Microsoft GPG key suggestion

[fruitoftheloom]

As i still find it difficult to believe ...

These points have all been made before. To my mind they have all been address adequately:

This source list change does not install any closed source software. At least not without the intent of the user.

Having the key does not mean you have to use it .

If you do use it I hear a change is in place to ensure it cannot mess with the rest of the operating system packages.

If it really bugs anyone it is very easy to remove anyway.

Contrast to the previous situation where the easiest and often suggested way to get vscode onto a Pi was to add a key for a "head_melted" repository and install the deb from there. Who the hell is head_melted and why would anyone trust any of that? What we have now is a much better situation in that respect.

The Pi Foundation has been up front since the very beginning about the fact that the Pi, hardware and software, is not exclusively open source. See Mathematica for example.

We don't much care what is said on reddit. That is a social media swamp where grumpy people like to throw mud everywhere. Meanwhile, this morning I did a quick google search for terms such as "vscode pgp key Microsoft raspberry pi" and such to see what the action was. Almost nothing, crickets...

Apart from Mathematica there is also RealVNC and no one complained about that either.

[Ry_Darcy]

Using one's search machine of choice using this string - Microsoft raspberry pi, reveals a somewhat different result.


Ry

[Heater]

Using one's search machine of choice using this string - Microsoft raspberry pi, reveals a somewhat different result.

Yeah, it turns up a few more now.

Meh.

The great thing about all this little brouhaha is that I now know how to build my own vscode from sources. Which is nice.

[PiMy]

These points have all been made before. To my mind they have all been address adequately:

How can you even remotely say this key points have been addressed? They have not been addressed in any way.

Having the key does not mean you have to use it .

Raspberry Pi never got a mandate to enforce our trust in Microsoft, regardless of Raspberry Pi relationship with Microsoft. And in the end it's not Raspberry Pi prerogative to install third party repositories on our computers without our consent or knowledge. It's a common knowledge such things can only exists as an opt-in option. Raspberry Pi did a wrong thing here, fix it and lets move on. Don't make a war out of it if it was a honest mistake.

We don't much care what is said on reddit.

Ignorance is a bliss, but this is something that won't go away, regardless of the bubble one lives in. If not tomorrow it will get settled on the long run. This is not just about "necessary evil" any more, this is just plain old evil.

The great thing about all this little brouhaha is that I now know how to build my own vscode from sources. Which is nice.

And other people using Raspberry Pi computers would therefore had too hard of a time to install VS Code if that is what they believe should be used to get the job done? Exactly, the answer is NO.

P.S. I am not misrepresenting the facts in any way if i say Raspberry Pi abused their power to install third party repositories on people computers without their consent or knowledge. After the fact Raspberry Pi started acting like a liaison for Microsoft, ridiculing the people expressing concerns claiming we should just all trust Microsoft and be one big happy family. Promoting nonfree software when a viable free software alternative exists ... Trust is on the line here, don't throw it away recklessly, once that is gone it is hard to get it back.

[Heater]

How can you even remotely say this key points have been addressed? They have not been addressed in any way.

Because all the points I articulated above have been resolved in statements I have read in this and other threads here on the subject. Sorry I am not going to go back and read them all again to find links for you.

Raspberry Pi never got a mandate to enforce our trust in Microsoft,

I don't believe they do that. No one is forcing anyone to install that vscode package.

Ignorance is a bliss, but this is something that won't go away, regardless of the bubble one lives in. If not tomorrow it will get settled on the long run. This is not just about "necessary evil" any more, this is just plain old evil.

Please don't be calling me ignorant. Personal attack are not useful. I have read both sides of the argument extensively now. I am far from blissful.

Calling this "evil" is way over the top. "Ill advised" perhaps.

If this is such a big deal how come no one has complained about the installation of Mathematica and others for all these years?

[Celtus]

Sorry, struggling to remember: Was mathmatica added as a separate repo with a gpg key of it's own added to the trust chain? I don't remember that. Serious question - I really don't recall.

[ejolson]

How can you even remotely say this key points have been addressed? They have not been addressed in any way.

Because all the points I articulated above have been resolved in statements I have read in this and other threads here on the subject. Sorry I am not going to go back and read them all again to find links for you.

Raspberry Pi never got a mandate to enforce our trust in Microsoft,

I don't believe they do that. No one is forcing anyone to install that vscode package.

Ignorance is a bliss, but this is something that won't go away, regardless of the bubble one lives in. If not tomorrow it will get settled on the long run. This is not just about "necessary evil" any more, this is just plain old evil.

Please don't be calling me ignorant. Personal attack are not useful. I have read both sides of the argument extensively now. I am far from blissful.

Calling this "evil" is way over the top. "Ill advised" perhaps.

If this is such a big deal how come no one has complained about the installation of Mathematica and others for all these years?

I think it's automatically adding a third party repository to systems that could be running in a production environment which has raised eyebrows.

Suppose company X was a competitor of Microsoft and had a company policy that no Microsoft products could be installed or used behind the corporate firewall. Since executives demand only the best, each has a Pi 400 on their desktop. Then a repository appears that starts checking for updates on a server at Microsoft.

What Eben must have meant is that the engineers at Raspberry Pi use VS Code to develop stuff. I can imagine it works better than Eclipse, but that's a different story. Google is known to use lots of open source software; however, in each case they host their own version of the public repository internally for security.

If you are a valuable target, you need to take greater precautions than others. If any customer is a valuable target, then greater precautions are also needed. It's notable that Microsoft used SolarWinds to improve their security; however, one of the software engineers at SolarWinds had their development environment hacked by a criminal organisation targeting some of SolarWinds' more important customers.

The point here is that the supply chain is a big problem in computer security. Just to prove my tin hat is properly styled, what if the new repository added to the desktop computers at company X checked the IP numbers and fed one of those Pi 400's a version of sshd with a new backdoor?

Fantasy aside, automatically installing a third party repository as an update to other people's production systems seems to have been both original and perhaps not such a good idea. At the same time, automatically removing it might be even more likely to cause trouble.

[W. H. Heydt]

I think this horse died about 5 pages back.

[ejolson]

I think this horse died about 5 pages back.

The way I see it, the horse died before the thread started and the job now is to figure out how to properly bury it. In particular, now that the problem is well understood, what remains is to see how the problem will be resolved.

While it is easy to suggest a customized version of Code-OSS be added to the main repository and the extra repository which has caused concern be removed, what actually happens is up to the Raspberry Pi company. I can see advantages to being able to say, we listened to customers and changed things. I also see advantages to staying the course.

[gsh]

The reason I left the message (about four or five pages ago) is to tell people that we are doing something, but haven't yet decided exactly what we're doing from the many options (some of them require us to get approval externally first, some don't).

We have now changed the priority of the Microsoft repo so they wouldn't be able to install a package over ours.

We haven't yet removed the repo from the lite version because we think we'll have a better solution in the next couple of days.

We're not ignoring the community, but making sure that the solution we come up with will tick as many of the boxes as possible (you can't please all the people all the time)

Gordon

[Celtus]

...what actually happens is up to the Raspberry Pi company. I can see advantages to being able to say, we listened to customers and changed things. I also see advantages to staying the course.

Totally agree, however, I still feel that changes should be in named packages and rolled out with apt properly. I hope post-install hooks are not to be used in this way again.

I also appreciate the update from Gordon - Thank you!

[fruitoftheloom]

...what actually happens is up to the Raspberry Pi company. I can see advantages to being able to say, we listened to customers and changed things. I also see advantages to staying the course.

Totally agree, however, I still feel that changes should be in named packages and rolled out with apt properly. I hope post-install hooks are not to be used in this way again.

I also appreciate the update from Gordon - Thank you!

It would be a positive outcome if the software is in the Raspberry Pi repositories, as other non open source software is already.

[Heater]

It would be a positive outcome if the software is in the Raspberry Pi repositories, as other non open source software is already.

Indeed it would.

Seems to be fraught with difficulty and a lot of extra work though.

One cannot just take the MS deb and stick in ones own repository. What with it being laden with MS trademark, and other restrictively licensed stuff.

That means one has to build ones own vscode from the available sources and make that available in ones repository.

But that means no access to the extensions "market place" maintained by MS. Which would make life inconvenient for users.

Which would mean maintaining all those extensions, at least the ones that are liberally licensed, in packages as well. Or running an alternative "extension marketplace".

But none of that is satisfactory. In the same way that having node.js in the apt repos is not satisfactory, the node core and all the hundreds of modules are always way out of date. And it's a lot of work.

[fruitoftheloom]

.
https://arstechnica.com/gadgets/2021/02 ... vil-secret

[Ry_Darcy]

Hello all,

let the Raspberry kiddies then learn an IDE that is unique to Linux - with all of its imperfections. What is wrong with that?
As an old IBM Mainframer (since 1976), I tend to agree with the people who are protesting with this insidious microsoft injection. Things are bad enough already with google et al already. (small caps intentional).

As to why the RPT/F found it necessary to try something under the radar is beyond my remit, I have do idea. Bit of Brexit here shoot one's own legs off?

As an aside, I love this little board (max 15W power consumption), for my retirement. All I want to do is pay my bills, look at the news etc.


Regards,


Ry.

PS Not yet a fogey.

[Heater]

let the Raspberry kiddies then learn an IDE that is unique to Linux - with all of its imperfections. What is wrong with that?

Speaking as a "Raspberry kiddy" that is moving into his second childhood, I would say that there is nothing wrong with that. On the other hand vscode is my tool of choice now a days. It really is a neat piece of work and it works wherever I land, on Windows, Mac and Linux.

As an old IBM Mainframer (since 1976), I tend to agree with the people who are protesting with this insidious microsoft injection.

I see no "injection" of anything. Insidious or otherwise. I'm not sure what bearing being a mainframer has on anything.

As to why the RPT/F found it necessary to try something under the radar is beyond my remit, I have do idea.

Hardly "under the radar". You can't really think they hoped nobody would notice.

[clivem]

https://arstechnica.com/gadgets/2021/02 ... vil-secret

"Fierce advocate of FOSS" proclaims, "No, it’s not an evil secret"! You just couldn't make it up!

And on Wikipedia.... The great "Microsoft Repository Controversy".

Because Visual Studio Code can only be downloaded from a Microsoft server,[8] Raspberry Pi OS' raspberrypi-sys-mods package created the files enabling a Microsoft repository without prompting the user and with the source code held back for nearly two weeks.[9] This means Microsoft has access to every updated Pi computer running Raspberry Pi OS with rights to install any package, run any program, or edit any file without prompting the user.[10] A lesser issue that has bothered some users is that on every run of apt update, the Raspbery Pi will send a request to packages.microsoft.com and thereby reveals the IP address for potential use in tracking or marketing efforts.

Then that paragraph gets deleted in entirety from the RPI OS page. Then it gets re-instated. Then the guy who deleted it the first time around, replaces the paragraph with.... Raspberry Pi OS' raspberrypi-sys-mods package added a Microsoft URL in the sources.list used by apt to allow Visual Studio Code to be downloaded and installed, which led to criticism from some users as it was done without user consent.

But winner of the prize.... Microsoft themselves.

After the brouhaha and negative news stories appeared, they dropped the links to the Visual Studio Code on Raspberry Pi web page which proclaimed that "Visual Studio Code is officially distributed via the Raspberry Pi OS (previously called Raspbian) APT repository." and commented it out of their sitemap. LOL Take out recent update

[ejolson]

As an old IBM Mainframer (since 1976), I tend to agree with the people...

Though slightly off topic, I remembered how xedit used to work on a 3270 display terminal and all the other program editors I've used. Apparently Linux has a built-in console driver that allows one to run ned and similar screen based editors.

https://www.ibm.com/support/knowledgece ... _3270.html

I wonder why VS Code is so much better for programming the Pico.

Though further off topic, I've been looking for some screenshots of cpwatch running on an IBM 4341 or similar system and to my astonishment haven't been able to find any. This is a monitor that indicates CPU usage, paging rate and other metrics on a mainframe. Somehow I want to see that program again. I think it's nostalgia.

If you have cpwatch on an emulator, I'd greatly appreciate it if you could cycle through the different displays and upload the images somewhere.

Back on topic, I'm glad to hear the priority has been set so the VS Code repository can't replace standard packages. What's the current state of Minecraft these days?

[r3d4]

if I want to use Visual Studio Code can I stop it from "Phoning Home" can I do that and how?

0) https://en.wikipedia.org/wiki/Hosts_(file)

1) ...

apparently !

...
we are not talking about "Visual Studio", this is all about "Visual Studio Code". A totally different product. https://code.visualstudio.com

VS Code is massively popular ...
Why? Because it's open source, ..

For example I use VS Code to develop Rust for the Pi and use the "rust-analyser" plugin. Extensions like that offer most of what one wants from a full up IDE.

.. the source is available
if someone was *REALY* bored , commenting out or removing the ETcode *it appears* could be another option!.

making sure that the solution we come up with will tick as many of the boxes as possible (you can't please all the people all the time)

.. read the above * ( brackets ) and thunk

if they can fork the source , at least they can `try` and please themselves

[PiUser_235]

Guys, just registered here to reply in this topic. I've been using Raspberry Pi computers since version 1, still have that one in my car as Bluetooth receiver. I love your products. I use several of them in my home for automation. I have bought about 40 Pis over the years, for my friends, their kids, donated to school.

But what you did there has completely ruined my trust in you. You installed Microsoft non-free repository in all my Pi computers, with GPG key, without my consent, without any changelog. Trust and security is paramount. I don't understand why my CCTV camera with Raspberry Pi, totally headless will from now on ask Microsoft server for updates, where its not even possible to run their non-free software on headless Raspberry Pi anyway. And another thing I don't use this software so I never needed their closed source repo in the first place.

As soon as I discovered this I told all my friends about it. I am done with you guys, I will move to other Operating System as you are not trustworthy. You did this now, you will do it again, money corrupts. I don't know how much Microsoft has paid you. But know this, you won't be getting any more money off me.

[Heater]

I don't understand why my CCTV camera with Raspberry Pi, totally headless will from now on ask Microsoft server for updates, where its not even possible to run their non-free software on headless Raspberry Pi anyway.

I don't really have a dog in this fight but can I turn that question around? Why shouldn't the source lists contain packages that one does not install?

The regular sources don't know or care if your system is headless or not, lite or full, or what packages you may or may not have installed. They only fetch what is available. It's up to you if you install any of that or not.

Why would one expect any other sources list to be different?

Anyway, in what way did this stop your CCTV application from working? In what way did it compromise it's security? Did anything bad actually happen at all?

And another thing I don't use this software so I never needed their closed source repo in the first place.

Similarly. There are tens of thousands of packages I don't use from the regular sources. Why should this one be different? Just don't install anything from it.

As soon as I discovered this I told all my friends about it. I am done with you guys, I will move to other Operating System as you are not trustworthy. You did this now, you will do it again, money corrupts. I don't know how much Microsoft has paid you. But know this, you won't be getting any more money off me.

I think this is an overly harsh judgement for what I regard as a simple faux pas. It's embarrassing for the Foundation but fixable.

[Celtus]

I think this is an overly harsh judgement for what I regard as a simple faux pas. It's embarrassing for the Foundation but fixable.

I couldn't agree more. The Raspberry Pi is a fantastic hardware platform. The developer who made these changes, and please pardon me for being so blunt, simply made some mistakes. First, to use post-install instead of creating a package, then echoing text into a file instead of deploying properly. This does not indicate malice, merely inexperience and/or lack of understanding of package management. Perhaps code review should have been done, or if it was, should have been done better.

I don't believe for a moment that the foundation wanted this conversation. The right thing to do now is to clean up sys-mods by removing this, repackaging it as it's own package, reassuring the user base that a lesson has been learned, and getting back to making wonderful machines.

[clivem]

But what you did there has completely ruined my trust in you. You installed Microsoft non-free repository in all my Pi computers, with GPG key, without my consent, without any changelog.

Without your consent.... That's fair, but without any changelog? Nope! It was documented in the raspberrypi-sys-mods package changelog...

Code: Select all

raspberrypi-sys-mods (20210208) buster; urgency=medium

  * Stop-gap measure to address one of the main concerns about 3rd party repos
    - Prevent VS Code repo from potentially overriding system packages
    - Only allow installation of known packages (code-*)

 -- Serge Schneider <serge@raspberrypi.com>  Mon, 08 Feb 2021 12:37:18 +0000

raspberrypi-sys-mods (20210125) buster; urgency=medium

  * Add Microsoft's VS Code repo on upgrade

 -- Serge Schneider <serge@raspberrypi.com>  Mon, 25 Jan 2021 16:03:24 +0000
 

[Heater]

The right thing to do now is to clean up sys-mods by removing this, repackaging it as it's own package,...

That would be great.

As I noted before, this seems to be not so easy. VSCode by itself, as it would be built from its source repo, is pretty much just and editor, an empty shell of what people expect.

A lot of the value of VSCode is in all the thousands of user contributed extensions for doing all kind of things with all kinds of source and text. That turns the bare editor into a custom IDE for your "thing". For example I use the "rust-analyser" extension for my Rust projects, providing code completions, API documentation and so on.

But those extensions are not available from the MS "Extension Marketplace" for a VSCode built from the open source repo.

That means all this thousands of extensions would have to be packaged for PiOS as well. Not something anyone wants to do.

Or that means pulling packages from an open source extensions service. But that brings us back to the worries about external connections to suspect servers we had in the first place.

And this I think is why the faux pas came to be in the first place.

[Celtus]

Sorry, I should have been clearer. I'm not suggesting to repackage vscode. I'm suggesting that a package should be created that deploys the sources and key. I should have been more precise.