We were recently alerted to a tempest in a teapot: when the Raspberry Pi Foundation made it easier to install Microsoft’s Visual Studio Code development environment, some Linux users took it as a sort of Mark of the Beast, with concerns about telemetry and “what Microsoft repo secretly installed without your knowledge.”
It’s true that a recent update to the Raspberry Pi OS added a Microsoft repo to Raspberry Pi OS systems – but it’s not true that it added any actual packages at all.
Examine the changes
As it happens, my own Raspberry Pi 400 was running Ubuntu, not the Raspberry Pi OS, which made it easy to switch back and see what changes were being made to the system. Fortunately, the Raspberry Pi 400 is almost ideal for distro-hopping – all I needed to do to get a pre-update version of Pi OS running was to turn off the Pi, swap the SD card from the Ubuntu card I had been using to my old Pi OS card, and then power it back up. Presto, a pre-update Pi!
Then I made a copy of the whole `/etc/apt/` directory on the Pi 400, with `tar czvf ~/aptbackup.tar.gz /etc/apt`. With the backup in place, I ran `apt update ; apt upgrade -y` to apply all the upgrades my system had missed since it last ran Pi OS.
To make a long story short, the only change to my package manager configuration was the addition of a single file, `/etc/apt/sources.list.d/vscode.list`. That file added a single repository to my sources: `http://packages.microsoft.com/repos/code`, with branches `main`. If we look at the actual content of `http://packages.microsoft.com/repos/code`, we can see that it contains only three packages:
`apt policy code` confirms that Visual Studio Code was not actually installed on my system – it’s just easier to install (and update!) now, since the parent repository is part of my source list, along with the GPG key that verifies the contents of this repository.
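One way to do the before-and-after comparison described above, as an added example that is not from the original article. The function name, its optional `ROOT` parameter and the sample file contents in the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list what changed under /etc/apt since a backup was taken.

# apt_config_changes BACKUP_TARBALL [ROOT]
#   BACKUP_TARBALL  archive made with: tar czvf ~/aptbackup.tar.gz /etc/apt
#   ROOT            filesystem root to compare against (default /); this
#                   parameter is an assumption of the example, useful for
#                   pointing at a mounted SD card or a test tree.
apt_config_changes() {
    backup=$1
    root=${2:-/}
    tmp=$(mktemp -d) || return 1
    # tar strips the leading "/", so members are stored as etc/apt/...
    tar xzf "$backup" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    # diff -rq prints one line per added, removed or modified file. It exits 1
    # when differences exist, which is the expected case, not an error.
    { diff -rq "$tmp/etc/apt" "${root%/}/etc/apt" || true; } |
        sed "s|$tmp|<backup>|g"
    rm -rf "$tmp"
}

# Constructed demonstration: a tiny fake root, backed up, then "upgraded" by
# dropping in a vscode.list. File contents are sample values, not copied
# from a real Pi.
demo_apt_config_changes() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/etc/apt/sources.list.d"
    echo 'deb http://raspbian.raspberrypi.org/raspbian/ buster main' \
        > "$work/etc/apt/sources.list"
    tar czf "$work/aptbackup.tar.gz" -C "$work" etc/apt
    echo 'deb http://packages.microsoft.com/repos/code stable main' \
        > "$work/etc/apt/sources.list.d/vscode.list"
    apt_config_changes "$work/aptbackup.tar.gz" "$work"
    rm -rf "$work"
}
demo_apt_config_changes
```

On a real system, `apt_config_changes ~/aptbackup.tar.gz` compares the backup against the live `/etc/apt`; new repository files and new keys under `trusted.gpg.d` both show up as "Only in" lines.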
Why add a third-party repo?
Before the Pi Foundation added Microsoft’s repo for Visual Studio Code to the list, installing the IDE required some additional, and non-Linux-y, steps. You needed to open a browser, go to the Visual Studio Code download page and navigate a few minor obstacles – for example, you needed to know that your system wants `deb` files and not `rpm`, that your Pi needs ARM architecture packages, and finally whether these packages should be `ARM64` (which is different for different models of Pi).
After downloading the hopefully correct version of the Visual Studio Code package, you would need to locate the downloaded package and execute it – usually by finding it in File Manager and double-clicking it. Once that was done, you would need to authenticate as a privileged user, and eventually the package (and its dependencies) would begin downloading and installing itself on your Pi.
On the other hand, now that the `code` repo (and the GPG key) is installed on the system, one can quite easily use `sudo apt install code`. This is a more Unix-like way of doing things, it’s considerably easier, and it can be done much more easily without a GUI being available.
We can already hear some users mumbling that it was not so difficult to install VS Code the old way – and for them we would like to point out that the primary purpose of the Raspberry Pi Foundation is not to give advanced users cheap toys, it is to facilitate computer training by removing roadblocks.
The first of these barriers was undoubtedly price – it is difficult to impossible to get a full-fledged, general-purpose computing device for less than it costs to buy a Pi. But the difficulty of getting started writing code is another of these potential roadblocks – so making it easier to install a very popular IDE is very much in line with the Pi Foundation’s core mission.
What are the consequences?
With Microsoft’s VS Code repository installed on the system, the server at `http://packages.microsoft.com` gets queried to see if there are any changes in the packages it makes available. If you squint very hard and hold your mouth just right, you can claim that this is “telemetry” – you touched a Microsoft server, right?
However, in the words of Pi founder Eben Upton, this is “pretty thin gruel.” The only tool that touches that web server is `apt` itself, and it does not reveal anything about the user’s system – it only checks to see what’s in `/repos/vscode/dists/stable` and downloads the current `Contents-*.gz` file for the system architecture. On the Pi 400 it is `Contents-arm64.gz`; on older 32-bit Pis, it would be
With the contents file downloaded, `apt` then analyzes it to determine which package versions are available. This data informs `apt`’s response to any user requests to `install` a matching package name and also lets it know if there are newer versions of installed packages to be downloaded and put in place after an `apt upgrade` or `apt dist-upgrade` command. However, none of this information is leaked to Microsoft unless the user actually has installed `code`; in that case, Microsoft will know when a newer version of it is downloaded (since it also comes from `packages.microsoft.com`).
For the overwhelmingly paranoid, there is an additional possibility: if Microsoft were to make packages available in its repo with the same name as packages in the standard `raspbian.raspberrypi.org` repository specified in `/etc/apt/sources.list`, it could override the “real” system packages with others of its own production.
However, that would be an incredibly obvious change on Microsoft’s side – one that would be discovered almost immediately after the company made it – and that would effectively result in the immediate destruction of all the goodwill in the Linux community that the company has spent the past six years laboriously building. This does not seem like a reasonable concern.
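The same-name override described above can be checked for directly. The following is an added example, not part of the original article: it compares the package names in two apt `Packages` indexes and prints any name both repositories offer. The function names and the sample indexes are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a third-party apt repo offer any package name that the
# distribution's own repo also ships?

# pkg_names INDEX: sorted, unique "Package:" names from an apt Packages index
# (control-file stanzas; apt caches them in /var/lib/apt/lists/*_Packages).
pkg_names() {
    awk -F': ' '$1 == "Package" { print $2 }' "$1" | LC_ALL=C sort -u
}

# shadowed_packages THIRD_PARTY_INDEX DISTRO_INDEX
# Prints each colliding name; no output means nothing is shadowed by name.
shadowed_packages() {
    tp=$(mktemp) && di=$(mktemp) || return 1
    pkg_names "$1" > "$tp"
    pkg_names "$2" > "$di"
    LC_ALL=C comm -12 "$tp" "$di"
    rm -f "$tp" "$di"
}

# Constructed sample indexes (names and versions are illustrative only).
make_samples() {
    dir=$1
    printf 'Package: code\nVersion: 1.0-constructed\nArchitecture: arm64\n\n' \
        > "$dir/vendor_clean"
    { cat "$dir/vendor_clean"
      printf 'Package: sudo\nVersion: 99.0-constructed\nArchitecture: arm64\n\n'
    } > "$dir/vendor_shadowing"
    printf 'Package: apt\nVersion: 1.8\n\nPackage: sudo\nVersion: 1.8\n\n' \
        > "$dir/distro"
}

demo_shadow_check() {
    d=$(mktemp -d) || return 1
    make_samples "$d"
    echo "clean vendor index:     [$(shadowed_packages "$d/vendor_clean" "$d/distro")]"
    echo "shadowing vendor index: [$(shadowed_packages "$d/vendor_shadowing" "$d/distro")]"
    rm -rf "$d"
}
demo_shadow_check
```

If a collision ever appears, an `apt_preferences(5)` pin on origin `packages.microsoft.com` can keep that repository from supplying anything other than `code`.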
OK nice. What if I still do not like it?
If you have come this far and you are still upset that a Microsoft repo is present on your Raspberry Pi system, you have options. The most drastic option is to abandon the Raspberry Pi OS completely – you can always run Ubuntu on your Pi, for example. There are also ready-made vanilla Debian images available for the Pi, hosted at debian.org itself.
But it would be much easier to just disable the repository you are not happy with in the first place. There are several ways to do this: for example, you can edit or remove the `vscode.list` file itself. And if you are concerned about future Pi OS updates that put that file back or undo the change, you can add an entry to `/etc/hosts` that makes it impossible to contact the Microsoft repository in the first place:
Presto! If the system tries to check Microsoft’s repo, it will instead check … itself, which then fails. Problem solved.
Listing image by Jim Salter