Linux

Microsoft repo secretly installed on all Raspberry Pi’s Linux OS

Raspberry Pi is a little useful computer for learning programming and building projects. It comes with Debian Linux based modified operating system called Raspbian. It is the most widely installed OS on RPi. In a recent update, the Raspberry Pi OS installed a Microsoft apt repository on all machines running Raspberry Pi OS without the person’s or admin’s knowledge. Every time a Raspbian device is updated by having this repo, it will ping a Microsoft server. Microsoft telemetry has a bad reputation in the Linux community. Let us see why and how this matters to Linux users.

Microsoft repo secretly installed on all Raspberry Pi’s Linux OS

Let us find out what this repo contains:
ssh pi@192.168.2.180
Here is how we can confirm it:

lsb_release -a
ls -l /etc/apt/sources.list.d/
ls -l /etc/apt/trusted.gpg.d/
cat /etc/apt/sources.list.d/vscode.list

Let see what Microsoft repo secretly installed without your knowledge on Raspberry PI contains:

curl -s http://packages.microsoft.com/repos/code/dists/stable/main/binary-arm64/Packages 
| grep "^Package: " 
| cut -d" " -f2 
| sort -u


It seems that it contains VS Code IDE for your Raspberry Pi. Now keep in mind this is a server with a lite image, and there is no need to install this on my old RPi 2. Naturally, it made many Linux users unhappy. To make matters worse, the official Raspberry Pi forums admins quickly locked down and deleted the topic threads, claiming it was “Microsoft bashing.”

Why is this bad news?

It seems RPi foundation officially recommends MS IDE, and hence this was included Raspberry Pi OS. They should keep this to GUI image for kids or anyone who wish to to learn Python and other stuff using VS Code. Most Linux geeks and power users use RPi as a git server or adblocker and so on as a headless server. There is always a trust issue when unwanted software repo configured and gpg keys are installed secretly, which is the main issue. What other problems Linux users may face:

  1. By using forced MS repo on my RPi 2, MS controls the software I install. For example, when I run `apt install app,` I will get an app distributed and modified by MS. Maybe they will not do anything evil, but I don’t want anything to do with them.
  2. Hardcore Linux users like me (or anyone who works in infosec/IT) will never trust Microsoft or Raspberry Pi OS to install such a repo secretly.
  3. Microsoft may collect more info about RPi and Linux users as many try to reduce their digital footprint such as your IP address and build a profile about you.
  4. Every apt-get update command pingback to MS repo.
  5. If you or any family members logged into the MS ecosystem such as Github, Bing, Office/Live, they could identify and track you when using same shared public IP at home.

If you are okay with this, then stop reading and go back to your life. Nothing is wrong with that. But, if you are not okay with such a change. Here are some options for you.

1. Stop using Raspbian

This is the best possible solution. I will probably switch to plain Debian for RPi 2. Other operating system includes:

2. Block Microsoft VSCode if you still want to use Raspbian OS

Edit your /etc/hosts on RPI (or add that domain to your Pi-Hole)
sudo vim /etc/hosts
Add the following line:
0.0.0.0 packages.microsoft.com
Save and close the file in vim. Put Debian package on hold so that it will not install further updates:
sudo apt-mark hold raspberrypi-sys-mods
Delete Microsoft’s GPG key using the rm command:
sudo rm -vf /etc/apt/trusted.gpg.d/microsoft.gpg
Make sure new keys cannot be installed:
sudo touch /etc/apt/trusted.gpg.d/microsoft.gpg
Next, write protect that file on Linux using the chattr command:
sudo chattr +i /etc/apt/trusted.gpg.d/microsoft.gpg
lsattr /etc/apt/trusted.gpg.d/microsoft.gpg

3. Use VSCode safety, especially when your kids are using it

VSCode has telemetry too, use a version of VSCode with telemetry removed:

Free/Libre open source software binaries of VSCode with all telemetry removed

Someone notified me about vscodium-deb-rpm-repo.

Summing up

Truth to be told, RPis is not 100% opensource. Like Intel and AMD CPU/GPU, it comes with a binary closed source firmware too. However, that doesn’t mean, install unwanted software repo and gpg keys secretly on your device without your knowledge. That is what malware does, and hence Linux and the opensource community are upset. I hope they will fix it. Check out Reddit thread with many more suggestions. RPis/OS maintainer should have published a blog post about such a notable change, and doing so without informing RPis users is not great. What do you think? Let us know in the comment section below.

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to top button
%d bloggers like this:

Adblock Detected

Please consider supporting us by disabling your ad blocker