Raspberry Pi OS added a Microsoft repo. No, it’s not an evil secret
February 8, 2021

by admin


We were recently alerted to something of a tempest in a teapot: when the Raspberry Pi Foundation made it easier to install Microsoft’s Visual Studio Code development environment, some Linux users mistook it for a sort of Mark of the Beast, with concerns being raised about telemetry and “what Microsoft repo secretly installed without your knowledge.”

It’s true that an update recently pushed to Raspberry Pi OS added a Microsoft repo to Raspberry Pi OS systems—but it’s not true that it added any actual packages whatsoever.

Investigating the changes

Just to the right of the 40-pin GPIO header, you can see the Pi 400's SD card slot. Want to play with two different distros without the hassle of uninstalling and reinstalling when you switch? Just use two different SD cards!

Jim Salter

Luckily, my own Raspberry Pi 400 was running Ubuntu, not Raspberry Pi OS, which made it easy to switch back to see what changes occurred in the system. Equally luckily, the Raspberry Pi 400 is almost ideally suited to distro-hopping—all I needed to do to get a pre-update version of Pi OS running was to power my Pi off, swap SD cards from the Ubuntu card I had been using to my old Pi OS card, and then fire it back up. Presto, a pre-update Pi!

Next, I made a copy of the entire /etc/apt/ directory on my Pi 400, with tar czvf ~/aptbackup.tar.gz /etc/apt. With backup in place, I did apt update ; apt upgrade -y to apply all the upgrades to my system that it had missed since it was last running Pi OS.

To make a long story short, the only change to my package management was the addition of a single file, /etc/apt/sources.list.d/vscode.list. That file added a single repository to my sources: http://packages.microsoft.com/repos/code, with branches stable and main. If we look at the actual content of http://packages.microsoft.com/repos/code, we can see it only contains three packages: code, code-exploration, and code-insiders.

Finally, performing apt policy code confirms that Visual Studio Code was not actually installed on my system—it’s just easier to install (and update!) now, since its parent repository is part of my sources list, along with the GPG key verifying the contents of that repository.
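The before-and-after comparison described above can be scripted. This is an added example, not code from the article: it lists the repository lines and files that exist in a newer copy of /etc/apt but not in an older one. The sample trees, the suite name and the keyring file name in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: list what changed between a saved copy of /etc/apt and a newer one.
export LC_ALL=C   # keep sort and comm in the same collation order

# Active "deb"/"deb-src" lines under an apt config dir, with comments stripped
# and whitespace collapsed. Only one-line *.list files are read (no deb822).
active_sources() {
    find "$1" -type f \( -name sources.list -o -path '*/sources.list.d/*.list' \) |
    sort | while read -r f; do
        sed -e 's/#.*//' -e 's/[[:space:]][[:space:]]*/ /g' -e 's/^ //' -e 's/ $//' "$f"
    done | { grep -E '^deb(-src)? ' || true; } | sort -u
}

# Lines that command "$1" prints for tree "$3" but not for tree "$2".
only_in_new() {
    old_list=$(mktemp); new_list=$(mktemp)
    "$1" "$2" >"$old_list"; "$1" "$3" >"$new_list"
    comm -13 "$old_list" "$new_list"
    rm -f "$old_list" "$new_list"
}

# Every regular file below a tree, as a sorted list of relative paths.
tree_files() { (cd "$1" && find . -type f | sort); }

added_sources() { only_in_new active_sources "$1" "$2"; }   # new repository lines
added_files()   { only_in_new tree_files "$1" "$2"; }       # new sources, keyrings, pins

# Constructed sample: miniature /etc/apt trees from before and after the update.
# The suite name and the keyring file name are made up for the example.
sample_trees() {
    t=$(mktemp -d)
    mkdir -p "$t/before/sources.list.d" "$t/after/sources.list.d" "$t/after/trusted.gpg.d"
    for d in before after; do
        echo 'deb http://raspbian.raspberrypi.org/raspbian/ buster main' >"$t/$d/sources.list"
    done
    printf '%s\n' '# constructed entry' \
        'deb  http://packages.microsoft.com/repos/code stable main' \
        >"$t/after/sources.list.d/vscode.list"
    : >"$t/after/trusted.gpg.d/example-vendor.gpg"
    echo "$t"
}

# Two arguments: compare real trees. No arguments: run on the constructed sample.
if [ $# -eq 2 ]; then old=$1; new=$2; else s=$(sample_trees); old=$s/before; new=$s/after; fi
added_sources "$old" "$new"
added_files "$old" "$new"
```

To run it against the backup made above, extract aptbackup.tar.gz into a scratch directory and pass its etc/apt subdirectory as the first argument and /etc/apt as the second.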

Why add a third-party repo?

Prior to the Pi Foundation adding Microsoft’s repo for Visual Studio Code to the list, installing that IDE required some extra, and rather non-Linux-y, steps. You needed to open up a Web browser, go to the Visual Studio Code download page, and navigate a few more minor hurdles—for example, you need to know that your system wants deb files and not rpm, that your Pi needs ARM architecture packages, and finally whether those packages should be ARM or ARM64 (which is different for different models of Pi).

Once you had downloaded the hopefully correct version of the Visual Studio Code package, you then needed to locate the downloaded package and execute it—typically, by finding it in File Manager and double-clicking it. Once that was done, you’d need to authenticate as a privileged user, and finally the package (and its dependencies) would begin to download and install themselves on your Pi.

By contrast, now that the code repo (and its GPG key) are installed on the system, a user can simply sudo apt install code. This is a more Unix-like way to do things, it’s considerably simpler, and it can be far more easily performed without a GUI available as well.

We can already hear some users grumbling that it wasn’t that hard to install VS Code the old way—and to them, we’d like to point out that the primary purpose of the Raspberry Pi Foundation isn’t to provide advanced users with cheap toys, it’s to facilitate computer education by removing roadblocks.

The first of those roadblocks, arguably, was of course price—it’s difficult to impossible to get a full-featured, general-purpose computing device for less than it costs to buy a Pi. But the difficulty of getting started with writing code is another of those potential roadblocks—so making it easier to install a very popular IDE is very much in line with the Pi Foundation’s core mission.

What are the consequences?

With Microsoft’s repository for VS Code installed on the system, each time the system checks for updates, the server at http://packages.microsoft.com gets queries to see if there are any changes to the packages it makes available. If you squint your eyes really tight and hold your mouth just right, you might argue that this constitutes “telemetry”—you touched a Microsoft server, right?

However, this is, in Pi founder Eben Upton’s words, “pretty thin gruel.” The only tool touching that Web server is apt itself, and it does not reveal anything about the user’s system—it simply checks to see what’s in /repos/vscode/dists/stable and downloads the appropriate Contents-*.gz file for your system architecture. On my Pi 400, that’s Contents-arm64.gz; on older 32-bit Pis, it would be Contents-armhf.gz.

With the Contents file downloaded, apt then parses it to determine what package versions are available. This data informs apt’s responses to any user requests to install a matching package name and also lets it know whether there are newer versions of installed packages that should be downloaded and put in place after an apt upgrade or apt dist-upgrade command. But none of this information is leaked to Microsoft unless the user actually has installed code; in that case, Microsoft will know when a newer version of it is downloaded (since that, too, comes from packages.microsoft.com).

For the overwhelmingly paranoid, there is one further possibility: if Microsoft were to make packages available in its repo with the same names as packages in the standard raspbian.raspberrypi.org repository specified in /etc/apt/sources.list, it could override the “real” system packages with others of its own making.

However, that would be an incredibly obvious change on Microsoft’s part—one that would be detected almost immediately after the company made it—and would effectively result in the immediate destruction of all the goodwill in the Linux community the company has spent the last six years painstakingly building. This does not strike us as a reasonable concern.
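Readers who want that possibility closed off rather than merely unlikely can pin the repository. This is an added example, not from the article: it prints an apt_preferences(5) fragment that lets packages.microsoft.com supply only the three package names listed earlier, and it flags any other name that appears in a repository Packages index. The function names and the sample index are constructed for illustration.

```shell
#!/bin/sh
# Added example: restrict what one third-party apt repository may install.
REPO_HOST=packages.microsoft.com
ALLOWED="code code-exploration code-insiders"   # the names the article lists

# Print an apt_preferences(5) fragment: allow-listed names keep the default
# priority, every other package from the same host gets a negative priority,
# which apt never installs.
pin_fragment() {   # usage: pin_fragment <host> "<pkg ...>"
    cat <<EOF
Explanation: allow only the named packages from $1
Package: $2
Pin: origin "$1"
Pin-Priority: 500

Explanation: refuse everything else served by $1
Package: *
Pin: origin "$1"
Pin-Priority: -1
EOF
}

# Print package names from a repository Packages index (stdin) that are not on
# the allow-list, so an unexpected addition to the repo is noticed.
unexpected_packages() {   # usage: unexpected_packages "<pkg ...>" < Packages
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 == "Package:" && !($2 in ok) { print $2 }' | sort -u
}

# Constructed Packages index: two expected names plus one that should not be there.
sample_index() {
    printf 'Package: %s\nVersion: 0.0.0-constructed\n\n' code code-insiders libc6
}

pin_fragment "$REPO_HOST" "$ALLOWED"
sample_index | unexpected_packages "$ALLOWED"
```

Save the fragment as a file under /etc/apt/preferences.d/ and confirm the resulting priorities with apt policy code.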

OK, fine. What if I still don’t like it?

If you’ve gotten this far and you’re still upset that a Microsoft repo is present on your Raspberry Pi system, you have options. The most nuclear option is to ditch Raspberry Pi OS entirely—you can always run Ubuntu on your Pi, for one example. There are also ready-made vanilla Debian images available for the Pi, hosted at debian.org itself.

But it would be much simpler to just nerf the repository you’re unhappy about in the first place. There are several ways to do that: for example, you can edit or remove the vscode.list file itself. And if you’re worried about future Pi OS updates putting that file back or undoing your change, you can add an entry to /etc/hosts making it impossible to contact Microsoft’s repository in the first place:

127.0.0.1    packages.microsoft.com

Presto! If your system attempts to check Microsoft’s repo, it will instead check… itself, which will then fail. Problem solved.

Listing image by Jim Salter
