Raspberry Pi OS has added a Microsoft repo. No, it’s not an evil secret

Raspberry Pi OS has added a Microsoft repo. No, it’s not an evil secret

by

  • The controversial Pi update only adds Microsoft’s US Code repo in a separate file in sources.list.d. No actual packages are installed.

    Jim Salter

  • If we dig a step further, we can see that there are only three packages in the new repo; all three are related to the Visual Studio code. (The other two packages are alternate, with newer versions of Electron and other changes.)

    Jim Salter

  • My only real complaint about the Microsoft repo and packages is a lack of descriptive metadata. Clearly, Microsoft has an honest oversight, since the metadata (although very basic) is present in apt-cache search, just not in apt search.

    Jim Salter

We were recently warned about something storming in a teapot: when the Raspberry Pi Foundation made it easier to install Microsoft’s Visual Studio Code development environment, some Linux users mistaken it for a sort of Mark of the Beast, with concerns about telemetry. and “who secretly installed Microsoft Repo without your knowledge.”

It’s true that a recent update to Raspberry Pi OS added a Microsoft repo to Raspberry Pi OS systems – but it’s not true that it added any actual packages.

Examine the changes

To the right of the 40-pin GPIO header you can see the SD card slot of the Pi 400. Do you want to play with two different distros without removing the problem and reinstalling when you switch? Use only two different SD cards!
Enlarge / To the right of the 40-pin GPIO header you can see the SD card slot of the Pi 400. Do you want to play with two different distros without removing the problem and reinstalling when you switch? Use only two different SD cards!

Jim Salter

Fortunately, my own Raspberry Pi 400 was running Ubuntu, not Raspberry Pi OS, which made it easy to switch back to see what changes had been made to the system. Equally lucky, the Raspberry Pi 400 is almost ideal for distro-hopping – all I had to do to get a version of Pi OS working before the update was to turn off my Pi, swap SD cards from the Ubuntu card I used after my old Pi OS card, and then fire it up again. Presto, a pre-update of Pi!

Then I made a copy of the whole /etc/apt/ guide on my Pi 400, with tar czvf ~/aptbackup.tar.gz /etc/apt. With backup in place, I did it apt update ; apt upgrade -y to apply all the upgrades to my system that it has been missing since it last used Pi OS.

To cut a long story short, the only change in my package management was the addition of a single file, /etc/apt/sources.list.d/vscode.list. That file added a single repository to my resources: http://packages.microsoft.com/repos/code, with branches stable and main. If we look at the actual content of http://packages.microsoft.com/repos/code, we can see that it contains only three packages: code, code-exploration, en code-insiders.

Finally, act apt policy code confirm that Visual Studio Code is not really installed on my system – it’s just easier to install now (and update!), as the parent statement is part of my source list, along with the GPG code confirming the contents of the repository.

Why add a third party repo?

Before the Pi Foundation added Microsoft’s repo for Visual Studio Code to the list, installing the IDE required a few extra, and rather non-Linux-y, steps. You need to open a web browser, go to the Visual Studio Code download page, and navigate a few more small obstacles – for example, you need to know that your system wants deb files and not rpm, that you need Pi ARM architecture packages, and ultimately whether the packages should be ARM or ARM64 (which differs for different models of Pi).

After downloading the hopefully correct version of the Visual Studio code package, you should find and execute the downloaded package – usually by finding it in File Manager and double-clicking on it. Once this is done, you will need to verify as a privileged user, and eventually the package (and its dependency) will start downloading and installing themselves on your Pi.

On the other hand, the code repo (and its GPG key) is installed on the system, a user can easily sudo apt install code. It’s a more Unix-like way of doing things, it’s much simpler and it’s much easier to run without a GUI available.

We can already hear users grumbling that it was not that difficult to install US Code the old way – and for them we want to point out that the primary purpose of the Raspberry Pi Foundation is not to provide advanced users with . cheap toys, it is to facilitate computer education by removing roadblocks.

The first of these barriers was, of course, price – it’s hard to impossible to get a general purpose computer device for less than it costs to buy a Pi. But the difficulty of getting started with writing code is another possible roadblock. This therefore makes it easier to install a very popular IDE, it is very much in line with the core mission of the Pi Foundation.

What are the consequences?

With the Microsoft US Code Repository installed on the system, the server operates each time the system checks for updates http://packages.microsoft.com get inquiries to see if there are any changes to the packages that make it available. If you hold your eyes really tight and keep your mouth straight, you can argue that this is ‘telemetry’ – you’ve touched a Microsoft server, right?

However, according to Pi founder Eben Upton, it is ‘pretty thin grain’. The only tool that the web server touches is apt itself, and it does not reveal anything about the user’s system – it looks like it’s in it /repos/vscode/dists/stable and download the appropriate Contents-*.gz file for your system architecture. On my Pi 400 it is Contents-arm64.gz; on older 32-bit Pis, it would be Contents-armhf.gz.

With the content file downloaded, apt then analyze it to determine which package versions are available. This information informs aptanswers to any user requests to install a corresponding package name and also let him know if there are newer versions of it installed packages to download and to a apt upgrade or apt dist-upgrade order. But none of this information is leaked to Microsoft unless the user actually does. has installed code; in that case, Microsoft will know when to download a newer version (since it also comes from ‘packages.microsoft.com’).

For the overwhelmingly paranoid, there is another possibility: if Microsoft were to make packages available in its repo with the same names as standard packages raspbian.raspberripi.org repository specified in /etc/apt/sources.list, it can replace the “right” system packages with others who make them themselves.

However, this would be an incredibly obvious change from Microsoft – one that would be detected almost immediately after the company made it – and would actually lead to the immediate destruction of all the goodwill in the Linux community that the company spent the past six years. carefully built. This does not fall to us as a reasonable matter.

Ok good. What if I still dislike it?

If you have come this far and are still upset that a Microsoft repo is available on your Raspberry Pi system, you have options. The most important option is to drop Raspberry Pi OS completely – you can always use Ubuntu on your Pi, for example. There are also ready-made vanilla Debian images available for the Pi, hosted at debian.org itself.

But it will be much simpler to just lapse the repository for which you are unhappy in the first place. There are different ways to do this: for example, you can use the vscode.list file itself. And if you are worried about future updates of Pi OS, which will return the file or undo your change, you can add an entry /etc/hosts makes it impossible to contact Microsoft’s repository in the first place:

127.0.0.1    packages.microsoft.com

Presto! If your system tries to check Microsoft’s repo, it’s done instead … itself, which then fails. Problem solved.

List by Jim Salter

Source