• Microsoft repo secretly installed on all Raspberry Pi’s Linux OS

    #2341916

    https://www.cyberciti.biz/linux-news/heads-up-microsoft-repo-secretly-installed-on-all-raspberry-pis-linux-os/

    Raspberry Pi is a little useful computer for learning programming and building projects. It comes with Debian Linux based modified operating system called Raspbian. It is the most widely installed OS on RPi. In a recent update, the Raspberry Pi OS installed a Microsoft apt repository on all machines running Raspberry Pi OS without the person’s or admin’s knowledge. Every time a Raspbian device is updated by having this repo, it will ping a Microsoft server. Microsoft telemetry has a bad reputation in the Linux community. Let us see why and how this matters to Linux users…

    Günter Born has also picked this up: https://borncity.com/win/2021/02/08/linux-os-secretly-installs-microsoft-repo-on-raspberry-pi/

    ..However, since Microsoft telemetry has a bad reputation in the Linux community, there was soon quite an uproar on the Raspberry Pi forum. Unfortunately, the story then got worse, as the admins of the official Raspberry Pi forum quickly locked and deleted the topic threads, claiming it was “Microsoft bashing”

    • This topic was modified 4 years, 1 month ago by Alex5723.
    1 user thanked author for this post.
    • #2342028

      ? says:

      thanks, Alex,

      no Pi for me, raspberry or otherwise. don’t want to bash microsoft anymore either, just run linux as long as i can before they are assimilated by the dark side…

    • #2342077

      Storm in a raspberry tea cup?

      According to the blogger who wrote the article in Borncity: “I’d say: This is an action that failed pretty much – although it seems that it was a bug, that has been corrected, as an anonymous reader posted on a comment on Vivek Gites blog post. And since some blog reader already use a Raspberry Pi, I didn’t want to withhold this from you.”

      (Now, if I saw someone bashing MS, I might not be lightning quick to jump in to stop it, as I’ll probably have other things to attend to.)

      Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

      MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
      Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
      macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

    • #2342092

      This is only of interest if you run Raspbian, which is not the officially supported Raspberry Pi OS

      cheers, Paul

      1 user thanked author for this post.
      • #2342226

        Third sentence at that link says, “Raspberry Pi OS (previously called Raspbian)” is our official supported operating system.

        Are they not the same thing?

        • #2342363

          Not according to Raspbian.

          Raspbian is not affiliated with the Raspberry Pi Foundation

          cheers, Paul

          • #2342428

            Hmmmm, interesting. The Raspbian site also says the following about “Raspberry Pi foundation Raspbian Images“:

            The Raspberry Pi Foundation has produced and released their own recommended image of Raspbian. Because this image and subsequent updates will be used by 100,000’s of Raspberry Pi users, it should be considered the best supported. However it should be remembered that this image is created by the raspberry Pi foundation not the Raspbian project and as such we don’t control what is in it. This image can be downloaded directly from the Raspberry Pi Website Downloads Page.

            Both the Raspberry Pi Foundation and Raspbian seem to have intentionally avoided using the word “fork”, so sort of unclear if future “Raspberry Pi OS” development will be downstream from Raspbian, or if Raspberry Pi Foundation has decided to bring future development in-house for some reason?

            Surprising, as stuff like this usually blows up in the open source community, but hadn’t heard anything about this other than mention of a name change (i.e., “Raspberry Pi OS (previously called Raspbian)”).

    • #2342128

      Every time a Raspbian device is updated by having this repo, it will ping a Microsoft server.

      And?

      It’s not bad just because a Microsoft server is involved. Debian’s apt package manager (which is also used by Debian derivatives, like Ubuntu, Mint, PopOS, Neon, etc.) isn’t doing data collection on behalf of Microsoft. It’s merely asking for an updated list of the files offered by that repo. All the server knows is that someone somewhere wanted a list of files! It has to have your IP address to know where to send the file list, but what good does that plus the knowledge that someone requested a file list do for MS?

      I understand being suspicious of Microsoft, but this is harmless. If you don’t want the repo installed on your Pi, delete it. It won’t result in any data being sent to Microsoft if you don’t, though.

      I have a Microsoft repo enabled in my Neon PCs, FWIW. I use it to get the newest versions of Edge so I can evaluate it and see how it differs from Chromium. I don’t actually use Edge for anything beyond that, as that will result in disclosure of data to MS, but just having the repo enabled doesn’t mean anything. When I see that a new version of Edge is available, I decide whether or not I will allow it (thus far I have always allowed it, since watching the progress is the point), and apt handles it.

      The Wireshark tests some have done with Edge show that it is very chatty with Microsoft servers, much as Chrome is with Google servers, so I would definitely think twice about using them for anything “real,” especially Chrome. As bad as MS has become with telemetry, they’ve got nothing on Google.

      Do I believe that either Google or Microsoft would build a Trojan malware into their browser that would make it a risk just to have on my PC? I do not. That said, I keep Chrome proper off of my devices (phone included) out of principle, not because I think it’s going to do bad things to me even though I don’t use it.

      Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
      XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
      Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

      • #2342131

        Many people are moving to Linux because they want nothing to do with Microsoft.
        Sneakily installing a Microsoft app/components.. without notifying users is a long-time Microsoft tactic.
        I don’t know whose initiative this move was, Microsoft’s or Raspbian’s, but I do know that when such a behavior is found and there is an outcry, then it is a “bug” that gets “fixed”.

        Microsoft Edge has been sneakily installing apps without user permission

        Microsoft Hears The Outrage And Pauses Sneaky Installation Of App Shortcuts On Windows 10 PCs

        Microsoft Edge Accused of Sneakily Importing Firefox Data on Windows 10

        • #2342150

          And Edge is installed in Raspbian is it?

          If you had read the article you would know it’s for the VS code repo, which makes sense in a development environment.

          cheers, Paul

        • #2342249

          Many people are moving to Linux because they want nothing to do with Microsoft. Sneakily installing a Microsoft app/components.. without notifying users is a long-time Microsoft tactic.

          But it’s not installing a Microsoft app or components. It’s just installing the repository, which is nothing more than adding the URL of the repo to the apt sources (and the security key that goes with it, used to make sure the packages are the real ones from the repo and not altered ones that may have come from a “man in the middle” attack, for example) so that whatever programs are offered from that repo are available to the user of the device from the package manager. That individual still has to select and install any Microsoft items manually, if any are desired.

          Until then, the only thing downloaded from Microsoft is a list of packages they offer for installation, which is done without sending any unique or identifying user information to Microsoft. It’s not much different than viewing a list of Microsoft files available for download (anonymously) from a web browser.

          I don’t know the specifics of the situation, but I don’t know how the conclusion that the repo was “secretly” added was reached.

          Every distro comes with whatever repos the devs of that distro thought would be appropriate. That changes sometimes, as in this case. Distros consist of thousands of packages that are all being developed independently, and it is up to the distro maintainer to select which versions of each package will be used, along with what settings will be used in each of them, and in doing so, to “tune” the finished product for a given role.

          Kali Linux, for example, is specially built for penetration testing of networks. Some distros are set up for server use (and these may not even have a GUI), while others, like the discontinued Scientific Linux, are or were meant for even more specialized purposes, like scientific research. The desktop versions of Ubuntu are general-purpose operating systems, while the distro I use, KDE Neon, is a minimal installation of the most recent Ubuntu LTS with a rolling release schedule of KDE’s software on top of that, which is offered by KDE as a tech demo of what they have to offer (though many of us use it as a general purpose distro).

          Each distro has packages, settings, and repo offerings that reflect its purpose. Apparently, the maintainers of Raspbian decided that the role of their distro meant that adding this repo set up was a good idea. Since they recommend the MS dev tools as the best for what the distro is meant for, it makes sense to include the repo. Again, no actual MS program is installed… just a link to a MS server so that people can easily choose to install the MS dev tools if they want them.

          This kind of change would have been sent to the users in a package whose friendly name (that the user would have seen at the time it was updated) was probably something like “system settings” or something more specific, like “software sources.” It wouldn’t make the changes until the user had ok’d the update and told it to begin installing, if Raspbian is anything like Ubuntu and its derivatives (which, like Raspbian, are derivatives of Debian).

          Are these changes “secret” because the user didn’t check what was in the system settings package prior to installing it? I would say not.

          I can’t say for sure that the changes weren’t hidden in some other package that the user would not think would change the software repo list, which would make it seem like something sneaky was going on, but I doubt that’s what happened.

          If it bothers someone to have the MS repo, it’s a simple thing to delete it. I’m a pretty harsh critic of MS at times, and I’m certainly one who left the Windows world in favor of Linux to get away from Microsoft and their desire to control my PC, but I really don’t see the harm in this.

          Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
          XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
          Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)

          1 user thanked author for this post.
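
The post above describes a repository as a URL in the apt sources plus its signing key. As an added example (not part of any forum post), the following shell functions list the hosts apt is configured to contact and flag any outside an allowlist; the allowlist value, the `*.example` hosts and the sample files are constructed assumptions.

```shell
#!/bin/sh
# Print "file<TAB>host" for each non-commented repository entry in the given
# files: one-line "deb ..." entries (*.list) and deb822 "URIs:" fields (*.sources).
apt_repo_hosts() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            function host(uri,  h) {
                h = uri
                sub("^[a-z0-9+.-]+://", "", h)    # drop the scheme
                sub("[/:].*$", "", h)             # drop path and port
                return h
            }
            /^[ \t]*#/ { next }                   # commented-out entry
            $1 == "deb" || $1 == "deb-src" {
                i = 2
                if ($i ~ /^\[/) {                 # skip [arch=... signed-by=...]
                    while (i <= NF && $i !~ /\]$/) i++
                    i++
                }
                if (i <= NF) print file "\t" host($i)
                next
            }
            $1 == "URIs:" { for (i = 2; i <= NF; i++) print file "\t" host($i) }
        ' "$f"
    done
}

# Print only entries whose host is not in the space-separated allowlist ($1).
unexpected_apt_repos() {
    allow=" $1 "; shift
    apt_repo_hosts "$@" | while IFS="$(printf '\t')" read -r file h; do
        case "$allow" in
            *" $h "*) ;;                          # expected mirror, stay quiet
            *) printf '%s\t%s\n' "$file" "$h" ;;
        esac
    done
}

# Constructed sample: a distro mirror plus a vendor repo added by an update.
demo() {
    d=$(mktemp -d)
    printf 'deb http://mirror.distro.example/os/ stable main\n' > "$d/sources.list"
    printf '# added by a package update\ndeb [arch=amd64,arm64] https://packages.vendor.example/repos/tool stable main\n' > "$d/vendor.list"
    unexpected_apt_repos "mirror.distro.example" "$d"/*.list
    rm -rf "$d"
}
demo
```

On a real system, pass `/etc/apt/sources.list` and the files under `/etc/apt/sources.list.d/` instead of the constructed directory, with the allowlist set to the mirrors the distro ships.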
    • #2342230

      And Edge is installed in Raspbian is it?

      If you had read the article you would know it’s for the VS code repo, which makes sense in a development environment.

      cheers, Paul

      Microsoft’s behavior is a long-time tactic whether it is Windows, Linux…or browsers
      https://www.theverge.com/2020/1/22/21077280/microsoft-chrome-bing-extension-office-365-proplus-installer-default-search-engine

      • #2342239

        Never actually happened though, did it?

        Several things have to happen for the Microsoft Search in Bing extension to be installed for Google Chrome on the user’s device.

        You must opt in by configuring a setting in the Microsoft Search section of the Microsoft 365 admin center.

        How does the Microsoft Search in Bing extension for Google Chrome get installed?

      • #2342257

        Alex: “Microsoft’s behavior is a long time tactic whether it is Windows, Linux…”

        But, depending on whom you ask, this is either the doing of the people in charge of the Raspberry Pi operating system who added the MS URL to the list of repos to be searched for updates when so required, or the result of a system bug. Neither opinion, whichever one happens to be the true one, means that MS has had anything to do with it, beyond existing.

        This does not mean that MS is run by angels with wings and harps, but neither does this mean it is responsible for every reported trouble whenever “MS” is mentioned. (Although its past behavior explains why people might be ready to suspect it of doing something underhand and self-serving and against the user’s best interest whenever it is mentioned in the same breath with something suspicious or bad.)

        Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).

        MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
        Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
        macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV

        1 user thanked author for this post.
    • #2342883

      If it’s included in the Sources Lists then it’s going to get picked up by the Linux distro’s package manager and the package manager will get that info and so will the update manager so the Package List will get downloaded but not result in any actual application’s installation and that’s checked against any software that may or may not be installed on one’s Linux distro.

      So for me on Linux Mint that’s Synaptic and Mint’s Software Manager for any installed and not installed packages that are on the sources lists and made available to the package manager on any Linux distro.

      So Linux Mint’s Update manager is the update manager to the already installed applications and Synaptic that has its own Front end as well that’s looking at all the repositories on all the sources lists for software packages, installed or not, to either offer updates to already installed packages (Via Mint’s Update Manager) and maintain lists of applications that can be installed and offered to end users (Via Mint’s Software Manager).

      So that requires some degree of background telemetry that’s going on with the sources lists but nothing actually gets installed without root access and no one on Mint/Linux logs in with root access and any installation of software requires the Administrator’s password to be entered unless the end user initiates a root terminal session that’s again requiring an Admin password to initiate, ditto for sudo with the admin password and doing things from the terminal with temporary root access for that single sudo command!

      So I’m not talking about Flatpaks or Snaps and all what that entails with regards to Mint! But that sources lists has to be end user initiated or be included as part of the Distro Maintainers default sources lists. But just having a sources list made available does not necessarily point to something nefarious going on!

       

       
