Microsoft repo and key are automatically added to Raspberry Pis

A couple weeks ago, I noticed when running apt-get upgrade on one of my Pi projects that a new repository was added.

VSCode Repository added to Raspberry Pi OS automatically during apt upgrade

It was a little odd, because Linux distributions don't typically 'inject' new repositories like this. And it was even stranger because this particular repository was for VSCode, from Microsoft.

The Raspberry Pi Foundation just posted an article to their blog about Visual Studio Code coming to the Raspberry Pi—but that post didn't address any of the controversy surrounding this change.

There's also a video that goes along with this post: Is Microsoft Spying on your Raspberry Pi?

What Happened

In late 2020, Microsoft released a version of VSCode compatible with the Raspberry Pi.

In early February this year, the Raspberry Pi OS team added an automatic update that installs Microsoft's GPG key and a Microsoft repo source on all Raspberry Pis running Pi OS.

After the install, whenever someone on Pi OS runs apt update, the Pi will reach out and check Microsoft's apt server for any updates.

VSCode isn't automatically installed—at least not yet. And the amount of data Microsoft can get from this apt configuration is minimal (though some would argue getting the IP addresses of most Raspberry Pis connected to the Internet would be a privacy violation in itself). But that's not the main concern people have with this action.

VSCode Concerns

First let's talk about VSCode.

VSCode Telemetry option on Raspberry Pi

By default, it has 'telemetry' that sends out system and usage information to Microsoft if you install it. This telemetry is annoying at best, but concerning if you care about privacy. The telemetry can be disabled, but most people would rather have it be opt-in versus opt-out.

Worse than that, VSCode's source code is open source, but the binary you install is not, since it includes some extra bits that are built in by Microsoft outside of the public source tree.

This makes VSCode non-free software, and it should be marked as such if following typical Debian packaging standards (though the Pi Foundation is under no such obligation).

VSCode Alternatives

Many in the community pointed out that VSCodium is truly open source, end-to-end, and would be a worthy inclusion in the free and open source spirit. There aren't any giant corporations pushing that project, so why not include VSCodium in the default repositories and recommend people install it instead?

I learned recently that Microsoft's licensing for VSCode extensions is restrictive to the point that many extensions are not made available separately to open source VSCodium installs, meaning many popular extensions won't work if you want to use an unencumbered version of VSCode. Go figure.

Well, I know Microsoft would love to have more inroads in 'educational computing'. VSCode on the Pi could allow them to more directly integrate Microsoft services like Azure IoT into people's projects, thus making it less appealing to use competing IoT services like those from Amazon.

I won't speculate on the relationship Microsoft has with the Raspberry Pi Foundation or Raspberry Pi Trading, but I'm guessing there is some incentive for Microsoft besides just 'goodwill,' especially considering the official Raspberry Pi blog post showing how to use VSCode on the Pi was penned by a Senior Cloud Advocate from Microsoft who's involved in promoting Azure's IoT platform.

Why so angry?

But what made people so fired up about this? It's the Raspberry Pi Foundation's right to add in software they believe will be loved by their users, right?

The problem is that many Pi users noticed a Microsoft repository being added to their Raspberry Pis unannounced, and when they followed the breadcrumbs back to the raspberrypi-sys-mods GitHub repository, the code that did the automatic push wasn't even present for further auditing until days after the repo was already installed.

What's more, when users posted their concerns to the Raspberry Pi Forums, many threads about the situation were locked or deleted.

Sure, you can just not install VSCode, but the apt repo is still pushed to your Pi unless you explicitly ignore it, which is hard to do if you don't know it's coming.

It didn't help when someone asked Eben Upton about the situation on Twitter. This was his response to the situation:

Sorry: I can't understand why you think this was a controversial thing to do. We do things of this sort all the time without putting out a blog post about how to opt out.

I can't imagine someone like Eben, who's been in the industry for years, not seeing what's controversial about something from Microsoft being automatically added to a Linux OS without any user interaction or prior warning.

Sure, Microsoft's been coming around to the open source way, slowly but surely. But Pi OS is built on Linux, and most in the Linux community aren't willing to give Microsoft a free pass. They have to earn their standing in the open source community, and pushing non-free software into educational Linux-based computers isn't the way.

Force push non-free repos to all Raspberry Pis - This is not the way

Finally, many people argue "you're fine with Android and Alexa collecting all your information, but not Microsoft?"

Not only is that a false equivalence, many who share these concerns don't use Alexa or Android for exactly that reason.

Aren't you just overblowing the situation?

There are some people making a mountain out of a mole hill. I don't think the Pi Foundation has any nefarious plans here. And I don't think Microsoft is going to be injecting software in Pis anytime soon now that they have their GPG key and a default repo installed everywhere. Well, hopefully they won't.

Assuming the best intent, I can see the argument that VSCode is a popular code editor, and that it would help the Pi's outreach if it were easily available to anyone using a Raspberry Pi.

I've run a local development survey for the Drupal community for three years now, and it's amazing how quickly VSCode has surpassed most other editors in usage—at least for web-based projects.

From the Raspberry Pi Foundation's perspective, VSCode is a popular mainstream code editor, and making it easy to install on the Raspberry Pi is a worthy goal, if you want people to consider using a Pi as their main computer.

And it's not like the Pi Foundation is scot-free in terms of being 100% free and open source. Pis still require a closed-source binary blob for booting and for the GPU, and that's been a thorn in the side of the Pi open source community for years.

As a pragmatic programmer, I understand the motivations behind this inclusion, but it does erode some of the trust I have in the Pi Foundation to be good stewards of Raspberry Pi OS.

It's not that hard to teach someone the three or four terminal commands to add a third party repository to the Raspberry Pi, and I'd much rather the Pi Foundation teach people that, than force it on everyone:

wget -qO - https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -
echo "deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main" | sudo tee -a /etc/apt/sources.list.d/vscode.list
sudo apt-get update

Will I still use Raspberry Pi OS? Yes, I'm using both the 32-bit and 64-bit versions for various projects.

But will this action cause me to consider Ubuntu for Pi or any of the other ARM Linux builds more often? Most definitely.

How can you prevent this repo from being used?

Here's how to remove the installed repo and GPG key from your Raspberry Pi, if you're running Raspberry Pi OS:

sudo rm /etc/apt/sources.list.d/vscode.list
sudo rm /etc/apt/trusted.gpg.d/microsoft.gpg
sudo apt update

This should be a permanent fix, since the update that forces in the repo and key should only ever run once.
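
To confirm the removal holds across later upgrades, you can record what APT currently trusts and compare against that record after each update. The script below is an added example, not code from Raspberry Pi OS or from the raspberrypi-sys-mods package; the function names and the baseline path are assumptions, and it reads only one-line .list files.

```shell
#!/bin/sh
# Added example, not from the original post. Records which repository hosts
# and keyrings APT trusts, then reports anything that appears later.
# Handles one-line .list files only. BASELINE's path is an assumption.
BASELINE="${BASELINE:-/var/lib/apt-trust.baseline}"

# Print "source <host> <file>" for every active deb/deb-src line under ROOT.
list_sources() {
    root="${1%/}"
    for f in "$root/etc/apt/sources.list" "$root"/etc/apt/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        # Skip the optional [options] field and keep the URI's host part.
        # Commented-out lines do not match and are ignored.
        sed -n -E 's#^[[:space:]]*deb(-src)?[[:space:]]+(\[[^]]*\][[:space:]]+)?[a-z+]+://([^/[:space:]]+).*#\3#p' "$f" |
            while read -r host; do
                printf 'source %s %s\n' "$host" "$rel"
            done
    done
}

# Print "keyring <sha256> <file>" for every keyring file APT trusts under ROOT.
list_keyrings() {
    root="${1%/}"
    for f in "$root/etc/apt/trusted.gpg" "$root"/etc/apt/trusted.gpg.d/*; do
        [ -f "$f" ] || continue
        rel=${f#"$root"}
        printf 'keyring %s %s\n' "$(sha256sum < "$f" | cut -d' ' -f1)" "$rel"
    done
}

# Sorted snapshot of both lists, suitable for comm(1).
snapshot() {
    { list_sources "$1"; list_keyrings "$1"; } | LC_ALL=C sort -u
}

# new_since BASELINE_FILE [ROOT]: print entries absent from the baseline.
new_since() {
    cur=$(mktemp)
    snapshot "${2:-/}" > "$cur"
    LC_ALL=C comm -13 "$1" "$cur"
    rm -f "$cur"
}

# "init" saves the current state; "check" exits 1 if anything was added.
case "${1:-}" in
    init)  snapshot / > "$BASELINE" ;;
    check) added=$(new_since "$BASELINE" /)
           [ -z "$added" ] || { printf '%s\n' "$added"; exit 1; } ;;
esac
```

Run it once with init as root after cleaning up, then with check after each apt upgrade; a changed keyring shows up as a new hash, so replaced keys are reported as well as new ones.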

Conclusion

The Raspberry Pi Foundation's mission is education, and they've been focused on simplicity and targeting the mainstream in what they do.

Focusing solely on 'pure' free and open source software can lead to missed opportunities (and they've already distributed other proprietary apps like Minecraft and Wolfram), but this action still taints their standing as good stewards in the open source community.

I'm mixed on this decision. I'd much rather the Pi Foundation give people the knowledge of how to install VSCode (or other applications like it) by teaching them how to use apt to install it, instead of forcing a new repo for a tool that will only ever be installed on relatively few Pis.

And even with the forced repo install, there should've been prior warning, especially since it was pushed to all Pis, even those running the 'lite' OS with no GUI and thus no way to run VSCode.

Comments

What bugs me is that the new file: /etc/apt/sources.list.d/vscode.list points to a repo (packages.microsoft.com) that only has IPv4.

I have systems that run IPv6 only and up until now Raspberry Pi OS and Ubuntu IoT (the RPi one) worked fine with IPv6 only. But now I get ugly text when I run apt update/upgrade. I tried posting about it on the Raspberry Pi forums, but the moderators never let me through.

Yes open-source but I can not find any comments from RPF / RPT over the last decade that explicitly state their Operating System is and will be forever open-source.

If users are that bothered then 96boards is a good place to look for a replacement Single Board Computer and sell their RPi on eBay.

From a legal point the opt-out feature is probably not even allowed in the EU.
And I am sure this was not the reason the UK left the EU.
But it makes it more of an issue to put legal pressure on the Pi Foundation to stop this.
Most importantly there is a true open source equivalent that would have taken care of things without this nonsense.

If only the raspberry pi had a simple GUI that already can install non-free software like Wolfram Mathematica... It would make sense that you would have a GUI for the 1-click solution and a multistep process for the command line. If only that was already installed on all raspberry pi's with a desktop environment...

"I don't think the Pi Foundation has any nefarious plans here."

Yet Eben's Twitter profile reads "Necessary Evil".

All the flags are there to abandon ship.

Any suggested lifeboats? There are a lot of other SBCs and low-cost computers (and OSes to run on them) but how many have even half the attention and support that Raspberry Pi and Pi OS have?

I've been running OpenSUSE on my Pi cluster for awhile. Something just never seemed right about Raspberry Pi OS. Well.. I admit I don't much like Debian. Is it "apt install" or "apt-get install"? And why does the install happen without confirmation and sometimes not? (Don't answer that)

Nah I'll bite and answer, not for you, but for satisfying others' curiosity. "apt" is a newer and shorter version, uniting apt-get, apt-cache and some others, just shorter to always use "apt" instead of "apt-get" and easier to remember. + It will not ask for confirmation if the package doesn't pull in any additional dependencies.

Thank you for this calm and sensible reflection on what happened. The argument over how open-source VSCode is, is a red herring ... that's not what this is about. It is about HOW the change was done - automatic, to a 3rd party repository, with opt-out only available after the fact.

I am unpersuaded by the argument that they just want to make things easier, to get to the "teaching how to code/giving you better tools" quicker. They passed up an opportunity to teach people the usual way to obtain software tools in other repositories. Also, there's no real "need" to make it easier ... from what I can tell, it's not that hard; in fact, there's a lot of harder things about configuring and troubleshooting the Pi already!

Again, thanks for talking sense, Jeff.

Jeff,
Not sure if you were just lurking before or just joining the discussion a bit late. This was blowing up on GitHub. Multiple bugs being entered by people and frankly just getting censored. Finally we got some answers albeit still incomplete.
I created a patch (see closed pr 51) to prompt with debconf. It was rejected though. I don't like the idea of a postinst adding a third party repo AND KEY without my knowledge. I feel like this was bad form.
Anyway, I'd speculate that there was a decision made high up to include this. It doesn't make sense to me to add it where they did. This should have gone in the recommended software package and not sys mods. They really need to work on their transparency if anything.

MS is a bully. If raspberry pi foundation wants to be friends with "the bully" that's fine. But there's no reason to try and force me to associate with "the bully". When you consider the many dirty deeds of "the bully" you see why it's hated so much by so many. I don't want any part of MS in my pi.

Personally, with VS Code being the top code editor these days, installing it on a Raspberry Pi adds the repo anyways. Why? To be able to update VSCode via apt. People also have an issue with telemetry? Why? On your first launch VSCode pops up telling you how to disable it: https://code.visualstudio.com/docs/getstarted/telemetry Why is this such a problem, when the majority is using VSCode anyways?

The thing I have to laugh at is people who use VSCode all the time and then complain about this, rather stupid when the repo and gpg keys are added when you install VSCode anyways.

From my understanding, adding a repo cannot get telemetry from your system, unless I am wrong? They have not pushed VSCode to be installed on every Raspberry Pi, have they? They only added a repo, so if you want to install it then you can; if you don't, then don't. You also forget that VSCode is the top code editor of choice for its flexibility and customisability. You can use it as just a simple code editor or install extensions, building it out into a full blown IDE, which is rather educational itself. Also some top tier companies use VSCode all the time too. If they are not force installing VSCode then there is no harm; adding the repo/gpg keys just makes it easier to install VSCode.

I don't see people complaining about other tools such as piapps or pikiss having the ability to install VSCode.

Personally I think all this is blown way out of proportion.

A precise analogy may not be possible ... but for starters (perhaps someone can build on this or re-cast it):

Imagine you rent a condo, and the landlord has a master key. One day, you come home and there's an envelope on your desk chair. Inside, it's a coupon for a free smart speaker / security camera setup (whole house) from an electronics store you have used before at another place, but don't trust. You call your landlord and ask if they know anything about someone entering your condo. "Yes, we are good friends with the folks that run that store. They really helped us out, and offered to help you out too. So we gave them your address and a key to your place, so they could put the coupon where it couldn't get lost."

You are stunned: "I don't want anything to do with that place. I don't trust them! Do you even read the news? Why would you let them in without asking me first?"

Landlord: "Look, it's nothing personal! We're giving them the keys to all our residents' condos! They're all getting this wonderful offer. Sure, yes, they've had run-ins with the law in the past, but that's all behind them. They have assured us they would never misuse access to your condo or give you anything that, in their estimation, you wouldn't want or benefit from."

***

CAProjects, you need to pay more attention to the details and nuances of what Jeff and others have pointed out. I'm not going to repeat them here, but because you ignored them, you have put up a bit of a straw man argument.

I tried to find out how this crazy adding of a Microsoft repo works and came across some interesting stuff. If you build your own Raspberry Pi OS with https://github.com/RPi-Distro/pi-gen you will have a Raspberry Pi OS without any Microsoft repo.

The adding of the microsoft repo is happening when there is/will be an update of the raspberrypi-sys-mods package. See here (at the moment line 122-124) https://github.com/RPi-Distro/raspberrypi-sys-mods/blob/master/debian/r…

***
if dpkg --compare-versions "${2}" lt-nl "20210125"; then
    echo "Adding vscode repo..."
    add_ms_repo
fi
***

Even when you download the latest Raspberry Pi OS from 11th January 2021 there is no Microsoft repo. Only the fact that in this version there is an older raspberrypi-sys-mods will add the Microsoft repo after an upgrade.

I wonder how they will add vscode to a newer Raspberry Pi OS because as long as there is no update in the raspberrypi-sys-mods the Microsoft repo is not added. I think that is a strange behavior and a strange dependency.

First, thank you for giving us a place to discuss, as the raspberry forum seems to fall back to old ages inquisition type structure. Well, a forum on the internet is some kind of medieval small kingdom, but in the open source community this will cause permanent damage.

Just to add to the bad things. A while ago I removed the microsoft repository using the above method. Today I did an apt update and recognized while watching the large number of packages being updated - guess what, these bl**dy f*ckers added it again. Once again I removed that sh*t from my installation and am now planning to abandon the repo completely. Yes, they do nice work, but it is not the only nice girl in the room. After all past recent discussions, deleted suppressed or ignored by them, this was a NoGo.

So guys, if you did an update lately, check and decide for yourself.

From what I can see from this post and comments, it seems like they have upset some of their most loyal users, which is (or was) y'all.
It seems they were okay with that, as they went with providing an industry leading code editor (or so far, the repositories) to potentially millions of not yet educated and/or underprivileged children and adults alike.
I get that you feel betrayed in some way... but if you've even found your way to reading this post, well, I don't think this was a decision about you. If it bugs you that much, remove it.
If you have the means, consider supporting educational programs for youth that can benefit from this, like Black Girls Code for instance.

The problems have absolutely nothing to do with providing better educational resources and support for underprivileged users, it has to do with the trust that we have for the stewards of the operating systems we use.

And I still use Raspberry Pi OS a lot ;)

I regret giving my money to Raspberry Pi Foundation. When I need to upgrade my RAM, I will look into an alternative single board computer instead. When I post a critical comment on Raspberry Pi Foundation Facebook page, they apparently censor it by deleting it - it isn't there anymore even when I switch comment display mode to "All". A mobile phone company censored my Facebook complaint after I used them for 4 years - soon, I switched to a different company and now I am using that.