did chattr +i /etc/apt/sources.list.d/vscode.list just in case.

Re:

[exomondo]

I gave consent to nobody, it just showed up.

You mean it showed up, like a whole host of other things "showed up", when you updated your device?

You didn't give consent to yourself? You are the one who applied the update so you are the one that put it there, if you didn't look at what the update was going to do before you applied it then you can hardly blame others for what it did.

Re:

[strikethree]

It appears there is an astroturfing campaign being practiced here. It will be interesting to see how your comment gets modded as your comment goes directly against that campaign. I will check again in a few more days.

The fact that there is an astroturfing campaign sets off alarm bells. It points at the change as being intentional and not in the best interests of the persons using/owning the devices.

Re:

[infolation]

VSCode is open source. There's no reason to use the Microsoft version.

The VSCodium [vscodium.com] build doesn't include telemetry.

Re: Oh no a repo run by microsoft...

[Anonymouse Cowtard]

Not sure why you're modded fb...? This is the right answer. A repository is hosted by Microsoft. Big fucking deal. I'd trust that source more than some random user on GitHub, which is owned by who again?

Re: Oh no a repo run by microsoft...

[mylogic]

Exactly, like how did the tech community become even greater pussies. So MSFT has an open source repo

Re: Oh no a repo run by microsoft...

[longk]

I do none of that. But go ahead, keep rationalizing.

Remember PRISM?

[RegistrationIsDumb83]

Vs code/.net core does a lot of telemetry. To their credit, Microsoft attempts to explain this via MSDN in pretty thorough detail. And most likely, they (feel they) need stats to show adoption to justify continued investment in Linux efforts. But a lot of us still remember their involvement in PRISM, where they did mass spying on behalf of the government. Burned once, I don't think there's any way to rebuild that trust.

Re:

[thegarbz]

Cool story, but nothing at all relevant to the discussion which is that somehow having an apt-repo enabled is some amazing nefarious privacy risk.

In any case if PRISM wants to know that I have a $35 toy in my room go for it.

Oh noes!

[pngwen]

If Microsoft sees a bunch of people running a Raspberry Pi, they may do nefarious things! Why, they may use the increase in popularity of the platform as a means to justify developing more software for it! Worse, they may make books, curricula, publications, and other things of value targeted at this user base.

How much value can we stand being offered to us?

At least we'll always be safe on github ;)

Re:

[Darinbob]

They'll decide that they need to control that market too and make cheaper Arm linux boards and sell them below cost. Oh no!

Re:Oh noes!

[AmiMoJo]

Even worse, the Debian repo maintainers have been collecting all this data for their own nefarious purposes for years already!

Don't even mention the guys running pool.ntp.org.

Re:

[vbdasc]

Debian.org good, Microsoft.com bad. This is a huge difference.

This was a joke, in case someone doesn't notice.

Re:

[fph il quozientatore]

I agree with everything you wrote minus the joke part.

Re:

[mustafap]

>Don't even mention the guys running pool.ntp.org.

That's the funniest thing I heard all week, thanks :)

Re:

[WallyL]

Why, I haven't got the time of day to talk about that!

Re:Oh noes!

[Frobnicator]

After reading the links (I know, right?!) it looks like the outrage is about trust. It isn't about "Microsoft is nefarious", or about "package sources are untrustworthy".

From reading the articles, the Pi OS folks (allegedly) distributed the packages, certificates, and list updates to the official distribution points before posting to the public GitHub repos. When people talked about it the comments on their discussion boards were (again, allegedly) deleted. They had been pushed quietly in the packaged versions for the OS before they were visibly added to the GitHub repo.

The discussions then moved to reddit, where they were about violations of trust. Adding security certificates to an OS is a concern, if not an issue. Adding package repositories is a moderately big issue. Deleting/hiding discussions about those two is an enormous issue.

Several users are quick to point out that they aren't concerned about the Microsoft repositories at all, instead they are quite concerned about the transparency and accountability of the maintainers who pushed out security certificates and marked them as trusted repos without community discussion, and even deleted discussion about it.

Re:

[whoever57]

Several users are quick to point out that they aren't concerned about the Microsoft repositories at all, instead they are quite concerned about the transparency and accountability of the maintainers who pushed out security certificates and marked them as trusted repos without community discussion, and even deleted discussion about it.

The trust issue is amplified by the fact that the file was installed without being "owned" by any package.

Re:

[quonset]

Why, they may use the increase in popularity of the platform as a means to justify developing more software for it!

Microsoft can't even get their own software coded correctly. This would be a sure way to kill of Pi OS.

Re:Oh noes!

[Anonymous Coward]

I wouldn't want Microsoft to have the ability to update versions of various packages on my rpi without my consent. What if it started updating other packages OTHER than vscode which I had no intention of installing in the first place because they decided to put out their own "version"?

This was a serious trust/security issue.

Re:

[fph il quozientatore]

Exactly. A sources.list entry is, essentially, equivalent to having root on my device.They can pull all sort of crap, including deploying a 'personalized' update just for my device if I am a high-stakes target.

Re:

[mkopack73]

Except you willingly have given it to EVERY other entry on that list as well, whom you seem to trust blindly with no idea who the hell they even are!

The second you hit "Update" you provided their consent to update the machine. That's life. Deal with it... Or go write your own personal OS and software if you want 100% perfect control. Because that's the ONLY way you're ever going to be able to 100% trust everything running on your machine.

Re:

[fph il quozientatore]

On a vanilla Debian install, "every other entry on that list" is just the Debian servers. Is it that strange to think "I trust the Debian devs, but not Microsoft?"

Re:

[fph il quozientatore]

This misses various points.

1. The packaged programs don't run with root privileges (most of the time). The installers do (all the time). Debian packagers are those who write the installers.

2. Debian packagers care a lot about 'freeness' and license and would never put closed-source parts in their main repo. VS Code as built by Microsoft is *not* 100% MIT-licensed open source (see my other comments in this thread).

3. Irrespective of what the content of the packages is, the controller of the .deb repo can, in

Re:

[exomondo]

The real question is whether you trust the Raspberry Pi Foundation because they're the ones who made this change and pushed out the update that included it.

Ironically

[The MAZZTer]

This situation only happened because Microsoft is becoming far friendlier to open source/Linux, and has that apt repo for VSCode in the first place.

Alternatives

[cyberpunkrocker]

If you don't like this, don't use Raspberry Pi OS. I'm using Arch Linux ARM on all my RPI's

Re: Alternatives

[aRTeeNLCH]

Thanks for the tip, I've been thinking of getting one, and I've been impressed since forever with the quality of the Arch documentation.

Re:

[thegarbz]

But can I use Visual Studio code on Arch without Arch being declared EVIL(tm)?

Oh give me a fucking break...

[ZombieCatInABox]

As a result, every time you do an "apt update" on your Pi device, the OS pings Microsoft.

Yeah, along with every other repo in your sources.list file !

So Microsoft wants to host their software on their own servers. So does Google for Google Earth, and countless other packages.

Don't like it ? Remove Microsoft's repo from your sources.list, along with any other repo installed by default that you don't like.

I know Microsoft basing is all the rage these days, but for freaking crying out loud...

Re:Oh give me a fucking break...

[jenningsthecat]

As a result, every time you do an "apt update" on your Pi device, the OS pings Microsoft.

Yeah, along with every other repo in your sources.list file !

So Microsoft wants to host their software on their own servers. So does Google for Google Earth, and countless other packages.

Don't like it ? Remove Microsoft's repo from your sources.list, along with any other repo installed by default that you don't like.

I know Microsoft basing is all the rage these days, but for freaking crying out loud...

All you people pissing on the outrage expressed in the summary need to RTFA. Here's a quote from it:
"Never in my 2 decades of using Debian and Ubuntu has either modified my sources.list without my consent. What the actual f**k? I could understand if they just added it to the default installation image, but they had to actually write a script to add this repo to existing installations. That is shady as f**k!," a user commented in the thread.

I'm inclined to agree with that user.

Re:

[ArchieBunker]

That guy must have missed the part where Ubuntu was sending all you system statistics to Amazon. I mean they used to have a large Amazon button right on the desktop.

Re:

[troff]

This guy must have missed the part where these people weren't using Ubuntu.

Re:

[ArchieBunker]

Read the post above mine.

Re:

[troff]

I did. Zero relevance.
You're saying "oh noes, corporate information sucking happens with Ubuntu and Amazon!". When you install an Ubuntu machine, the Amazon icons are right on the desktop straight away.

This Microsoft repository in the Raspberry Pi was installed under the radar as a part of a Raspberry Pi system mods package. There was no advertising of it being done. You're only a step away from them making it a default required INSTALL as well as just the repository entry. And the usual open-source viewing

Re:

[radarskiy]

dist-upgrade will changes your sources. That is consensual in the same way that installing an upgrading the Microsoft package is consensual.

Re:

[thegarbz]

I'm inclined to agree with that user.

I'm not. The sources list defines the software that is part of the distro. It's entirely up to the distro maintainer where this comes from. OMFG it comes from repo A vs repo B !!! is faux outrage when apt-update already installs software the *maintainer* decides, and also gives the user a complete list which they can customise.

a bit rude

[niftydude]

but my biggest gripe with raspian is that the default configuration is set to allow password-less sudo for the pi account. No idea why they set it up like this on a beginner board, but it creates a massive security concern when so many people use this to deploy Linux for the first time.

Re:

[gweihir]

It goes nicely with the general secondratedness of the RPi design and the community it has. People with big egos and, at best, half a clue.

Re: a bit rude

[niftydude]

The raspberry pi was designed as a cheap and cheerful tool to teach primary school children about tech.

Those people in the community forums that you're arguing with are probably 10 years old. Finding their ignorance offensive is a bit strange don't you think?

Re:

[gweihir]

The raspberry pi was designed as a cheap and cheerful tool to teach primary school children about tech.
Those people in the community forums that you're arguing with are probably 10 years old. Finding their ignorance offensive is a bit strange don't you think?

I am very sure the ones I did argue with the few times I ventured in there are adults. With big egos and small skills. The moderators are not much better. I have since give up on that community as infested with people that did get nowhere in their skill-evolution but cannot accept that (which is probably why they got nowhere).

The clueless ones here are not 10 year olds. These are "makers", i.e. people not smart enough to be engineers, but unable to see or accept that. It is like plumbers presuming to design

RPI OS isnt the best Linux OS choice anyway

[Eravnrekaree]

Especially on 4 GB RPIs, Raspberry Pi OS is a poor choice compared to Ubuntu. Ubuntu is better maintained, more up to date software (especially the browsers), etc. So, use Ubuntu anyway, or the growing list of Linux distros that support RPI, such as OpenSUSE, Arch, etc.

Re: RPI OS isnt the best Linux OS choice anyway

[Anonymouse Cowtard]

Why are you running a browser on a Pi? RaspPi OS is better if you're not using a desktop environment (again, why would you when there's ssh?)

Re: RPI OS isnt the best Linux OS choice anyway

[Anonymouse Cowtard]

Yeah I'm aware of that, but I can't see the use case other than "my computer cost $50".

Re: RPI OS isnt the best Linux OS choice anyway

[AnonymousNoel]

That's a pretty good reason, no?

Re:

[SuiteSisterMary]

Why wouldn't you run a browser on a Pi?

My god

[ArchieBunker]

My monocle has just fallen out! The very first comment couldn’t be more true.

Re:

[Anonymous Coward]

You left out that your raspberry pi tattles on you to microsoft.

Re:Linux now overrun by karens

[gweihir]

Nope. It does happen basically never and in the rare cases it happens anybody sane asks for user consent first. In the base-Debian, it does not happen at all. You need to manually add non-free or some other repos first.

Re:

[thegarbz]

Which is all quite irrelevant, in the end when you run your upgrade you will get listed a complete list of packages to be installed and you can customise at any point. The reality is you are always in control of executing your update, and you've never been in control over what updates are offered to you.

Having a different repo doesn't change this. "OMG Debian doesn't do this!" Is something that I have trouble giving even the slightest fuck about.

Re:

[dskoll]

The issue is that this effectively gives Microsoft root access to every single Pi on earth. Even if you didn't install VSCode, if MSFT decided to (say) make available a newer version of glibc, then it would be pulled from the MSFT repo and any postinstall scripts would run as root.

This is not something I signed up for.

Re:

[thegarbz]

The issue is that this effectively gives Microsoft root access

No, it does absolutely nothing of the sort. Having a repo set in your system gives the owner of the repo precisely ZERO additional control over you system.

Even if you didn't install VSCode, if MSFT decided to (say) make available a newer version of glibc, then it would be pulled from the MSFT repo and any postinstall scripts would run as root.

The user would have to initiate an upgrade to a nefarious package, and MS would have to publish a package with an invalid higher version number that the official repo. They would get instantly found out and will have committed the dumbest crime imaginable all to get control of your hobby toy.

Apply a bit of common sense to your doomsday scenarios. If MS we

Re:

[Anonymous Coward]

It's true that there's some upset that the repo (and worse, Microsoft's GPG key) got added at all, just because people don't want Microsoft on their systems.

The real upset, though, is that these additions were made as part of a post-install script from another non-Microsoft package, raspberrypi-sys-mods, whose package description somehow wasn't even pushed to GitHub until two weeks after the package was actually in use by RPiOS.

There have been many mis-steps with this package and it's being characterized by

Re:You got to be kidding me

[spaceman375]

In your arrogance you whipped up a one line command that would correct what you thought was the problem. You didn't bother looking first. The actual file is /etc/apt/sources.list.d/vscode.list. Always take a step back, then double check before hitting "Post."

Which is still missing the point. The change was rolled out in a surreptitious manner, and initial posts expressing concern were deleted. THAT is the problem.

Morons

[backslashdot]

Great now we have to educate people on how apt works or we'll all be screwed. Add to this immunology, virology, biology, astronomy, physics, chemistry, geology, the scientific method, logical fallacies, statistics, and history.

VSCodium

[fph il quozientatore]

The easy fix, of course, would have been going with VSCodium, which is the de-microsoftized version of VS Code, exactly like Chromium is the de-googled version of Chrome.

Re:

[Bu11etmagnet]

> de-microsoftized version of VS Code

That sounds a lot like dehydrated water ( https://culinarylore.com/food-... [culinarylore.com] )

Fedora works

[short]

Why to use Raspbian? Fedora works without any extra patches.

Turn it off

[Skiron]

I noticed these repo's appear this week, so...

Edit: /etc/apt/sources.list.d/vscode.list

and # out the 'deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/... [microsoft.com] stable main' line. That stops the repo's being used. Then, just to be on the safe side, I made the file immutable - I duuno what 'apt' will do if it tries to change it, but lets see:

sudo chattr +i /etc/apt/sources.list.d/vscode.lis

lsattr /etc/apt/sources.list.d/vscode.list will so that.

Re:Turn it off

[bartjan]

Also don't forget to disable the GPG key that is also installed, in /etc/apt/trusted.gpg.d/microsoft.gpg

Re:

[Skiron]

Good point. I just deleted it, and it doesn't show up in apt-key list now.

Re:

[QuestorTapes]

This sound like a job for...

      A quick shell script.

Strikes me as a Tempest In A Teapot...

<yawn/>

So????

[mkopack73]

Um, seriously....? SO WHAT?

So MS knows you have a Pi running... Big deal? They can do exactly WHAT with that information?

Geez, some people get so up in arms over nonsense.

Re:

[BardBollocks]

Creates a Surveillance Datapoint.

Surveillance datapoint

[BardBollocks]

People who don't realise that sending data to vendors is creating surveillance datapoints just don't get the risks.

As we saw in the Early Snowden realeases - data sent to Vendors is siphoned off by the NSA and collected. We can assume that other parties with access to physical infrastructure within their borders don't do likewise.

All of this data is used to create a digital landscape that is used to locate people of interest, their activities, their communications and those they communicate with.

Only people

Re:

[BardBollocks]

err.. can't assume they don't do likewise.

Re:

[BardBollocks]

sorry, but you either don't understand the ramifications, or you don't understand the technology or the surveillance methods being used.