SoylentNews is people
SoylentNews
Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system. The latter effectively gives the former full root access, in principle, to the whole system. The former checks in with Microsoft's servers any time APT refreshes its cache.
$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"How to know if you're affected/infected already:
$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code
stable main
Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many light weight editors and IDEs alredy[sic] available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.
- TechRights. Raspberry Pi (at Least Raspbian GNU/Linux and/or Raspberry Pi Foundation) Appears to Have Been Infiltrated by Microsoft and There Are Severe Consequences
- TechRights. Raspberry Pi Foundation is Trying to Cover Up Its Deal With the Devil by Censoring Its Own Customers
- CyberCity. Heads up: Microsoft repo secretly installed on all Raspberry Pi's Linux OS
- Hot Hardware. Raspberry Pi Users Mortified As Microsoft Repository That Phones Home Is Added To Pi OS
- The Linux Gamer. Microsoft INFILTRATES Raspberry Pi OS
(Score: 5, Insightful) by dwilson on Friday February 05 2021, @04:09AM (31 children)
Yeah, that's shady as hell.
Um.. what? To use an apt repository, you generally add a public gpg key to the keyring, so the automated apt system can verify packages are untampered with. Anyone using a debian-based distro has done this hundreds of times. How is that granting anything root access?
Otherwise known as polling the upstream repository during 'apt-get update' to see if there are any changes to download? ie, working as intended, just like every other repo in the system?
Don't get me wrong, I hate microsoft more than the next guy, but based on the information provided in the summery this is mountain-out-of-molehill if ever I've seen it.
- D
(Score: 0) by Anonymous Coward on Friday February 05 2021, @04:16AM (6 children)
I concur with what you've said, but there is just this much animosity towards Microsoft from many people. There were a lot of new linux migrants due to how Win10 was pushed out.
(Score: 1, Insightful) by Anonymous Coward on Friday February 05 2021, @04:53AM
You also have to get away from systemd.
1.) Embrace
2.) systemd
3.) Extinguish
(Score: 1, Insightful) by Anonymous Coward on Friday February 05 2021, @11:28AM
I share your animosity, but let's face it: Windows 10 was first released +5 years ago. Most people can barely remember what meme they consumed 3 minutes ago, let alone remember how Win10 was shoved down throats.
(Score: 1, Disagree) by driverless on Friday February 05 2021, @11:44AM (2 children)
The Techrights article linked above is a particularly extreme example of this:
Yeah, that's definitely a rational, reasonable report on the situation. Excuse me one moment while I wipe the spittle from the person shouting that at me on a street corner off my face.
As a counterpoint, others like the Hothardware one are a lot more reasonable.
(Score: 0) by Anonymous Coward on Friday February 05 2021, @04:05PM
Glad to here your so cool about it. Hey I've got some repo keys I'd like to install on your machine. Since your so non-chalant, what email address should I send them to?
(Score: 2) by Azuma Hazuki on Saturday February 06 2021, @01:34AM
They're not wrong though. The leopard, as Nanny Ogg says, does not change his shorts. MS has always been about emrbace/extend/extinguish. They "love" Linux the way a pimp "loves" little girls.
I am "that girl" your mother warned you about...
(Score: 4, Insightful) by r_a_trip on Friday February 05 2021, @12:40PM
Don't forget us veterans who lived under MS with monopoly power and an iron fist on the computing world. I trust these clowns as far as I can see them. This is a company founded by people who would probably sell their own mother for organ harvesting if it made them some bucks.
(Score: 5, Informative) by Anonymous Coward on Friday February 05 2021, @04:20AM (5 children)
Because Microsoft can force an update package that will be picked up automatically. For example, they can sign an updated kernel, advertise it on their repo and have the update be pushed automatically with a regular apt upgrade.
For once none of this is Microsoft's fault but rather it's a fundamental design failure in APT. Trust should never be an all-or-nothing matter as it is right now with Debian package system, updates from a different signer should require an explicit user permission to install.
(Score: 5, Informative) by Anonymous Coward on Friday February 05 2021, @06:49AM (4 children)
You can pin packages to particular repos, so you can prevent anything except that one MS malware package from being able to be installed from MS repos*. This feature has existed for decades.
It is rare that Debian systems use 3rd party repos except local repos controlled by the user (using 3rd party repos defeats the point of a distribution where the packages are curated by the maintainers and trustworthy). But, apt is quite capable, and can handle this use case.
No package will be installed / upgraded from malware.microsoft.com unless you manually force it except, the package microsoft-vscode will auto upgrade from malware.microsoft.com unless a package of the same name is available from the main repo. Change Pin-Priority to change the policy to your liking. See 'man apt_preferences'
/etc/apt/preferences.d/microsoft-malware:
Package: *
Pin: origin malware.microsoft.com
Pin-Priority: 1
Package: microsoft-vscode
Pin: origin malware.microsoft.com
Pin-Priority: 500
Apt is extremely capable. If you find yourself wishing that apt could do X, it is quite probable that reading the docs you will find that apt already can do X.
Unless rasbian included a preference file like above, then I think that the criticism is warranted. Even if you think MS is fantastic and great, least privilege is safer, and not restricting what MS repo can install only adds risk.
*Usually pinning is used to safely mix stable, backports, testing, unstable and/or experimental packages on the same system, but you have to use common sense when doing this e.g., anything that pulls in glibc from unstable on a stable base system is not something that you can safely mix into your stable system even with pinning.
(Score: 0) by Anonymous Coward on Friday February 05 2021, @07:03AM (2 children)
Thank you for the calm and informative post.
Would mod you up if I could.
Though I would denylist Package: * from origin malware.microsoft.com, myself.
(Score: 1) by jurov on Friday February 05 2021, @01:44PM (1 child)
it says "you have 10 points" so I selected "Informative", clicked Moderate..and nothing happened.
How it is supposed to work?
(Score: 2) by maxwell demon on Friday February 05 2021, @01:55PM
If the post is already at the maximum moderation (+5), then you cannot add another moderation. I can't tell whether that is what happened to you (no way to tell what the post's moderation status was at the time you tried to moderate), but it would be my guess.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 0) by Anonymous Coward on Friday February 05 2021, @11:22PM
Informative post but one quibble. It is common to have a couple of repos for the odd package. The Debian Multimedia repo was almost mandatory for years because of licensing and patent problems. Small repos with SAS / RAID controller proprietary tools. SOme guy's personal repo with a testing version of a package you need. Etc.
And yes this is a good wake up call that any repo can override any base package with the default configuration. Some bad actor seizes any minor repo and they can inject a tainted base package like glibc or libssl into every machine that uses the repo. It is time for the defaults to be made safe.
(Score: 3, Informative) by RedGreen on Friday February 05 2021, @04:24AM (6 children)
They are ignorant assholes with a piss poor attitude towards their users. I just got banned from their for saying it was my GD computer and it is none of their business doing anything to it without my permission. They cannot even bothered to do proper development, this below in Debian gets a package sent back to the maintainer, them being told, hey clown we do proper development here we need your changes listed.
root@raspberrypi:/home/seeder1# apt changelog raspberrypi-bootloader
E: Failed to fetch changelog:/raspberrypi-firmware.changelog Changelog unavailable for raspberrypi-firmware=1.20210201-1
Now you going to install that, slimy pieces of shit already upgraded it once with my knowledge or permission already.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2) by RedGreen on Friday February 05 2021, @04:27AM
without my knowledge. that should be
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 2, Insightful) by Eratosthenes on Friday February 05 2021, @07:36AM (4 children)
The lack of a USB boot is a tell. This platform will not end well. Who the hell does only proprietary bootloaders?
(Score: 2) by RedGreen on Friday February 05 2021, @10:20AM (2 children)
It boots from usb the morons have upgraded the firmware to allow it, flaky as hell for some. Just like the rest of the effort by them clowns. I have managed to solve the morons doing whatever the hell they want with my machine with Ubuntu on my SSD. I use a chainload the sd card boots the machine and the OS runs from the SSD. Tomorrow I try a Debian install out with a debootstrap method I am just reading about now.
root@zeus-pi:~# uname -a
Linux zeus-pi 5.8.0-1013-raspi #16-Ubuntu SMP PREEMPT Thu Jan 14 06:28:38 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 0) by Anonymous Coward on Friday February 05 2021, @12:37PM (1 child)
Why don't you just go to a competitor? There are many with broad OS support and raspi-compatible GPIO.
(Score: 2) by RedGreen on Friday February 05 2021, @01:16PM
"Why don't you just go to a competitor? There are many with broad OS support and raspi-compatible GPIO."
Oh yeah if ever needing another little machine, it will be cold day in hell before they get my cash again.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 0) by Anonymous Coward on Friday February 05 2021, @07:44PM
How does this get an "insightful"?
usb boot is often used as an attack vector.
If you look through this thread, it makes SN look like slashdot did when SN forked it. At least half of the posts here are astroturfing.
(Score: 5, Informative) by canopic jug on Friday February 05 2021, @04:51AM (3 children)
The files are supposedly added by a post-installation script in one package, thus avoiding being listed in any of the package manifests. Give it a try:
Try to guess which package is responsible for those two added files? None are listed. Someone went out of their way to obfuscate the origins of the two files. So, yes, shady as hell.
Then there is the question of why the Visual Studio source code could not have been added upstream to the normal Debain repositories. That would have been the expected approach should they have had any good intentions with this move, especially given the past and current history of the company involved.
So, yes, again, shady as hell.
Also, normally radical licensing, behavior, or privacy changes require at least a click-through agreement to pretend to notify the end users. That didn't happen.
So, yes, yet again, shady as hell.
Money is not free speech. Elections should not be auctions.
(Score: 3, Interesting) by sjames on Friday February 05 2021, @06:34AM (2 children)
Possibly because it would have then been marked clearly as nonfree.
(Score: 2) by dwilson on Friday February 05 2021, @02:17PM (1 child)
Another reason could be that putting anything in a Debian managed, or even down-stream distro-managed ie by Raspbian, puts your software entirely at the mercy of whomever is elected as package maintainer. Best case, the in-repo package is one to many versions behind your current stable release. Worst case, the maintainer abandons the package and it hangs in limbo for many years, getting more and more out-dated and causing no end of headaches for the users. I've seen that happen many times.
Personally, I absolutely roll my own repositories for any software I maintain, for any distribution I care to maintain it on. That's generally Gentoo and Debian-based systems. If a distro wants to add it to their own managed repos, that's wonderful. ...but I'm still maintaining my own repos.
- D
(Score: 2) by sjames on Friday February 05 2021, @03:36PM
But I'll bet you don't then sneak your repo into people's configurations.
(Score: 5, Insightful) by sjames on Friday February 05 2021, @06:06AM (3 children)
Once you get your repo slipped in by any means, you are on the honor system not to add a package that grants you root access to everything. That's why some bristle at the repo being added so quietly.
(Score: 4, Insightful) by Arik on Friday February 05 2021, @06:51AM (2 children)
And this is also why you should never accept automatic updates, period.
Once you do, then all someone has to do is either takeover, or impersonate, your upstream and you are pwned.
It's far too insecure a design to be used for anything but a plush toy, and a good argument can be made against even that exception.
If laughter is the best medicine, who are the best doctors?
(Score: 0) by Anonymous Coward on Friday February 05 2021, @09:05AM (1 child)
All packages are signed to protect against impersonation attacks. This of course does not protect you when your actual upstream has been subverted, as happened here.
(Score: 2) by Arik on Saturday February 06 2021, @08:41AM
Translation: it's not easy to impersonate.
Yep, didn't say it was.
I said:
If the attacker can either (a) compromise upstream or (b) impersonate the upstream, AND you've got automatic updates, THEN you are completely pwned.
That's it, you're not even disagreeing.
Given time, upstream will eventually be compromised.
Given time, upstream will eventually be impersonated.
Automatic updates are therefore utter insanity. QED.
If they aren't signed by Thorvalds or Volkerding, I ain't taking them. Even if they are, I'm asking questions first. Nothing installs automagically. If anything does, then you've failed as an admin, you need to fdisk and reïnstall and learn from your mistakes.
If laughter is the best medicine, who are the best doctors?
(Score: 2) by aristarchus on Friday February 05 2021, @06:55AM
Based on the information provided, Winter is coming. Or, at least, autumn with an Eternal September. Why is Microsoft always presaged with typos and misspellings? Are they all illiterate coding bastards?
(Score: 0) by Anonymous Coward on Friday February 05 2021, @04:03PM
"Um.. what? To use an apt repository, you generally add a public gpg key to the keyring, so the automated apt system can verify packages are untampered with. Anyone using a debian-based distro has done this hundreds of times. How is that granting anything root access?"
suid root dumbass.
(Score: 2) by hendrikboom on Friday February 05 2021, @08:59PM
Last time I looked at Visual Studio, there was an installer instead of a deb.
I did not trust Microsoft then to run an installer on my system.
I still don't.
-- hendrik
(Score: 3, Interesting) by Anonymous Coward on Friday February 05 2021, @04:18AM (3 children)
https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=301068 [raspberrypi.org]
https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=302231 [raspberrypi.org]
https://www.raspberrypi.org/forums/viewtopic.php?f=29&t=302277 [raspberrypi.org]
https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=302403 [raspberrypi.org]
https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=302422 [raspberrypi.org]
https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=302504 [raspberrypi.org]
https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=302581 [raspberrypi.org]
https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=302585 [raspberrypi.org]
https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=302588 [raspberrypi.org]
https://www.raspberrypi.org/forums/viewtopic.php?f=63&t=302591 [raspberrypi.org]
They locked the first one and then all duplicate threads.
https://www.raspberrypi.org/forums/viewtopic.php?f=62&t=302070 [raspberrypi.org]
Coincidentally, the off-topic discussion forum is locked because of Russian bots.
(Score: 3, Insightful) by RedGreen on Friday February 05 2021, @04:31AM
And they banned the users for very little said, I certainly stood up for my right to have my GD property left being alone not some idiot putting his garbage on it. Commented on how the defenders of the disgusting behaviour were always there to defend the indefensible, as is always the case on the internet. The forces wanting to spread misery have many allies amongst us.
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 0) by Anonymous Coward on Friday February 05 2021, @07:07AM (1 child)
Forums are (temporarily) shut while this mess blows over. Sez each of those links:
(Score: 0) by Anonymous Coward on Friday February 05 2021, @07:12AM
Not as of 5 minutes later.
(Score: 3, Insightful) by Anonymous Coward on Friday February 05 2021, @04:27AM (3 children)
You know it's quality when dissenting posts get locked and deleted.
I believe that's how the Arch Linux forums introduced systemd.
(Score: 2, Insightful) by Eratosthenes on Friday February 05 2021, @07:18AM (2 children)
Raspberry Pi has never really been an open-source operation. They only used free software, until they got big enough to attract the major sharks, like Microsoft. So now, we will have an ARM version of Windows? Even though it has been repeatedly proven that such cannot be? And then, we will license, and incense, and recapitulate, the Windo$e operating system, or no education will take place. Raspberry was a sucker plant? A Siren? An open source honey pot? Say it ain't so, Raspberry Foundation! Those poor bastards!!! Will be reduced to taking pictures of snowflakes, in a year or two.
(Score: 2) by hendrikboom on Friday February 05 2021, @08:56PM
Isn't there already an ARM version of Windows?
And isn't it as locked-down as Microsoft can make it?
(Score: 4, Insightful) by everdred on Friday February 05 2021, @11:42PM
Sort of reminds me of the OLPC project, when they started shipping Windows XP machines.
(Score: 5, Insightful) by canopic jug on Friday February 05 2021, @04:42AM (1 child)
Like with their takeover of GitHub, this action provides a comprensive geographical survey of their competitor(s). With this "update" M$ gets a full overview of how many active, updated Raspberry Pi running Raspberry Pi OS (formerly Raspbian) there are and where they are located.
Then there are the surveillance considations caused by Visual Studio itself. It contains substantial amounts of telemetry and this move may well put the Raspberry Pi Foundation on the wrond side of the GDPR even if the servers are inside Europe. And, of course, Brexit will have complicated that substantially.
Money is not free speech. Elections should not be auctions.
(Score: -1, Troll) by Anonymous Coward on Friday February 05 2021, @04:57AM
You may be right to be paranoid, but are veering off into fantasy territory there.
(Score: 3, Informative) by deimios on Friday February 05 2021, @05:06AM (5 children)
"resource hog Visual Studio Code" - Not to defend it but those who call it a resource hog haven't worked with Eclipse, Netbeans and Visual Studio.
Sure it is a resource hog compared to vim but let's not go overboard.
Also this whole thing stinks, why did they go specifically with the MS build on MS servers? There are plenty of community builds like VSCodium that work just as fine.
(Score: 5, Funny) by leon_the_cat on Friday February 05 2021, @06:12AM
I tried eclipse about 10 years ago. Still waiting for it to load.
(Score: 5, Interesting) by lte on Friday February 05 2021, @07:06AM
Microsoft forbids you from using the C# debugger (vsdbg) with anything other than VS, VS for macOS, and their build of VSCode. So if you wish to write .NET Core applications it's your only real choice as MS push a notification asking you to install their C# extension upon opening a .cs file. There is a Samsung debugger but I'm not sure if there is support for it in VSCode.
With their current push of ".NET runs on anything!" I wouldn't be surprised if it's down to that. Fun fact: the .NET runtime also sends telemetry by default, at least on macOS and Linux.
(Score: 1) by exa on Friday February 05 2021, @08:12AM
Apologist.
(Score: 3, Interesting) by jimtheowl on Friday February 05 2021, @02:15PM
https://www.qt.io/product/development-tools [www.qt.io]
(Score: 1, Interesting) by Anonymous Coward on Friday February 05 2021, @08:35PM
"There are plenty of community builds like VSCodium that work just as fine."
It probably doesn't work fine for the type of sycophantic whores who would push this change to begin with (plugins and such?). PHW (pointy headed whores) are infiltrating and ruining all of linux. Not just arm/broadcom/nvidia sucking bitches. Look at what the PHW's are doing to gnome 40 (version jump is gay too) while all the new gamer users cheer them on..
(Score: 3, Insightful) by Mojibake Tengu on Friday February 05 2021, @05:31AM (4 children)
Go FreeBSD, young man.
https://www.freebsd.org/where/ [freebsd.org]
Respect Authorities. Know your social status. Woke responsibly.
(Score: 1) by engblom on Friday February 05 2021, @06:30AM (2 children)
Some weeks ago when I checked out FreeBSD for RPi, I noticed they do not have any ready aarch64 images for RPi3/4.
(Score: 3, Interesting) by Mojibake Tengu on Friday February 05 2021, @08:20AM
YMMV, I observe 12.2 for RPi3, and heard about work progress in current on sdio/wifi for 4.
Anyway, what the Raspbian team did is
pure betrayaldishonorable.Trust is a non-renewable resource.
Respect Authorities. Know your social status. Woke responsibly.
(Score: 2) by jimtheowl on Friday February 05 2021, @01:07PM
What is slightly inconvenient is that there are typically no pre-built packages. The ports tree makes it easy to build sources, but it is advisable to get an external drive to do so.
(Score: 0) by Anonymous Coward on Friday February 05 2021, @11:35AM
Or a purer version of Raspbian:
https://raspi.debian.net/ [debian.net]
It's just debian, without the fruity smell...
(Score: 5, Insightful) by PinkyGigglebrain on Friday February 05 2021, @06:38AM
Embrace: completed
Extend: in process
Extinguish: to be scheduled
"Beware those who would deny you Knowledge, For in their hearts they dream themselves your Master."
(Score: 2, Interesting) by exa on Friday February 05 2021, @08:15AM
On a slightly positive note, this might push Debian folks to add some simple&reasonable config-meddling functionality right into `dpkg`. Lintian is literally screaming at maintainers not to install put custom stuff to /etc/apt, why not push the warning that the package sucks much closer to the users?
(Score: 2) by Tokolosh on Friday February 05 2021, @03:12PM (6 children)
pi@raspberrypi:~ $ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"
pi@raspberrypi:~ $ cat /etc/apt/sources.list.d/vscode.list
cat: /etc/apt/sources.list.d/vscode.list: No such file or directory
Newbie here - what do I make of this?
(Score: 4, Informative) by canopic jug on Friday February 05 2021, @05:27PM (5 children)
If you are running Raspberry Pi OS "buster", then it is probable that you haven't updated the systm for a while. If you block the files first, then they won't get injected into your system.
Otherwise, they'll probably show up next time you do an update.
Money is not free speech. Elections should not be auctions.
(Score: 2) by Tokolosh on Friday February 05 2021, @11:30PM (3 children)
Thank you very much. I ran your commands, see below. My understanding is that I have created an immutable microsoft gpg file, which prevents their repo being added.
pi@raspberrypi:~ $ sudo rm /etc/apt/sources.list.d/vscode.list
rm: cannot remove '/etc/apt/sources.list.d/vscode.list': No such file or directory
pi@raspberrypi:~ $ sudo rm /etc/apt/sources.list.d/vscode.list
rm: cannot remove '/etc/apt/sources.list.d/vscode.list': No such file or directory
pi@raspberrypi:~ $ sudo chmod 444 /etc/apt/sources.list.d/vscode.list
chmod: cannot access '/etc/apt/sources.list.d/vscode.list': No such file or directory
pi@raspberrypi:~ $ sudo chattr +i /etc/apt/sources.list.d/vscode.list
chattr: No such file or directory while trying to stat /etc/apt/sources.list.d/vscode.list
pi@raspberrypi:~ $ sudo rm /etc/apt/trusted.gpg.d/microsoft.gpg
rm: cannot remove '/etc/apt/trusted.gpg.d/microsoft.gpg': No such file or directory
pi@raspberrypi:~ $ sudo touch /etc/apt/trusted.gpg.d/microsoft.gpg
pi@raspberrypi:~ $ sudo chmod 444 /etc/apt/trusted.gpg.d/microsoft.gpg
pi@raspberrypi:~ $ sudo chattr +i /etc/apt/trusted.gpg.d/microsoft.gpg
(Score: 3, Informative) by MadTinfoilHatter on Saturday February 06 2021, @04:26AM (1 child)
The idea was to create immutable versions of empty (and therefore harmless) versions of microsoft.gpg and vscode.list so that any process that tries to add or modify these files will fail.
However here you went wrong. You copy-pasted the rm command twice, and missed the touch command, causing the last two commands to also have no effect. You should repeat the whole procedure (including rm) for vscode.list just to be safe. The only command that should possibly fail with an error message is the rm one (if you weren't infected when running the commands). The rest should go through with no comment as was the case for microsoft.gpg.
(Score: 2) by Tokolosh on Saturday February 06 2021, @02:34PM
Thanks, and to unauthorized, too, for spotting my mistake.
(Score: 3, Informative) by unauthorized on Saturday February 06 2021, @05:23AM
Your understanding is correct but your second command is wrong, you did rm (remove file) twice instead of using touch to create a blank file. Redo the first set of four commands and you'll be good. Only the first one should yield a "no such file" error.
(Score: 2) by Tokolosh on Saturday February 06 2021, @02:33AM
Follow-up. Ran update and upgrade, and now I have vscode.list with the offending MS repo. I trust that your vaccination will keep me from infection.
(Score: 0) by Anonymous Coward on Friday February 05 2021, @03:51PM (2 children)
If you give third party root access to hardware that you do not own without consent from the owner, that is the very definition of computer intrusion. Criminal charges should be filed.
I recognize that there is a possibility that they were not even aware of this, and that the push came from Debian. Name them in the complaint. They have deep pockets after all.
The correct way for raspbian to respond to this is to roll back the update their corporate charter to prohibit future collusion without corporate dissolution. Then stop basing your disto on Debian. That was just dumb to begin with. If it snuck through from Debian, those guys have always been reckless opportunists on the jock of whoever was willing to pay them.
(Score: 0) by Anonymous Coward on Friday February 05 2021, @04:10PM
The thing is, all of the astroturfing out there is being logged by the site hosts. If any of those astroturfers can be shown to have been paid, then that is evidence of premeditation. This is actually a hell of a lawsuit, and it is going to make some attorneys very rich.
(Score: 0) by Anonymous Coward on Sunday February 07 2021, @02:03AM
Anonymous Australian here.
Just wanted to point out that if you want a jurisdiction where computer crimes carry overblown sentences, you might want to ensure charges are filed in Australia.
Unauthorised access to a computer system with alteration of files carries something like a 10 year mandatory minimum sentence.
Some hacker back in the '60's managed to get into a bank's computer - by dialing up a random phone number - which then spat out all valid credit card details (including expiry dates and current limits).
Judge thought that the sky might fall because of computer crimes perpetrated on banks, and so made an extreme precedent specifically to act as a deterrent.
Would love to see the fallout effects from having some MSFT manager thrown into a cell for such a crime. MSFT's corporate culture is already all about arse-covering, so I imagine it would have quite a salutory effect.
(Score: 3, Informative) by hopp on Friday February 05 2021, @04:29PM (1 child)
You could try Devuan if you don't like the change and aren't a fan of systemd.
https://arm-files.devuan.org [devuan.org]
Of course NetBSD and FreeBSD have pretty decent support too.
(Score: 2, Interesting) by Anonymous Coward on Friday February 05 2021, @07:51PM
It would be nice to see some of the hardware vendors come out and chat about all this.
If your a foss project, you really should have anti-eee clauses in your corporate charter, and there needs to be a registry of projects that are so configured. Maybe a next project for Stallman?
(Score: 0) by Anonymous Coward on Friday February 05 2021, @10:47PM (1 child)
Closed-source software has been included with RPIOS/Raspbian before. Mathematica, proprietary blobs for the GPU, whatever. They're probably still using lots of proprietary blobs by default. Last time I cared about RPi, about two years ago, there were open drivers for most things but they didn't work as well and you still had to use a proprietary blob to boot. I think work is being done on that last one, not sure of the progress. Those were distributed by the Pi Foundation, which, I guess, is more trusted. But those GPU blobs had better-than-root access already (since the Broadcom CPU used is really an ARM coprocessor bolted onto the side of a GPU).
It seems like the way to address this is for Microsoft's repository to be used only for delivering VSCode and not for anything else on the system. Pretty sure apt can already do that.
You can always run your own OS. Nobody forces you to use theirs (outside of the boot process). There are other distributions. I used Gentoo and it was better than Raspbian (though of course, I had to set up a cross-compiler on a real PC to build it).
(Score: 0) by Anonymous Coward on Wednesday February 10 2021, @01:27AM
Unfortunately that whole firmware project died back in the Pi2/3 era when the primary developer/reverse engineer discovered that the ARM Trustzone implementation on the Pi was flawed due to either lack of or incorrect implementation of the Trustzone requirements. Since they wanted it to test out Trustzone on it lost their interest and dedication to the project which died in either '18 or '19, I forget when. There may have been a few updates since but there was been practically no development that I saw.
Unfortunately this covers most hardware and open source projects today, so unless you're really lucky, expect even your unsigned hardware to remain 50-80 percent reversed, with no one to make that last sprint to 99 or 100 percent.
(Score: 0) by Anonymous Coward on Saturday February 06 2021, @01:48AM
https://onion.debian.org/ [debian.org]
(Score: 2) by RedGreen on Saturday February 06 2021, @03:06AM
Does pure Debian ever run good on this puppy took the image from 20201112 for the Pi 4 booted it up and copied to my SSD and it works just great. Half the load at least of the command line Pi OS install I had. And I would think like I always have with Debian we have adults in charge of the development, some may be aholes but they have or are are being weeded out. Should have downloaded that from the start, oh well live and learn...
root@buster-raspi:~# uname -a
Linux buster-raspi 5.9.0-0.bpo.5-arm64 #1 SMP Debian 5.9.15-1~bpo10+1 (2020-12-31) aarch64 GNU/Linux
"I modded down, down, down, and the flames went higher." -- Sven Olsen
(Score: 3, Disagree) by dltaylor on Saturday February 06 2021, @05:15AM (3 children)
I don't think is is necessary to attribute this fiasco to malice. It might have just been stupidity (either assigning an engineer who doesn't understand the question, or just an engineer who really doesn't know how to do this).
Step 1: create a package to add the Microsoft repo and keys
If it is appropriately named and commented, no one can complain that they didn't know.
Step 2: make the Microsoft package a dependency for installing the vscode package
The installer of choice will inform the administrator the dependency exists, and offer to install it first.
Now they need a step 3: update raspberrypi-sys-mods package to REMOVE the Microsoft back door.
(Score: 4, Insightful) by Arik on Saturday February 06 2021, @05:40PM (2 children)
If laughter is the best medicine, who are the best doctors?
(Score: 2) by canopic jug on Sunday February 07 2021, @08:15AM (1 child)
Occam's Razor says malice, especially in the context of the responses (not) given by RPF. to-date
Money is not free speech. Elections should not be auctions.
(Score: 3, Informative) by takyon on Saturday February 13 2021, @11:36PM
The discussion continues in this unlocked thread [raspberrypi.org] and the comments of the latest blog post [raspberrypi.org].
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]