Raspberry Pi OS added a Microsoft repo. No, it’s not a bad secret | GeekComparison

We were recently alerted to something of a storm in a teapot: when the Raspberry Pi Foundation made it easier to install Microsoft’s Visual Studio Code development environment, some Linux users took it as some sort of Mark of the Beast, with concerns about telemetry and “what Microsoft repo has secretly installed without your knowledge.”

It is true that an update recently pushed to Raspberry Pi OS added a Microsoft repo to Raspberry Pi OS systems, but it is not true that actual packages were added.

Exploring the changes

Just to the right of the 40-pin GPIO header, you'll see the Pi 400's SD card slot. Want to play with two different distributions without the hassle of uninstalling and reinstalling when you switch?  Just use two different SD cards!
Jim Salter

Fortunately, my own Raspberry Pi 400 was running Ubuntu, not Raspberry Pi OS, which made it easy to switch back to see what changes have occurred to the system. Equally fortunately, the Raspberry Pi 400 is almost ideally suited for distro hopping – all I had to do to get a pre-update version of Pi OS running was turn off my Pi, swap SD cards from the Ubuntu card I had been using to my old Pi OS card, and then reboot it. Presto, a pre-update Pi!

Then I made a copy of the whole `/etc/apt/` directory on my Pi 400, with `tar czvf ~/aptbackup.tar.gz /etc/apt`. With the backup in place, I did `apt update ; apt upgrade -y` to apply all the upgrades my system had missed since it last ran Pi OS.

Long story short, the only change in my package manager was the addition of a single file, `/etc/apt/sources.list.d/vscode.list`. That file added a single repository to my sources: `http://packages.microsoft.com/repos/code` with branches `stable` and `main`. If we look at the actual content of `http://packages.microsoft.com/repos/code`, we can see that it contains only three packages: `code`, `code-exploration` and `code-insiders`.

Finally, running `apt policy code` confirms that Visual Studio Code isn’t actually installed on my system – it’s just easier to install (and update!) now that the parent repository is part of my sources list, along with the GPG key that verifies the contents of that repository.

Why add a third-party repo?

Before the Pi Foundation added Microsoft’s repo for Visual Studio Code to the list, installing that IDE required some extra, and rather non-Linux-y, steps. You had to open a web browser, go to the Visual Studio Code download page and get past a few more minor hurdles: for example, you needed to know that your system uses deb files and not rpm, that your Pi needs ARM architecture packages, and finally whether those packages should be ARM or ARM64 (which is different for different Pi models).

After you downloaded the hopefully correct version of the Visual Studio Code package, you had to locate and run the downloaded package, usually by finding it in the File Manager and double-clicking it. Once that was done, you needed to authenticate as a privileged user, and eventually the package (and its dependencies) would start downloading and installing itself on your Pi.

By contrast, now that the code repo (and its GPG key) is installed on the system, a user can simply run `sudo apt install code`. This is a more Unix-like way of doing things, it’s significantly simpler, and it’s much easier to run without a GUI available as well.

We can already hear some users grumbling that it wasn’t that hard to install VS Code the old-fashioned way – and to them, we want to point out that the primary purpose of the Raspberry Pi Foundation is not to provide advanced users with cheap toys; it is to facilitate computer education by removing roadblocks.

The first of those roadblocks, of course, was price — it’s hard to impossible to get a full-featured general-purpose computing device for less than it costs to buy a Pi. But the difficulty of getting started writing code is one of those potential obstacles – so making it easier to install a very popular IDE aligns well with the Pi Foundation’s core mission.

What are the consequences?

With Microsoft’s repository for VS Code installed on the system, every time the system checks for updates, the server at `http://packages.microsoft.com` will be queried to see if there are any changes to the packages it makes available. If you really squeeze your eyes shut and hold your mouth just right, you could argue that this is “telemetry” – you touched a Microsoft server, right?

However, this is, in the words of Pi founder Eben Upton, “pretty thin gruel.” The only tool that touches that web server is `apt` itself, and it doesn’t reveal anything about the user’s system – it just checks what’s in `/repos/vscode/dists/stable` and downloads the correct `Contents-*.gz` file for your system architecture. On my Pi 400, that is `Contents-arm64.gz`; on older 32-bit Pis, it would be `Contents-armhf.gz`.

With the content file downloaded, `apt` then parses it to determine which package versions are available. This data informs `apt`’s responses to user requests to install a matching package name, and also lets it know whether there are newer versions of installed packages to be downloaded and installed after an `apt upgrade` or `apt dist-upgrade` command. But none of this information is leaked to Microsoft unless the user has actually installed `code`; in that case, Microsoft will know when a newer version of it is downloaded (since that too comes from `packages.microsoft.com`).

For the overwhelmingly paranoid, there’s another possibility: if Microsoft were to publish packages in its repo with the same names as packages in the standard `raspbian.raspberrypi.org` repository specified in `/etc/apt/sources.list`, it could overwrite the “real” system packages with others of its own making.

However, that would be an incredibly obvious change from Microsoft — one that would be detected almost immediately after the company made it — and would basically result in the immediate destruction of all the goodwill in the Linux community that the company has spent the past six years laboriously building. This does not seem to us to be a reasonable concern.
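The same-name overlap described above can be checked mechanically. The following is an added example, not code from the article or from the Raspberry Pi project: a hypothetical `shadowed_packages` function compares two apt `Packages`-format index files and lists any package name the third-party index shares with the distribution's index. The sample indexes and version strings are constructed.

```shell
#!/bin/sh
# Added example: report package names that a third-party apt index offers
# in common with the distribution's index, with both versions side by side.

# shadowed_packages THIRD_PARTY_INDEX DISTRO_INDEX
# Both files are Packages-format text: blank-line separated stanzas in which
# "Package:" precedes "Version:". Prints "name third_party_ver distro_ver".
shadowed_packages() {
    awk '
        NF == 0          { name = "" }            # stanza boundary
        $1 == "Package:" { name = $2 }
        $1 == "Version:" && name != "" {
            if (FILENAME == ARGV[1]) third[name] = $2
            else if (name in third)  print name, third[name], $2
        }
    ' "$1" "$2" | LC_ALL=C sort -u
}

# Constructed sample indexes (not real repository contents).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/distro" <<'EOF'
Package: bash
Version: 5.0-constructed

Package: libc6
Version: 2.31-constructed
EOF
cat > "$SAMPLE_DIR/vscode_expected" <<'EOF'
Package: code
Version: 1.0-constructed

Package: code-insiders
Version: 1.1-constructed
EOF
# The same third-party index with one unexpected stanza appended.
{ cat "$SAMPLE_DIR/vscode_expected"
  printf '\nPackage: libc6\nVersion: 99.0-constructed\n'; } \
    > "$SAMPLE_DIR/vscode_unexpected"

echo "expected index overlap:   [$(shadowed_packages \
    "$SAMPLE_DIR/vscode_expected" "$SAMPLE_DIR/distro")]"
echo "unexpected index overlap: [$(shadowed_packages \
    "$SAMPLE_DIR/vscode_unexpected" "$SAMPLE_DIR/distro")]"
```

On a real system, apt typically keeps the indexes it has downloaded under `/var/lib/apt/lists/`, in files whose names end in `_Packages`; an empty result for the Microsoft index against the distribution index means no names overlap.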

Okay fine. What if I still don’t like it?

If you’ve come this far and are still mad that there is a Microsoft repo on your Raspberry Pi system, you have options. The most nuclear option is to ditch Raspberry Pi OS completely – you can always run Ubuntu on your Pi, for example. There are also ready-made vanilla Debian images available for the Pi, hosted on debian.org itself.

But it would be much easier to just nerf the repository you’re not happy with in the first place. There are several ways to do that: for example, you can change the `vscode.list` file itself. And if you’re concerned about future Pi OS updates reverting that file or undoing your change, you can add an entry to `/etc/hosts` that makes it impossible to contact Microsoft’s repository in the first place:

127.0.0.1    packages.microsoft.com

Done! If your system tries to check Microsoft’s repo, it will instead… check itself, which will fail. Problem solved.

List image by Jim Salter
