rpi!123
Posts: 11
Joined: Fri Feb 05, 2021 3:47 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 2:00 pm

Below is the code I have used

Code:

sudo rm -vf /etc/apt/sources.list.d/vscode.list
sudo touch /etc/apt/sources.list.d/vscode.list
sudo chattr +i /etc/apt/sources.list.d/vscode.list
cat /etc/apt/sources.list.d/vscode.list

sudo vi /etc/hosts
# Add this line to /etc/hosts:
# 0.0.0.0		packages.microsoft.com

# To remove the gpg keys...
# Hold raspberrypi-sys-mods at its current version
sudo apt-mark hold raspberrypi-sys-mods
sudo chattr -i /etc/apt/trusted.gpg.d/microsoft.gpg
sudo rm -vf /etc/apt/trusted.gpg.d/microsoft.gpg
sudo touch /etc/apt/trusted.gpg.d/microsoft.gpg
sudo chattr +i /etc/apt/trusted.gpg.d/microsoft.gpg
sudo lsattr /etc/apt/trusted.gpg.d/microsoft.gpg

Last edited by rpi!123 on Tue Feb 23, 2021 2:55 pm, edited 1 time in total.
--- Creativity on closed source is for the company
--- Creativity on opensource is for the community

phil995511
Posts: 43
Joined: Wed May 08, 2019 2:02 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 2:20 pm

Please remove the Microsoft deposit in Raspbian OS.

It is not desirable to use proprietary software with a Linux Distribution !!

This poses ethical as well as potentially security issues.

Regards.
RPi 4 with 4 Gb of RAM @ arm_freq=2000 / over_voltage=5 / gpu_mem=192 + FLIRC case for Raspberry Pi 4 (CPU @ 69 °C max) + Beta firmware (pieeprom-2020-06-03.bin) for USB3 SSD booting + SSD Samsung 850 Pro 1To + Raspbian OS 64 Bits Beta

fruitoftheloom
Posts: 27226
Joined: Tue Mar 25, 2014 12:40 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 2:48 pm

phil995511 wrote:
Sat Feb 06, 2021 2:20 pm
Please remove the Microsoft deposit in Raspbian OS.

It is not desirable to use proprietary software with a Linux Distribution !!

This poses ethical as well as potentially security issues.

Regards.

Baloney, Poppycock & Balderdash :roll:
Take what I advise as advice not the utopian holy grail, and it is gratis !!

GlowInTheDark
Posts: 2094
Joined: Sat Nov 09, 2019 12:14 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 2:54 pm

Please remove the Microsoft deposit in Raspbian OS.
Please re-read my previous posts on this and similar threads. The Unix/Linux philosophy is "You can fix it for yourself - and that's all that matters." You should not care what other people do.
Poster of inconvenient truths.

Back from a short, unplanned vacation. Did you miss me?

rpi!123
Posts: 11
Joined: Fri Feb 05, 2021 3:47 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 3:17 pm

When there is a security vulnerability in your device caused by the Operating System and when any Cognitive Services or any Spyware AI is on the other end to take advantage of data harvesting your personal data to make profits overriding your privacy then should be more careful.

It's not like saying inject something into your device without your consent and you can remove it later. Rather you would not have any AI Spyware in the first place if your consent was important. The question is who owns the device or the infrastructure and who is in control ?

Rather than every personal device getting converted into extended arms of any AI Spyware it's better to ask the owners of the device first ?
Ask the paying customers of the product first ? Informing them as a professional vendor ?
--- Creativity on closed source is for the company
--- Creativity on opensource is for the community

BrageP
Posts: 3
Joined: Mon Oct 28, 2019 6:07 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 3:37 pm

LTolledo wrote:
Fri Feb 05, 2021 11:59 pm
just as DougieLawson mentioned... smartphones are much nastier....

so... if you are a regular/avid smartphone user (or any modern phone for that matter).... and "complaining" (aggressively/violently) here about the GPG thingy.... doesn't that make you a hypocrite? ;)
The nastiness of smartphones is just red herring and appeal to hypocrisy. It has nothing to do with the topic at hand, nor does it refute the legitimate concerns that have been brought up.

The point is that this is a stupid and bad attitude. You don't simply add a repository without alerting the user because the user types "apt upgrade", essentially giving root to a third party without question or announcement. The fact that the developers are defending it, instead of apologizing, tells everything I need to know.

This has seriously undermined my trust in the developers, so my Raspberry Pi will be using Debian from this day.

Thanks, it was fun for a while.

Johnny Mnemonic
Posts: 3
Joined: Sun Jan 31, 2021 7:39 pm

Where's the definitive explanation and instruction?

Sat Feb 06, 2021 4:58 pm

I get some people are crispy about this, even I was like whaaat?
But I want to speak directly to this and not get into a MS bashing thread (the last two were locked lol)

What does this repo do? Add the place where I can get everything if I want to download Visual Studio Code?
-I just got my Pico and want to figure this out?

When I install Visual Studio Code and run it does it really "Phone Home" and send information about me and my system?
-I think Visual Studio Code can be a powerful tool and If I have to use it to play with my Pico, sending my info to Microsoft about me and my machine might be a deal breaker.

If someone wants to remove the Repo (and whatever the GPG key is), how do they do that?
-and if I want to use Visual Studio Code can I stop it from "Phoning Home" can I do that and how?

I just want answers so I can go back to Playing with my stuff-any help is appreciated.
Moderators, can we sticky a guide to the MS Repo thing? These threads are getting heated and redundant-let's get some answers out there for us.
Thanks for any help y'all can give.

ejolson
Posts: 8581
Joined: Tue Mar 18, 2014 11:47 am

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 5:11 pm

BrageP wrote:
Sat Feb 06, 2021 3:37 pm
LTolledo wrote:
Fri Feb 05, 2021 11:59 pm
just as DougieLawson mentioned... smartphones are much nastier....

so... if you are a regular/avid smartphone user (or any modern phone for that matter).... and "complaining" (aggressively/violently) here about the GPG thingy.... doesn't that make you a hypocrite? ;)
The nastiness of smartphones is just red herring and appeal to hypocrisy. It has nothing to do with the topic at hand, nor does it refute the legitimate concerns that have been brought up.

The point is that this is a stupid and bad attitude. You don't simply add a repository without alerting the user because the user types "apt upgrade", essentially giving root to a third party without question or announcement. The fact that the developers are defending it, instead of apologizing, tells everything I need to know.

This has seriously undermined my trust in the developers, so my Raspberry Pi will be using Debian from this day.

Thanks, it was fun for a while.
For me the statement that the VS Code repository will be set to have a negative priority was a very solid response. On this forum it's important to keep in mind the difference between engineers who are not affiliated with Raspberry Pi, people who are but expressing personal opinion and those who are stating official policy.

In my opinion, one of the unique aspects of Raspberry Pi is that the company allows the engineers to talk with the customers. If you are used to only interacting with sales and public relations folk wearing suits, this can be confusing.

Back on topic, in my opinion the problem is adding an extra repository run by a third party and not Microsoft. For example, Wolfram Mathematica is available in the standard repository and likely constitutes a similar if not larger body of proprietary code. Why couldn't VS Code simply be included in a similar way?
Last edited by ejolson on Sat Feb 06, 2021 5:13 pm, edited 2 times in total.

thradtke
Posts: 724
Joined: Wed May 16, 2012 5:16 am
Location: Germany / EL

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 5:12 pm

Yes, you can switch telemetry off. Google it.
Rocket Scientist.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 30111
Joined: Sat Jul 30, 2011 7:41 pm

Re: Where's the definitive explanation and instruction?

Sat Feb 06, 2021 5:31 pm

Johnny Mnemonic wrote:
Sat Feb 06, 2021 4:58 pm
I get some people are crispy about this, even I was like whaaat?
But I want to speak directly to this and not get into a MS bashing thread (the last two were locked lol)

What does this repo do? Add the place where I can get everything if I want to download Visual Studio Code?
-I just got my Pico and want to figure this out?

When I install Visual Studio Code and run it does it really "Phone Home" and send information about me and my system?
-I think Visual Studio Code can be a powerful tool and If I have to use it to play with my Pico, sending my info to Microsoft about me and my machine might be a deal breaker.

If someone wants to remove the Repo (and whatever the GPG key is), how do they do that?
-and if I want to use Visual Studio Code can I stop it from "Phoning Home" can I do that and how?

I just want answers so I can go back to Playing with my stuff-any help is appreciated.
Moderators, can we sticky a guide to the MS Repo thing? These threads are getting heated and redundant-let's get some answers out there for us.
Thanks for any help y'all can give.

It's just a line in the repo list that tells the apt system to also search the MS repo when it looks for updates. This repo is for VSCode, the purpose is to make it as easy as possible for people to install VSCode for use with the Pico SDK. VSCode is not in the standard repos, so this is a way of making it easily accessible. The alternative is for people to download the deb or similar from the MS website and install it manually which is not really a beginner's task.

Information on what VSCode does with telemetry and how it can be disabled can be found here https://code.visualstudio.com/docs/getstarted/telemetry

Note that VSCode itself is NOT installed by the change being discussed, it's just a change in the repo list that makes it easier to download.
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Working in the Applications Team.

ejolson
Posts: 8581
Joined: Tue Mar 18, 2014 11:47 am

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 5:32 pm

thradtke wrote:
Sat Feb 06, 2021 5:12 pm
Yes, you can switch telemetry off. Google it.

After checking, it would appear that every time you run apt update it tells Microsoft that you did apt update. Thus, they know who has a Pi and how often they install security patches. The problem is not that Microsoft will abuse this information but that a criminal organisation could abuse Microsoft to get the information. Then all bets are off regarding the consequences.

It would be much better to place VS Code in the standard repository with everything else. On the other hand, by setting the priority to be negative, at least standard packages in Raspberry Pi OS won't be overwritten by accident.

I'm in favour of installing binary packages from only one source. The point is not that one source is any more trustworthy than another, but the statistical fact that two doubles the chances of things going wrong. It's clear other people don't share this concern, so all I can do is hope the next generation of teachers do a better job teaching elementary probability and statistics as well as computer science.

jamesh
Raspberry Pi Engineer & Forum Moderator
Posts: 30111
Joined: Sat Jul 30, 2011 7:41 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 5:38 pm

ejolson wrote:
Sat Feb 06, 2021 5:32 pm
thradtke wrote:
Sat Feb 06, 2021 5:12 pm
Yes, you can switch telemetry off. Google it.
After checking, it would appear that every time you run apt update it tells Microsoft that you did apt update. Thus, they know who has a Pi and how often they install security patches. The problem is not that Microsoft will abuse this information but that a criminal organisation could abuse Microsoft to get the information. Then all bets are off regarding the consequences.

It would be much better to place VS Code in the standard repository with everything else. On the other hand, by setting the priority to be negative, at least standard packages in Raspberry Pi OS won't be overwritten by accident.

I'm in favour of installing binary packages from only one source. The point is not that one source is any more trustworthy than another, but the statistical fact that two doubles the chances of things going wrong. It's clear other people don't share this concern, so all I can do is hope the next generation of teachers do a better job teaching elementary probability and statistics not to mention computer science than mine.

I think your opinion that two repos double the chances of things going wrong is flawed as it does not take into account the security of the repos being added. MS repos are extremely secure (i.e. they can afford the best in security), where iambob.repo could be anything. TBH, I'd guess that the security on the MS repo is probably better than on ours. So statistics could argue that on average adding it makes you more secure....
Principal Software Engineer at Raspberry Pi (Trading) Ltd.
Working in the Applications Team.

rpdom
Posts: 19267
Joined: Sun May 06, 2012 5:17 am
Location: Chelmsford, Essex, UK

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 5:41 pm

I've put a fair bit of thought into this.

I can appreciate the RPT point of view.

I'm not going to MS bash.

The repo allows the installation of VSCode in an easy and compatible manner. That is fine. I have no wish to install vscode, but can understand that others do and will.

The main things I have issues with (and I'm trying to be constructive here) are:

Ideally there should have been a configuration box to say "Do you want to add $foo repo to your list? This will allow you to install vscode easily to Pico development". Say "Yes" and it gets installed, "No" and it doesn't. Also a flag would be set to adhere to that choice in future (maybe popping up the message again if anything changes).

The sources.list entry adds too many architectures. This is not necessary. The install script should detect the arch of the system involved and add for armhf, arm64, i386 or amd64 only. Not a blanket add as that can mess things up (and involve downloading lists that aren't appropriate for the system).
Unreadable squiggle
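
What the extra repository line makes apt do, and the blanket architecture list raised in the post above, can both be checked on a running system. The following is an added example, not code from the thread or from Raspberry Pi: a shell audit that reports, for each APT source line, the host contacted, the `arch=` list and whether the entry is tied to one key with `signed-by=`. The sample entries, the `example` host names and the `/repos/code` path are constructed assumptions; only `packages.microsoft.com`, `vscode.list` and `microsoft.gpg` come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit one-line-style APT source entries.
# Prints one record per active entry:  file|host|arch|key|flags
#   unscoped-key : no signed-by=, so any key in trusted.gpg.d can vouch for it
#   foreign-arch : arch= lists an architecture other than the native one
# Limitation: deb822 *.sources files are not parsed.
audit_apt_sources() {
    root=${1:-/etc/apt}
    native=${2:-$(dpkg --print-architecture 2>/dev/null || echo unknown)}
    for f in "$root"/sources.list "$root"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v file="${f#"$root"/}" -v native="$native" '
        {
            sub(/#.*/, "")                          # strip comments
            if ($1 != "deb" && $1 != "deb-src") next
            rest = $0; opts = ""
            sub(/^[ \t]*deb(-src)?[ \t]+/, "", rest)
            if (substr(rest, 1, 1) == "[") {        # optional [opt=val ...] block
                rb = index(rest, "]")
                opts = substr(rest, 2, rb - 2)
                rest = substr(rest, rb + 1)
            }
            split(rest, part)                       # part[1] is the URI
            host = part[1]
            sub("^[a-z+]+://", "", host)            # drop scheme
            sub("[/:].*", "", host)                 # drop port and path
            arch = "any"; key = "any-trusted-key"
            n = split(opts, o)
            for (i = 1; i <= n; i++) {
                if (o[i] ~ /^arch=/) arch = substr(o[i], 6)
                if (o[i] ~ /^signed-by=/) key = substr(o[i], 11)
            }
            flags = ""
            if (key == "any-trusted-key") flags = flags ",unscoped-key"
            if (arch != "any") {
                m = split(arch, a, ",")
                for (j = 1; j <= m; j++)
                    if (a[j] != native) { flags = flags ",foreign-arch"; break }
            }
            if (flags == "") flags = ",ok"
            print file "|" host "|" arch "|" key "|" substr(flags, 2)
        }' "$f"
    done
}

# List the non-empty keyrings that APT trusts for every unscoped source.
global_keyrings() {
    root=${1:-/etc/apt}
    for k in "$root"/trusted.gpg.d/*; do
        if [ -f "$k" ] && [ -s "$k" ]; then echo "${k##*/}"; fi
    done
}

# Constructed sample tree so the example runs offline (entries are assumptions,
# not copied from a real system).
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/sources.list.d" "$d/trusted.gpg.d"
    echo 'deb http://deb.example.org/os stable main  # constructed distro entry' > "$d/sources.list"
    echo 'deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main' \
        > "$d/sources.list.d/vscode.list"
    echo 'deb [arch=armhf signed-by=/usr/share/keyrings/example.gpg] https://repo.example.net/apt stable main' \
        > "$d/sources.list.d/scoped.list"
    printf 'constructed-key-bytes' > "$d/trusted.gpg.d/microsoft.gpg"
    : > "$d/trusted.gpg.d/emptied.gpg"
    audit_apt_sources "$d" armhf
    global_keyrings "$d"
    rm -rf "$d"
}
demo
```

Calling `audit_apt_sources` with no arguments inspects `/etc/apt` on the live system and takes the native architecture from `dpkg --print-architecture`.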

rpi!123
Posts: 11
Joined: Fri Feb 05, 2021 3:47 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 6:53 pm

[quote]
MS repos are extremely secure (i.e. they can afford the best in security)
[/quote]

Secure for My Device / Secure for Microsoft ?
Best security afforded for who actually ?
Is my consent important here ?

clivem
Posts: 114
Joined: Sun Aug 03, 2014 11:18 am

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 7:02 pm

thradtke wrote:
Sat Feb 06, 2021 5:12 pm
Yes, you can switch telemetry off. Google it.

MICROSOFT SOFTWARE LICENSE TERMS

The software may collect information about you and your use of the software, and send that to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may opt-out of many of these scenarios, but not all, as described in the product documentation........

cleverca22
Posts: 4897
Joined: Sat Aug 18, 2012 2:33 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 7:06 pm

clivem wrote:
Sat Feb 06, 2021 7:02 pm
thradtke wrote:
Sat Feb 06, 2021 5:12 pm
Yes, you can switch telemetry off. Google it.

MICROSOFT SOFTWARE LICENSE TERMS

The software may collect information about you and your use of the software, and send that to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may opt-out of many of these scenarios, but not all, as described in the product documentation........

that only counts if you choose to install vscode
if you don't install it, then it can't run!

fruitoftheloom
Posts: 27226
Joined: Tue Mar 25, 2014 12:40 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 7:08 pm

clivem wrote:
Sat Feb 06, 2021 7:02 pm
thradtke wrote:
Sat Feb 06, 2021 5:12 pm
Yes, you can switch telemetry off. Google it.

MICROSOFT SOFTWARE LICENSE TERMS

The software may collect information about you and your use of the software, and send that to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may opt-out of many of these scenarios, but not all, as described in the product documentation........

Well yes but you are not running VS Code Software, apt update just updates the list of available software and if you have a software package installed which a newer version is available it will inform.

Tosh :roll:
Take what I advise as advice not the utopian holy grail, and it is gratis !!

clivem
Posts: 114
Joined: Sun Aug 03, 2014 11:18 am

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 7:11 pm

cleverca22 wrote:
Sat Feb 06, 2021 7:06 pm
clivem wrote:
Sat Feb 06, 2021 7:02 pm
thradtke wrote:
Sat Feb 06, 2021 5:12 pm
Yes, you can switch telemetry off. Google it.
MICROSOFT SOFTWARE LICENSE TERMS

The software may collect information about you and your use of the software, and send that to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may opt-out of many of these scenarios, but not all, as described in the product documentation........
that only counts if you choose to install vscode
if you don't install it, then it can't run!
Johnny Mnemonic wrote:
Sat Feb 06, 2021 4:58 pm
-and if I want to use Visual Studio Code can I stop it from "Phoning Home" can I do that and how?
The guy asked if he could stop it phoning home if he used it. Someone replied to say that telemetry can be turned off. Yes, it can, but not all!

asavah
Posts: 384
Joined: Thu Aug 14, 2014 12:49 am

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 7:14 pm

Personally I don't care about MS or vscode.
I'm not even running raspbian/raspios on my pies.

However given the controversy produced by the decision of _silently_ including ms repos I can advise the following:

Make ms repos opt-in via raspi-config.
It's an extra step for beginners, yes, but I think this should provide a compromise for both bands.

And extra advice:
AFAIK some European courts already ruled that software telemetry is in violation of GDPR.
Given that vscode runs on raspios and is the recommended IDE for pico-sdk some people may file a GDPR complaint against RPT/RPF.
Consult your legal team.

fruitoftheloom
Posts: 27226
Joined: Tue Mar 25, 2014 12:40 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 7:27 pm

asavah wrote:
Sat Feb 06, 2021 7:14 pm
Personally I don't care about MS or vscode.
I'm not even running raspbian/raspios on my pies.

However given the controversy produced by the decision of _silently_ including ms repos I can advise the following:

Make ms repos opt-in via raspi-config.
It's an extra step for beginners, yes, but I think this should provide a compromise for both bands.

And extra advice:
AFAIK some European courts already ruled that software telemetry is in violation of GDPR.
Given that vscode runs on raspios and is the recommended IDE for pico-sdk some people may file a GDPR complaint against RPT/RPF.
Consult your legal team.

The UK is not part of the European Union.
Take what I advise as advice not the utopian holy grail, and it is gratis !!

asavah
Posts: 384
Joined: Thu Aug 14, 2014 12:49 am

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 7:39 pm

fruitoftheloom wrote:
Sat Feb 06, 2021 7:27 pm
asavah wrote:
Sat Feb 06, 2021 7:14 pm
Personally I don't care about MS or vscode.
I'm not even running raspbian/raspios on my pies.

However given the controversy produced by the decision of _silently_ including ms repos I can advise the following:

Make ms repos opt-in via raspi-config.
It's an extra step for beginners, yes, but I think this should provide a compromise for both bands.

And extra advice:
AFAIK some European courts already ruled that software telemetry is in violation of GDPR.
Given that vscode runs on raspios and is the recommended IDE for pico-sdk some people may file a GDPR complaint against RPT/RPF.
Consult your legal team.

The UK is not part of the European Union.

RPF/RPT sells their products on EU territory, European customers are protected by European and local country laws.
Edit: many yankee sites ask for cookie consent GDPR bullshit if they detect that you are coming from EU.

fruitoftheloom
Posts: 27226
Joined: Tue Mar 25, 2014 12:40 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 7:48 pm

asavah wrote:
Sat Feb 06, 2021 7:39 pm
fruitoftheloom wrote:
Sat Feb 06, 2021 7:27 pm
asavah wrote:
Sat Feb 06, 2021 7:14 pm
Personally I don't care about MS or vscode.
I'm not even running raspbian/raspios on my pies.

However given the controversy produced by the decision of _silently_ including ms repos I can advise the following:

Make ms repos opt-in via raspi-config.
It's an extra step for beginners, yes, but I think this should provide a compromise for both bands.

And extra advice:
AFAIK some European courts already ruled that software telemetry is in violation of GDPR.
Given that vscode runs on raspios and is the recommended IDE for pico-sdk some people may file a GDPR complaint against RPT/RPF.
Consult your legal team.

The UK is not part of the European Union.
RPF/RPT sells their products on EU territory, European customers are protected by European and local country laws.
Edit: many yankee sites ask for cookie consent GDPR bullshit if they detect that you are coming from EU.

All these posts remind me of "whack-a-mole" and get more ludicrous.

It is good to see that despite a few click bait websites, the end of the world by adding the repositories has not happened.
Take what I advise as advice not the utopian holy grail, and it is gratis !!

Celtus
Posts: 23
Joined: Thu Sep 13, 2012 1:22 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 7:55 pm

I have been using and advocating Raspberry Pi for many years. Overall, I am always amazed at what a wonderful platform it is. I will continue to use and enjoy the boards, I hope, for many more years.

I believe that the level of discontent we see here is partly due to the fact that the repo is for Microsoft, a company which many in the foss communities have little love for.

All that said, I do feel it is inappropriate to install keys and sources for an entirely new and unrelated piece of software as a somewhat 'silent' change. Yes, I do now realize there was a comment. I did my updates with ansible, and was none the wiser until I read of the change elsewhere.

A previous post suggested that a raspi-config option was a better approach. I could not agree more. I'll be writing additions to my ansible play to pull out the key and list with every update going forward. Needless to say, my raspi kubes will not be running vscode, so no loss here.

This was rolled out poorly, I'm afraid. Hopefully lessons will be learned. Thanks all for a great platform. Please be careful not to let things like this give it negative publicity.

trowels
Posts: 1
Joined: Sat Feb 06, 2021 7:25 pm

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 7:55 pm

I'm disappointed by the response by the pi folks. I didn't have the highest level of trust in raspbian but I figured it was good enough to use for non-critical systems. I'm not fond of the foundation adding third parties willy-nilly into the circle of trust for packaging - that's my opinion, and no level of derogatory labeling by leadership is gonna change that, sorry.

But again, the most disappointing thing has been the treatment of those bringing up their concerns. It's not like those with concerns were particularly well-written, but the sentiment is certainly there.

(BTW, I'm a newly-registered user that's voicing my displeasure and am not that "same person registering multiple accounts" as has been accused.)

W. H. Heydt
Posts: 15395
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: Microsoft GPG key suggestion

Sat Feb 06, 2021 8:13 pm

phil995511 wrote:
Sat Feb 06, 2021 2:20 pm
Please remove the Microsoft deposit in Raspbian OS.

It is not desirable to use proprietary software with a Linux Distribution !!

This poses ethical as well as potentially security issues.

Regards.
So...you want to ditch Wolfram/Mathematica and--rather important--the binary blob required to boot a Pi in the first place? Looks like a short-sighted attitude to me.

If you don't want to run VSCode, then don't install it. If you object to having apt check an MS-hosted repository, delete it from your systems. Just don't try to tell everyone else what to do with their systems, just because you're a FOSS purist. (And that is something disclaimed by the RPF right from the beginning.)
