Microsoft repo installed on all Raspberry Pi's (reddit.com)
This feels like a huge overreaction.
"(...) every time an install of Raspberry Pi OS is updated it will ping a Microsoft server. Microsoft will know you're using Raspberry Pi OS/likely Raspberry Pi owner and your IP address."
How is this an issue? It doesn't require any login and this is exactly what happens with every APT mirror.
I imagine that Raspberry Pi OS is a distro meant for people who simply want things to work out of the box, I can see why the Raspberry Pi Foundation would want to add repos for easy installation of VSCode.
If you want tight control of what happens in your system, you are free to install any other distro you want.
> How is this an issue? It doesn't require any login and this is exactly what happens with every APT mirror.
Yes, but it's you who usually manage those mirrors, not some guy deciding which mirrors your apt must query now and pushing it in a regular update without notice.
I don't care if it's Microsoft or some obscure Chinese repo, but I think nobody should mess with your mirrors list or trust their keys in this way.
If you don't want "some guy" deciding which APT mirrors you use, then don't use "some guy's" Linux distribution.
No, it doesn't work like that. You pay for something and you complain. Even if you don't. And if the guy doesn't like criticism, he can quit at any time.
> Yes, but it's you who usually manage those mirrors,
That's not true for most people.
It's not just educational desktop environments: this issue affects Raspberry Pi OS Lite, which is the primary operating system for Raspberry Pis used in embedded and IoT applications, some of which have automatic updates (called "unattended upgrades" in Debian parlance).
But this doesn't grant remote access to your system, and it's not like Microsoft will start shipping replacements of core packages over this repo.
Technically it does grant another avenue of supply chain attack... but if Microsoft-run mirrors are being compromised then we probably have much bigger issues than some Raspberry Pis.
Considering the damage that can be done by botnets like Mirai, Raspberry Pis might be exactly what we should be worrying about.
The most disappointing aspect about this really is how the Raspberry Pi team and mods can't even remotely admit or acknowledge why some people are very unhappy about something like this.
What's wrong with communicating this change or making it opt-in?
Randomly pushing repos and adding trusted keys without any notice or consent is never a cool move.
I'm not surprised by this:
- The RPi Foundation exists to educate children. There is no mention of "open" on their About page and there are the long running discussions about how open their hardware is and the reliance on proprietary blobs for the GPU [0]
- The 'maker' community interest was originally a surprise to them [1] which still staggers me given that Arduino had long been a thing
- MS has a history of capturing the budgets of educators and attention of young minds. The education computer market in the UK used to be dominated by Acorn and Apple until MS decided they wanted a piece of the pie and decided that computer education in schools should be about learning to use Office [2]
[0] https://www.raspberrypi.org/about/
[1] https://www.jbs.cam.ac.uk/insight/2012/raspberry-pi-2/
[2] https://www.cbronline.com/news/acorn_backs_away_from_uk_educ...
Raspberry Pi OS comes with a ton of stuff, among others, Minecraft or the "Pi Store". It is not a minimal building block for your custom hacked Linux firmware, it's what they provide so teachers can install the stuff and have kids use it without going to a console and editing sources.list first.
Perhaps they could create a separate version of the OS for educational use in schools.
At the risk of getting bashed, isn't 'pinging a Microsoft server' what happens every time I clone, push, or pull from GitHub? There might be bigger issues to deal with than apt repositories if you don't want to ping a Microsoft server.
If you pull from a GitHub server, you do so by choice. If you add Microsoft's repo to your apt sources, you do so by choice. The problem is that the repo was added silently and without giving you a choice.
I suppose I get that, but surely that is happening all over the web all the time? I don't really have a choice about what is being pinged just by going to the Reddit site that mentions the issue (unless I use pi-hole, er...).
All Raspberry Pis, or just those using Raspberry Pi OS? There are other OS choices for your Pi, and I would be surprised if the Microsoft repo made it into all of them.
If I was going to use a Raspberry Pi for commercial use I would want full control over the OS and use OpenEmbedded etc., just like I have done for NXP etc. That way I have full control over my system. I think the alternative of using Raspberry Pi OS and the dependency on updates on Raspberry Pi and their suppliers is too risky. So this is a non-issue for me.
To put this into perspective, I'd like to know how many repos and gpg keys there are already. If Microsoft was added to dozens of others, then this is a storm in a teacup. If it went from 2 to 3, then the change is more significant.
Let's keep in mind that the central goal of Pi OS is education, not security, privacy, sticking it to corporates, IoT, etc.
Raspberry Pi has many product lines for industrial and IoT usage, including the Compute Module, where security and privacy are expected. The standard operating system for such systems tends to be Raspbian Lite (now called Raspberry Pi OS Lite), which is affected by this issue.
I think that if you are producing a real device based on a Compute Module, you should not be using Raspbian Lite; things like Arch, Ubuntu Core, etc. are more suited for the purpose.
There is no real IoT-style security in Raspbian Lite, so before you get mad over the Microsoft repo being added, you should be sorting that out.
Why would somebody use Arch (a distribution with a rolling release) on a product?
Debian is a reasonable platform for such devices (though not the best due to the ~2 year release cycles, rather than e.g. 10 years for CentOS distributions back when they were around). I do take the point that Ubuntu Core may be even more suitable, but Raspbian should work fine for many real world applications.
Redmond finally got a root shell on your Pi :-)
This is not even remotely true. All they have is the information that someone at $IP is using an RPi. Granted, I'd prefer not to give them this info, but let's stick to the facts.
This technically does give them the ability to backdoor your system if they supply an "update" for something you have installed via another repo... but that is very far fetched, obvious to anyone paying attention, and would be hell for their PR for minimal gain.
It also gives them the ability to override any package on your system with one they make. All they'd have to do is increase their version number beyond the one in the "real" repositories and Apt would automatically update to it by default.
So yes, in fact, it's quite true.
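Two practical questions come up in this thread: how many repos and signing keys an install actually trusts, and how to stop a third-party repo from replacing distro packages just by shipping a higher version number. The script below is an added example, not code from the thread or from the Raspberry Pi project. It works on a scratch copy of the APT layout with constructed sample entries (the repo hostnames `raspbian.example.org` and `thirdparty.example.com` are placeholders; the thread does not name the real URL), inventories the hosts and keyring files, and writes an APT preferences pin with `Pin-Priority: 1` for every non-distro host. Under APT's documented priority rules a version with priority below 100 is only installed when no version of that package is installed yet, so a package you explicitly ask for can still come from the vendor repo, but an already-installed package can never be "upgraded" from there, however high the vendor's version number. To apply it for real, point `APT_DIR` at `/etc/apt` and set `DISTRO_HOST` to your own mirror.

```shell
#!/bin/sh
# Added example: inventory APT sources/keys and pin third-party origins low.
# Assumptions: a scratch directory stands in for /etc/apt; the sources
# entries and empty keyring files below are constructed sample data.

WORK="${WORK:-$(mktemp -d)}"
APT_DIR="${APT_DIR:-$WORK/apt}"
DISTRO_HOST="${DISTRO_HOST:-raspbian.example.org}"   # your own mirror (assumed)
mkdir -p "$APT_DIR/sources.list.d" "$APT_DIR/trusted.gpg.d" "$APT_DIR/preferences.d"

# Constructed sample: the distro mirror plus one vendor entry dropped into
# sources.list.d by an update. Hostnames are placeholders.
cat > "$APT_DIR/sources.list" <<'EOF'
deb http://raspbian.example.org/raspbian/ buster main contrib non-free rpi
EOF
cat > "$APT_DIR/sources.list.d/vendor.list" <<'EOF'
deb [arch=armhf,arm64] http://thirdparty.example.com/repos/code stable main
EOF
# Constructed stand-ins for keyring files (real ones are binary GPG keyrings).
: > "$APT_DIR/trusted.gpg.d/raspbian-archive-keyring.gpg"
: > "$APT_DIR/trusted.gpg.d/vendor.gpg"

# Every host that a 'deb' or 'deb-src' line will contact, sorted, deduplicated.
# The [arch=...] option field is skipped because it contains no '://'.
list_repo_hosts() {
  cat "$APT_DIR/sources.list" "$APT_DIR"/sources.list.d/*.list 2>/dev/null |
    awk '$1 ~ /^deb(-src)?$/ {
           for (i = 2; i <= NF; i++)
             if ($i ~ /:\/\//) { sub(/^[a-z]+:\/\//, "", $i); sub(/\/.*/, "", $i); print $i; break }
         }' |
    sort -u
}

# Number of keyring files whose signatures APT will accept.
count_trusted_keys() {
  set -- "$APT_DIR"/trusted.gpg.d/*.gpg
  if [ -e "$1" ]; then echo "$#"; else echo 0; fi
}

# Write a preferences.d pin so packages from HOST never outrank the distro's.
write_low_priority_pin() {
  host="$1"
  cat > "$APT_DIR/preferences.d/99-$host" <<EOF
Package: *
Pin: origin $host
Pin-Priority: 1
EOF
}

# Pin every host that is not the distro mirror; print the hosts that were pinned.
pin_third_party_hosts() {
  for host in $(list_repo_hosts); do
    [ "$host" = "$DISTRO_HOST" ] && continue
    write_low_priority_pin "$host"
    echo "$host"
  done
}

# Stand-alone run: show the inventory, then pin.
echo "repo hosts:";   list_repo_hosts
echo "trusted keyrings: $(count_trusted_keys)"
echo "pinned:";       pin_third_party_hosts
```

After running this against a real `/etc/apt`, `apt-cache policy <package>` shows the vendor origin with priority 1 next to the distro's 500, which is the quick way to confirm the pin took effect.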
previously: https://news.ycombinator.com/item?id=26024381
Trust is hard to gain but easy to lose, and developers have a very long memory.
After almost a decade of gaining trust, Raspbian has now lost a huge amount in a single bad decision. It's not yet even clear they understand the depth of the mistake.
For future Raspberry Pi deployments, I will be sticking with non-Raspbian distributions, like vanilla Debian.