Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system. The latter effectively gives the former full root access, in principle, to the whole system. The former checks in with Microsoft's servers any time APT refreshes its cache.
$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main
Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many lightweight editors and IDEs already available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.
(Score: 3, Informative) by MadTinfoilHatter on Saturday February 06 2021, @04:26AM (1 child)
The idea was to create immutable versions of empty (and therefore harmless) versions of microsoft.gpg and vscode.list so that any process that tries to add or modify these files will fail.
However here you went wrong. You copy-pasted the rm command twice, and missed the touch command, causing the last two commands to also have no effect. You should repeat the whole procedure (including rm) for vscode.list just to be safe. The only command that should possibly fail with an error message is the rm one (if you weren't infected when running the commands). The rest should go through with no comment as was the case for microsoft.gpg.
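An added example, not part of the comment above or of the original story: a read-only shell check that tells apart an active Microsoft repository or key, the empty placeholder files the comment describes, and a system with neither. The function names and the ROOT argument are assumptions of this example, and the key file is located by name under etc/apt because the page does not give its path.

```shell
#!/bin/sh
# Added example (not from the story or comments): read-only audit of an APT
# tree for the Microsoft repository and key. The ROOT argument is an assumption
# of this example so that a constructed directory tree can be checked offline.

# Print active (uncommented) deb entries that point at packages.microsoft.com.
ms_active_entries() {
    root=${1:-/}
    for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        grep -HE '^[[:space:]]*deb(-src)?[[:space:]].*packages\.microsoft\.com' "$f" || true
    done
}

# Print non-empty files named microsoft.gpg; searched by name under etc/apt
# because the page does not give the key's path.
ms_keys() {
    root=${1:-/}
    [ -d "$root/etc/apt" ] || return 0
    find "$root/etc/apt" -type f -name microsoft.gpg -size +0c 2>/dev/null || true
}

# True if FILE carries the immutable attribute ('i' in the lsattr flags).
is_immutable() {
    flags=$(lsattr -d "$1" 2>/dev/null | cut -d' ' -f1) || return 1
    case $flags in *i*) return 0 ;; *) return 1 ;; esac
}

# active      = a repo entry or a non-empty key is present
# neutralized = only an empty or commented-out vscode.list remains
# clean       = no vscode.list, no active entry and no non-empty key
ms_repo_state() {
    root=${1:-/}
    if [ -n "$(ms_active_entries "$root")" ] || [ -n "$(ms_keys "$root")" ]; then
        echo active
    elif [ -e "$root/etc/apt/sources.list.d/vscode.list" ]; then
        echo neutralized
    else
        echo clean
    fi
}

# Report for the live system, or for the tree given as the first argument.
root_arg=${1:-/}
echo "state: $(ms_repo_state "$root_arg")"
ms_active_entries "$root_arg"
ms_keys "$root_arg"
is_immutable "$root_arg/etc/apt/sources.list.d/vscode.list" && echo "vscode.list is immutable" || true
```

The check needs no root privileges and changes nothing; a result of "neutralized" together with the immutable line matches the state the comment's procedure is meant to leave behind.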
(Score: 2) by Tokolosh on Saturday February 06 2021, @02:34PM
Thanks, and to unauthorized, too, for spotting my mistake.