The Raspberry Pi OS added a repo from Microsoft. No, it’s not an evil secret

We were recently alerted to a kind of storm in a teapot: when the Raspberry Pi Foundation made it easy to install Microsoft’s Visual Studio Code development environment, some Linux users mistook it for a kind of Mark of the Beast, with concerns being raised about telemetry and “what the Microsoft repository installed secretly without your knowledge”.

It is true that a recent Raspberry Pi OS update added a Microsoft repository to Raspberry Pi OS systems – but it is not true that it added any actual packages.

Investigating the changes

To the right of the 40-pin GPIO header, you can see the Pi 400 SD card slot. Want to play with two different distros without the hassle of uninstalling and reinstalling when you switch?  Just use two different SD cards!

Jim Salter

Fortunately, my own Raspberry Pi 400 was running Ubuntu, not Raspberry Pi OS, which made it easy to go back and see what changes had occurred in the system. The Raspberry Pi 400 is almost ideal for distro-hopping – all I needed to do to get a pre-update version of Pi OS running was to turn off my Pi, swap the Ubuntu SD card I was using for my old Pi OS card, then turn it on again. Presto, a pre-update Pi!

Then I made a copy of the entire /etc/apt/ directory on my Pi 400, with tar czvf ~/aptbackup.tar.gz /etc/apt. With the backup in place, I ran apt update ; apt upgrade -y to apply all the updates my system had missed since the last time Pi OS was run.

To make a long story short, the only change in my package management was the addition of a single file, /etc/apt/sources.list.d/vscode.list. This file added a single repository to my sources: http://packages.microsoft.com/repos/code, with branches stable and main. If we look at the actual content of http://packages.microsoft.com/repos/code, we can see that it contains only three packages: code, code-exploration and code-insiders.

Finally, running apt policy code confirms that Visual Studio Code was not actually installed on my system – it's just easier to install (and update!) now, as its parent repository is part of my sources list, along with the GPG key that verifies the contents of that repository.

Why add a third party repo?

Before the Pi Foundation added the Microsoft repository for Visual Studio Code to the sources list, installing this IDE required some extra steps that are not very Linux-like. You needed to open a web browser, go to the Visual Studio Code download page and navigate a few more minor obstacles – for example, you needed to know that your system wants deb files and not rpm, that your Pi needs ARM architecture packages and, finally, whether those packages should be ARM or ARM64 (which is different for different Pi models).

After downloading the correct version of the Visual Studio Code package, you need to locate the downloaded package and run it – usually by finding it in the File Manager and double-clicking it. That done, you need to authenticate yourself as a privileged user and, finally, the package (and its dependencies) starts to be downloaded and installed on your Pi.

In contrast, now that the code repo (and its GPG key) are installed on the system, a user can simply run sudo apt install code. This is a more Unix-like way of doing things; it is considerably simpler, and it can be performed much more easily without a GUI available as well.

We can already hear some users complaining that it was not so difficult to install VS Code the old way – and for them, we would like to point out that the main objective of the Raspberry Pi Foundation is not to provide advanced users with cheap toys; it is to facilitate computer education by removing obstacles.

The first of these obstacles, no doubt, was price – it is difficult or impossible to get a complete, general-purpose computing device for less than it costs to buy a Pi. But the difficulty of starting to write code is another one of those potential obstacles – so facilitating the installation of a very popular IDE is in line with the core mission of the Pi Foundation.

What are the consequences?

With the Microsoft repository for VS Code installed on the system, each time the system checks for updates, the server at http://packages.microsoft.com gets queried to see if there are any changes in the packages it makes available. If you squint hard and hold your mouth just right, you can argue that this is “telemetry” – you touched a Microsoft server, right?

However, this is, in the words of Pi founder Eben Upton, “very thin porridge”. The only tool that touches this Web server is apt itself, and it doesn’t reveal anything about the user’s system – it simply checks what’s inside /repos/vscode/dists/stable and downloads the appropriate Contents-*.gz file for your system architecture. On my Pi 400, this is Contents-arm64.gz; on the older 32-bit Pis, it would be Contents-armhf.gz.

With the Contents file downloaded, apt then parses it to determine which package versions are available. This data informs apt's responses to any user request to install a matching package name, and it also tells you whether there are newer versions of installed packages that must be downloaded and put in place after an apt upgrade or apt dist-upgrade command. But none of that information is leaked to Microsoft unless the user really has installed code; in that case, Microsoft will know when a newer version is downloaded (since it also comes from `packages.microsoft.com`).

For the extremely paranoid, there is one more possibility: if Microsoft made packages available in its repository with the same names as those in the standard raspbian.raspberrypi.org repository specified in /etc/apt/sources.list, it could overwrite “real” system packages with others of its own making.

However, this would be an incredibly obvious move on Microsoft's part – one that would be detected almost immediately after the company made it – and it would result in the immediate destruction of all the goodwill in the Linux community that the company has painstakingly built over the past six years. This does not seem to be a reasonable concern.
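For readers who would rather verify than trust, the name-collision scenario is easy to check for. The following is an added example, not part of the original article: it compares the package names a third-party index offers against an allowlist (the three names listed earlier) and against the base repository's names. The function names and all sample index data, including example-extra, are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): audit what a third-party apt repo offers.
# EXPECTED holds the three package names the article lists for the VS Code repo.
EXPECTED="code code-exploration code-insiders"

# Print the unique package names in an apt "Packages" index file.
index_names() {
    sed -n 's/^Package: *//p' "$1" | LC_ALL=C sort -u
}

# audit_repo THIRD_PARTY_INDEX BASE_INDEX "allowed names"
# Prints "SHADOWS name" when the third-party repo offers a name that the base
# repo also ships, and "UNEXPECTED name" for anything else outside the allowlist.
audit_repo() {
    base_names=$(index_names "$2")
    index_names "$1" | while read -r name; do
        if printf '%s\n' "$base_names" | grep -qxF -- "$name"; then
            echo "SHADOWS $name"
        else
            case " $3 " in
                *" $name "*) ;;
                *) echo "UNEXPECTED $name" ;;
            esac
        fi
    done
}

# Write constructed sample indexes (hypothetical data) into directory $1.
make_samples() {
    printf 'Package: %s\nVersion: 1.0\n\n' libc6 apt bash > "$1/base"
    printf 'Package: %s\nVersion: 1.0\n\n' $EXPECTED > "$1/ms_clean"
    printf 'Package: %s\nVersion: 1.0\n\n' $EXPECTED libc6 example-extra \
        > "$1/ms_tampered"
}

# Demo on the constructed data: the clean index is silent, the tampered one is not.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
audit_repo "$demo_dir/ms_clean" "$demo_dir/base" "$EXPECTED"
audit_repo "$demo_dir/ms_tampered" "$demo_dir/base" "$EXPECTED"
rm -rf "$demo_dir"
```

On a real system, the inputs would be the downloaded Packages index files that apt keeps under /var/lib/apt/lists/; their exact file names depend on the repository URL and architecture.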

OK, all right. What if I still don’t like it?

If you made it this far and are still upset about the presence of a Microsoft repo on your Raspberry Pi system, you have options. The most nuclear option is to totally discard the Raspberry Pi OS – you can always run Ubuntu on your Pi, for example. There are also pre-made Debian images available for Pi, hosted at debian.org itself.

But it would be much simpler to just nerf the repository you are unhappy with in the first place. There are several ways to do this: for example, you can edit or remove the vscode.list file itself. And if you’re concerned about future Pi OS updates putting that file back or undoing your change, you can add an entry to /etc/hosts that makes it impossible to contact the Microsoft repository in the first place:

127.0.0.1    packages.microsoft.com

Presto! If your system tries to check the Microsoft repository, it will check … itself, which will fail. Problem solved.
