Microsoft GPG key suggestion

[GlowInTheDark]

I don't understand what all the hubbub is. All you have to do is find the "vscode.list" file in /etc/sources.list.d and read it. It clearly says that you can comment the single line in there out and all will be well. Re-run apt-get update, and all is well.

This advice from me is in line with the general Unix/Linux philosophy of "You can fix it for yourself; that's all that matters". Other people can do as they please.

I agree that it did kind of sneak in there with the most recent "apt-get upgrade" (or installing a fresh recent version), but that's the way Unix/Linux is. You've got to stay on top of things.

[thradtke]

All you have to do is find the "vscode.list" file in /etc/sources.list.d and read it. It clearly says that you can comment the single line in there out and all will be well. Re-run apt-get update, and all is well.

If things can be settled by down-prioritizing (is that a word?) the MS repo, all is well. Remember, as small as that risk might be, there a students and noobs like me in front of their Pi's.

[GlowInTheDark]

I think that most of the people in this thread, like me, don't want anything to do with MS and their repos.

So, just commenting it out is best.

[stubright]

I think that most of the people in this thread, like me, don't want anything to do with MS and their repos.

So, just commenting it out is best.

Maybe people should stop using linux then!
https://www.zdnet.com/article/top-five- ... microsoft/

[fruitoftheloom]

I think that most of the people in this thread, like me, don't want anything to do with MS and their repos.

So, just commenting it out is best.

Maybe people should stop using linux then!
https://www.zdnet.com/article/top-five- ... microsoft/

So that equally applies to GitHub so what Operating System can I run on my hardware which is not touched by Microsoft ?

[Heater]

I think that most of the people in this thread, like me, don't want anything to do with MS and their repos.

Hmm... in this thread perhaps, elsewhere, meh, who notices or cares?

As a long time user of Linux and Free and Open Source software, and a long time advocate of not becoming dependent on closed source software, from the likes of MS or whoever, I have to say:

I think VS Code is brilliant. It is my default editor now a days. It's open source, it's cross platform, it does most of what one would from complex IDEs but remains clean and simple to use.

We now have a repo to make installing VS Code super simple. Brilliant!

[pi-anazazi]

Excellent example of CIA handbook "How to make any useful discussion futile".

Everything has been said but not everyone has said it.

[Heater]

Excellent example of CIA handbook "How to make any useful discussion futile".

Everything has been said but not everyone has said it.

What? Everything useful that can be said about this has been said. What has been said is still here on the forum for the record.

[DougieLawson]

I think that most of the people in this thread, like me, don't want anything to do with MS and their repos.

You'd better stop using Github in that case.

I can't understand why the tin-foil had brigade are so twitchy about this. Maybe Bill Gates' 5G microchip vaccine injections have been "switched to overload"*. Microsoft have had a complete about-face with their support of Linux and the world of open source.




* with apologies to Geldorf and The Boomtown Rats.

[jamesh]

* with apologies to Geldorf and The Boomtown Rats.

Saw then in 2018, expected little, came away in awe. Great band.

[ejolson]

I don't think apt supports it, but in an ideal world you could install the key and a file containing the packages you're allowed to install with it, so an MS supplied package coudln't replace a Raspbian one.

By pinning the repo priority to -1 for the whole repo and increasing the priority just for the code packages, its effectively accomplishing the same thing. We haven't done that yet, but it seems like a good idea.

Is there any news about setting the repo priority to -1 so standard packages don't accidentally get overridden?

The SolarWinds supply chain compromise that affected Microsoft Corporation and the US Government appears to have been so deep people still don't trust the affected systems. My understanding is, given the presumed levels of funding and support enjoyed by the hackers, that many believe an advanced persistent threat has been installed in the firmware of critical systems that could be activated at any inconvenient time in the future. Since the digital systems may be compromised, US Courts dealing with matters of national security have switched back to paper.

The point here is while Microsoft would not intentionally do something to tarnish their image, anything which increases the attack surface for a third party bent on mischief could result in consequences for the Pi that are negative.

Please post back if and when the priority of the vscode repository has been set so that packages in the standard repository can't be replaced by anything that accidentally appears in there.

[cleverca22]

I can't understand why the tin-foil had brigade are so twitchy about this. Maybe Bill Gates' 5G microchip vaccine injections have been "switched to overload"*. Microsoft have had a complete about-face with their support of Linux and the world of open source.

i have to wonder, is it really an entire tin-foil hat brigade, or is it just one user creating a dozen forum accounts?
could a moderator maybe check the IP behind each of the threads?

[fruitoftheloom]

I don't think apt supports it, but in an ideal world you could install the key and a file containing the packages you're allowed to install with it, so an MS supplied package coudln't replace a Raspbian one.

By pinning the repo priority to -1 for the whole repo and increasing the priority just for the code packages, its effectively accomplishing the same thing. We haven't done that yet, but it seems like a good idea.

Is there any news about setting the repo priority to -1 so standard packages don't accidentally get overridden?

viewtopic.php?f=63&t=302590&start=25#p1813690

[ejolson]

I can't understand why the tin-foil had brigade are so twitchy about this. Maybe Bill Gates' 5G microchip vaccine injections have been "switched to overload"*. Microsoft have had a complete about-face with their support of Linux and the world of open source.

i have to wonder, is it really an entire tin-foil hat brigade, or is it just one user creating a dozen forum accounts?
could a moderator maybe check the IP behind each of the threads?

As a hat-carrying member of the brigade, and to make clear what might not have been so clear in my previous post, the difficulty is not that Microsoft would hack the Raspberry Pi but that a third party would hack a supplier of Microsoft (already done on an astonishingly large scale last year) and then hack the Pi.

Given the way targeted sophistication is coupled with blundering distraction by the cyber-forces of foreign governments, the malware which constitutes the real threat is almost never found. At the same time, being part of the distraction can still be pretty damaging for a company. The goal then is to avoid both.

At any rate, it's good to hear this problem is being addressed and under control.

[raart]

When you do an update, your system will check to see if there are any updates at Microsoft which means they could log that you've done an update.

my understanding is that when you "apt-get update", it downloads an index of every package on the given server
they have no idea what packages you have installed, until you try to download a given .deb (during apt-get upgrade), and only if they are already hosting that file to begin with

This might be the actual technical situation, therefore remember that things evolve and they have put one foot in now.

[jamesh]

When you do an update, your system will check to see if there are any updates at Microsoft which means they could log that you've done an update.

my understanding is that when you "apt-get update", it downloads an index of every package on the given server
they have no idea what packages you have installed, until you try to download a given .deb (during apt-get upgrade), and only if they are already hosting that file to begin with

This might be the actual technical situation, therefore remember that things evolve and they have put one foot in now.

Oooh, The Okey Cokey.

[stubright]

so what Operating System can I run on my hardware which is not touched by Microsoft ?

But don't quote me on that.

[gsh]

We're aware that some people have concerns about the addition of a Microsoft-operated repository, and Microsoft GPG key, in a recent update to Raspberry Pi OS. This is there solely to enable people (particularly beginners) to easily install the excellent Visual Studio Code, the preferred C development environment for our new Raspberry Pi Pico board and Raspberry Pi RP2040 microcontroller. This update doesn't install Visual Studio Code: it makes installing it a one-liner (sudo apt install code).

This change has two practical results:

a) An apt update will now result in a request to Microsoft's server. You could brand this "telemetry" if you want, but it's pretty thin gruel.
b) In principle Microsoft could add packages to their repository which override packages in our repository. While it is unthinkable that Microsoft would do this deliberately or maliciously, we are making some changes to our repo setup this weekend which will prevent this from happening by accident. We may make further changes over the next few weeks that address both this, and (a).

The second item brings us to an important point about trust. When you use any software that you haven't written yourself, you are trusting not just the person you got the software from, but also that person's judgment about who they trust: their employees, contractors, suppliers, partners, etc. If you use Raspberry Pi OS, you are trusting that we make good decisions about who to trust. In this case, to support our goal of delivering a better experience to our users, we have made the decision to trust Microsoft. We don't think this is an unreasonable decision, but can understand that some people disagree.

(Also note, this is a cross-posting to relevant threads I know, I'm sorry!)

[mob-i-l]

IMHO this approach would have been better: instructions to install Microsoft key + repo. Alternatively there could be a package to install Microsoft key + repo. This would have the added benefit of being easy to uninstall/purge. Now you have to edit files.

The checking of extra repositories slow down the update on e.g. a Raspberry Pi Zero WH where you probably can't install VSCode anyway. Also there are three Microsoft repos added: armhf, arm64, and amd64. This is strange because only armhf could be used on 32-bit Raspberry Pi OS.

The Microsoft repos are installed also on Debian with Raspberry Pi Desktop on an x86-32 laptop (Eee PC 1001HA) even though none of them are useful with its CPU.

On x86-32 (i686, or in Debian terminology i386) laptop they add no useful repos AFAIK:

Code: Select all

$ sudo apt update
Läs:1 http://archive.raspberrypi.org/debian buster InRelease [32,8 kB]
Läs:2 http://security.debian.org buster/updates InRelease [65,4 kB]                                                                                          
Bra:3 http://ftp.debian.org/debian buster InRelease                                                                                                           
Läs:4 http://packages.microsoft.com/repos/code stable InRelease [10,4 kB]
Läs:5 http://ftp.debian.org/debian buster-updates InRelease [51,9 kB]
Läs:6 http://packages.microsoft.com/repos/code stable/main amd64 Packages [11,5 kB]
Läs:7 http://packages.microsoft.com/repos/code stable/main arm64 Packages [12,2 kB]
Läs:8 http://packages.microsoft.com/repos/code stable/main armhf Packages [12,0 kB]

[r3d4]

you implicitly trust Microsoft anyway through Github

an interesting assertion
on which i wish to cast aspersion

i thought it was the tool that the "hub" *( web wrapper ) is built around , not the/that company TBH ... but could be wrong about this or that.


with the above in mind
( especially WRT the notions of
"trust" -**how ever one might wish it defined 0:
elsewhere in this thread )
probably the most concerning element this -imho-
is failing to maintain / update the repo

as mentioned before
viewtopic.php?p=1810576#p1810576

MichaIng » 01 Feb 2021 21:05
There is not even a related commit in the sources, this is completely unacceptable: https://github.com/RPi-Distro/raspberrypi-sys-mods

Really, I got worried that something happened to our sources, saw our users affected and was quite worried until I checked the package download to find it present there as well. Please, when doing such changes, do a commit to the repository and add a changelog so that we know what is going on.

this also hopefully gives some
*Food For Thought*

viewtopic.php?p=1808660#p1808660

Post by scruss » 30 Jan 2021 16:43
I'm not so bothered about the adding of a repo: it doesn't do anything unless you install the unhelpfully-named code package.

What is more of an issue for me is that Visual Studio Code "phones home", sharing system metrics with Microsoft, unless you manually tell it not to. This is how you do that:

Disable telemetry reporting
From File > Preferences > Settings (macOS: Code > Preferences > Settings), search for telemetry, and uncheck the Telemetry: Enable Telemetry setting. This will silence all telemetry events from VS Code going forward. Telemetry information may have been collected and sent up until the point when you disable the setting.

give me sane defaults or give me .. all of you data are belong to MS.


I have spoken.

[jahboater]

so what Operating System can I run on my hardware which is not touched by Microsoft ?

But don't quote me on that.

There used to be a download option for Plan 9 on this site. Seems to have gone now.

[r3d4]

.
https://www.youtube.com/watch?v=LwxHaosKjgY

*
https://www.youtube.com/watch?v=z1BHrWCZrc8

[r3d4]

There used to be a download option for Plan 9 on this site. Seems to have gone now.

just ftr
found mentions one has links off site
https://www.raspberrypi.org/blog/tag/plan-9/

[stubright]

There used to be a download option for Plan 9 on this site. Seems to have gone now.

just ftr
found mentions one has links off site
https://www.raspberrypi.org/blog/tag/plan-9/

There's some reasonably up to date info here
viewtopic.php?t=210855
with a link to pi3b files.
I tried it for about ten minutes many years ago just out of curiosity, my curiosity was killed after that.

[LTolledo]

just as DougieLawson mentioned... smartphones are much nastier....

so... if you are a regular/avid smartphone user (or any modern phone for that matter).... and "complaining" (aggressively/violently) here about the GPG thingy.... doesn't that make you a hypocrite?