Microsoft repositories found in the Raspberry Pi OS sources

Ratna

Hi Nicolas, do you envisage any consequences from the Microsoft repository (and signing key) debacle of the Raspberry Pi OS? Luckily the current MoodleBox is from November 2020. So I safely assume that MB not phoning Microsoft nor accepting software from there repository automatically. How about the future? I am already testing Ubuntu for my RPi projects.

For those, who haven't heard the news, here are some pointers:

https://www.cyberciti.biz/linux-news/heads-up-microsoft-repo-secretly-installed-on-all-raspberry-pis-linux-os/
also reported on /. https://slashdot.org/story/21/02/06/2020248/raspberry-pi-os-accused-of-phoning-home-to-microsoft
a community view https://odysee.com/@TheLinuxGamer:f/Microsoft-infiltrates-Raspberry-Pi-OS:a
and from somebody who understands technology and politics https://odysee.com/@Lunduke:e/RaspberryPiMicrosoftRepo:8

Nicolas

First of all, I would not say that this was "secretly" added as some of your links suggests: this was clearly indicated in the logs and in the commit history, which I happen to read both regularly 😀 See also this article from ArsTechnica.

But the Raspberry Foundation should have maybe communicated more and/or better…

As for the MoodleBox: there's absolutely no consequence, since no Microsoft software is installed, unless the user asks for it, and there's no risk some other software can overwrite legitimate software, since the repository has been given a low priority (see this commit). Moreover, there's no "phone home" to MS. So you should not worry too much IMHO.

Anyway, since MoodleBox is a headless system and VScode is not needed on it, the address and the GPG key of the MS repo won't be present in future versions of the MoodleBox image (just like in all the previous images).

PS. One can remove manually the key and address from any Pi by entering this command in your MoodleBox (at your own risk, don't blame me if you brick your system):

rm -f /etc/apt/sources.list.d/vscode.list /etc/apt/trusted.gpg.d/microsoft.gpg

Ratna

Nicolas I know the details of the issue. And I know how to remove the Microsoft traces from Rasperry Pi OS. My question was an official statement from you whether you remove those traces from MoodleBox when you package it. Your clear answer is Yes. That is sufficient for me.

Nicolas

Ratna I know how to remove the Microsoft traces from Rasperry Pi OS

Yes, I'm sure this is the case.

In addition to answer your concerns, my above post is also intended to give people on this forum a bit of context of the situation and a easy mean to do themselves the "remove" operation, without having to look around.

Nicolas

As always, it's possible to follow the development on the MoodleBox repository on GitHub.

Nicolas

MS repo were removed from Raspberry future images.

Just launch sudo apt-get update && sudo apt-get upgrade -y to have them removed it you've them installed.

Ratna

Nicolas Such is the power of Open Source, resp. its community!

Nevertheless I don't like the Raspberry Pi commander's first reaction to the incident: https://twitter.com/EbenUpton/status/1357058711873871872.

Have to forget, the good things vastly overweigh this misstep.