We were recently alerted to something of a tempest in a teapot: when the Raspberry Pi Foundation made it easier to install Microsoft’s Visual Studio Code development environment, some Linux users mistook it for a sort of Mark of the Beast, with concerns being raised about telemetry and “what Microsoft repo secretly installed without your knowledge.”
It’s true that an update recently pushed to Raspberry Pi OS added a Microsoft repo to Raspberry Pi OS systems—but it’s not true that it added any actual packages whatsoever.
Investigating the changes
Luckily, my own Raspberry Pi 400 was running Ubuntu, not Raspberry Pi OS, which made it easy to switch back to see what changes occurred in the system. Equally luckily, the Raspberry Pi 400 is almost ideally suited to distro-hopping—all I needed to do to get a pre-update version of Pi OS running was to power my Pi off, swap SD cards from the Ubuntu card I had been using to my old Pi OS card, and then fire it back up. Presto, a pre-update Pi!
Next, I made a copy of the entire `/etc/apt/` directory on my Pi 400, with `tar czvf ~/aptbackup.tar.gz /etc/apt`. With the backup in place, I did `apt update ; apt upgrade -y` to apply all the upgrades to my system that it had missed since it was last running Pi OS.
To make a long story short, the only change to my package management was the addition of a single file, `/etc/apt/sources.list.d/vscode.list`. That file added a single repository to my sources: `http://packages.microsoft.com/repos/code`, with branches `main`. If we look at the actual content of `http://packages.microsoft.com/repos/code`, we can see it only contains three packages:
`apt policy code` confirms that Visual Studio Code was not actually installed on my system—it’s just easier to install (and update!) now, since its parent repository is part of my sources list, along with the GPG key verifying the contents of that repository.
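The before-and-after comparison described above can be scripted. The following is an added example, not part of the original article; the function names and the scratch directory tree are hypothetical, and the repository lines in the demo are constructed sample content.

```shell
#!/bin/sh
# Added example: report what changed in an apt configuration directory
# relative to a backup made with `tar czvf ~/aptbackup.tar.gz /etc/apt`.

# apt_changes BACKUP.tar.gz LIVE_DIR
# Prints "added PATH", "removed PATH" or "changed PATH" per differing file.
apt_changes() {
    tmp=$(mktemp -d) || return 1
    # tar drops the leading "/" when archiving, so members sit under etc/apt/.
    tar xzf "$1" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    old="$tmp/etc/apt"
    ( cd "$old" && find . -type f | sort ) > "$tmp/old.lst"
    ( cd "$2" && find . -type f | sort ) > "$tmp/new.lst"
    comm -13 "$tmp/old.lst" "$tmp/new.lst" | sed 's|^\./|added |'
    comm -23 "$tmp/old.lst" "$tmp/new.lst" | sed 's|^\./|removed |'
    comm -12 "$tmp/old.lst" "$tmp/new.lst" | while read -r f; do
        cmp -s "$old/$f" "$2/$f" || printf 'changed %s\n' "${f#./}"
    done
    rm -rf "$tmp"
}

# Constructed demo: a scratch tree stands in for /, and both repository
# lines are sample content, not copied from a real system.
demo_changes() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/etc/apt/sources.list.d"
    echo 'deb http://example.invalid/raspbian buster main' > "$root/etc/apt/sources.list"
    tar czf "$root/aptbackup.tar.gz" -C "$root" etc/apt
    echo 'deb http://packages.microsoft.com/repos/code stable main' \
        > "$root/etc/apt/sources.list.d/vscode.list"
    apt_changes "$root/aptbackup.tar.gz" "$root/etc/apt"
    rm -rf "$root"
}

demo_changes   # prints: added sources.list.d/vscode.list
```

On a real system the equivalent call is `apt_changes ~/aptbackup.tar.gz /etc/apt`, which also catches edits to existing files and to the trusted keyring directory under `/etc/apt`.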
Why add a third-party repo?
Prior to the Pi Foundation adding Microsoft’s repo for Visual Studio Code to the list, installing that IDE required some extra, and rather non-Linux-y, steps. You needed to open up a Web browser, go to the Visual Studio Code download page, and navigate a few more minor hurdles—for example, you need to know that your system wants `deb` files and not `rpm`, that your Pi needs ARM architecture packages, and finally whether those packages should be `ARM64` (which is different for different models of Pi).
Once you had downloaded the hopefully correct version of the Visual Studio Code package, you then needed to locate the downloaded package and execute it—typically, by finding it in File Manager and double-clicking it. Once that was done, you’d need to authenticate as a privileged user, and finally the package (and its dependencies) would begin to download and install themselves on your Pi.
By contrast, now that the `code` repo (and its GPG key) are installed on the system, a user can simply `sudo apt install code`. This is a more Unix-like way to do things, it’s considerably simpler, and it can be far more easily performed without a GUI available as well.
We can already hear some users grumbling that it wasn’t that hard to install VS Code the old way—and to them, we’d like to point out that the primary purpose of the Raspberry Pi Foundation isn’t to provide advanced users with cheap toys, it’s to facilitate computer education by removing roadblocks.
The first of those roadblocks, arguably, was of course price—it’s difficult to impossible to get a full-featured, general-purpose computing device for less than it costs to buy a Pi. But the difficulty of getting started with writing code is another of those potential roadblocks—so making it easier to install a very popular IDE is very much in line with the Pi Foundation’s core mission.
What are the consequences?
With Microsoft’s repository for VS Code installed on the system, each time the system checks for updates, the server at `http://packages.microsoft.com` gets queries to see if there are any changes to the packages it makes available. If you squint your eyes really tight and hold your mouth just right, you might argue that this constitutes “telemetry”—you touched a Microsoft server, right?
However, this is, in Pi founder Eben Upton’s words, “pretty thin gruel.” The only tool touching that Web server is `apt` itself, and it does not reveal anything about the user’s system—it simply checks to see what’s in `/repos/vscode/dists/stable` and downloads the appropriate `Contents-*.gz` file for your system architecture. On my Pi 400, that’s `Contents-arm64.gz`; on older 32-bit Pis, it would be
With the Contents file downloaded, `apt` then parses it to determine what package versions are available. This data informs `apt`’s responses to any user requests to `install` a matching package name and also lets it know whether there are newer versions of installed packages that should be downloaded and put in place after an `apt upgrade` or `apt dist-upgrade` command. But none of this information is leaked to Microsoft unless the user actually has installed `code`; in that case, Microsoft will know when a newer version of it is downloaded (since that, too, comes from `packages.microsoft.com`).
For the overwhelmingly paranoid, there is one further possibility: if Microsoft were to make packages available in its repo with the same names as packages in the standard `raspbian.raspberrypi.org` repository specified in `/etc/apt/sources.list`, it could override the “real” system packages with others of its own making.
However, that would be an incredibly obvious change on Microsoft’s part—one that would be detected almost immediately after the company made it—and would effectively result in the immediate destruction of all the goodwill in the Linux community the company has spent the last six years painstakingly building. This does not strike us as a reasonable concern.
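The override scenario above can be both checked for and ruled out locally. The following is an added example, not from the original article: it compares two Debian-format `Packages` indexes for name collisions and emits apt preferences that restrict the third-party origin to named packages. The function names and sample indexes are hypothetical and constructed; on a real system the indexes are the `*_Packages` files under `/var/lib/apt/lists/` and the pin output belongs in a file under `/etc/apt/preferences.d/`.

```shell
#!/bin/sh
# Added example: audit and constrain a third-party APT repository.
# Index files use the Debian "Packages" stanza format; sample data is constructed.

# Print the sorted, unique package names found in a Packages index file.
pkg_names() {
    awk '$1 == "Package:" { print $2 }' "$1" | sort -u
}

# Print names offered by the third-party index ($1) that the distro index ($2)
# also offers: candidates for overriding a system package.
shadowed() {
    a=$(mktemp) b=$(mktemp) || return 1
    pkg_names "$1" > "$a"; pkg_names "$2" > "$b"
    comm -12 "$a" "$b"
    rm -f "$a" "$b"
}

# Emit apt preferences that let origin $1 supply only the packages named in
# the remaining arguments and block everything else from that origin.
pin_stanzas() {
    origin=$1; shift
    for p in "$@"; do
        printf 'Package: %s\nPin: origin %s\nPin-Priority: 500\n\n' "$p" "$origin"
    done
    printf 'Package: *\nPin: origin %s\nPin-Priority: -1\n' "$origin"
}

# Constructed sample indexes: the third-party one also carries "libc6".
demo() {
    d=$(mktemp -d) || return 1
    printf 'Package: code\nVersion: 1.0\n\nPackage: libc6\nVersion: 9.9\n' > "$d/third"
    printf 'Package: bash\nVersion: 5.0\n\nPackage: libc6\nVersion: 2.28\n' > "$d/base"
    shadowed "$d/third" "$d/base"
    rm -rf "$d"
}

demo   # prints: libc6
```

Running `pin_stanzas packages.microsoft.com code` produces a pin set under which only `code` is installable from that host, so a same-named system package published there would never be selected.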
OK, fine. What if I still don’t like it?
If you’ve gotten this far and you’re still upset that a Microsoft repo is present on your Raspberry Pi system, you have options. The most nuclear option is to ditch Raspberry Pi OS entirely—you can always run Ubuntu on your Pi, for one example. There are also ready-made vanilla Debian images available for the Pi, hosted at debian.org itself.
But it would be much simpler to just nerf the repository you’re unhappy about in the first place. There are several ways to do that: for example, you can edit or remove the `vscode.list` file itself. And if you’re worried about future Pi OS updates putting that file back or undoing your change, you can add an entry to `/etc/hosts` making it impossible to contact Microsoft’s repository in the first place:
Presto! If your system attempts to check Microsoft’s repo, it will instead check… itself, which will then fail. Problem solved.
Listing image by Jim Salter