GlowInTheDark
Posts: 1540
Joined: Sat Nov 09, 2019 12:14 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 3:09 pm

I don't understand what all the hubbub is. All you have to do is find the "vscode.list" file in /etc/sources.list.d and read it. It clearly says that you can comment the single line in there out and all will be well. Re-run apt-get update, and all is well.

This advice from me is in line with the general Unix/Linux philosophy of "You can fix it for yourself; that's all that matters". Other people can do as they please.

I agree that it did kind of sneak in there with the most recent "apt-get upgrade" (or installing a fresh recent version), but that's the way Unix/Linux is. You've got to stay on top of things.
GitD's list of things that are not ready for prime time:
1) IPv6
2) 64 bit OSes
3) USB 3
4) Bluetooth

Loves Linux; loves to dance.

thradtke
Posts: 680
Joined: Wed May 16, 2012 5:16 am
Location: Germany / EL

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 3:16 pm

GlowInTheDark wrote:
Fri Feb 05, 2021 3:09 pm
All you have to do is find the "vscode.list" file in /etc/sources.list.d and read it. It clearly says that you can comment the single line in there out and all will be well. Re-run apt-get update, and all is well.
If things can be settled by down-prioritizing (is that a word?) the MS repo, all is well. Remember, as small as that risk might be, there are students and noobs like me in front of their Pi's.
Last edited by thradtke on Fri Feb 05, 2021 8:20 pm, edited 1 time in total.
Rocket Scientist.

GlowInTheDark
Posts: 1540
Joined: Sat Nov 09, 2019 12:14 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 3:52 pm

I think that most of the people in this thread, like me, don't want anything to do with MS and their repos.

So, just commenting it out is best.

stubright
Posts: 145
Joined: Sat Dec 24, 2011 11:12 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 3:59 pm

GlowInTheDark wrote:
Fri Feb 05, 2021 3:52 pm
I think that most of the people in this thread, like me, don't want anything to do with MS and their repos.

So, just commenting it out is best.
Maybe people should stop using linux then!
https://www.zdnet.com/article/top-five- ... microsoft/

fruitoftheloom
Posts: 26223
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 4:06 pm

stubright wrote:
Fri Feb 05, 2021 3:59 pm
GlowInTheDark wrote:
Fri Feb 05, 2021 3:52 pm
I think that most of the people in this thread, like me, don't want anything to do with MS and their repos.

So, just commenting it out is best.
Maybe people should stop using linux then!
https://www.zdnet.com/article/top-five- ... microsoft/

So that equally applies to GitHub so what Operating System can I run on my hardware which is not touched by Microsoft ?
The information is out there....you just have to let it in.

My other Linux machines: ChromeBox
https://www.aliexpress.com/item/32966393971.html
& Stone Desktop Intel CoreDuo circa 2010

Heater
Posts: 17814
Joined: Tue Jul 17, 2012 3:02 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 4:06 pm

GlowInTheDark wrote:
Fri Feb 05, 2021 3:52 pm
I think that most of the people in this thread, like me, don't want anything to do with MS and their repos.
Hmm... in this thread perhaps, elsewhere, meh, who notices or cares?

As a long time user of Linux and Free and Open Source software, and a long time advocate of not becoming dependent on closed source software, from the likes of MS or whoever, I have to say:

I think VS Code is brilliant. It is my default editor nowadays. It's open source, it's cross platform, it does most of what one would from complex IDEs but remains clean and simple to use.

We now have a repo to make installing VS Code super simple. Brilliant!
Last edited by Heater on Fri Feb 05, 2021 4:10 pm, edited 1 time in total.
Memory in C++ is a leaky abstraction .

pi-anazazi
Posts: 939
Joined: Fri Feb 13, 2015 9:22 pm
Location: EU

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 4:10 pm

Excellent example of CIA handbook "How to make any useful discussion futile".

Everything has been said but not everyone has said it.
Kind regards

anazazi

Heater
Posts: 17814
Joined: Tue Jul 17, 2012 3:02 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 4:15 pm

pi-anazazi wrote:
Fri Feb 05, 2021 4:10 pm
Excellent example of CIA handbook "How to make any useful discussion futile".

Everything has been said but not everyone has said it.
What? Everything useful that can be said about this has been said. What has been said is still here on the forum for the record.

DougieLawson
Posts: 41020
Joined: Sun Jun 16, 2013 11:19 pm
Location: A small cave in deepest darkest Basingstoke, UK

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 5:18 pm

GlowInTheDark wrote:
Fri Feb 05, 2021 3:52 pm
I think that most of the people in this thread, like me, don't want anything to do with MS and their repos.
You'd better stop using Github in that case.

I can't understand why the tin-foil hat brigade are so twitchy about this. Maybe Bill Gates' 5G microchip vaccine injections have been "switched to overload"*. Microsoft have had a complete about-face with their support of Linux and the world of open source.




* with apologies to Geldof and The Boomtown Rats.
Any language using left-hand whitespace for syntax is ridiculous

Any DMs sent on Twitter will be answered next month.
Fake doctors - are all on my foes list.

Any requirement to use a crystal ball or mind reading will result in me ignoring your question.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 28362
Joined: Sat Jul 30, 2011 7:41 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 5:23 pm

DougieLawson wrote:
Fri Feb 05, 2021 5:18 pm
* with apologies to Geldof and The Boomtown Rats.
Saw them in 2018, expected little, came away in awe. Great band.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Contrary to popular belief, humorous signatures are allowed.
I've been saying "Mucho" to my Spanish friend a lot more lately. It means a lot to him.

ejolson
Posts: 6898
Joined: Tue Mar 18, 2014 11:47 am

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 6:08 pm

ShiftPlusOne wrote:
Fri Feb 05, 2021 12:57 pm
Pete_Stevens wrote:
Fri Feb 05, 2021 12:42 pm

I don't think apt supports it, but in an ideal world you could install the key and a file containing the packages you're allowed to install with it, so an MS supplied package couldn't replace a Raspbian one.
By pinning the repo priority to -1 for the whole repo and increasing the priority just for the code packages, it's effectively accomplishing the same thing. We haven't done that yet, but it seems like a good idea.
Is there any news about setting the repo priority to -1 so standard packages don't accidentally get overridden?

The SolarWinds supply chain compromise that affected Microsoft Corporation and the US Government appears to have been so deep people still don't trust the affected systems. My understanding is, given the presumed levels of funding and support enjoyed by the hackers, that many believe an advanced persistent threat has been installed in the firmware of critical systems that could be activated at any inconvenient time in the future. Since the digital systems may be compromised, US Courts dealing with matters of national security have switched back to paper.

The point here is while Microsoft would not intentionally do something to tarnish their image, anything which increases the attack surface for a third party bent on mischief could result in consequences for the Pi that are negative.

Please post back if and when the priority of the vscode repository has been set so that packages in the standard repository can't be replaced by anything that accidentally appears in there.
Last edited by ejolson on Fri Feb 05, 2021 6:12 pm, edited 1 time in total.
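
The pinning scheme quoted in the post above (priority -1 for the whole repository, a normal priority only for the code package), written out as an added example that is not part of any post and not Raspberry Pi's actual configuration. It also lists which names in a repository index fall outside the allowlist; the sample index is constructed, and only the origin, the package name `code` and the -1 priority come from the thread.

```shell
#!/bin/sh
# Added example: restrict a third-party APT origin to an allowlist of packages.
# From the thread: the origin packages.microsoft.com, the package "code",
# and priority -1 for the whole repo. Everything else here is an assumption.
ORIGIN="packages.microsoft.com"

# Emit apt_preferences(5) stanzas. Priority -1 means "never install from this
# origin"; the per-package stanzas re-allow only the named packages at 500,
# the default priority of an ordinary repository.
pin_stanzas() {
    origin=$1; shift
    printf 'Package: *\nPin: origin "%s"\nPin-Priority: -1\n' "$origin"
    for pkg in "$@"; do
        printf '\nPackage: %s\nPin: origin "%s"\nPin-Priority: 500\n' "$pkg" "$origin"
    done
}

# Read a Packages index on stdin and print every package name that is not on
# the allowlist passed as arguments. Without a pin, these are the names the
# origin could supply in place of a distribution package.
# On a real system the downloaded index lives under /var/lib/apt/lists/.
unexpected_packages() {
    allow=" $* "
    awk -v allow="$allow" '
        $1 == "Package:" && index(allow, " " $2 " ") == 0 { print $2 }
    ' | sort -u
}

# Constructed sample index: one expected package and one name that collides
# with a core distribution package. Versions are made up.
sample_index() {
    cat <<'EOF'
Package: code
Version: 1.0-constructed
Architecture: armhf

Package: libc6
Version: 9.99-constructed
Architecture: armhf
EOF
}

# Stand-alone demo: print the stanzas, then audit the constructed index.
pin_stanzas "$ORIGIN" code
echo "--- offered by the origin but not on the allowlist:"
sample_index | unexpected_packages code
```

Saved to a file under /etc/apt/preferences.d/, the stanzas apply from the next apt run, and `apt-cache policy code` shows the priority apt assigns to each candidate version.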

cleverca22
Posts: 3267
Joined: Sat Aug 18, 2012 2:33 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 6:12 pm

DougieLawson wrote:
Fri Feb 05, 2021 5:18 pm
I can't understand why the tin-foil hat brigade are so twitchy about this. Maybe Bill Gates' 5G microchip vaccine injections have been "switched to overload"*. Microsoft have had a complete about-face with their support of Linux and the world of open source.
i have to wonder, is it really an entire tin-foil hat brigade, or is it just one user creating a dozen forum accounts?
could a moderator maybe check the IP behind each of the threads?

fruitoftheloom
Posts: 26223
Joined: Tue Mar 25, 2014 12:40 pm
Location: Delightful Dorset

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 6:20 pm

ejolson wrote:
Fri Feb 05, 2021 6:08 pm
ShiftPlusOne wrote:
Fri Feb 05, 2021 12:57 pm
Pete_Stevens wrote:
Fri Feb 05, 2021 12:42 pm

I don't think apt supports it, but in an ideal world you could install the key and a file containing the packages you're allowed to install with it, so an MS supplied package couldn't replace a Raspbian one.
By pinning the repo priority to -1 for the whole repo and increasing the priority just for the code packages, it's effectively accomplishing the same thing. We haven't done that yet, but it seems like a good idea.
Is there any news about setting the repo priority to -1 so standard packages don't accidentally get overridden?

viewtopic.php?f=63&t=302590&start=25#p1813690

ejolson
Posts: 6898
Joined: Tue Mar 18, 2014 11:47 am

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 6:34 pm

cleverca22 wrote:
Fri Feb 05, 2021 6:12 pm
DougieLawson wrote:
Fri Feb 05, 2021 5:18 pm
I can't understand why the tin-foil hat brigade are so twitchy about this. Maybe Bill Gates' 5G microchip vaccine injections have been "switched to overload"*. Microsoft have had a complete about-face with their support of Linux and the world of open source.
i have to wonder, is it really an entire tin-foil hat brigade, or is it just one user creating a dozen forum accounts?
could a moderator maybe check the IP behind each of the threads?
As a hat-carrying member of the brigade, and to make clear what might not have been so clear in my previous post, the difficulty is not that Microsoft would hack the Raspberry Pi but that a third party would hack a supplier of Microsoft (already done on an astonishingly large scale last year) and then hack the Pi.

Given the way targeted sophistication is coupled with blundering distraction by the cyber-forces of foreign governments, the malware which constitutes the real threat is almost never found. At the same time, being part of the distraction can still be pretty damaging for a company. The goal then is to avoid both.

At any rate, it's good to hear this problem is being addressed and under control.

raart
Posts: 1
Joined: Fri Feb 05, 2021 5:42 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 7:40 pm

cleverca22 wrote:
Fri Feb 05, 2021 2:55 pm
Pete_Stevens wrote:
Fri Feb 05, 2021 12:42 pm
When you do an update, your system will check to see if there are any updates at Microsoft which means they could log that you've done an update.
my understanding is that when you "apt-get update", it downloads an index of every package on the given server
they have no idea what packages you have installed, until you try to download a given .deb (during apt-get upgrade), and only if they are already hosting that file to begin with
This might be the actual technical situation, therefore remember that things evolve and they have put one foot in now.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 28362
Joined: Sat Jul 30, 2011 7:41 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 8:41 pm

raart wrote:
Fri Feb 05, 2021 7:40 pm
cleverca22 wrote:
Fri Feb 05, 2021 2:55 pm
Pete_Stevens wrote:
Fri Feb 05, 2021 12:42 pm
When you do an update, your system will check to see if there are any updates at Microsoft which means they could log that you've done an update.
my understanding is that when you "apt-get update", it downloads an index of every package on the given server
they have no idea what packages you have installed, until you try to download a given .deb (during apt-get upgrade), and only if they are already hosting that file to begin with
This might be the actual technical situation, therefore remember that things evolve and they have put one foot in now.
Oooh, The Okey Cokey.

stubright
Posts: 145
Joined: Sat Dec 24, 2011 11:12 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 8:59 pm

fruitoftheloom wrote:
Fri Feb 05, 2021 4:06 pm
so what Operating System can I run on my hardware which is not touched by Microsoft ?
Image
But don't quote me on that.

gsh
Raspberry Pi Engineer & Forum Moderator
Posts: 1691
Joined: Sat Sep 10, 2011 11:43 am

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 9:00 pm

We're aware that some people have concerns about the addition of a Microsoft-operated repository, and Microsoft GPG key, in a recent update to Raspberry Pi OS. This is there solely to enable people (particularly beginners) to easily install the excellent Visual Studio Code, the preferred C development environment for our new Raspberry Pi Pico board and Raspberry Pi RP2040 microcontroller. This update doesn't install Visual Studio Code: it makes installing it a one-liner (sudo apt install code).

This change has two practical results:

a) An apt update will now result in a request to Microsoft's server. You could brand this "telemetry" if you want, but it's pretty thin gruel.
b) In principle Microsoft could add packages to their repository which override packages in our repository. While it is unthinkable that Microsoft would do this deliberately or maliciously, we are making some changes to our repo setup this weekend which will prevent this from happening by accident. We may make further changes over the next few weeks that address both this, and (a).

The second item brings us to an important point about trust. When you use any software that you haven't written yourself, you are trusting not just the person you got the software from, but also that person's judgment about who they trust: their employees, contractors, suppliers, partners, etc. If you use Raspberry Pi OS, you are trusting that we make good decisions about who to trust. In this case, to support our goal of delivering a better experience to our users, we have made the decision to trust Microsoft. We don't think this is an unreasonable decision, but can understand that some people disagree.

(Also note, this is a cross-posting to relevant threads I know, I'm sorry!)
--
Gordon Hollingworth PhD
Raspberry Pi - Director of Software Engineering

mob-i-l
Posts: 355
Joined: Sat Dec 29, 2012 2:45 am
Location: Lund, Skåne/Scania, Sweden

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 9:24 pm

IMHO this approach would have been better: instructions to install Microsoft key + repo. Alternatively there could be a package to install Microsoft key + repo. This would have the added benefit of being easy to uninstall/purge. Now you have to edit files.

The checking of extra repositories slows down the update on e.g. a Raspberry Pi Zero WH where you probably can't install VSCode anyway. Also there are three Microsoft repos added: armhf, arm64, and amd64. This is strange because only armhf could be used on 32-bit Raspberry Pi OS.

The Microsoft repos are installed also on Debian with Raspberry Pi Desktop on an x86-32 laptop (Eee PC 1001HA) even though none of them are useful with its CPU.

On x86-32 (i686, or in Debian terminology i386) laptop they add no useful repos AFAIK:


$ sudo apt update
Läs:1 http://archive.raspberrypi.org/debian buster InRelease [32,8 kB]
Läs:2 http://security.debian.org buster/updates InRelease [65,4 kB]
Bra:3 http://ftp.debian.org/debian buster InRelease
Läs:4 http://packages.microsoft.com/repos/code stable InRelease [10,4 kB]
Läs:5 http://ftp.debian.org/debian buster-updates InRelease [51,9 kB]
Läs:6 http://packages.microsoft.com/repos/code stable/main amd64 Packages [11,5 kB]
Läs:7 http://packages.microsoft.com/repos/code stable/main arm64 Packages [12,2 kB]
Läs:8 http://packages.microsoft.com/repos/code stable/main armhf Packages [12,0 kB]
Have Pi0&1A&1B&1B+&2B&3B&4B w/ rasPiOS. Started w/ BASIC on ABC80&ZX81 then Forth, Z80… https://scratch.mit.edu/users/mobluse/ https://github.com/mobluse/ https://twitter.com/mobluse/ https://YouTube.com/MOBiL4u/

r3d4
Posts: 993
Joined: Sat Jul 30, 2011 8:21 am
Location: ./

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 11:04 pm

Pete_Stevens wrote:
Thu Feb 04, 2021 10:29 pm
you implicitly trust Microsoft anyway through Github
an interesting assertion
on which i wish to cast aspersion
:lol:
i thought it was the tool that the "hub" *( web :roll: wrapper ) is built around , not the/that company TBH ... but could be wrong about this or that.


with the above in mind
( especially WRT the notions of
"trust" -**how ever one might wish it defined 0:
elsewhere in this thread )
probably the most concerning element this -imho-
is failing to maintain / update the repo

as mentioned before
viewtopic.php?p=1810576#p1810576
MichaIng wrote: MichaIng » 01 Feb 2021 21:05
There is not even a related commit in the sources, this is completely unacceptable: https://github.com/RPi-Distro/raspberrypi-sys-mods

Really, I got worried that something happened to our sources, saw our users affected and was quite worried until I checked the package download to find it present there as well. Please, when doing such changes, do a commit to the repository and add a changelog so that we know what is going on.




this also hopefully gives some
*Food For Thought*

:arrow: viewtopic.php?p=1808660#p1808660
scruss wrote: Post by scruss » 30 Jan 2021 16:43
I'm not so bothered about the adding of a repo: it doesn't do anything unless you install the unhelpfully-named code package.

What is more of an issue for me is that Visual Studio Code "phones home", sharing system metrics with Microsoft, unless you manually tell it not to. This is how you do that:
Disable telemetry reporting
From File > Preferences > Settings (macOS: Code > Preferences > Settings), search for telemetry, and uncheck the Telemetry: Enable Telemetry setting. This will silence all telemetry events from VS Code going forward. Telemetry information may have been collected and sent up until the point when you disable the setting.
:? give me sane defaults or give me .. all of you data are belong to :o MS.


I have spoken.

jahboater
Posts: 6820
Joined: Wed Feb 04, 2015 6:38 pm
Location: Wonderful West Dorset

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 11:13 pm

stubright wrote:
Fri Feb 05, 2021 8:59 pm
fruitoftheloom wrote:
Fri Feb 05, 2021 4:06 pm
so what Operating System can I run on my hardware which is not touched by Microsoft ?
Image
But don't quote me on that.
There used to be a download option for Plan 9 on this site. Seems to have gone now.
Pi4 8GB (Raspberry Pi OS 64-bit), Pi4 4GB, Pi4 2GB, Pi1 Rev 1 256MB, Pi Zero


r3d4
Posts: 993
Joined: Sat Jul 30, 2011 8:21 am
Location: ./

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 11:23 pm

jahboater wrote:
Fri Feb 05, 2021 11:13 pm
There used to be a download option for Plan 9 on this site. Seems to have gone now.
just ftr
found mentions one has links off site
:arrow: https://www.raspberrypi.org/blog/tag/plan-9/

stubright
Posts: 145
Joined: Sat Dec 24, 2011 11:12 pm

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 11:44 pm

r3d4 wrote:
Fri Feb 05, 2021 11:23 pm
jahboater wrote:
Fri Feb 05, 2021 11:13 pm
There used to be a download option for Plan 9 on this site. Seems to have gone now.
just ftr
found mentions one has links off site
:arrow: https://www.raspberrypi.org/blog/tag/plan-9/
There's some reasonably up to date info here
viewtopic.php?t=210855
with a link to pi3b files.
I tried it for about ten minutes many years ago just out of curiosity, my curiosity was killed after that.

LTolledo
Posts: 5002
Joined: Sat Mar 17, 2018 7:29 am
Location: Anime Heartland

Re: Microsoft GPG key suggestion

Fri Feb 05, 2021 11:59 pm

just as DougieLawson mentioned... smartphones are much nastier....

so... if you are a regular/avid smartphone user (or any modern phone for that matter).... and "complaining" (aggressively/violently) here about the GPG thingy.... doesn't that make you a hypocrite? ;)
"Don't come to me with 'issues' for I don't know how to deal with those
Come to me with 'problems' and I'll help you find solutions"

Some people be like:
"Help me! Am drowning! But dont you dare touch me nor come near me!"
