
posted by Fnord666 on Friday February 05 2021, @03:23AM
from the we-don't-trust-m$ dept.

Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package update added a Microsoft APT repository and its OpenPGP signing key to the system. The key makes APT trust, and install as root, any package signed with it, so in principle that repository has full access to the whole system; the repository entry also makes APT check in with Microsoft's servers every time it refreshes its package cache.

$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main

Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many lightweight editors and IDEs alredy[sic] available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.
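An added example, not from the story or from the Raspberry Pi project, showing how an administrator can audit an APT sources directory for active entries pointing at a given host, and what an apt preferences pin looks like that blocks everything from that host except one package. The directory and preferences file names are assumptions; the sample vscode.list is a constructed copy of the file quoted above. One caveat the pin does not cover: pinning only stops packages from being installed, it does not stop `apt update` from contacting the repository, so if the check-in itself is the concern the deb line has to be commented out (which the file's own header says is permitted).

```shell
#!/bin/sh
# Added example (not the story's or the Raspberry Pi project's own code):
# audit an apt sources directory for active entries pointing at a host and
# print the pinning stanza that restricts that host to named packages.

# Return 0 if FILE has an active (uncommented) deb/deb-src line naming HOST.
repo_active() {
    file="$1"; host="$2"
    [ -r "$file" ] || return 1
    grep -Eq "^[[:space:]]*deb(-src)?[[:space:]].*${host}" "$file"
}

# Print the number of *.list files in DIR with an active entry for HOST.
count_active_sources() {
    dir="$1"; host="$2"
    n=0
    for f in "$dir"/*.list; do
        [ -e "$f" ] || continue
        if repo_active "$f" "$host"; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Emit an apt preferences stanza: everything from HOST gets priority -1
# ("never install"), then each package named after HOST is allowed back in.
print_pin() {
    host="$1"; shift
    printf 'Package: *\nPin: origin %s\nPin-Priority: -1\n\n' "$host"
    for p in "$@"; do
        printf 'Package: %s\nPin: origin %s\nPin-Priority: 500\n\n' "$p" "$host"
    done
}

# Demo on a constructed sources directory so it runs on any system.
demo() {
    tmp=$(mktemp -d)
    # Constructed copy of the vscode.list file quoted in the story.
    cat > "$tmp/vscode.list" <<'EOF'
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main
EOF
    # A commented-out entry must not count as active.
    printf '# deb http://packages.microsoft.com/repos/code stable main\n' > "$tmp/disabled.list"
    count=$(count_active_sources "$tmp" packages.microsoft.com)
    echo "active packages.microsoft.com sources in $tmp: $count"
    if [ "$count" -gt 0 ]; then
        echo "stanza to place in /etc/apt/preferences.d/ (assumed file name 99-microsoft):"
        print_pin packages.microsoft.com code
    fi
    rm -rf "$tmp"
}

[ "${DEMO:-1}" = 1 ] && demo
```

On a real system, call `count_active_sources /etc/apt/sources.list.d packages.microsoft.com` instead of the constructed directory; a result above zero means APT will fetch from that host on every cache refresh.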


  • (Score: 0) by Anonymous Coward on Friday February 05 2021, @10:47PM (1 child)

    by Anonymous Coward on Friday February 05 2021, @10:47PM (#1109441)

    Closed-source software has been included with RPIOS/Raspbian before. Mathematica, proprietary blobs for the GPU, whatever. They're probably still using lots of proprietary blobs by default. Last time I cared about RPi, about two years ago, there were open drivers for most things but they didn't work as well and you still had to use a proprietary blob to boot. I think work is being done on that last one, not sure of the progress. Those were distributed by the Pi Foundation, which, I guess, is more trusted. But those GPU blobs had better-than-root access already (since the Broadcom CPU used is really an ARM coprocessor bolted onto the side of a GPU).

    It seems like the way to address this is for Microsoft's repository to be used only for delivering VSCode and not for anything else on the system. Pretty sure apt can already do that.

    You can always run your own OS. Nobody forces you to use theirs (outside of the boot process). There are other distributions. I used Gentoo and it was better than Raspbian (though of course, I had to set up a cross-compiler on a real PC to build it).

  • (Score: 0) by Anonymous Coward on Wednesday February 10 2021, @01:27AM

    by Anonymous Coward on Wednesday February 10 2021, @01:27AM (#1110958)

    Unfortunately that whole firmware project died back in the Pi2/3 era when the primary developer/reverse engineer discovered that the ARM Trustzone implementation on the Pi was flawed due to either lack of or incorrect implementation of the Trustzone requirements. Since they wanted it to test out Trustzone on, they lost their interest and dedication to the project, which died in either '18 or '19, I forget when. There may have been a few updates since but there has been practically no development that I saw.

    Unfortunately this covers most hardware and open source projects today, so unless you're really lucky, expect even your unsigned hardware to remain 50-80 percent reversed, with no one to make that last sprint to 99 or 100 percent.