Some background about that controversy where the foundation added the Microsoft repo to the sources

TL;DW: The foundation didn't make the change available to further auditing. Community got upset, mods started deleting comments on their forum about it

From the video description, to remove said changes:

sudo rm /etc/apt/sources.list.d/vscode.list

sudo rm /etc/apt/trusted.gpg.d/microsoft.gpg

sudo apt update

@cypnk I think the problem also is that whenever you install any of these Microsoft products via the command line it’ll add these repositories back without question though..

Happens with Teams, happens with VSCode, or any other pre-packaged product that’s also available via their own repositories..

@moritzheiber This is exactly the issue

Removing the repo now is only a temporary fix until it's also fixed upstream to be optional

Overall, I'm disappointed with the default opt-in approach. Also their attitude of "we do this all the time". That's really not appropriate for a distro like that, considering the user base
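An added example, not from the video description or any poster in this thread: because the posts above say a package can put the repository back after it has been removed, this script lists the hosts each `apt update` will contact and flags any that are not on an allowlist, and also lists the keyrings apt trusts for every source. The allowlist hosts are supplied by whoever runs it, and the script name is hypothetical.

```shell
#!/bin/sh
# Added example: report which hosts `apt update` will contact and flag any
# outside an allowlist. Parses one-line "deb ..." entries (not deb822 files).

# apt_source_hosts APT_DIR -> "file<TAB>host" for each active deb/deb-src line
apt_source_hosts() {
    for f in "$1"/sources.list "$1"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            $1 == "deb" || $1 == "deb-src" {
                i = 2
                # skip an optional [arch=... signed-by=...] option block
                if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++; i++ }
                uri = $i
                sub(/^[a-z0-9+.-]+:\/\//, "", uri)  # drop the scheme
                sub(/^[^\/]*@/, "", uri)            # drop any user:pass@
                sub(/[\/:].*$/, "", uri)            # drop port and path
                if (uri != "") print file "\t" uri
            }' "$f"
    done
}

# unexpected_sources APT_DIR "host1 host2" -> entries whose host is not allowed
unexpected_sources() {
    apt_source_hosts "$1" | while IFS="$(printf '\t')" read -r file host; do
        case " $2 " in
            *" $host "*) ;;
            *) printf '%s\t%s\n' "$file" "$host" ;;
        esac
    done
}

# trusted_keyrings APT_DIR -> keyrings apt trusts for every configured source
trusted_keyrings() {
    for k in "$1"/trusted.gpg.d/*; do
        [ -f "$k" ] && basename "$k"
    done
    return 0
}

# Run as: sh audit.sh <allowed-host>...   (audit.sh is a hypothetical name)
if [ "$#" -ge 1 ]; then
    unexpected_sources /etc/apt "$*"
    trusted_keyrings /etc/apt
fi
```

Run from cron or after package installs, any output from `unexpected_sources` means a source outside the allowlist is present again.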

@cypnk it’s not the distro. It’s Microsoft. The packages are adding these repositories in their post-install routines, indiscriminate of whatever distribution they are getting installed on.. I don’t see how you could put blame on anyone but Microsoft for this, honestly

@cypnk wouldn’t that require an extra step of installing the package?

@JoYo In this case, it seems the vscode repo and the Microsoft GPG automatically came by default whenever someone updated Raspberry Pi OS (or installed new)

@cypnk right, but the vscode telematics wouldn’t be installed without someone intentionally installing vscode.

@JoYo I think the issue was the connection to, which, for better or worse in some people's eyes, constitutes telemetry

The problem is the ping to microsoft servers on each apt update

@cypnk Thanks for this. I agree that Microsoft is not a trustworthy collaborator. They love open source like a tapeworm loves a healthy digestive system. And yeah, I wouldn't use VSCode on principle.

@lightweight Yeah, this has been the down side. VSCode itself is a pretty nice piece of software for the features it has, but there's too much baggage for me to use personally

At work, this is the standard so I have little say. But I still have choice at home and I chose no

@cypnk yeah, I don't respect Microsoft and have previously quit jobs where I was going to have to use their software, even started my own company to ensure I wasn't subjected to anyone else's incompetence beyond my own :) ( that went for 14 yrs :) - 100% FOSS dev/hosting company). But yeah, won't even use VSCodium, as I don't want any MSFT dependencies.

@cypnk I don't like MS either, but freaking out that someone can easily install a dev tool from them is insane and stupid. There's no MS software on there until you ask for it!

RPF just wants people to have access to the tools they ask for.

@mdhughes I think the hiccup was that it was never available for public audit before being included in the first place. This was very different from previous changes

Eben's flippant Twitter replies didn't help when he knows how much animosity there is still among FOSS old timers toward MS

I also think deleting the forum threads discussing it was a mistake. Instead, they should have walked through the reasoning at least. And maybe apologized for not running it across the community first

@cypnk Probably socially mishandled, but they may also have my level of eyeroll at ideology-over-utility.

Showing the number of requests for it would be compelling evidence to people who don't care, but wouldn't budge a FOSS true believer: "All those kids are wrong!"

@mdhughes Oh yeah, at least some of this could have definitely been handled better. There's just no convincing some folks, but that's just par for the course in any of these projects

The point is that the repo is added even if you didn't ask for or have any MS software, so your Pi is connecting to Microsoft on every apt update regardless (unless you take specific action to stop it).

If it got added when you installed VSCode then that'd be much more reasonable.


@edavies @lightweight @cypnk But you can't install VSCode without the MS repo attached. And all that's there is VSCode, so it doesn't matter.


@mdhughes They could just as easily have had a small “bootstrap” package which added the repo first.

All that's there may well be VSCode for now. What if Microsoft later “helpfully” decides they have a better kernel everybody needs, or whatever? It hugely increases the trust domain.

@edavies @lightweight @cypnk This is a ridiculous and poorly-thought-out idea. First, the kernel would be pulled from the original repo, not from some new one.

Second, MS is a publicly-traded corporation, they're extremely legal risk-averse, they aren't going to engage in "hacking" like some rando taking over an npm project. They could just buy RPF for $10B if they wanted it.

Third, they already had software on the RPi from day one: Minecraft. What if Minecraft takes over the system?!@!1!

@mdhughes Yes, the kernel comment was a bit tongue-in-cheek (though I haven't looked at how apt searches through repos).

The point, though, is that all other software just goes in the Debian/RPF repos so we have to be at least a bit suspicious as to why Microsoft needs a special one.

From the forum:

> We've been in touch with Microsoft who have agreed we should point at their repo (rather than telling people to download VSCode from their website)
> So there's nothing wrong here, as others say, it's just the repo, you don't have to install anything from it and we won't have a dependency on anything from Microsoft in the Debian / Raspbian or Raspberry Pi repositories



