Several sites are covering an incident affecting Raspberry Pi OS deployments since last week. Quietly, without disclosure or warning, a package update added a Microsoft package repository and its OpenPGP signing key to the system. Together, those two give Microsoft, in principle, full root access to the whole system: APT will accept and install, as root, any package served from that repository and signed with that key. The repository is also contacted every time APT refreshes its cache, so each affected machine checks in with Microsoft's servers on every update.
$ grep -i pretty /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 10 (buster)"

How to know if you're affected/infected already:

$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main
Issue has been taken with both what was done and how it was deployed. The official explanation, for now, is that the resource-hogging Visual Studio Code was to be made available by default on the Raspberry Pi for development on the Raspberry Pi Pico, the Foundation's first entry into microcontrollers. This is in spite of the many lightweight editors and IDEs already available through the vetted repositories. Not to mention that the package itself could have been added to the established, vetted repositories instead. Threads on the topic over at the Raspberry Pi Forum are quickly locked by moderators and then deleted.
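The `cat` check above only finds the one file the incident is known to have dropped. An added example (not code from the original post or from the Raspberry Pi Foundation) that audits the whole APT configuration: it lists every active source that does not point at the distribution's own mirrors, lists the globally trusted key files, and generates an apt_preferences pin that keeps packages from a given origin out even if a later update recreates the .list file. Assumptions: the key landed in /etc/apt/trusted.gpg.d (the usual place, and keys there are trusted for every repository, not just the one they came with); the allow-list of mirror hosts; and the ROOT argument, which is this example's own device for running the same checks against a mounted SD card or a scratch tree.

```sh
#!/bin/sh
# Added example, not from the original post or the Raspberry Pi Foundation.
# ROOT (an assumption of this example) is a filesystem root; default is the
# live system, but a mounted SD card or a test tree works the same way.

# Print every active "deb"/"deb-src" line from sources.list and sources.list.d,
# prefixed with the path (relative to ROOT) of the file that contains it.
apt_sources() {
  root="${1:-}"
  for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list; do
    [ -f "$f" ] || continue
    # Drop comments and blank lines; keep only deb/deb-src entries.
    sed -n 's/^[[:space:]]*\(deb\(-src\)\{0,1\}[[:space:]].*\)$/\1/p' "$f" \
      | sed "s|^|${f#$root}: |"
  done
}

# Only the sources whose URL is not one of the distribution's own mirrors.
# The allow-list of hosts is an assumption; adjust it for your distribution.
foreign_sources() {
  apt_sources "$1" | grep -v -E 'raspbian\.org|raspberrypi\.org|debian\.org' || true
}

# Keys in trusted.gpg.d are accepted for every repository, not just the one they
# were shipped with, so a new file here deserves the same attention as a new .list.
trusted_key_files() {
  root="${1:-}"
  ls -1 "$root"/etc/apt/trusted.gpg.d/ 2>/dev/null || true
}

# Emit an apt_preferences stanza that forbids installing anything from the given
# origin host. Unlike commenting out the .list file (which the file header says
# may be overwritten), a pin in /etc/apt/preferences.d survives the .list being
# recreated. It does not untrust the key; that file must be removed separately.
block_origin_pin() {
  printf 'Package: *\nPin: origin "%s"\nPin-Priority: -1\n' "$1"
}

# Usage on a live Raspbian system (run as root to read every file):
#   foreign_sources
#   trusted_key_files
#   block_origin_pin packages.microsoft.com > /etc/apt/preferences.d/no-microsoft
```

After writing the pin, `apt-cache policy` shows the blocked origin with priority -1, and a subsequent `apt update` will still fetch that repository's index (the check-in the summary describes) until the .list file itself is removed and the owning package is held or fixed; the pin only stops anything from it being installed.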
(Score: 3, Disagree) by dltaylor on Saturday February 06 2021, @05:15AM (3 children)
I don't think it is necessary to attribute this fiasco to malice. It might have just been stupidity (either assigning an engineer who doesn't understand the question, or just an engineer who really doesn't know how to do this).
Step 1: create a package to add the Microsoft repo and keys
If it is appropriately named and commented, no one can complain that they didn't know.
Step 2: make the Microsoft package a dependency for installing the vscode package
The installer of choice will inform the administrator the dependency exists, and offer to install it first.
Now they need a step 3: update raspberrypi-sys-mods package to REMOVE the Microsoft back door.
(Score: 4, Insightful) by Arik on Saturday February 06 2021, @05:40PM (2 children)
If laughter is the best medicine, who are the best doctors?
(Score: 2) by canopic jug on Sunday February 07 2021, @08:15AM (1 child)
Occam's Razor says malice, especially in the context of the responses (not) given by RPF to date.
Money is not free speech. Elections should not be auctions.
(Score: 3, Informative) by takyon on Saturday February 13 2021, @11:36PM
The discussion continues in this unlocked thread [raspberrypi.org] and the comments of the latest blog post [raspberrypi.org].
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]