
posted by Fnord666 on Friday February 05, @03:23AM
from the we-don't-trust-m$ dept.

Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system. The latter effectively gives the former full root access, in principle, to the whole system. The former checks in with Microsoft's servers any time APT refreshes its cache.

$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main

Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many lightweight editors and IDEs alredy[sic] available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.



Related Stories

The Ongoing Raspberry Pi Fiasco 85 comments

Developer Gavin L Rebeiro has posted[*see note below] a five-part article series at Techrights on how to deal with the ongoing Raspberry Pi fiasco by salvaging existing hardware with a replacement operating system.

He covers the background, the technical principles, some methods for mitigation, proposes using NetBSD in place of the GNU/Linux, Raspberry Pi OS. Finally, he walks through installation of NetBSD.

  • (Score: 5, Insightful) by dwilson on Friday February 05, @04:09AM (31 children)

    by dwilson (2599) on Friday February 05, @04:09AM (#1109175)

    Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system.

    Yeah, that's shady as hell.

    The latter effectively gives the former full root access, in principle, to the whole system.

    Um.. what? To use an apt repository, you generally add a public gpg key to the keyring, so the automated apt system can verify packages are untampered with. Anyone using a debian-based distro has done this hundreds of times. How is that granting anything root access?

    The former checks in with Microsoft's servers any time APT refreshes its cache.

    Otherwise known as polling the upstream repository during 'apt-get update' to see if there are any changes to download? ie, working as intended, just like every other repo in the system?

    Don't get me wrong, I hate microsoft more than the next guy, but based on the information provided in the summery this is mountain-out-of-molehill if ever I've seen it.

    --
    - D
    • (Score: 0) by Anonymous Coward on Friday February 05, @04:16AM (6 children)

      by Anonymous Coward on Friday February 05, @04:16AM (#1109179)

      I concur with what you've said, but there is just this much animosity towards Microsoft from many people. There were a lot of new linux migrants due to how Win10 was pushed out.

      • (Score: 1, Insightful) by Anonymous Coward on Friday February 05, @04:53AM

        by Anonymous Coward on Friday February 05, @04:53AM (#1109195)

        You also have to get away from systemd.

        1.) Embrace
        2.) systemd
        3.) Extinguish

      • (Score: 1, Insightful) by Anonymous Coward on Friday February 05, @11:28AM

        by Anonymous Coward on Friday February 05, @11:28AM (#1109260)

        I share your animosity, but let's face it: Windows 10 was first released +5 years ago. Most people can barely remember what meme they consumed 3 minutes ago, let alone remember how Win10 was shoved down throats.

      • (Score: 1, Disagree) by driverless on Friday February 05, @11:44AM (2 children)

        by driverless (4770) on Friday February 05, @11:44AM (#1109263)

        The Techrights article linked above is a particularly extreme example of this:

        SEVERAL years ago the thugs from Microsoft marked the Raspberry Pi Foundation for death or defection, as they had done OLPC a decade earlier. Microsoft is a cult that does not tolerate anything that’s not Microsoft. Those who seriously think that Microsoft “loves Linux” are deeply deluded or bribed/misled by (or like) the Linux Foundation.

        Yeah, that's definitely a rational, reasonable report on the situation. Excuse me one moment while I wipe the spittle from the person shouting that at me on a street corner off my face.

        As a counterpoint, others like the Hothardware one are a lot more reasonable.

        • (Score: 0) by Anonymous Coward on Friday February 05, @04:05PM

          by Anonymous Coward on Friday February 05, @04:05PM (#1109333)

          Glad to hear you're so cool about it. Hey I've got some repo keys I'd like to install on your machine. Since you're so nonchalant, what email address should I send them to?

        • (Score: 2) by Azuma Hazuki on Saturday February 06, @01:34AM

          by Azuma Hazuki (5086) on Saturday February 06, @01:34AM (#1109473) Journal

          They're not wrong though. The leopard, as Nanny Ogg says, does not change his shorts. MS has always been about embrace/extend/extinguish. They "love" Linux the way a pimp "loves" little girls.

          --
          I am "that girl" your mother warned you about...
      • (Score: 4, Insightful) by r_a_trip on Friday February 05, @12:40PM

        by r_a_trip (5276) on Friday February 05, @12:40PM (#1109271)

        Don't forget us veterans who lived under MS with monopoly power and an iron fist on the computing world. I trust these clowns as far as I can see them. This is a company founded by people who would probably sell their own mother for organ harvesting if it made them some bucks.

    • (Score: 5, Informative) by Anonymous Coward on Friday February 05, @04:20AM (5 children)

      by Anonymous Coward on Friday February 05, @04:20AM (#1109182)

      Um.. what? To use an apt repository, you generally add a public gpg key to the keyring, so the automated apt system can verify packages are untampered with. Anyone using a debian-based distro has done this hundreds of times. How is that granting anything root access?

      Because Microsoft can force an update package that will be picked up automatically. For example, they can sign an updated kernel, advertise it on their repo and have the update be pushed automatically with a regular apt upgrade.

      For once none of this is Microsoft's fault but rather it's a fundamental design failure in APT. Trust should never be an all-or-nothing matter as it is right now with Debian package system, updates from a different signer should require an explicit user permission to install.

      • (Score: 5, Informative) by Anonymous Coward on Friday February 05, @06:49AM (4 children)

        by Anonymous Coward on Friday February 05, @06:49AM (#1109215)

        For once none of this is Microsoft's fault but rather it's a fundamental design failure in APT. Trust should never be an all-or-nothing matter as it is right now with Debian package system, updates from a different signer should require an explicit user permission to install.

        You can pin packages to particular repos, so you can prevent anything except that one MS malware package from being able to be installed from MS repos*. This feature has existed for decades.

        It is rare that Debian systems use 3rd party repos except local repos controlled by the user (using 3rd party repos defeats the point of a distribution where the packages are curated by the maintainers and trustworthy). But, apt is quite capable, and can handle this use case.

        No package will be installed / upgraded from malware.microsoft.com unless you manually force it except, the package microsoft-vscode will auto upgrade from malware.microsoft.com unless a package of the same name is available from the main repo. Change Pin-Priority to change the policy to your liking. See 'man apt_preferences'

        /etc/apt/preferences.d/microsoft-malware:

        Package: *
        Pin: origin malware.microsoft.com
        Pin-Priority: 1

        Package: microsoft-vscode
        Pin: origin malware.microsoft.com
        Pin-Priority: 500

        Apt is extremely capable. If you find yourself wishing that apt could do X, it is quite probable that reading the docs you will find that apt already can do X.

        Unless rasbian included a preference file like above, then I think that the criticism is warranted. Even if you think MS is fantastic and great, least privilege is safer, and not restricting what MS repo can install only adds risk.

        *Usually pinning is used to safely mix stable, backports, testing, unstable and/or experimental packages on the same system, but you have to use common sense when doing this e.g., anything that pulls in glibc from unstable on a stable base system is not something that you can safely mix into your stable system even with pinning.
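
To make the pin file above concrete, here is an added example (not the commenter's code and not apt's own) that models the parts of apt_preferences(5) in play: it parses the two stanzas, then runs a toy version of apt's candidate selection over a constructed set of packages, once with the preference file and once without. Assumptions: dotted-numeric versions, apt's default priority of 100 for the installed version, and raspbian.example.org as a stand-in for the distro's own mirror.

```python
"""Added example: a toy model of apt's pin-priority candidate selection,
enough of apt_preferences(5) to show what the two stanzas above change.
Not apt's own code; version ordering and repository names are simplified."""
import re
from dataclasses import dataclass

INSTALLED_PRIORITY = 100  # apt's default priority for the installed version


@dataclass(frozen=True)
class Version:
    package: str
    version: str   # dotted numeric only (assumption; real dpkg ordering is richer)
    origin: str    # repository hostname, which is what "Pin: origin" matches


def parse_preferences(text):
    """Parse Package/Pin/Pin-Priority stanzas separated by blank lines into
    (package, pin-kind, pin-value, priority) tuples."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip().lower()] = value.strip()
        if {"package", "pin", "pin-priority"} <= fields.keys():
            kind, _, value = fields["pin"].partition(" ")
            stanzas.append((fields["package"], kind, value.strip(),
                            int(fields["pin-priority"])))
    return stanzas


def pin_priority(ver, stanzas):
    """Priority of one available version: a stanza naming the package beats
    a 'Package: *' stanza; a repository with no matching pin defaults to 500."""
    specific = [s for s in stanzas if s[0] == ver.package]
    general = [s for s in stanzas if s[0] == "*"]
    for _pkg, kind, value, prio in specific + general:
        if kind == "origin" and value == ver.origin:
            return prio
    return 500


def vtuple(v):
    return tuple(int(x) for x in re.findall(r"\d+", v))


def candidate(available, installed, stanzas):
    """What 'apt upgrade' would move to.  Rules modelled from apt_preferences(5):
    P < 0 never; P < 100 only when nothing is installed; P <= 1000 never
    downgrades; then the highest priority wins, ties go to the highest version."""
    ranked = []
    for v in available:
        p = pin_priority(v, stanzas)
        if p < 0 or (p < 100 and installed is not None):
            continue
        if installed and p <= 1000 and vtuple(v.version) < vtuple(installed.version):
            continue
        ranked.append((p, vtuple(v.version), v))
    if installed is not None:
        ranked.append((INSTALLED_PRIORITY, vtuple(installed.version), installed))
    return max(ranked, key=lambda r: r[:2])[2] if ranked else None


# The preference file from the comment above, verbatim.
PREFERENCES = """\
Package: *
Pin: origin malware.microsoft.com
Pin-Priority: 1

Package: microsoft-vscode
Pin: origin malware.microsoft.com
Pin-Priority: 500
"""
STANZAS = parse_preferences(PREFERENCES)

MAIN = "raspbian.example.org"   # constructed stand-in for the distro's own mirror
MS = "malware.microsoft.com"    # the origin named in the comment's pin file


def upgrade_plan(stanzas=STANZAS):
    """Constructed scenario: the third-party repo advertises a 'newer' libc6,
    a newer editor, and a package that exists nowhere else.  Returns
    {package: (version, origin)} for the candidate apt would pick."""
    world = {
        "libc6": (Version("libc6", "2.28", MAIN),
                  [Version("libc6", "2.28", MAIN), Version("libc6", "9.9", MS)]),
        "microsoft-vscode": (Version("microsoft-vscode", "1.52", MS),
                             [Version("microsoft-vscode", "1.53", MS)]),
        "ms-only-tool": (None, [Version("ms-only-tool", "1.0", MS)]),
    }
    plan = {}
    for name, (installed, available) in world.items():
        chosen = candidate(available, installed, stanzas)
        plan[name] = (chosen.version, chosen.origin) if chosen else None
    return plan


if __name__ == "__main__":
    print("with pins:   ", upgrade_plan())
    print("without pins:", upgrade_plan([]))
```

Without the pin file the "9.9" libc6 from the third-party origin becomes the candidate for the base system; with it, the distro's copy keeps priority 500 while the editor package alone still upgrades. A package only that origin provides is still a candidate at priority 1, so it can be installed on explicit request but can never outrank a copy from the main repo.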

        • (Score: 0) by Anonymous Coward on Friday February 05, @07:03AM (2 children)

          by Anonymous Coward on Friday February 05, @07:03AM (#1109219)

          Thank you for the calm and informative post.

          Would mod you up if I could.

          Though I would denylist Package: * from origin malware.microsoft.com, myself.

          • (Score: 1) by jurov on Friday February 05, @01:44PM (1 child)

            by jurov (6250) on Friday February 05, @01:44PM (#1109287)

            it says "you have 10 points" so I selected "Informative", clicked Moderate..and nothing happened.

            How it is supposed to work?

            • (Score: 2) by maxwell demon on Friday February 05, @01:55PM

              by maxwell demon (1608) on Friday February 05, @01:55PM (#1109294) Journal

              If the post is already at the maximum moderation (+5), then you cannot add another moderation. I can't tell whether that is what happened to you (no way to tell what the post's moderation status was at the time you tried to moderate), but it would be my guess.

              --
              The Tao of math: The numbers you can count are not the real numbers.
        • (Score: 0) by Anonymous Coward on Friday February 05, @11:22PM

          by Anonymous Coward on Friday February 05, @11:22PM (#1109448)

          Informative post but one quibble. It is common to have a couple of repos for the odd package. The Debian Multimedia repo was almost mandatory for years because of licensing and patent problems. Small repos with SAS / RAID controller proprietary tools. Some guy's personal repo with a testing version of a package you need. Etc.

          And yes this is a good wake up call that any repo can override any base package with the default configuration. Some bad actor seizes any minor repo and they can inject a tainted base package like glibc or libssl into every machine that uses the repo. It is time for the defaults to be made safe.

    • (Score: 3, Informative) by RedGreen on Friday February 05, @04:24AM (6 children)

      by RedGreen (888) on Friday February 05, @04:24AM (#1109184)

      They are ignorant assholes with a piss poor attitude towards their users. I just got banned from there for saying it was my GD computer and it is none of their business doing anything to it without my permission. They cannot even be bothered to do proper development, this below in Debian gets a package sent back to the maintainer, them being told, hey clown we do proper development here we need your changes listed.

      root@raspberrypi:/home/seeder1# apt changelog raspberrypi-bootloader
      E: Failed to fetch changelog:/raspberrypi-firmware.changelog Changelog unavailable for raspberrypi-firmware=1.20210201-1

      Now you going to install that, slimy pieces of shit already upgraded it once with my knowledge or permission already.

      --
      "I modded down, down, down, and the flames went higher." -- Sven Olsen
      • (Score: 2) by RedGreen on Friday February 05, @04:27AM

        by RedGreen (888) on Friday February 05, @04:27AM (#1109185)

        without my knowledge. that should be

        --
        "I modded down, down, down, and the flames went higher." -- Sven Olsen
      • (Score: 2, Insightful) by Eratosthenes on Friday February 05, @07:36AM (4 children)

        by Eratosthenes (13959) on Friday February 05, @07:36AM (#1109230) Journal

        The lack of a USB boot is a tell. This platform will not end well. Who the hell does only proprietary bootloaders?

        --
        Ἀριθμητικὴ εἰσαγωγή
        • (Score: 2) by RedGreen on Friday February 05, @10:20AM (2 children)

          by RedGreen (888) on Friday February 05, @10:20AM (#1109249)

          It boots from usb the morons have upgraded the firmware to allow it, flaky as hell for some. Just like the rest of the effort by them clowns. I have managed to solve the morons doing whatever the hell they want with my machine with Ubuntu on my SSD. I use a chainload the sd card boots the machine and the OS runs from the SSD. Tomorrow I try a Debian install out with a debootstrap method I am just reading about now.

          root@zeus-pi:~# uname -a
          Linux zeus-pi 5.8.0-1013-raspi #16-Ubuntu SMP PREEMPT Thu Jan 14 06:28:38 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux

          --
          "I modded down, down, down, and the flames went higher." -- Sven Olsen
          • (Score: 0) by Anonymous Coward on Friday February 05, @12:37PM (1 child)

            by Anonymous Coward on Friday February 05, @12:37PM (#1109270)

            Why don't you just go to a competitor? There are many with broad OS support and raspi-compatible GPIO.

            • (Score: 2) by RedGreen on Friday February 05, @01:16PM

              by RedGreen (888) on Friday February 05, @01:16PM (#1109279)

              "Why don't you just go to a competitor? There are many with broad OS support and raspi-compatible GPIO."

              Oh yeah if ever needing another little machine, it will be cold day in hell before they get my cash again.

              --
              "I modded down, down, down, and the flames went higher." -- Sven Olsen
        • (Score: 0) by Anonymous Coward on Friday February 05, @07:44PM

          by Anonymous Coward on Friday February 05, @07:44PM (#1109392)

          How does this get an "insightful"?

          usb boot is often used as an attack vector.

          If you look through this thread, it makes SN look like slashdot did when SN forked it. At least half of the posts here are astroturfing.

    • (Score: 5, Informative) by canopic jug on Friday February 05, @04:51AM (3 children)

      by canopic jug (3949) Subscriber Badge on Friday February 05, @04:51AM (#1109194) Journal

      The files are supposedly added by a post-installation script in one package, thus avoiding being listed in any of the package manifests. Give it a try:

      $ ls -1 /etc/apt/trusted.gpg.d/microsoft.gpg /etc/apt/sources.list.d/vscode.list
      /etc/apt/sources.list.d/vscode.list
      /etc/apt/trusted.gpg.d/microsoft.gpg

      $ dpkg -S /etc/apt/trusted.gpg.d/microsoft.gpg
      dpkg-query: no path found matching pattern /etc/apt/trusted.gpg.d/microsoft.gpg

      $ dpkg -S /etc/apt/sources.list.d/vscode.list
      dpkg-query: no path found matching pattern /etc/apt/sources.list.d/vscode.list

      Try to guess which package is responsible for those two added files? None are listed. Someone went out of their way to obfuscate the origins of the two files. So, yes, shady as hell.

      Then there is the question of why the Visual Studio source code could not have been added upstream to the normal Debian repositories. That would have been the expected approach should they have had any good intentions with this move, especially given the past and current history of the company involved.

      So, yes, again, shady as hell.

      Also, normally radical licensing, behavior, or privacy changes require at least a click-through agreement to pretend to notify the end users. That didn't happen.

      So, yes, yet again, shady as hell.

      --
      Money is not free speech. Elections should not be auctions.
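
The same dpkg -S check, as an added example (not the commenter's code) that walks a whole /etc/apt tree and reads the manifests dpkg keeps under /var/lib/dpkg/info/*.list directly: any sources list or trusted key that no manifest claims was created some other way, typically by a maintainer script. It runs here over a constructed copy of the tree, with example-sys-config and raspbian.example.org as made-up package and mirror names.

```python
"""Added example: find apt sources and trusted keys that no installed package
manifest claims (the same data 'dpkg -S' searches), and show which
repository host each sources file points at."""
from pathlib import Path
from urllib.parse import urlparse
import re
import tempfile

# "deb [options] URI suite components"; the bracketed options are optional.
DEB_LINE = re.compile(r"^\s*deb(?:-src)?\s+(?:\[[^\]]*\]\s+)?(\S+)\s+(\S+)")


def manifest_owners(dpkg_info):
    """Map every path listed in a dpkg manifest (*.list) to its package name."""
    owners = {}
    for manifest in Path(dpkg_info).glob("*.list"):
        pkg = manifest.stem.split(":")[0]   # drop a multiarch qualifier like :armhf
        for line in manifest.read_text().splitlines():
            owners.setdefault(line.strip(), pkg)
    return owners


def audit_apt_tree(apt_dir, dpkg_info, logical_root="/etc/apt"):
    """Inspect sources lists and trusted keys under apt_dir.  Returns
    {logical_path: {"owner": package-or-None, "hosts": [hostnames]}}.
    logical_root is where the tree lives on the real system; it is only
    overridden so the example can run on a constructed copy."""
    apt_dir = Path(apt_dir)
    owners = manifest_owners(dpkg_info)
    candidates = list((apt_dir / "sources.list.d").glob("*.list")) + \
        [p for p in (apt_dir / "trusted.gpg.d").iterdir() if p.is_file()]
    report = {}
    for path in sorted(candidates):
        logical = f"{logical_root}/{path.relative_to(apt_dir).as_posix()}"
        hosts = []
        if path.suffix == ".list":
            for line in path.read_text().splitlines():
                m = DEB_LINE.match(line)
                if m:
                    hosts.append(urlparse(m.group(1)).hostname)
        report[logical] = {"owner": owners.get(logical), "hosts": hosts}
    return report


def unowned(report):
    """Paths that no package manifest claims, sorted."""
    return sorted(p for p, info in report.items() if info["owner"] is None)


def demo():
    """Constructed filesystem mirroring the comment above: one distro sources
    file and keyring that a manifest claims, plus the two files that were
    dropped by a post-installation script and appear in no manifest."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        apt, info = root / "apt", root / "dpkg-info"
        (apt / "sources.list.d").mkdir(parents=True)
        (apt / "trusted.gpg.d").mkdir()
        info.mkdir()
        (apt / "sources.list.d" / "raspi.list").write_text(
            "deb http://raspbian.example.org/debian/ buster main\n")
        (apt / "sources.list.d" / "vscode.list").write_text(
            "### THIS FILE IS AUTOMATICALLY CONFIGURED ###\n"
            "deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main\n")
        # constructed placeholder bytes, not real keyrings
        (apt / "trusted.gpg.d" / "example-archive-keyring.gpg").write_bytes(b"\x99\x01placeholder")
        (apt / "trusted.gpg.d" / "microsoft.gpg").write_bytes(b"\x99\x01placeholder")
        # the only manifest mentions the distro's own two files
        (info / "example-sys-config.list").write_text(
            "/etc/apt/sources.list.d/raspi.list\n"
            "/etc/apt/trusted.gpg.d/example-archive-keyring.gpg\n")
        report = audit_apt_tree(apt, info)
        return report, unowned(report)


if __name__ == "__main__":
    report, bad = demo()
    for path, info in report.items():
        print(f"{path}: owner={info['owner']} hosts={info['hosts']}")
    print("unowned:", bad)
```

On a live system the call is audit_apt_tree("/etc/apt", "/var/lib/dpkg/info"); an unowned entry whose host is outside the distro's mirrors is exactly the pair of files the comment shows.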
      • (Score: 3, Interesting) by sjames on Friday February 05, @06:34AM (2 children)

        by sjames (2882) on Friday February 05, @06:34AM (#1109212) Journal

        Then there is the question of why the Visual Studio source code could not have been added upstream to the normal Debian repositories. That would have been the expected approach should they have had any good intentions with this move, especially given the past and current history of the company involved.

        Possibly because it would have then been marked clearly as nonfree.

        • (Score: 2) by dwilson on Friday February 05, @02:17PM (1 child)

          by dwilson (2599) on Friday February 05, @02:17PM (#1109302)

          Another reason could be that putting anything in a Debian managed, or even down-stream distro-managed ie by Raspbian, puts your software entirely at the mercy of whomever is elected as package maintainer. Best case, the in-repo package is one to many versions behind your current stable release. Worst case, the maintainer abandons the package and it hangs in limbo for many years, getting more and more out-dated and causing no end of headaches for the users. I've seen that happen many times.

          Personally, I absolutely roll my own repositories for any software I maintain, for any distribution I care to maintain it on. That's generally Gentoo and Debian-based systems. If a distro wants to add it to their own managed repos, that's wonderful. ...but I'm still maintaining my own repos.

          --
          - D
          • (Score: 2) by sjames on Friday February 05, @03:36PM

            by sjames (2882) on Friday February 05, @03:36PM (#1109324) Journal

            But I'll bet you don't then sneak your repo into people's configurations.

    • (Score: 5, Insightful) by sjames on Friday February 05, @06:06AM (3 children)

      by sjames (2882) on Friday February 05, @06:06AM (#1109208) Journal

      Once you get your repo slipped in by any means, you are on the honor system not to add a package that grants you root access to everything. That's why some bristle at the repo being added so quietly.

      • (Score: 4, Insightful) by Arik on Friday February 05, @06:51AM (2 children)

        by Arik (4543) on Friday February 05, @06:51AM (#1109216) Journal
        "Once you get your repo slipped in by any means, you are on the honor system not to add a package that grants you root access to everything. That's why some bristle at the repo being added so quietly."

        And this is also why you should never accept automatic updates, period.

        Once you do, then all someone has to do is either takeover, or impersonate, your upstream and you are pwned.

        It's far too insecure a design to be used for anything but a plush toy, and a good argument can be made against even that exception.
        --
        - Sig not found. Self destruct initiated. Please clear the area.
        • (Score: 0) by Anonymous Coward on Friday February 05, @09:05AM (1 child)

          by Anonymous Coward on Friday February 05, @09:05AM (#1109244)

          All packages are signed to protect against impersonation attacks. This of course does not protect you when your actual upstream has been subverted, as happened here.

          • (Score: 2) by Arik on Saturday February 06, @08:41AM

            by Arik (4543) on Saturday February 06, @08:41AM (#1109575) Journal
            "All packages are signed to protect against impersonation attacks."

            Translation: it's not easy to impersonate.

            Yep, didn't say it was.

            I said:

            If the attacker can either (a) compromise upstream or (b) impersonate the upstream, AND you've got automatic updates, THEN you are completely pwned.

            That's it, you're not even disagreeing.

            Given time, upstream will eventually be compromised.

            Given time, upstream will eventually be impersonated.

            Automatic updates are therefore utter insanity. QED.

            If they aren't signed by Torvalds or Volkerding, I ain't taking them. Even if they are, I'm asking questions first. Nothing installs automagically. If anything does, then you've failed as an admin, you need to fdisk and reïnstall and learn from your mistakes.

            --
            - Sig not found. Self destruct initiated. Please clear the area.
    • (Score: 2) by aristarchus on Friday February 05, @06:55AM

      by aristarchus (2645) on Friday February 05, @06:55AM (#1109217) Journal

      but based on the information provided in the summery

      Based on the information provided, Winter is coming. Or, at least, autumn with an Eternal September. Why is Microsoft always presaged with typos and misspellings? Are they all illiterate coding bastards?

      --
      A pair of ragged claws, scuttling across the floors of silent seas.
    • (Score: 0) by Anonymous Coward on Friday February 05, @04:03PM

      by Anonymous Coward on Friday February 05, @04:03PM (#1109331)

      "Um.. what? To use an apt repository, you generally add a public gpg key to the keyring, so the automated apt system can verify packages are untampered with. Anyone using a debian-based distro has done this hundreds of times. How is that granting anything root access?"

      suid root dumbass.

    • (Score: 2) by hendrikboom on Friday February 05, @08:59PM

      Last time I looked at Visual Studio, there was an installer instead of a deb.
      I did not trust Microsoft then to run an installer on my system.
      I still don't.

      -- hendrik

  • (Score: 3, Interesting) by Anonymous Coward on Friday February 05, @04:18AM (3 children)

    by Anonymous Coward on Friday February 05, @04:18AM (#1109180)
    • (Score: 3, Insightful) by RedGreen on Friday February 05, @04:31AM

      by RedGreen (888) on Friday February 05, @04:31AM (#1109187)

      And they banned the users for very little said, I certainly stood up for my right to have my GD property left being alone not some idiot putting his garbage on it. Commented on how the defenders of the disgusting behaviour were always there to defend the indefensible, as is always the case on the internet. The forces wanting to spread misery have many allies amongst us.

      --
      "I modded down, down, down, and the flames went higher." -- Sven Olsen
    • (Score: 0) by Anonymous Coward on Friday February 05, @07:07AM (1 child)

      by Anonymous Coward on Friday February 05, @07:07AM (#1109222)

      Forums are (temporarily) shut while this mess blows over. Sez each of those links:

      We are currently experiencing high traffic.
      We'll be back shortly.

      • (Score: 0) by Anonymous Coward on Friday February 05, @07:12AM

        by Anonymous Coward on Friday February 05, @07:12AM (#1109223)

        Not as of 5 minutes later.

  • (Score: 3, Insightful) by Anonymous Coward on Friday February 05, @04:27AM (3 children)

    by Anonymous Coward on Friday February 05, @04:27AM (#1109186)

    You know it's quality when dissenting posts get locked and deleted.

    I believe that's how the Arch Linux forums introduced systemd.

    • (Score: 2, Insightful) by Eratosthenes on Friday February 05, @07:18AM (2 children)

      by Eratosthenes (13959) on Friday February 05, @07:18AM (#1109226) Journal

      Raspberry Pi has never really been an open-source operation. They only used free software, until they got big enough to attract the major sharks, like Microsoft. So now, we will have an ARM version of Windows? Even though it has been repeatedly proven that such cannot be? And then, we will license, and incense, and recapitulate, the Windo$e operating system, or no education will take place. Raspberry was a sucker plant? A Siren? An open source honey pot? Say it ain't so, Raspberry Foundation! Those poor bastards!!! Will be reduced to taking pictures of snowflakes, in a year or two.

      --
      Ἀριθμητικὴ εἰσαγωγή
  • (Score: 5, Insightful) by canopic jug on Friday February 05, @04:42AM (1 child)

    by canopic jug (3949) Subscriber Badge on Friday February 05, @04:42AM (#1109190) Journal

    Like with their takeover of GitHub, this action provides a comprehensive geographical survey of their competitor(s). With this "update" M$ gets a full overview of how many active, updated Raspberry Pi running Raspberry Pi OS (formerly Raspbian) there are and where they are located.

    Then there are the surveillance considerations caused by Visual Studio itself. It contains substantial amounts of telemetry and this move may well put the Raspberry Pi Foundation on the wrong side of the GDPR even if the servers are inside Europe. And, of course, Brexit will have complicated that substantially.

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: -1, Troll) by Anonymous Coward on Friday February 05, @04:57AM

      by Anonymous Coward on Friday February 05, @04:57AM (#1109196)

      this move may well put the Raspberry Pi Foundation on the wrong side of the GDPR even if the servers are inside Europe. And, of course, Brexit will have complicated that substantially.

      You may be right to be paranoid, but are veering off into fantasy territory there.

  • (Score: 3, Informative) by deimios on Friday February 05, @05:06AM (5 children)

    by deimios (201) Subscriber Badge on Friday February 05, @05:06AM (#1109199) Journal

    "resource hog Visual Studio Code" - Not to defend it but those who call it a resource hog haven't worked with Eclipse, Netbeans and Visual Studio.

    Sure it is a resource hog compared to vim but let's not go overboard.

    Also this whole thing stinks, why did they go specifically with the MS build on MS servers? There are plenty of community builds like VSCodium that work just as fine.

    • (Score: 5, Funny) by leon_the_cat on Friday February 05, @06:12AM

      by leon_the_cat (10052) on Friday February 05, @06:12AM (#1109210) Journal

      I tried eclipse about 10 years ago. Still waiting for it to load.

    • (Score: 5, Interesting) by lte on Friday February 05, @07:06AM

      by lte (7062) on Friday February 05, @07:06AM (#1109221)

      Microsoft forbids you from using the C# debugger (vsdbg) with anything other than VS, VS for macOS, and their build of VSCode. So if you wish to write .NET Core applications it's your only real choice as MS push a notification asking you to install their C# extension upon opening a .cs file. There is a Samsung debugger but I'm not sure if there is support for it in VSCode.

      With their current push of ".NET runs on anything!" I wouldn't be surprised if it's down to that. Fun fact: the .NET runtime also sends telemetry by default, at least on macOS and Linux.

    • (Score: 1) by exa on Friday February 05, @08:12AM

      by exa (9931) on Friday February 05, @08:12AM (#1109232)

      Apologist.

    • (Score: 3, Interesting) by jimtheowl on Friday February 05, @02:15PM

      by jimtheowl (5929) on Friday February 05, @02:15PM (#1109300)
      I have worked with all of the above and still call it a resource hog. Depending on the use case, a better comparison than vim might be Qt Creator.

      https://www.qt.io/product/development-tools
    • (Score: 1, Interesting) by Anonymous Coward on Friday February 05, @08:35PM

      by Anonymous Coward on Friday February 05, @08:35PM (#1109400)

      "There are plenty of community builds like VSCodium that work just as fine."

      It probably doesn't work fine for the type of sycophantic whores who would push this change to begin with (plugins and such?). PHW (pointy headed whores) are infiltrating and ruining all of linux. Not just arm/broadcom/nvidia sucking bitches. Look at what the PHW's are doing to gnome 40 (version jump is gay too) while all the new gamer users cheer them on..

  • (Score: 3, Insightful) by Mojibake Tengu on Friday February 05, @05:31AM (4 children)

    by Mojibake Tengu (8598) on Friday February 05, @05:31AM (#1109204) Journal

    Go FreeBSD, young man.

    https://www.freebsd.org/where/

    --
    The edge of 太玄 cannot be defined, for it is beyond every aspect of design
    • (Score: 1) by engblom on Friday February 05, @06:30AM (2 children)

      by engblom (556) on Friday February 05, @06:30AM (#1109211)

      Some weeks ago when I checked out FreeBSD for RPi, I noticed they do not have any ready aarch64 images for RPi3/4.

      • (Score: 3, Interesting) by Mojibake Tengu on Friday February 05, @08:20AM

        by Mojibake Tengu (8598) on Friday February 05, @08:20AM (#1109236) Journal

        YMMV, I observe 12.2 for RPi3, and heard about work progress in current on sdio/wifi for 4.

        Anyway, what the Raspbian team did is pure betrayal dishonorable.
        Trust is a non-renewable resource.

        --
        The edge of 太玄 cannot be defined, for it is beyond every aspect of design
      • (Score: 2) by jimtheowl on Friday February 05, @01:07PM

        by jimtheowl (5929) on Friday February 05, @01:07PM (#1109277)
        It is there now; I just downloaded a 416MB SD card image and burned it with the dd utility.

        What is slightly inconvenient is that there are typically no pre-built packages. The ports tree makes it easy to build sources, but it is advisable to get an external drive to do so.
    • (Score: 0) by Anonymous Coward on Friday February 05, @11:35AM

      by Anonymous Coward on Friday February 05, @11:35AM (#1109262)

      Or a purer version of Raspbian:
      https://raspi.debian.net/

      It's just debian, without the fruity smell...

  • (Score: 5, Insightful) by PinkyGigglebrain on Friday February 05, @06:38AM

    by PinkyGigglebrain (4458) on Friday February 05, @06:38AM (#1109213)

    Embrace: completed
    Extend: in process
    Extinguish: to be scheduled

    --
    "Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
  • (Score: 2, Interesting) by exa on Friday February 05, @08:15AM

    by exa (9931) on Friday February 05, @08:15AM (#1109234)

    On a slightly positive note, this might push Debian folks to add some simple&reasonable config-meddling functionality right into `dpkg`. Lintian is literally screaming at maintainers not to install custom stuff to /etc/apt, why not push the warning that the package sucks much closer to the users?

  • (Score: 2) by Tokolosh on Friday February 05, @03:12PM (6 children)

    by Tokolosh (585) on Friday February 05, @03:12PM (#1109316)

    pi@raspberrypi:~ $ grep -i pretty /etc/os-release
    PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
    pi@raspberrypi:~ $ cat /etc/apt/sources.list.d/vscode.list
    cat: /etc/apt/sources.list.d/vscode.list: No such file or directory

    Newbie here - what do I make of this?

    • (Score: 4, Informative) by canopic jug on Friday February 05, @05:27PM (5 children)

      by canopic jug (3949) Subscriber Badge on Friday February 05, @05:27PM (#1109357) Journal

      If you are running Raspberry Pi OS "buster", then it is probable that you haven't updated the system for a while. If you block the files first, then they won't get injected into your system.

      sudo rm /etc/apt/sources.list.d/vscode.list
      sudo touch /etc/apt/sources.list.d/vscode.list
      sudo chmod 444 /etc/apt/sources.list.d/vscode.list
      sudo chattr +i /etc/apt/sources.list.d/vscode.list

      sudo rm /etc/apt/trusted.gpg.d/microsoft.gpg
      sudo touch /etc/apt/trusted.gpg.d/microsoft.gpg
      sudo chmod 444 /etc/apt/trusted.gpg.d/microsoft.gpg
      sudo chattr +i /etc/apt/trusted.gpg.d/microsoft.gpg

      Otherwise, they'll probably show up next time you do an update.

      --
      Money is not free speech. Elections should not be auctions.
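      An added example (mine, not code from the thread or from canopic jug): a POSIX shell audit that walks every APT sources file and trusted keyring and flags anything outside an assumed Raspberry Pi OS allow list, so the check is not limited to one known path. The allowed host and keyring names and the constructed sample tree are assumptions; with no argument it reads the live /etc.

```shell
# Added example, not from the thread: audit an APT tree for repositories and
# trusted keys Raspberry Pi OS is not expected to carry (prefix arg optional).

# Hosts and keyring names expected on Raspberry Pi OS (assumptions; adjust).
ALLOWED_HOSTS="raspbian.raspberrypi.org archive.raspberrypi.org"
ALLOWED_KEYS="raspbian-archive-keyring.gpg raspberrypi-archive-stable.gpg"

# Print "<file>: <host>" for every deb/deb-src line whose host is unexpected.
audit_sources() {
    prefix="${1:-}"
    for f in "$prefix/etc/apt/sources.list" "$prefix/etc/apt/sources.list.d"/*.list; do
        [ -f "$f" ] || continue
        # Drop comments, skip an optional [options] block, keep the URI's host.
        sed -e 's/#.*//' "$f" |
        awk '$1 == "deb" || $1 == "deb-src" {
                 i = 2; if ($i ~ /^\[/) { while ($i !~ /\]$/) i++; i++ }
                 uri = $i; sub("^[a-z+]*://", "", uri); sub("/.*", "", uri); print uri
             }' |
        while read -r host; do
            case " $ALLOWED_HOSTS " in *" $host "*) ;; *) echo "$f: $host" ;; esac
        done
    done
}

# Print "<file> (<n> bytes)" for every unexpected keyring in trusted.gpg.d. Any key
# here is trusted system-wide; a 0-byte entry is the thread's empty placeholder.
audit_keys() {
    prefix="${1:-}"
    for k in "$prefix/etc/apt/trusted.gpg.d"/*; do
        [ -f "$k" ] || continue
        case " $ALLOWED_KEYS " in *" $(basename "$k") "*) ;; *) echo "$k ($(wc -c < "$k" | tr -d ' ') bytes)" ;; esac
    done
}

# Constructed tree mirroring the files quoted in the story, for an offline dry run.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/apt/sources.list.d" "$t/etc/apt/trusted.gpg.d"
    echo "deb http://raspbian.raspberrypi.org/raspbian/ buster main" > "$t/etc/apt/sources.list"
    echo "deb http://archive.raspberrypi.org/debian/ buster main" > "$t/etc/apt/sources.list.d/raspi.list"
    printf '%s\n' '### THIS FILE IS AUTOMATICALLY CONFIGURED ###' \
        'deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main' \
        > "$t/etc/apt/sources.list.d/vscode.list"
    printf 'constructed-keyring-bytes' > "$t/etc/apt/trusted.gpg.d/raspbian-archive-keyring.gpg"
    : > "$t/etc/apt/trusted.gpg.d/microsoft.gpg"   # the thread's immutable empty file
    echo "$t"
}

if [ "${1:-}" = demo ]; then d=$(make_sample_tree); audit_sources "$d"; audit_keys "$d"; fi
```

Run with `demo` to see the constructed tree flagged; with no argument it audits the running system.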
      • (Score: 2) by Tokolosh on Friday February 05, @11:30PM (3 children)

        by Tokolosh (585) on Friday February 05, @11:30PM (#1109450)

        Thank you very much. I ran your commands, see below. My understanding is that I have created an immutable microsoft gpg file, which prevents their repo being added.

        pi@raspberrypi:~ $ sudo rm /etc/apt/sources.list.d/vscode.list
        rm: cannot remove '/etc/apt/sources.list.d/vscode.list': No such file or directory
        pi@raspberrypi:~ $ sudo rm /etc/apt/sources.list.d/vscode.list
        rm: cannot remove '/etc/apt/sources.list.d/vscode.list': No such file or directory
        pi@raspberrypi:~ $ sudo chmod 444 /etc/apt/sources.list.d/vscode.list
        chmod: cannot access '/etc/apt/sources.list.d/vscode.list': No such file or directory
        pi@raspberrypi:~ $ sudo chattr +i /etc/apt/sources.list.d/vscode.list
        chattr: No such file or directory while trying to stat /etc/apt/sources.list.d/vscode.list
        pi@raspberrypi:~ $ sudo rm /etc/apt/trusted.gpg.d/microsoft.gpg
        rm: cannot remove '/etc/apt/trusted.gpg.d/microsoft.gpg': No such file or directory
        pi@raspberrypi:~ $ sudo touch /etc/apt/trusted.gpg.d/microsoft.gpg
        pi@raspberrypi:~ $ sudo chmod 444 /etc/apt/trusted.gpg.d/microsoft.gpg
        pi@raspberrypi:~ $ sudo chattr +i /etc/apt/trusted.gpg.d/microsoft.gpg

        • (Score: 3, Informative) by MadTinfoilHatter on Saturday February 06, @04:26AM (1 child)

          by MadTinfoilHatter (4635) on Saturday February 06, @04:26AM (#1109507)

          > Thank you very much. I ran your commands, see below. My understanding is that I have created an immutable microsoft gpg file, which prevents their repo being added.

          The idea was to create immutable versions of empty (and therefore harmless) versions of microsoft.gpg and vscode.list so that any process that tries to add or modify these files will fail.

          > pi@raspberrypi:~ $ sudo rm /etc/apt/sources.list.d/vscode.list
          > rm: cannot remove '/etc/apt/sources.list.d/vscode.list': No such file or directory
          > pi@raspberrypi:~ $ sudo rm /etc/apt/sources.list.d/vscode.list
          > rm: cannot remove '/etc/apt/sources.list.d/vscode.list': No such file or directory
          > pi@raspberrypi:~ $ sudo chmod 444 /etc/apt/sources.list.d/vscode.list
          > chmod: cannot access '/etc/apt/sources.list.d/vscode.list': No such file or directory
          > pi@raspberrypi:~ $ sudo chattr +i /etc/apt/sources.list.d/vscode.list
          > chattr: No such file or directory while trying to stat /etc/apt/sources.list.d/vscode.list

          However, here you went wrong. You copy-pasted the rm command twice, and missed the touch command, causing the last two commands to also have no effect. You should repeat the whole procedure (including rm) for vscode.list just to be safe. The only command that should possibly fail with an error message is the rm one (if you weren't infected when running the commands). The rest should go through with no comment, as was the case for microsoft.gpg.

          • (Score: 2) by Tokolosh on Saturday February 06, @02:34PM

            by Tokolosh (585) on Saturday February 06, @02:34PM (#1109641)

            Thanks, and to unauthorized, too, for spotting my mistake.

        • (Score: 3, Informative) by unauthorized on Saturday February 06, @05:23AM

          by unauthorized (3776) on Saturday February 06, @05:23AM (#1109532)

          Your understanding is correct, but your second command is wrong: you did rm (remove file) twice instead of using touch to create a blank file. Redo the first set of four commands and you'll be good. Only the first one should yield a "no such file" error.

      • (Score: 2) by Tokolosh on Saturday February 06, @02:33AM

        by Tokolosh (585) on Saturday February 06, @02:33AM (#1109487)

        Follow-up. Ran update and upgrade, and now I have vscode.list with the offending MS repo. I trust that your vaccination will keep me from infection.

  • (Score: 0) by Anonymous Coward on Friday February 05, @03:51PM (2 children)

    by Anonymous Coward on Friday February 05, @03:51PM (#1109327)

    If you give third party root access to hardware that you do not own without consent from the owner, that is the very definition of computer intrusion. Criminal charges should be filed.

    I recognize that there is a possibility that they were not even aware of this, and that the push came from Debian. Name them in the complaint. They have deep pockets after all.

    The correct way for raspbian to respond to this is to roll back the update their corporate charter to prohibit future collusion without corporate dissolution. Then stop basing your distro on Debian. That was just dumb to begin with. If it snuck through from Debian, those guys have always been reckless opportunists on the jock of whoever was willing to pay them.

    • (Score: 0) by Anonymous Coward on Friday February 05, @04:10PM

      by Anonymous Coward on Friday February 05, @04:10PM (#1109335)

      The thing is, all of the astroturfing out there is being logged by the site hosts. If any of those astroturfers can be shown to have been paid, then that is evidence of premeditation. This is actually a hell of a lawsuit, and it is going to make some attorneys very rich.

    • (Score: 0) by Anonymous Coward on Sunday February 07, @02:03AM

      by Anonymous Coward on Sunday February 07, @02:03AM (#1109842)

      Anonymous Australian here.
      Just wanted to point out that if you want a jurisdiction where computer crimes carry overblown sentences, you might want to ensure charges are filed in Australia.

      Unauthorised access to a computer system with alteration of files carries something like a 10 year mandatory minimum sentence.

      Some hacker back in the '60s managed to get into a bank's computer - by dialing up a random phone number - which then spat out all valid credit card details (including expiry dates and current limits).
      Judge thought that the sky might fall because of computer crimes perpetrated on banks, and so made an extreme precedent specifically to act as a deterrent.

      Would love to see the fallout effects from having some MSFT manager thrown into a cell for such a crime. MSFT's corporate culture is already all about arse-covering, so I imagine it would have quite a salutary effect.

  • (Score: 3, Informative) by hopp on Friday February 05, @04:29PM (1 child)

    by hopp (2833) on Friday February 05, @04:29PM (#1109338)

    You could try Devuan if you don't like the change and aren't a fan of systemd.
    https://arm-files.devuan.org [devuan.org]

    Of course NetBSD and FreeBSD have pretty decent support too.

    • (Score: 2, Interesting) by Anonymous Coward on Friday February 05, @07:51PM

      by Anonymous Coward on Friday February 05, @07:51PM (#1109393)

      It would be nice to see some of the hardware vendors come out and chat about all this.

      If you're a FOSS project, you really should have anti-EEE clauses in your corporate charter, and there needs to be a registry of projects that are so configured. Maybe a next project for Stallman?

  • (Score: 0) by Anonymous Coward on Friday February 05, @10:47PM (1 child)

    by Anonymous Coward on Friday February 05, @10:47PM (#1109441)

    Closed-source software has been included with RPIOS/Raspbian before. Mathematica, proprietary blobs for the GPU, whatever. They're probably still using lots of proprietary blobs by default. Last time I cared about RPi, about two years ago, there were open drivers for most things but they didn't work as well and you still had to use a proprietary blob to boot. I think work is being done on that last one, not sure of the progress. Those were distributed by the Pi Foundation, which, I guess, is more trusted. But those GPU blobs had better-than-root access already (since the Broadcom CPU used is really an ARM coprocessor bolted onto the side of a GPU).

    It seems like the way to address this is for Microsoft's repository to be used only for delivering VSCode and not for anything else on the system. Pretty sure apt can already do that.

    You can always run your own OS. Nobody forces you to use theirs (outside of the boot process). There are other distributions. I used Gentoo and it was better than Raspbian (though of course, I had to set up a cross-compiler on a real PC to build it).

    • (Score: 0) by Anonymous Coward on Wednesday February 10, @01:27AM

      by Anonymous Coward on Wednesday February 10, @01:27AM (#1110958)

      Unfortunately that whole firmware project died back in the Pi2/3 era when the primary developer/reverse engineer discovered that the ARM TrustZone implementation on the Pi was flawed, due to either a lack of or an incorrect implementation of the TrustZone requirements. Since they wanted it to test out TrustZone on, they lost their interest and dedication to the project, which died in either '18 or '19, I forget when. There may have been a few updates since, but there has been practically no development that I saw.

      Unfortunately this covers most hardware and open source projects today, so unless you're really lucky, expect even your unsigned hardware to remain 50-80 percent reversed, with no one to make that last sprint to 99 or 100 percent.

  • (Score: 0) by Anonymous Coward on Saturday February 06, @01:48AM

    by Anonymous Coward on Saturday February 06, @01:48AM (#1109479)

    https://onion.debian.org/ [debian.org]

    In particular, once you have the apt-transport-tor package installed, the following entries should work in your sources list for a Debian system:

    deb tor+http://vwakviie2ienjx6t.onion/debian buster main
    deb tor+http://vwakviie2ienjx6t.onion/debian buster-updates main
    deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security buster/updates main

    #deb tor+http://vwakviie2ienjx6t.onion/debian buster-backports main

  • (Score: 2) by RedGreen on Saturday February 06, @03:06AM

    by RedGreen (888) on Saturday February 06, @03:06AM (#1109493)

    Does pure Debian ever run good on this puppy: took the image from 20201112 for the Pi 4, booted it up and copied it to my SSD, and it works just great. Half the load at least of the command line Pi OS install I had. And I would think, like I always have with Debian, we have adults in charge of the development; some may be aholes but they have been or are being weeded out. Should have downloaded that from the start, oh well, live and learn...

    root@buster-raspi:~# uname -a
    Linux buster-raspi 5.9.0-0.bpo.5-arm64 #1 SMP Debian 5.9.15-1~bpo10+1 (2020-12-31) aarch64 GNU/Linux

    --
    "I modded down, down, down, and the flames went higher." -- Sven Olsen
  • (Score: 3, Disagree) by dltaylor on Saturday February 06, @05:15AM (3 children)

    by dltaylor (4693) on Saturday February 06, @05:15AM (#1109529)

    I don't think it is necessary to attribute this fiasco to malice. It might have just been stupidity (either assigning an engineer who doesn't understand the question, or just an engineer who really doesn't know how to do this).

    Step 1: create a package to add the Microsoft repo and keys

    If it is appropriately named and commented, no one can complain that they didn't know.

    Step 2: make the Microsoft package a dependency for installing the vscode package

    The installer of choice will inform the administrator the dependency exists, and offer to install it first.

    Now they need a step 3: update raspberrypi-sys-mods package to REMOVE the Microsoft back door.

    • (Score: 4, Insightful) by Arik on Saturday February 06, @05:40PM (2 children)

      by Arik (4543) on Saturday February 06, @05:40PM (#1109694) Journal
      If the person who added the package wasn't acting from malice, then someone is waaaaay above their level of competence. This wasn't just a minor mistake; they just irreversibly doxed everyone that updated without precautions; essentially their entire userbase.
      --
      - Sig not found. Self destruct initiated. Please clear the area.