The Raspberry Pi Foundation secretly installed a Microsoft repository

Several days ago it emerged that, as part of a recent update to Raspberry Pi OS, the Raspberry Pi Foundation added a Microsoft package repository to every board that pulls updates from its OS, without the knowledge of their owners.

The move has not gone unnoticed in the Linux community, which is increasingly vocal against lack of transparency and telemetry. Raspberry Pi board users are discussing the inclusion of a Microsoft repository in Raspberry Pi OS, along with a Microsoft GPG key so that packages from that repository are trusted by apt.

The Microsoft repository is added by the raspberrypi-sys-mods package, which contains scripts and settings specific to the operating system.

The package's post-installation script drops a source file into /etc/apt/sources.list.d pointing at the repository that distributes the Visual Studio Code development environment. The main complaint is that the Microsoft repository and its signing key were added without warning users.

The idea behind adding the Microsoft apt repository is to make it easier to use the Visual Studio Code development environment.

Officially the reason is to support Microsoft's IDE (!), but you get it even if you installed from a clean image and run your Pi headless, with no GUI at all. This means that every time you run "apt update" on your Pi, you are contacting a Microsoft server.

They also install the Microsoft GPG key used to sign packages from that repository. This can lead to a scenario where an update pulls a dependency from the Microsoft repository and the system trusts that package automatically: if the repository ever publishes a package with the same name and a higher version than one already on your system, "apt upgrade" will install it without complaint, unless you have set up apt pinning to prevent it.

The repository was installed silently, without user consent, and the Raspberry Pi Foundation did not prepare users for the change with a dedicated blog post.

Annoyed users point out that this behavior is dangerous for two reasons:

First, whenever repository metadata is refreshed while installing or updating packages, the package manager contacts every configured repository, so the Microsoft server accumulates the IP addresses of all Raspberry Pi OS users, which could be used to build a user profile.

Such a profile could be used, for example, for targeted advertising when someone logs into Microsoft services from the same IP address.

Second, the Microsoft repository is added as fully trusted, despite not being under the control of the Raspberry Pi OS developers, and users were never asked to confirm the addition of the Microsoft GPG key. If Microsoft's infrastructure were compromised, such a repository could be used to distribute fake updates that replace standard packages or their dependencies.

One of them even goes on to say:

«This is the way you do things all the time "for similar problems" without informing the owners of your line of single board computers.» Users have also recalled the tensions between Linux and Microsoft over telemetry.

Finally, it is noted that the community-maintained Raspbian distribution is not affected by the problem; the change applies only to Raspberry Pi OS, the variant of Raspbian maintained by the Raspberry Pi Foundation.

Another option, if you want to keep using Raspberry Pi OS, is to avoid Visual Studio Code altogether. Visual Studio Code ships with telemetry enabled, so many users find VSCodium, a build of the same source without Microsoft's telemetry, more suitable.

To remove access to Microsoft servers from Raspberry Pi OS, comment out the contents of /etc/apt/sources.list.d/vscode.list and delete /etc/apt/trusted.gpg.d/microsoft.gpg. Since it is the raspberrypi-sys-mods post-installation script that created these files, check that they are still gone after that package is next upgraded, and confirm with "apt-cache policy" that no packages.microsoft.com origin is listed any more.

Additionally, "127.0.0.1 packages.microsoft.com" can be added to /etc/hosts to block requests. Note that this only makes the connection fail: if the source file is still active, "apt update" will report fetch errors for it, so treat the hosts entry as a backstop rather than a replacement for disabling the source.
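The following script, added here as an example and not part of the original article or of Raspberry Pi OS, performs the three steps above (comment out the source, remove the key, add the hosts entry) and then counts how many active apt sources still refer to packages.microsoft.com. The root directory argument is an assumption for testing against a scratch copy of the file tree; on a real Pi you would run it as root against /.

```shell
#!/bin/sh
# Added example (not from the original article): undo the Microsoft apt
# repository that raspberrypi-sys-mods added to Raspberry Pi OS.
# The first argument is the root of the file tree to operate on; "/" on a
# real system, a scratch directory when testing (an assumption of this script).
set -eu

MS_HOST="packages.microsoft.com"

# Comment out every "deb"/"deb-src" line in vscode.list rather than deleting
# the file, so the source is disabled but the edit is visible and reversible.
disable_ms_source() {
    root="${1:-}"
    f="$root/etc/apt/sources.list.d/vscode.list"
    [ -f "$f" ] || return 0
    tmp="$f.tmp"
    sed 's/^[[:space:]]*deb/# &/' "$f" > "$tmp" && mv "$tmp" "$f"
}

# Drop the Microsoft signing key so nothing signed by it is trusted any more.
remove_ms_key() {
    root="${1:-}"
    rm -f "$root/etc/apt/trusted.gpg.d/microsoft.gpg"
}

# Point the repository hostname at loopback, once, as a backstop.
block_ms_host() {
    root="${1:-}"
    h="$root/etc/hosts"
    grep -q "[[:space:]]$MS_HOST\$" "$h" 2>/dev/null ||
        printf '127.0.0.1 %s\n' "$MS_HOST" >> "$h"
}

# Count non-comment lines across all apt source lists that still name the
# Microsoft host. 0 means apt will no longer contact it on "apt update".
ms_refs_remaining() {
    root="${1:-}"
    cat "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list 2>/dev/null |
        grep -v '^[[:space:]]*#' | grep -c "$MS_HOST" || true
}

main() {
    root="${1:-}"
    disable_ms_source "$root"
    remove_ms_key "$root"
    block_ms_host "$root"
    echo "active apt references to $MS_HOST: $(ms_refs_remaining "$root")"
    # On a live system, finish with:
    #   sudo apt update && apt-cache policy | grep -i microsoft || echo "no Microsoft origin"
}

# Only act when a root is given explicitly, e.g.:  sudo sh remove-ms-repo.sh /
[ "$#" -eq 0 ] || main "$1"
```

Run it as `sudo sh remove-ms-repo.sh /`; with no argument it defines the functions and does nothing, which is what makes it safe to source or test. Re-run it after any upgrade of raspberrypi-sys-mods and check that the reported count is still 0.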

Finally, if you are interested in knowing more about it, you can consult the following link. 

