Raspberry Pi OS added a Microsoft repo. No, it’s not an evil secret

We had been not too long ago alerted to one thing of a tempest in a teapot: when the Raspberry Pi Basis made it simpler to put in Microsoft’s Visible Studio Code growth setting, some Linux customers mistook it for a form of Mark of the Beast, with considerations being raised about telemetry and “what Microsoft repo secretly put in with out your information.”

It is true that an replace not too long ago pushed to Raspberry Pi OS added a Microsoft repo to Raspberry Pi OS techniques—but it surely’s not true that it added any precise packages in anyway.

Investigating the adjustments

Fortunately, my very own Raspberry Pi 400 was working Ubuntu, not Raspberry Pi OS, which made it straightforward to change again to see what adjustments occurred within the system. Equally fortunately, the Raspberry Pi 400 is nearly ideally suited to distro-hopping—all I wanted to do to get a pre-update model of Pi OS working was to energy my Pi off, swap SD playing cards from the Ubuntu card I had been utilizing to my previous Pi OS card, after which hearth it again up. Presto, a pre-update Pi!

Subsequent, I made a duplicate of the whole /and many others/apt/ listing on my Pi 400, with tar czvf ~/aptbackup.tar.gz /and many others/apt. With backup in place, I did apt replace ; apt improve -y to use all of the upgrades to my system that it had missed because it was final working Pi OS.

To make an extended story quick, the one change to my bundle administration was the addition of a single file, /and many others/apt/sources.record.d/vscode.record. That file added a single repository to my sources: http://packages.microsoft.com/repos/code, with branches steady and foremost. If we take a look at the precise content material of http://packages.microsoft.com/repos/code, we are able to see it solely incorporates three packages: code, code-exploration, and code-insiders.

Lastly, performing apt coverage code confirms that Visible Studio Code was not really put in on my system—it is simply simpler to put in (and replace!) now, since its mum or dad repository is a part of my sources record, together with the GPG code verifying the contents of that repository.

Why add a third-party repo?

Previous to the Pi Basis including Microsoft’s repo for Visible Studio Code to the record, installing that IDE required some further, and reasonably non-Linux-y, steps. You wanted to open up a Net browser, go to the Visible Studio Code download page, and navigate a couple of extra minor hurdles—for instance, it is advisable to know that your system desires deb recordsdata and never rpm, that your Pi wants ARM structure packages, and eventually whether or not these packages needs to be ARM or ARM64 (which is completely different for various fashions of Pi).

When you had downloaded the hopefully appropriate model of the Visible Studio Code bundle, you then wanted to find the downloaded bundle and execute it—usually, by discovering it in File Supervisor and double-clicking it. As soon as that was accomplished, you’d must authenticate as a privileged consumer, and eventually the bundle (and its dependencies) would start to obtain and set up themselves in your Pi.

In contrast, now that the code repo (and its GPG key) are put in on the system, a consumer can merely sudo apt set up code. This can be a extra Unix-like solution to do issues, it is significantly less complicated, and it may be much more simply carried out with no GUI obtainable as effectively.

We are able to already hear some customers grumbling that it wasn’t that onerous to put in VS Code the previous approach—and to them, we would wish to level out that the first objective of the Raspberry Pi basis is not to supply superior customers with low-cost toys, it is to facilitate pc training by eradicating roadblocks.

The primary of these roadblocks, arguably, was in fact value—it is troublesome to not possible to get a full-featured, general-purpose computing machine for lower than it prices to purchase a Pi. However the issue of getting began with writing code is one other of these potential roadblocks—so making it simpler to put in a extremely popular IDE may be very a lot in keeping with the Pi Basis’s core mission.

What are the results?

With Microsoft’s repository for VS Code put in on the system, every time the system checks for updates, the server at http://packages.microsoft.com will get queries to see if there are any adjustments to the packages it makes obtainable. When you squint your eyes actually tight and maintain your mouth good, you may argue that this constitutes “telemetry”—you touched a Microsoft server, proper?

Nevertheless, that is, in Pi founder Eben Upton’s phrases, “fairly skinny gruel.” The one instrument touching that Net server is apt itself, and it doesn’t reveal something concerning the consumer’s system—it merely checks to see what’s in /repos/vscode/dists/steady and downloads the suitable Contents-*.gz file on your system structure. On my Pi 400, that is Contents-arm64.gz; on older 32-bit Pis, it could be Contents-armhf.gz.

With the Contents file downloaded, apt then parses it to find out what bundle variations can be found. This knowledge informs apt‘s responses to any consumer requests to set up an identical bundle identify and likewise lets it know whether or not there are newer variations of put in packages that needs to be downloaded and put in place after an apt improve or apt dist-upgrade command. However none of this info is leaked to Microsoft except the consumer really has put in code; in that case, Microsoft will know when a more moderen model of it’s downloaded (since that, too, comes from `packages.microsoft.com`).

For the overwhelmingly paranoid, there’s one additional risk: if Microsoft had been to make packages obtainable in its repo with the identical names as packages in the usual raspbian.raspberripi.org repository laid out in /and many others/apt/sources.record, it might override the “actual” system packages with others of its personal making.

Nevertheless, that might be an extremely apparent change on Microsoft’s half—one that might be detected virtually instantly after the corporate made it—and would successfully consequence within the instant destruction of all of the goodwill within the Linux group the corporate has spent the final six years painstakingly constructing. This doesn’t strike us as an affordable concern.

OK, effective. What if I nonetheless don’t prefer it?

When you’ve gotten this far and you are still upset {that a} Microsoft repo is current in your Raspberry Pi system, you could have choices. Probably the most nuclear possibility is to ditch Raspberry Pi OS completely—you may at all times run Ubuntu in your Pi, for one instance. There are additionally ready-made vanilla Debian photos available for the Pi, hosted at debian.org itself.

However it could be a lot less complicated to only nerf the repository you are sad about within the first place. There are a number of methods to try this: for instance, you may edit or take away the vscode.record file itself. And should you’re fearful about future Pi OS updates placing that file again or undoing your change, you may add an entry to /and many others/hosts making it not possible to contact Microsoft’s repository within the first place:

127.0.0.1    packages.microsoft.com

Presto! In case your system makes an attempt to examine Microsoft’s repo, it’s going to as an alternative examine… itself, which is able to then fail. Drawback solved.

Itemizing picture by Jim Salter