Mathias' Blog

Occasional musings and technical posts…

04 Feb 2021

Shady Behavior from the RaspberryPi Foundation

Well, the RaspberryPi Foundation burnt a lot of good will this week. For those who haven’t heard, they released an update for the official “Raspberry Pi OS” (based on Debian/Raspbian) that essentially backdoors in an apt repository controlled by Microsoft. This predictably blew up at places like /r/linux, and people quickly found that the changes were not even published before the package was released.

Needless to say, this left a sour taste in several people’s mouths, mine included. This was a major violation of the trust of the end users of the RaspberryPis, and the mop up after this was discovered has only made things worse.

It turns out that the way the new repository was added didn’t even follow the proper way of installing new config files. Threads on the official forums and GitHub repos are being locked. There’s been no official mea culpa from the RaspberryPi Foundation.

So what’s the issue?

Simply put, many Linux users don’t appreciate having a third-party repository – and a Microsoft one at that – automatically added to their systems without explicit permission. This was done to allow people to install vscode easily, but a vast number of users will never do that. However, it now results in an army of RaspberryPis automatically pinging Microsoft’s servers on every update. While it’s only an HTTP GET, that’s still another data point for possible correlation with other online activity.

But the fundamental issue is that these hijacked RaspberryPis will happily install any package that looks like an update from the Microsoft (or other third-party) repository. While this probably won’t happen, Microsoft could now package an “update” for chrome that replaces it with their Edge browser, and your RaspberryPi would happily install it when apt upgrade was invoked. This could have been alleviated by using apt pins to only allow vscode updates from the new repository, but that’s not been done.
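The pinning described above, as an added example (not from the Raspberry Pi OS package or this post): an apt preferences file that blocks every package from the Microsoft origin except vscode itself. It assumes the repository hostname is packages.microsoft.com; check the origin shown by `apt-cache policy` on your own system and adjust it.

```shell
#!/bin/sh
# Added example: apt pinning so that only the vscode package ("code") may come
# from the Microsoft repository and nothing else from that origin is ever
# selected, even if it carries a higher version number than the Debian one.
# ASSUMPTION: the repository hostname; replace it with the "origin" host that
# `apt-cache policy` prints for the Microsoft sources list entry.
MS_ORIGIN="packages.microsoft.com"

# Emit the preferences stanzas. A negative priority means apt will never
# install that version. A record naming a specific package ("Package: code")
# takes precedence over the wildcard record, so "code" keeps the default
# priority of 500 while every other package from that origin is blocked.
vscode_pin_preferences() {
    cat <<EOF
# Block every package offered by the Microsoft origin...
Package: *
Pin: origin ${MS_ORIGIN}
Pin-Priority: -1

# ...except vscode itself, which stays installable at normal priority.
Package: code
Pin: origin ${MS_ORIGIN}
Pin-Priority: 500
EOF
}

# Print the stanzas; redirect them into /etc/apt/preferences.d/ as root, e.g.
#   sh vscode-pin.sh | sudo tee /etc/apt/preferences.d/99-microsoft-vscode-only
# then confirm with `apt-cache policy code` and `apt-cache policy chromium`
# that only "code" shows a Microsoft candidate.
vscode_pin_preferences
```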

I think the next steps are pretty clear: I’ll be wiping and reinstalling my RaspberryPis with a version of Linux that doesn’t betray my trust as an end user. It will probably be a pure Debian install, which means I’ll lose some of the nifty shine and polish right out of the box, but at least I won’t be worried about the next underhanded action from the RaspberryPi Foundation.

This also means I won’t be buying any more RaspberryPi hardware in the future… luckily there’s now a pretty good ecosystem of similar ARM boards out there that provide alternatives.

Sorry RaspberryPi – it’s been fun, but this went too far and based on initial responses, you knew this wouldn’t be taken well by the community.