Linux-based Raspberry Pi OS is secretly installing a Microsoft repo

Raspberry Pi owners are being warned that the officially supported Raspberry Pi OS installs a Microsoft repo without notification.

A recent update to the Debian Linux-based operating system -- previously known as Raspbian -- secretly installs a Microsoft apt repository that can call home to the company's servers. For anyone concerned about telemetry in general, or who is trying to avoid contact with the Windows maker, this is clearly not good news and raises questions about trust.

News of the secretly installed repo was shared by Vivek Gite, who wrote about the discovery on his nixCraft site -- in an article spotted by Günter Born. He points out that "Microsoft telemetry has a bad reputation in the Linux community", and goes on to look at what is happening and what it could mean for Raspberry Pi owners.

There was, understandably, great interest in the news, and there was much discussion on the Raspberry Pi forums. People learning of the inclusion of the repo were appalled not only at the addition of "extra bloat" but also at the fact that there was "no announcement" and that "the release notes are available AFTER install[ing]" the OS update.

Writing about the shocking and worrying findings, Gite points out some of the issues the installation of a Microsoft repo raises:

  1. By using forced MS repo on my RPi 2, MS controls the software I install. For example, when I run "apt install app", I will get an app distributed and modified by MS. Maybe they will not do anything evil, but I don't want anything to do with them.
  2. Hardcore Linux users like me (or anyone who works in infosec/IT) will never trust Microsoft or Raspberry Pi OS to install such a repo secretly.
  3. Microsoft may collect more info about RPi and Linux users as many try to reduce their digital footprint such as your IP address and build a profile about you.
  4. Every apt-get update command pingback to MS repo.
  5. If you or any family members logged into the MS ecosystem such as Github, Bing, Office/Live, they could identify and track you when using same shared public IP at home.

So what can you do if you are concerned about this revelation? You can, of course, install a completely different operating system on your Pi. But if you want to stick with this recommended and supported OS, Gite offers the following tips for blocking Microsoft VSCode:

Edit your /etc/hosts on RPI (or add that domain to your Pi-Hole):

sudo vim /etc/hosts

Add the following line:

0.0.0.0 packages.microsoft.com

Save and close the file in vim. Put the Debian package on hold so that it will not install further updates:

sudo apt-mark hold raspberrypi-sys-mods

Delete Microsoft's GPG key using the rm command:

sudo rm -vf /etc/apt/trusted.gpg.d/microsoft.gpg

Make sure new keys cannot be installed:

sudo touch /etc/apt/trusted.gpg.d/microsoft.gpg

Next, write protect that file on Linux using the chattr command:

sudo chattr +i /etc/apt/trusted.gpg.d/microsoft.gpg

lsattr /etc/apt/trusted.gpg.d/microsoft.gpg
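
To confirm what state a given system is in before or after following the steps above, the read-only audit below is an added example and not part of Gite's instructions. The function names, the AUDIT_ROOT variable and the sample tree (including its /repos/example path) are constructed for illustration; only the host name, the hosts entry and the key path come from the steps above.

```sh
#!/bin/sh
# Added example: read-only audit of the state the steps above change.
# Pass a root directory (default /) so it can also inspect a mounted SD card.
MS_RE='packages\.microsoft\.com'
MS_KEY='etc/apt/trusted.gpg.d/microsoft.gpg'

# Print active (uncommented) apt source lines that point at the Microsoft host.
ms_repo_entries() {
    root="${1:-/}"
    for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        grep -H -E "^[[:space:]]*deb(-src)?[[:space:]].*$MS_RE" "$f" || true
    done
}

# Succeed only if /etc/hosts maps the host to 0.0.0.0, as in the step above.
hosts_blocked() {
    grep -q -E "^[[:space:]]*0\.0\.0\.0[[:space:]]+(.*[[:space:]])?$MS_RE([[:space:]]|\$)" \
        "${1:-/}/etc/hosts" 2>/dev/null
}

# absent = key deleted, placeholder = empty file left by touch, present = real key.
key_state() {
    k="${1:-/}/$MS_KEY"
    if [ ! -e "$k" ]; then echo absent
    elif [ ! -s "$k" ]; then echo placeholder
    else echo present; fi
}

# Constructed sample tree (not real system data) for trying the checks offline.
sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/apt/sources.list.d" "$t/etc/apt/trusted.gpg.d"
    echo 'deb http://deb.debian.org/debian buster main' > "$t/etc/apt/sources.list"
    printf '%s\n' '# deb http://packages.microsoft.com/repos/example stable main' \
        'deb [arch=armhf] http://packages.microsoft.com/repos/example stable main' \
        > "$t/etc/apt/sources.list.d/example.list"
    echo '127.0.0.1 localhost' > "$t/etc/hosts"
    echo "$t"
}

audit() {
    root="${1:-/}"
    echo "active apt entries: $(ms_repo_entries "$root" | wc -l | tr -d ' ')"
    if hosts_blocked "$root"; then echo "hosts: blocked"; else echo "hosts: not blocked"; fi
    echo "key: $(key_state "$root")"
}

if [ -n "${AUDIT_ROOT:-}" ]; then audit "$AUDIT_ROOT"; fi
```

Running it with AUDIT_ROOT=/ prints the three findings for the live system. A commented-out source line is not counted as active, and an empty key file is reported as "placeholder" rather than "present".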

Image credit: Postmodern Studio / Shutterstock

© 1998-2021 BetaNews, Inc. All Rights Reserved.