posted by Fnord666 on Friday February 05 2021, @03:23AM
from the we-don't-trust-m$ dept.

Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and an OpenPGP key to the system. The key effectively gives that repository full root access, in principle, to the whole system, and the repository entry makes the system check in with Microsoft's servers every time APT refreshes its cache.

$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main

Issue has been taken with both what has been done and how it has been deployed. The official explanation, for now, is that the resource hog Visual Studio was to be made available by default on the Raspberry Pi for development on their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many lightweight editors and IDEs alredy[sic] available through vetted repositories. Not to mention that the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.
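As an added defender-side example, not code from the story or any of the comments, the following POSIX shell script finds APT source entries under a directory such as /etc/apt/sources.list.d that point at packages.microsoft.com and comments them out, which is the modification the vscode.list header itself permits; the mirror.example.org control entry and the temp-directory sample are constructed for the demonstration.

```shell
# Added example, not from the story or any comment: audit an APT sources
# directory for repository lines that point at a given host, and comment
# them out the way the vscode.list header itself permits. The directory is
# a parameter so the check can be run against a constructed copy.

# ERE for an active deb/deb-src line whose URL host is HOST or a subdomain.
source_pattern() {
    h=$(printf '%s' "$1" | sed 's/\./\\./g')    # escape dots in the host
    printf '%s' '^[[:space:]]*deb(-src)?[[:space:]].*https?://([^/[:space:]]*\.)?'"$h"'(/|[[:space:]]|$)'
}

# Print "file:lineno" for every matching line under DIR; exit 0 if any found.
find_foreign_sources() {
    dir=$1; pat=$(source_pattern "$2"); found=1
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        for n in $(grep -n -E "$pat" "$f" | cut -d: -f1); do
            printf '%s:%s\n' "$f" "$n"; found=0
        done
    done
    return $found
}

# Comment out (never delete) matching lines so the change stays visible and
# reversible; exit 0 if at least one file was changed.
disable_foreign_sources() {
    dir=$1; pat=$(source_pattern "$2"); changed=1
    for f in "$dir"/*.list; do
        [ -f "$f" ] || continue
        grep -q -E "$pat" "$f" || continue
        sed -E "s,$pat,# &," "$f" > "$f.tmp" && mv "$f.tmp" "$f" && changed=0
    done
    return $changed
}

# Constructed sample: the vscode.list from the story plus an unrelated
# control file, written to a fresh temp directory whose path is printed.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '### THIS FILE IS AUTOMATICALLY CONFIGURED ###' \
        '# You may comment out this entry, but any other modifications may be lost.' \
        'deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main' \
        > "$d/vscode.list"
    printf '%s\n' 'deb http://mirror.example.org/debian buster main' > "$d/control.list"
    printf '%s\n' "$d"
}

# Stand-alone use: sh apt_source_audit.sh /etc/apt/sources.list.d packages.microsoft.com
if [ $# -ge 2 ]; then find_foreign_sources "$1" "$2"; fi
```

The OpenPGP key the summary mentions is a separate keyring under /etc/apt/trusted.gpg.d and needs its own review; this script only handles the repository entry.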



  • (Score: 2, Insightful) by Eratosthenes on Friday February 05 2021, @07:36AM (4 children)

    by Eratosthenes (13959) on Friday February 05 2021, @07:36AM (#1109230) Journal

    The lack of a USB boot is a tell. This platform will not end well. Who the hell does only proprietary bootloaders?

  • (Score: 2) by RedGreen on Friday February 05 2021, @10:20AM (2 children)

    by RedGreen (888) on Friday February 05 2021, @10:20AM (#1109249)

    It boots from USB; the morons have upgraded the firmware to allow it, flaky as hell for some. Just like the rest of the effort by them clowns. I have managed to solve the morons doing whatever the hell they want with my machine with Ubuntu on my SSD. I use a chainload: the SD card boots the machine and the OS runs from the SSD. Tomorrow I try a Debian install out with a debootstrap method I am just reading about now.

    root@zeus-pi:~# uname -a
    Linux zeus-pi 5.8.0-1013-raspi #16-Ubuntu SMP PREEMPT Thu Jan 14 06:28:38 UTC 2021 aarch64 aarch64 aarch64 GNU/Linux

    --
    "I modded down, down, down, and the flames went higher." -- Sven Olsen
    • (Score: 0) by Anonymous Coward on Friday February 05 2021, @12:37PM (1 child)

      by Anonymous Coward on Friday February 05 2021, @12:37PM (#1109270)

      Why don't you just go to a competitor? There are many with broad OS support and raspi-compatible GPIO.

      • (Score: 2) by RedGreen on Friday February 05 2021, @01:16PM

        by RedGreen (888) on Friday February 05 2021, @01:16PM (#1109279)

        "Why don't you just go to a competitor? There are many with broad OS support and raspi-compatible GPIO."

        Oh yeah if ever needing another little machine, it will be cold day in hell before they get my cash again.

        --
        "I modded down, down, down, and the flames went higher." -- Sven Olsen
  • (Score: 0) by Anonymous Coward on Friday February 05 2021, @07:44PM

    by Anonymous Coward on Friday February 05 2021, @07:44PM (#1109392)

    How does this get an "insightful"?

    USB boot is often used as an attack vector.

    If you look through this thread, it makes SN look like slashdot did when SN forked it. At least half of the posts here are astroturfing.