Date: 2005-02-21. From the we-don't-trust-m$ dept.
Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system. The latter effectively gives the former full root access, in principle, to the whole system. The former checks in with Microsoft's servers any time APT refreshes its cache.
$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
How to know if you're affected/infected already:
$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main
Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many lightweight editors and IDEs already available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.
(Score: 2, Disagree) by dwilson on Friday February 05, @04:09AM (6 children)
Yeah, that's shady as hell.
Um.. what? To use an apt repository, you generally add a public gpg key to the keyring, so the automated apt system can verify packages are untampered with. Anyone using a debian-based distro has done this hundreds of times. How is that granting anything root access?
Otherwise known as polling the upstream repository during 'apt-get update' to see if there are any changes to download? ie, working as intended, just like every other repo in the system?
Don't get me wrong, I hate microsoft more than the next guy, but based on the information provided in the summary this is mountain-out-of-molehill if ever I've seen it.
- D
(Score: 0) by Anonymous Coward on Friday February 05, @04:16AM (1 child)
I concur with what you've said, but there is just this much animosity towards Microsoft from many people. There were a lot of new linux migrants due to how Win10 was pushed out.
(Score: 0) by Anonymous Coward on Friday February 05, @04:53AM
You also have to get away from systemd.
1.) Embrace
2.) systemd
3.) Extinguish
(Score: 1, Informative) by Anonymous Coward on Friday February 05, @04:20AM
Because Microsoft can force an update package that will be picked up automatically. For example, they can sign an updated kernel, advertise it on their repo and have the update be pushed automatically with a regular apt upgrade.
For once none of this is Microsoft's fault but rather it's a fundamental design failure in APT. Trust should never be an all-or-nothing matter as it is right now with the Debian package system; updates from a different signer should require explicit user permission to install.
(Score: 2) by RedGreen on Friday February 05, @04:24AM (1 child)
They are ignorant assholes with a piss poor attitude towards their users. I just got banned from there for saying it was my GD computer and it is none of their business doing anything to it without my permission. They cannot even be bothered to do proper development; this below in Debian gets a package sent back to the maintainer, them being told, hey clown we do proper development here we need your changes listed.
root@raspberrypi:/home/seeder1# apt changelog raspberrypi-bootloader
E: Failed to fetch changelog:/raspberrypi-firmware.changelog Changelog unavailable for raspberrypi-firmware=1.20210201-1
Now you going to install that, slimy pieces of shit already upgraded it once with my knowledge or permission already.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2) by RedGreen on Friday February 05, @04:27AM
"without my knowledge", that should be.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 3, Informative) by canopic jug on Friday February 05, @04:51AM
The files are supposedly added by a post-installation script in one package, thus avoiding being listed in any of the package manifests. Give it a try:
Try to guess which package is responsible for those two added files? None are listed. Someone went out of their way to obfuscate the origins of the two files. So, yes, shady as hell.
Then there is the question of why the Visual Studio source code could not have been added upstream to the normal Debian repositories. That would have been the expected approach should they have had any good intentions with this move, especially given the past and current history of the company involved.
So, yes, again, shady as hell.
Also, normally radical licensing, behavior, or privacy changes require at least a click-through agreement to pretend to notify the end users. That didn't happen.
So, yes, yet again, shady as hell.
Money is not free speech. Elections should not be auctions.
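The check in the story summary (look for the dropped-in vscode.list) and the point in the comment above (the files are not listed in any package manifest) can be scripted as a small audit. This is an added example, not code from the thread or from the Raspberry Pi project: it flags apt source hosts outside an allowlist you supply, and reports source/key files that dpkg -S cannot attribute to any installed package; the allowlisted hostnames and the sample file are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added audit example (not from the thread). Assumes one-line "deb [opts] URI suite comps"
# source entries; dpkg is only needed for the ownership check and is skipped if absent.

# Print every host in a sources file that is NOT in the space-separated allowlist.
audit_sources() {            # usage: audit_sources FILE "host1 host2 ..."
    file=$1; allow=$2
    # keep deb/deb-src lines, drop the optional [arch=...] field, take the URI,
    # reduce it to its host part, then compare each host against the allowlist
    grep -E '^[[:space:]]*deb(-src)?[[:space:]]' "$file" \
      | sed -E 's/^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?//' \
      | awk '{print $1}' \
      | sed -E 's#^[a-z]+://([^/]+).*#\1#' \
      | sort -u \
      | while read -r host; do
            case " $allow " in
                *" $host "*) ;;          # allowed host, say nothing
                *) echo "$host" ;;       # unexpected third-party repository host
            esac
        done
}

# Report apt source and key files that no installed package claims ownership of
# (a post-install script writing files directly, as described above, looks like this).
unowned_apt_files() {
    command -v dpkg >/dev/null 2>&1 || { echo "dpkg not available" >&2; return 2; }
    for f in /etc/apt/sources.list.d/* /etc/apt/trusted.gpg.d/*; do
        [ -e "$f" ] || continue
        dpkg -S "$f" >/dev/null 2>&1 || echo "unowned: $f"
    done
}

# Constructed sample mirroring the vscode.list quoted in the story, written to a temp file.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat >"$SAMPLE" <<'EOF'
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main
EOF

# Assumed allowlist of the distribution's own mirrors; anything else is printed.
audit_sources "$SAMPLE" "archive.raspberrypi.org raspbian.raspberrypi.org"   # prints packages.microsoft.com
```

Run it against /etc/apt/sources.list.d/*.list with your own allowlist, and call unowned_apt_files on a real system to see which source and key files no package accounts for.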
(Score: 1, Informative) by Anonymous Coward on Friday February 05, @04:18AM (1 child)
(Score: 2) by RedGreen on Friday February 05, @04:31AM
And they banned the users for very little said, I certainly stood up for my right to have my GD property left being alone not some idiot putting his garbage on it. Commented on how the defenders of the disgusting behaviour were always there to defend the indefensible, as is always the case on the internet. The forces wanting to spread misery have many allies amongst us.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 1, Insightful) by Anonymous Coward on Friday February 05, @04:27AM
You know it's quality when dissenting posts get locked and deleted.
I believe that's how the Arch Linux forums introduced systemd.
(Score: 2) by canopic jug on Friday February 05, @04:42AM (1 child)
Like with their takeover of GitHub, this action provides a comprehensive geographical survey of their competitor(s). With this "update" M$ gets a full overview of how many active, updated Raspberry Pis running Raspberry Pi OS (formerly Raspbian) there are and where they are located.
Then there are the surveillance considerations caused by Visual Studio itself. It contains substantial amounts of telemetry and this move may well put the Raspberry Pi Foundation on the wrong side of the GDPR even if the servers are inside Europe. And, of course, Brexit will have complicated that substantially.
Money is not free speech. Elections should not be auctions.
(Score: 0) by Anonymous Coward on Friday February 05, @04:57AM
You may be right to be paranoid, but are veering off into fantasy territory there.
(Score: 2) by deimios on Friday February 05, @05:06AM
"resource hog Visual Studio Code" - Not to defend it but those who call it a resource hog haven't worked with Eclipse, Netbeans and Visual Studio.
Sure it is a resource hog compared to vim but let's not go overboard.
Also this whole thing stinks, why did they go specifically with the MS build on MS servers? There are plenty of community builds like VSCodium that work just as fine.