Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system. The latter effectively gives the former full root access, in principle, to the whole system. The former checks in with Microsoft's servers any time APT refreshes its cache.
$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main
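
The check above generalizes to every APT source and trusted keyring on the machine. The script below is an added example, not part of the original article: the function names are hypothetical and the default allowlist of hosts is an assumption about a stock Raspberry Pi OS install.

```shell
#!/bin/sh
# Added example: flag APT repositories whose host is outside an allowlist.
# ALLOWED_HOSTS is an assumption about a stock Raspberry Pi OS install; adjust it.
ALLOWED_HOSTS="${ALLOWED_HOSTS:-raspbian.raspberrypi.org archive.raspberrypi.org}"

# Print "host file" for each active one-line deb/deb-src entry (deb822 .sources
# files are not parsed here).
apt_source_hosts() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            $1 == "deb" || $1 == "deb-src" {
                for (i = 2; i <= NF; i++)
                    if ($i ~ "^[a-z0-9+]+://") {      # skips [arch=...] options
                        host = $i
                        sub("^[a-z0-9+]+://", "", host)  # drop scheme
                        sub("^[^/]*@", "", host)         # drop user:pass@
                        sub("[/:].*$", "", host)         # drop port and path
                        print host, file
                        break
                    }
            }' "$f"
    done
}

# Keep only entries whose host is not allowlisted.
unexpected_sources() {
    apt_source_hosts "$@" | while read -r host file; do
        case " $ALLOWED_HOSTS " in
            *" $host "*) ;;
            *) printf '%s %s\n' "$host" "$file" ;;
        esac
    done
}

# Keyring files in trusted.gpg.d are trusted for every configured repository,
# so an unfamiliar file here matters as much as an unfamiliar source line.
trusted_key_files() {
    dir="${1:-/etc/apt/trusted.gpg.d}"
    for k in "$dir"/*.gpg "$dir"/*.asc; do
        [ -f "$k" ] && printf '%s\n' "$k"
    done
    return 0
}

# Audit the live system only when asked, so the functions can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    unexpected_sources /etc/apt/sources.list /etc/apt/sources.list.d/*.list
    trusted_key_files
fi
```

Run with --audit on the Pi itself; any host it prints is a repository that APT contacts on every cache refresh and installs packages from with root privileges.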
Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many lightweight editors and IDEs already available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.
(Score: 3, Insightful) by Mojibake Tengu on Friday February 05 2021, @05:31AM (4 children)
Go FreeBSD, young man.
https://www.freebsd.org/where/ [freebsd.org]
Respect Authorities. Know your social status. Woke responsibly.
(Score: 1) by engblom on Friday February 05 2021, @06:30AM (2 children)
Some weeks ago when I checked out FreeBSD for RPi, I noticed they do not have any ready aarch64 images for RPi3/4.
(Score: 3, Interesting) by Mojibake Tengu on Friday February 05 2021, @08:20AM
YMMV, I observe 12.2 for RPi3, and heard about work progress in current on sdio/wifi for 4.
Anyway, what the Raspbian team did is pure betrayal dishonorable. Trust is a non-renewable resource.
Respect Authorities. Know your social status. Woke responsibly.
(Score: 2) by jimtheowl on Friday February 05 2021, @01:07PM
What is slightly inconvenient is that there are typically no pre-built packages. The ports tree makes it easy to build sources, but it is advisable to get an external drive to do so.
(Score: 0) by Anonymous Coward on Friday February 05 2021, @11:35AM
Or a purer version of Raspbian:
https://raspi.debian.net/ [debian.net]
It's just debian, without the fruity smell...