Stories
Slash Boxes
Comments

SoylentNews is people

Raspberry Pi Users Mortified as Microsoft Repository that Phones Home is Added to Pi OS

posted by Fnord666 on Friday February 05 2021, @03:23AM   Printer-friendly
from the we-don't-trust-m$ dept.

canopic jug writes:

Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package added a Microsoft repository and OpenPGP key to the system. The latter effectively gives the former full root access, in principle, to the whole system. The former checks in with Microsoft's servers any time APT refreshes its cache.

$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code
stable main

Issue has been taken with both what has been done and how it has been deployed. The official explanation is, for now, that resource hog Visual Studio was to be made available by default on the Raspberry Pi for development for their first entry into microcontrollers, the Raspberry Pi Pico. This is in spite of the established presence of many light weight editors and IDEs alredy[sic] available through vetted repositories. Not to mention the package could have been added to the established, vetted repositories. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.

Original Submission

 
This discussion has been archived. No new comments can be posted.
Raspberry Pi Users Mortified as Microsoft Repository that Phones Home is Added to Pi OS | Log In/Create an Account | Top | 75 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Disagree) by dltaylor on Saturday February 06 2021, @05:15AM (3 children)

    by dltaylor (4693) on Saturday February 06 2021, @05:15AM (#1109529)

    I don't think is is necessary to attribute this fiasco to malice. It might have just been stupidity (either assigning an engineer who doesn't understand the question, or just an engineer who really doesn't know how to do this).

    Step 1: create a package to add the Microsoft repo and keys

    If it is appropriately named and commented, no one can complain that they didn't know.

    Step 2: make the Microsoft package a dependency for installing the vscode package

    The installer of choice will inform the administrator the dependency exists, and offer to install it first.

    Now they need a step 3: update raspberrypi-sys-mods package to REMOVE the Microsoft back door.

    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Disagree=1, Total=2
    Extra 'Disagree' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 4, Insightful) by Arik on Saturday February 06 2021, @05:40PM (2 children)

    by Arik (4543) on Saturday February 06 2021, @05:40PM (#1109694) Journal
    If the person who added the package wasn't acting from malice, then someone is waaaaay above their level of competence. This wasn't just a minor mistake; they just irreversibly doxed everyone that updated without precautions; essentially their entire userbase.
    --
    If laughter is the best medicine, who are the best doctors?