Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Friday February 05 2021, @03:23AM   Printer-friendly
from the we-don't-trust-m$ dept.

Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system. The latter effectively gives the former full root access, in principle, to the whole system. The former checks in with Microsoft's servers any time APT refreshes its cache.

$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code
stable main

Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many light weight editors and IDEs alredy[sic] available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Insightful) by Anonymous Coward on Friday February 05 2021, @04:27AM (3 children)

    by Anonymous Coward on Friday February 05 2021, @04:27AM (#1109186)

    You know it's quality when dissenting posts get locked and deleted.

    I believe that's how the Arch Linux forums introduced systemd.

    Starting Score:    0  points
    Moderation   +3  
       Flamebait=1, Insightful=4, Total=5
    Extra 'Insightful' Modifier   0  

    Total Score:   3  
  • (Score: 2, Insightful) by Eratosthenes on Friday February 05 2021, @07:18AM (2 children)

    by Eratosthenes (13959) on Friday February 05 2021, @07:18AM (#1109226) Journal

    Raspberry Pi has never really been an open-source operation. They only used free software, until they got big enough to attract the major sharks, like Microsoft. So now, we will have an ARM version of Windows? Even though it has been repeatedly proven that such cannot be? And then, we will license, and incense, and recapitulate, the Windo$e operating system, or no education will take place. Raspberry was a sucker plant? A Siren? An open source honey pot? Say it ain't so, Raspberry Foundation! Those poor bastards!!! Will be reduced to taking pictures of snowflakes, in a year or two.

    • (Score: 2) by hendrikboom on Friday February 05 2021, @08:56PM

      by hendrikboom (1125) Subscriber Badge on Friday February 05 2021, @08:56PM (#1109412) Homepage Journal

      Isn't there already an ARM version of Windows?
      And isn't it as locked-down as Microsoft can make it?

    • (Score: 4, Insightful) by everdred on Friday February 05 2021, @11:42PM

      by everdred (110) on Friday February 05 2021, @11:42PM (#1109451) Journal

      Sort of reminds me of the OLPC project, when they started shipping Windows XP machines.