Raspberry Pi OS enables a Microsoft repository and Microsoft's package signing key by default

Raspberry Pi board users are discussing the inclusion of a reference to a Microsoft repository and the addition of a Microsoft GPG key for trusted package installation. The repository is added by the raspberrypi-sys-mods package (https://github.com/RPi-Distro/raspberrypi-sys-mods), which ships Raspberry Pi OS specific settings and scripts. Its post-install script drops a new entry into /etc/apt/sources.list.d; the entry points at the repository from which the VS Code development environment is installed. The main complaint is that the repository and the Microsoft key were added without warning users.

This behaviour is a problem for two reasons. First, every time the package manager refreshes repository metadata while installing or updating packages, it contacts all configured repositories, so Microsoft's server accumulates the IP addresses of all Raspberry Pi OS users and can use them to build a profile. Such a profile could, for example, feed targeted advertising when someone logs into Microsoft services from the same IP address.

Secondly, the Microsoft repository is configured as fully trusted, even though it is not under the control of the Raspberry Pi OS developers, and users were not asked to confirm adding the Microsoft GPG key. apt gives every trusted source equal standing: if Microsoft's infrastructure or signing key were compromised, the repository could serve substitute versions of standard packages or their dependencies, and unless a pin says otherwise apt installs whichever candidate carries the highest version, regardless of which source it came from.

It is noted that the community-maintained Raspbian distribution is not affected; the change was only added to Raspberry Pi OS, the variant of Raspbian maintained by the Raspberry Pi Foundation. To cut off access to Microsoft servers in Raspberry Pi OS, comment out the contents of /etc/apt/sources.list.d/vscode.list and remove the /etc/apt/trusted.gpg.d/microsoft.gpg key. Additionally, you can add "127.0.0.1 packages.microsoft.com" to /etc/hosts to block requests.
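The clean-up described above, written out as a script so it can be rehearsed on a scratch copy of the files before being run on the real system. This is an added example and not code from the article or from raspberrypi-sys-mods; it goes one step beyond the article by also writing an apt pin file (/etc/apt/preferences.d/no-microsoft, a name chosen here) with a negative priority for the packages.microsoft.com origin, which stops apt from ever selecting a package from that source even if the list is re-enabled later. The sample "deb" line used for the rehearsal is a constructed assumption about the exact contents of vscode.list.

```shell
#!/bin/sh
# Added example (not from the original article or from raspberrypi-sys-mods):
# apply the clean-up steps described in the article to a Raspberry Pi OS root,
# plus an apt pin so nothing from packages.microsoft.com is ever selected.
# Every function takes an optional root prefix so the steps can be rehearsed
# on a scratch directory before touching the live system (root "" = live /).

# Paths named in the article; the preferences file name is this example's own.
vscode_list() { printf '%s/etc/apt/sources.list.d/vscode.list' "$1"; }
ms_key()      { printf '%s/etc/apt/trusted.gpg.d/microsoft.gpg' "$1"; }
hosts_file()  { printf '%s/etc/hosts' "$1"; }
ms_pin()      { printf '%s/etc/apt/preferences.d/no-microsoft' "$1"; }

# Step 1: comment out every active "deb ..." line in vscode.list rather than
# deleting the file, so the original entry stays visible for later inspection.
disable_vscode_list() {
  f=$(vscode_list "$1")
  if [ -f "$f" ]; then
    sed 's/^\([[:space:]]*deb\)/# \1/' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  fi
}

# Step 2: drop the Microsoft signing key so apt no longer trusts anything
# signed with it, whichever source list might reference the repository later.
remove_ms_key() { rm -f "$(ms_key "$1")"; }

# Step 3: sinkhole the hostname with the article's 127.0.0.1 entry, written
# only once so repeated runs do not pile up duplicate lines.
sinkhole_ms_host() {
  h=$(hosts_file "$1")
  if ! grep -q 'packages.microsoft.com' "$h" 2>/dev/null; then
    printf '127.0.0.1 packages.microsoft.com\n' >> "$h"
  fi
}

# Extra step beyond the article (standard apt_preferences semantics):
# a negative Pin-Priority for that origin means apt will never install or
# upgrade to a package from it, even if the source list comes back.
pin_ms_origin() {
  p=$(ms_pin "$1")
  mkdir -p "$(dirname "$p")"
  printf 'Package: *\nPin: origin packages.microsoft.com\nPin-Priority: -1\n' > "$p"
}

disable_microsoft_repo() {
  root="${1:-}"
  disable_vscode_list "$root"
  remove_ms_key "$root"
  sinkhole_ms_host "$root"
  pin_ms_origin "$root"
}

# Returns 0 when no active deb line and no key remain and the hosts entry exists.
verify_microsoft_repo_disabled() {
  root="${1:-}"
  f=$(vscode_list "$root")
  if [ -f "$f" ] && grep -q '^[[:space:]]*deb' "$f"; then return 1; fi
  if [ -e "$(ms_key "$root")" ]; then return 1; fi
  grep -q 'packages.microsoft.com' "$(hosts_file "$root")" 2>/dev/null
}

# Constructed scratch root mirroring the state the article describes (the deb
# line is an assumption about the file's exact contents). Prints its path.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/etc/apt/sources.list.d" "$root/etc/apt/trusted.gpg.d"
  printf 'deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code stable main\n' \
    > "$(vscode_list "$root")"
  printf 'placeholder-for-binary-key\n' > "$(ms_key "$root")"
  printf '127.0.0.1 localhost\n' > "$(hosts_file "$root")"
  printf '%s' "$root"
}

# Live use: sudo sh thisfile.sh --apply   (no argument: nothing is touched)
if [ "${1:-}" = "--apply" ]; then
  disable_microsoft_repo "" && verify_microsoft_repo_disabled "" && echo "done"
fi
```

Rehearse with `r=$(make_sample_root); disable_microsoft_repo "$r"; verify_microsoft_repo_disabled "$r" && echo ok` after sourcing the file, then run it with `--apply` as root. Note that a later upgrade of raspberrypi-sys-mods may re-run its post-install script; the pin file and the /etc/hosts entry are what keep the repository inert if the list file reappears.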
