The Raspberry Pi operating system added a Microsoft repo. No, it’s not a bad secret




We were recently alerted to a storm in a teapot: when the Raspberry Pi Foundation made it easier to install Microsoft’s Visual Studio Code development environment, some Linux users mistook it for some sort of Mark of the Beast, with concerns about telemetry and about “what Microsoft repo secretly installed without your knowledge”.

It’s true that a recently pushed Raspberry Pi OS update added a Microsoft repo to Raspberry Pi operating systems – but it’s not true that it added actual packages.

Investigate the changes

Just to the right of the 40 pin GPIO header you can see the Pi 400's SD card slot. Want to play with two different distributions without having to uninstall and reinstall when you switch?  Just use two different SD cards!

Jim Salter

Luckily, my own Raspberry Pi 400 was running Ubuntu, not the Raspberry Pi operating system, which made it easy to go back and see what had changed in the system. Fortunately, the Raspberry Pi 400 is almost ideally suited for distro-hopping – all I had to do to get a pre-update version of Pi OS running was to turn off my Pi, swap the Ubuntu SD card I was using for my old Pi OS card, and then boot it again. Presto, a pre-update Pi!

Then I made a copy of the entire /etc/apt/ directory on my Pi 400, with tar czvf ~/aptbackup.tar.gz /etc/apt. With the backup in place, I ran apt update ; apt upgrade -y to apply any upgrades that my system had missed since the last time it ran Pi OS.

To sum up, the only change to my package management was the addition of a single file, /etc/apt/sources.list.d/vscode.list. This file added only one repository to my sources: http://packages.microsoft.com/repos/code, with branches stable and main. If we look at the actual content of http://packages.microsoft.com/repos/code, we can see that it only contains three packages: code, code-exploration, and code-insiders.

Finally, running apt policy code confirms that Visual Studio Code was not actually installed on my system – it’s just easier to install (and update!) now, since its parent repository is part of my sources list, with the GPG key verifying the contents of that repository.
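The before-and-after comparison described above can be scripted. The following is an added example, not code from the original article: it lists repository hosts that appear in one copy of /etc/apt but not in another. The function names, the sample directory layout, the [arch=...] options and the "buster" release name are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: which repository hosts are new between two copies of /etc/apt?

# Print the unique hosts on active deb/deb-src lines under an apt config directory.
repo_hosts() {
    dir=$1
    for f in "$dir/sources.list" "$dir"/sources.list.d/*.list; do
        if [ -f "$f" ]; then cat "$f"; fi      # an unmatched glob is skipped
    done | awk '
        /^[ \t]*deb(-src)?[ \t]/ {             # commented-out lines do not match
            for (i = 2; i <= NF; i++) {
                # skip the optional [arch=... signed-by=...] option block
                if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; continue }
                host = $i
                sub(/^[a-z+]+:\/\//, "", host) # drop the scheme
                sub(/[\/:].*$/, "", host)      # drop port and path
                print host
                break
            }
        }' | sort -u
}

# Hosts present in the "after" tree ($2) but not in the "before" tree ($1).
new_repo_hosts() {
    before=$(mktemp); after=$(mktemp)
    repo_hosts "$1" > "$before"
    repo_hosts "$2" > "$after"
    comm -13 "$before" "$after"
    rm -f "$before" "$after"
}

# Constructed sample trees standing in for the extracted backup and the live /etc/apt.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/before/sources.list.d" "$t/after/sources.list.d"
    echo 'deb http://raspbian.raspberrypi.org/raspbian/ buster main' > "$t/before/sources.list"
    cp "$t/before/sources.list" "$t/after/sources.list"
    echo 'deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main' \
        > "$t/after/sources.list.d/vscode.list"
    new_repo_hosts "$t/before" "$t/after"
    rm -rf "$t"
}

demo
```

On a real system, extract the tar backup somewhere and call new_repo_hosts with the extracted etc/apt directory and the live /etc/apt.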

Why add a third-party repo?

Before the Pi Foundation added Microsoft’s repository for Visual Studio Code to the sources list, installing this IDE required additional, rather un-Linux-y steps. You had to open a web browser, navigate to the Visual Studio Code download page, and clear a few more minor hurdles. For example, you needed to know that your system wants deb files and not rpm, that your Pi needs ARM architecture packages, and finally whether these packages should be ARM or ARM64 (which differs between Pi models).

Once you had downloaded the hopefully correct version of the Visual Studio Code package, you then needed to locate the downloaded package and run it, usually by finding it in File Manager and double-clicking it. Once this had been done, you needed to authenticate as a privileged user, and finally the package (and its dependencies) would start to download and install on your Pi.

However, now that the code repo (and its GPG key) are installed on the system, a user can simply run sudo apt install code. It’s a more Unix-like way of doing things, it’s considerably simpler, and it can be a lot easier to do without a GUI available.

We can already hear some users complaining that it was not that difficult to install VS Code the old-fashioned way – and for them we would like to stress that the main purpose of the Raspberry Pi Foundation is not to provide advanced users with cheap toys; it is to facilitate computer education by removing roadblocks.

The first of those hurdles, arguably, was of course price – it’s difficult, if not impossible, to get a complete, versatile computing device for less than it costs to buy a Pi. But the difficulty of getting started writing code is another one of those potential hurdles – so making it easier to install a very popular IDE is very much in line with the core mission of the Pi Foundation.

What are the consequences?

With Microsoft’s repository for VS Code installed on the system, whenever the system checks for updates, the server at http://packages.microsoft.com gets queried to see if there are any changes in the packages it makes available. If you squint really hard and hold your mouth just right, you could argue that this constitutes “telemetry” – you hit a Microsoft server, right?

However, it is, in the words of Pi founder Eben Upton, “pretty thin oatmeal”. The only tool hitting this web server is apt itself, and it doesn’t reveal anything about the user’s system – it just checks what’s in /repos/vscode/dists/stable and downloads the appropriate Contents-*.gz file for your system architecture. On my Pi 400, it is Contents-arm64.gz; on older 32-bit Pis, this would be Contents-armhf.gz.

Once the contents file is downloaded, apt then scans it to determine the available package versions. This data informs apt’s responses to any user request to install a matching package name, and it also lets apt know whether there are newer versions of installed packages that should be downloaded and installed after an apt upgrade or apt dist-upgrade command. But none of this information is disclosed to Microsoft unless the user has installed code; in that case, Microsoft will know when a newer version of it is downloaded (since that, too, comes from packages.microsoft.com).

For those who are extremely paranoid, there is another possibility: if Microsoft made packages available in its repository with the same names as packages in the standard raspbian.raspberrypi.org repository specified in /etc/apt/sources.list, it could replace the “real” system packages with others of its own making.

However, that would be an incredibly obvious change on Microsoft’s part – a change that would be detected almost immediately after the company made it – and it would effectively result in the immediate destruction of all the goodwill of the Linux community that the company has spent the past six years meticulously building. This does not strike us as a reasonable concern.
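The name-collision scenario above is easy to check for locally. This is an added example, not code from the original article: it compares a third-party Packages index against the distribution's and reports any package name that both offer. The function names, file names and version numbers are constructed for the illustration, and it assumes uncompressed Packages index files such as those apt keeps under /var/lib/apt/lists.

```shell
#!/bin/sh
# Added example: report package names a third-party repository offers that the
# distribution repository also offers (the "shadowing" case).

# Usage: shadowed_packages THIRD_PARTY_PACKAGES DISTRO_PACKAGES...
# Prints "name third-party-version distro-version" for every collision.
shadowed_packages() {
    third=$1; shift
    # Distro indices are read first so their versions are known when the
    # third-party index is scanned last.
    awk -v third="$third" '
        $1 == "Package:" { pkg = $2 }
        $1 == "Version:" {
            if (FILENAME == third) {
                if (pkg in distro) print pkg, $2, distro[pkg]
            } else {
                distro[pkg] = $2
            }
        }
    ' "$@" "$third" | sort
}

# Constructed indices: the third-party one carries an unexpected "bash".
demo_shadow() {
    t=$(mktemp -d)
    printf 'Package: bash\nVersion: 5.0-4\n\nPackage: apt\nVersion: 1.8.2.2\n' \
        > "$t/distro_Packages"
    printf 'Package: code\nVersion: 1.53.0\n\nPackage: bash\nVersion: 9.9-1\n' \
        > "$t/third_Packages"
    shadowed_packages "$t/third_Packages" "$t/distro_Packages"
    rm -rf "$t"
}

demo_shadow
```

An empty result means the repository only offers names the distribution does not. An apt_preferences pin on the repository's origin is the usual way to limit which package names apt will accept from it.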

OK fine. What if I still don’t like it?

If you’ve come this far and are still upset about having a Microsoft repo on your Raspberry Pi system, you have options. The more nuclear option is to ditch the Raspberry Pi operating system altogether – you can still run Ubuntu on your Pi, for example. There are also ready-to-use vanilla Debian images available for the Pi, hosted on debian.org itself.

But it would be much easier to just nerf the repository that you are not happy with in the first place. There are several ways to do this: for example, you can modify or delete the vscode.list file itself. And if you’re concerned about future Pi OS updates that re-deliver this file or revert your change, you can add an entry to /etc/hosts that makes it impossible to contact the Microsoft repository at all:

127.0.0.1    packages.microsoft.com

Presto! If your system tries to check Microsoft’s repository, it will instead check … itself, which will then fail. Problem solved.

Ad image by Jim Salter
