Linux-based Raspberry Pi OS is secretly installing a Microsoft repo
Raspberry Pi owners are being warned that the officially supported Raspberry Pi OS installs a Microsoft repo without notification.
A recent update to the Debian Linux-based operating system -- previously known as Raspbian -- secretly installs a Microsoft apt repository that can call home to the company's servers. For anyone concerned about telemetry in general, or who is trying to avoid contact with the Windows maker, this is clearly not good news and raises questions about trust.
See also:
- Microsoft releases KB4598291 update to fix lots of Windows 10 problems
- Mozilla issues important patch to stop Firefox triggering Windows 10's drive corruption flaw
- KB4598299 and KB4598301 are the latest problematic Windows 10 updates
News of the secretly installed repo was shared by Vivek Gite who wrote about the discovery on his nixCraft site -- in an article spotted by Günter Born. He points out that "Microsoft telemetry has a bad reputation in the Linux community", and goes on to look at what is happening and what it could mean for Raspberry Pi owners.
There was, understandably, great interest in the news, and there was much discussion on the Raspberry Pi forums. People learning of the inclusion of the repo were appalled at not only the addition of "extra bloat" and the fact that there was "no announcement" and "the release notes are available AFTER install[ing]" the OS update.
Writing about the shocking and worrying findings, Gite points out some of the issues the installation of a Microsoft repo raises:
- By using forced MS repo on my RPi 2, MS controls the software I install. For example, when I run "apt install app", I will get an app distributed and modified by MS. Maybe they will not do anything evil, but I don't want anything to do with them.
- Hardcore Linux users like me (or anyone who works in infosec/IT) will never trust Microsoft or Raspberry Pi OS to install such a repo secretly.
- Microsoft may collect more info about RPi and Linux users as many try to reduce their digital footprint such as your IP address and build a profile about you.
- Every apt-get update command pingback to MS repo.
- If you or any family members logged into the MS ecosystem such as Github, Bing, Office/Live, they could identify and track you when using same shared public IP at home.
So what can you do if you are concerned about this revelation? You can, of course, install a completely different operating system on your Pi. But if you want to stick with this recommended and supported OS, Gite offers the following tips for blocking Microsoft VSCode:
Edit your /etc/hosts on RPI (or add that domain to your Pi-Hole)
sudo vim /etc/hosts
Add the following line:
0.0.0.0 packages.microsoft.com
Save and close the file in vim. Put Debian package on hold so that it will not install further updates:
sudo apt-mark hold raspberrypi-sys-mods
Delete Microsoft's GPG key using the rm command:
sudo rm -vf /etc/apt/trusted.gpg.d/microsoft.gpg
Make sure new keys cannot be installed:
sudo touch /etc/apt/trusted.gpg.d/microsoft.gpg
Next, write protect that file on Linux using the chattr command:
sudo chattr +i /etc/apt/trusted.gpg.d/microsoft.gpg
lsattr /etc/apt/trusted.gpg.d/microsoft.gpg
Image credit: Postmodern Studio / Shutterstock