Beware of Microsoft repro taking over your Pi

Dana Mon, 8 Feb 2021 10:54:30 -0600, TCW napis'o:

Thx for this one!

The article doesn't give the obvious solution, of simply editing the /etc/apt/sources.list file and removing the microsoft repo line.

My own view on this (and I don't run current versions of raspbian, I'm no fan boy), is that there is no malignant intent, they were careless and hadn't thought it through. As any follower of the rpi forums will know, they can be thin-skinned about criticism, and have got a bit defensive about this.

They are currently altering the repo priorities so that no package in the Raspberry Pi OS repo's can be installed by "accident" from the Micro$oft repo. - a very sensible precaution. It doesn't stop the call to the MS repo. every "apt update" though (unless you remove the repo from the sources.list file!).

Jim

Op 08-02-2021 om 17:54 schreef TCW:

Also

Just a bit, yeah..

Non-issue.

It's for VS Code. A bundled and IME a very useful application *.

Many other applications provide the same kind of telemetry for their developers to catch errors. I doubt it does anything unless ye run the program, which does self-update in normal use so it does need to know an Apt repository.

Even this program (thunderbird) has that. If you run it, you will notice T&C's to be agreed.

Should we ditch all connected applications because we don't understand them?

• best thing MS ever wrote, IMO.

They even open sourced it. Apache Eclipse picked it up, and I use this browser based variant of it from docker running under node.js / electron.

Just fired up thunderbird for the first time on Linux desktop and there were no T&C's to be confirmed.

Well, Linux and MS have never played nice together and even with Windows WSL/WSL2, there's obviousness to what MS is up to. I'm not putting on my tin hat just yet but MS didn't get to it's market share by being nice guys. Just my 2 cents.

You may be right, but I have no idea what MS intentions are. My comments where just about the RPI people.

And there we agree. =)

When it crashes for the first time, you'll be be asked to confirm if you would like to submit developer logs.

You are at least asked! I think Firefox does the same.

I noticed that thunderbird (v68) displays

which of course gives them a heads up to the fact you have fired up thunderbird, and some extra info. - version, locale, OS, build and maybe (I assume) that it a debian build. I'd prefer to be asked before loading and displaying something from outside my box.

In preferences I didn't find anything to stop html emails loading remote content - the main way of tracking if you've read that commercial email you received. However, it appears that thunderbird does do the right thing there see

"Remote Content in Messages

Email messages can contain remote content such as images or stylesheets. To protect your privacy, Thunderbird does not load remote content automatically, but instead shows a notification bar to indicate that it blocked remote content."

Thanks for making me look more at thunderbird; but I'll stick to my text only MUA.

Plus, a relatively small open source project asking for crash logs is a bit different to bloody Microsoft being pinged every time you update your Pi.

Dana Tue, 9 Feb 2021 09:35:08 -0000 (UTC), Jim Jackson napis'o: [snip]

True. I only use my slrn to read news posts. :)

Ok, I goofed.

OK.

There is a lot more. If you open up "about:telemetry" in either firefox or thunderbird (via Help->Troubleshooting Information, look for telemetry data), you can openly see the depth of their data collection.

Actually, I'm somewhat bowled over how much detail is in the troubleshooting information screen for Thunderbird, which surely must make it easy for their developers to identify problems. Why wouldn't you give them that ability?

If you, say, have issues with identifying Linux audio cards - it may be an easy place to look!!!

Most other HTML mail clients do the same thing.

However, the original accusation is that a company that makes 'connected' applications, is doing it solely for nefarious reasons. I'm not really much sold on that.

No worries.

In addition to the mitigation instructions near the bottom of that article, it should be possible to comment out the packages.microsoft.com line in /etc/apt/sources.list.d/vscode.list and make the file immutable. I did that earlier today, and it appeared to stick but not cause problems.

HTH

Yawn. If you don't install any packages from the repo you'll be fine. It seems to be stuff to do with moby.