  2. 47

    If you think pulling apt sources is telemetry then it means apt should send less data about you. You have the same problem with any mirror: Those cannot be trusted all that much and may retain any metadata. I know for sure I don’t really trust my ISP’s package mirror when it comes to privacy, it just happens to be very fast and reliable.

    There is always a trust issue when unwanted software and gpg keys are installed secretly, which is the main issue

    Not sure if I understand the issue correctly, but if adding Microsoft’s repo to apt requires installing a GPG key that is trusted for signing arbitrary packages even if installed from other repos then that’s for sure a problem with apt too.


    Overall, can’t help but also roll my eyes on this. User complains that the image isn’t lightweight enough but clearly the stock image of RbPI is not sharing this kind of goal. Might as well complain that it doesn’t come with Alpine.

    BTW this article adds nothing over the reddit thread. Not that I really sympathize with either.

    1. 23

      Unless there is something special about Microsoft’s repository, this is pure prejudice against Microsoft.

      Microsoft has thankfully provided their software in a convenient repository, and the RPi Foundation chose to include it by default – nothing wrong with that.

      Software providers should be judged on merit … oh well, the prejudice is somewhat deserved, but my point is that recent merits should weigh more than old.

      1. 8

        You mean like the way Windows 10 keeps installing random applications (Cortana, Skype, Spotify) without my ever asking for them? Or the constant whack-a-mole required to turn off telemetry in their flagship operating system?

        They remain as hostile to user control as ever, but have learned to be a data vacuum too.

        1. 4

          recent merits should weigh more than old.

          Linking to a Wikipedia article on EWMA doesn’t really justify what you said. Many of us are old enough to remember the bullshit, destructive behavior of Microsoft, and are (rightfully so..) highly skeptical at Microsoft’s abrupt change of heart.

          Why do you feel that EWMA applies to human behavior, and to corporate/business strategy?

          1. 2

            Exponential decay is simply the null hypothesis of decay (including perception of the past, I argue), because it makes the least amount of assumptions. Adding constraints, such as human lifetime, is a liability.

            For starters, if you argue that people have a long memory, and businesses don’t change overnight, you are merely arguing for a long half-life of those exponential weights on which to perceive the past – perfectly within the model!

          2. 4

            Microsoft has recent merits?

          3. 20

            Yeah, this really feels overblown. They really think MS would bother linking your apt updates to your IP for advertising purposes? And so it makes it “ironic” that Pi-Hole would use it? Mountains out of molehills.

            1. 13

              bother linking your apt updates to your IP for advertising purposes

              Who knows what they will use it for, but yes, absolutely. All of this data will end up in their lake and be joinable by whatever additional data they have on hand. They also have all of your GitHub activity. I’d personally love to have all the IP addresses of someone running a Raspberry Pi.

              This absolutely should have been opt-in.

              1. 13

                IP addresses are a lot less useful than people would think; they’re often cycled, and the increased prevalence of carrier-grade NAT makes it pretty much impossible to single out individuals. For consumer addresses it’s very hard to have insight about whether an IP from yesterday refers to the same person as today. You can’t “just join” it.

                At any rate, using this information in these ways would be illegal. Doesn’t mean they can’t do it, but if the NSA can’t keep their secret data collection a secret, then I don’t think Microsoft can either. Secret cabals are hard to keep a secret, especially for long periods of time.

                These large corporations are also a lot less monolithic than people seem to assume; I wouldn’t be surprised if the people in charge of Windows have hardly ever (or never!) spoken to the people in charge of GitHub. It’s not like they have regular meetings filled with moustaches twirling, diabolical laughter, and hatching of evil plots.

                1. 6

                  Both my IP address and my parents’ IP address rarely change. I have been sshing from the outside for years without dynamic DNS. I don’t know what you mean by “it’s very hard to have insight,” but in practice IP addresses carry a lot of information that can be exploited. There is a tendency to overlook this and emphasize that the mapping is not perfect, as if this offers some degree of privacy protection. At best it offers some slight plausible deniability, but this does not prevent a data collector from having a very good guess of who an IP address corresponds to.

                  This is especially true in cases where the data sent from your IP address is relatively uncommon. How many people in a given household or neighborhood are likely to be running a Raspberry Pi with Raspberry Pi OS? The same issue arises with Signal which falsely claims to protect the identity of the message sender.

                  At any rate, using this information in these ways would be illegal. Doesn’t mean they can’t do it, but if the NSA can’t keep their secret data collection a secret, then I don’t think Microsoft can either. Secret cabals are hard to keep a secret, especially for long periods of time.

                  So… we know that Microsoft is handing user data to the NSA? Hardly reassuring.

                  Besides, the last window into the illegal NSA data collection operation (featuring Microsoft!) was in 2013. You don’t suppose there have been any developments since then? A sparse scattering of past leaks does not mean any current illegal program would’ve been leaked already.

                  It’s not like they have regular meetings filled with moustaches twirling, diabolical laughter, and hatching of evil plots.

                  If you’ve ever been to a coffee shop in Redmond, the moustache twirling is not as far-fetched as one might think.

                  1. 7

                    If you’ve ever been to a coffee shop in Redmond, the moustache twirling is not as far-fetched as one might think.

                    … What? I have been to several coffee shops in Redmond and have no idea what you’re talking about.

                    1. 1

                      ohh yeah i forgot redmond is a clean shaven oasis

              2. 9

                IMHO in light of what they’ve done with the (immutable) telemetry, privacy dark patterns, and non-removable apps in Windows 10, which I consider user abuse, Microsoft has lost the right to the benefit of the doubt. I respect people who opt for a more charitable view, maybe I’m just cynical.

                1. 3

                  The author entirely misses the real concern here with this move: by using microsoft repos, microsoft controls the software you install. You want to apt install some application? Well, you’re going to get that application as it is distributed by microsoft, and (the real kicker) potentially modified by microsoft. Things might be rosy now, but the opportunity here for microsoft is likely too great for them to “ignore” for long.

              3. 45

                Secretly? /etc/apt/sources.list.d/ is the opposite of secret.

                1. 12

                  Just a click baiting title, there is nothing secret about it.

                  1. 10

                    I wanted to comment exactly this. Don’t you see it in the output of apt update?

                    Also, Raspbian is not the only Linux distribution one can run on Raspberry Pi. Off the top of my head: Debian, Fedora and Alpine run on Raspberry Pi 2+. And that doesn’t include the three major BSD systems which all run on it as well…

                  2. 27

                    A reminder as to why older geeks, like myself, have precisely zero trust towards Microsoft when it comes to open source, or a customer-first mentality in general:

                    http://www.catb.org/~esr/halloween/

                    More recently, they’ve shown their true colours with the Minecraft Education Edition, that’s only available to students at schools affiliated with Microsoft. I’ve tried (repeatedly, at the behest of my literally teary-eyed children) to pay money for Minecraft EE, only to be repeatedly rebuffed.

                    The answer I was given is that they’re afraid that the low price of EE licensing might cannibalize their regular Minecraft sales. So they’ll only offer it for sale to students of schools where they’re already making up the difference on bulk licensing.

                    Perhaps I’m wrong; I certainly hope I am. But I eye things like Microsoft’s acquisition of GitHub, and their embrace (to be followed by extending and extinguishing?) of Linux in Windows, with great skepticism. They certainly weren’t to be trusted in the 90s and early 2000s, and their treatment of Minecraft users suggests nothing has changed.

                    1. 5

                      You’re not alone! I am very afraid that the younger generations fail to study history and understand that Microsoft’s so-called “friendly” attitude towards the open source community is nothing more than a new business strategy.

                      Things are actually much worse today than in the past. In the past it was clear and obvious that Microsoft was very hostile towards all open source, now they hide it, which makes it worse.

                      1. 2

                        I agree. I’m more upset that people aren’t upset about this. Microsoft has never been the good guy. They’ve open sourced some stuff here or there, but they still track you just as hard as Google or Facebook in every way imaginable.

                        If the Pi team wanted to offer VS Code, why not do it from an official repo, or add a repo for vscodium?

                        Maybe it’s just because I lived through the Windows 95 era and all the garbage Gates and his company tried to pull to completely crush Linux. But nothing has really changed. Sure Windows 10 doesn’t blue screen of death once every 2 ~ 3 days, but instead you get ads on everything from the start menu to lockscreen, endless amounts of telemetry, Cortana … why are so many people so quick to give Microsoft a free pass? This distribution literally has a Microsoft repo in it. Depending on the repo priority, it could offer Microsoft versions of other packages on your system.

                        Also, have people just forgotten about youtube-dl and GitHub? I don’t understand all the Microsoft apologists. Keep Linux MS free. It’s not a hard ask. It’s just common sense.

                        1. 3

                          Keep Linux MS free. It’s not a hard ask.

                          It is a hard ask, because that would break Freedom Zero.

                          1. 2

                            I don’t think that @djsumdog’s comment was a legal request, but a “social” one.

                      2. 15

                        It seems RPi foundation officially recommends MS IDE, and hence this was included Raspberry Pi OS. They should keep this to GUI image for kids or anyone who wish to learn Python and other stuff using VS Code. Most Linux geeks and power users use RPi as a git server or adblocker and so on as a headless server.

                        (my emphasis)

                        What an amazing dismissal of the next generation of “Linux geeks and power users”.

                        1. 10

                          Especially since educational use is explicitly the aim of the Raspberry Pi project.

                          1. -1

                            Got to educate them into dependency on Microsoft IDEs. The younger, the better.

                          2. 3

                            Totally.

                            The implication is that if you’re a Linux geek/power user you wouldn’t go near something like VSCode.

                            It’s just utterly wrong headed. I use and love VSCode. It’s a superlative tool. I install the Vim keybindings so I can continue to leverage my years of muscle training, and still use and love Vim on the server.

                          3. 13

                            If you didn’t want proprietary software (including say, Mathematica), then don’t use Raspbian.

                            This blog sums up my opinions on this - FUD.

                            1. 7

                              And a lot of people do want this software, something these hard-core “muh freeze croftware” people never quite seem to understand. Having people play games with their APT repositories to install some of the most commonly used software (I believe VSCode is the most popular IDE now) is one of the reasons why “Linux on the desktop” never materialized.

                              If you don’t like this and want to use Debian then that’s perfectly fine: use Debian then. Don’t expect everyone to share your preferences.

                              1. 6

                                I bet many of the same people complaining are installing Chrome and Steam eagerly.

                            2. 9

                              We’re talking about the same distro which installs Wolfram Alpha by default. If you want to be careful about what you’re going to install, do yourself a favor and skip Raspbian.

                              1. 7

                                (nit: Wolfram Mathematica. Alpha is a web service.)

                              2. 8

                                I’m finding it hard to be angry about this.

                                Raspbian/RPi OS has always been about education, and it shows. There’s quite a few applications that are and have been proprietary. It’s not a purist OS like Debian is. It’s for education.

                                And VSCode is good at what it does. And yes, it does telemetry. But searching for VSCode and telemetry shows the checkbox to turn it off (https://code.visualstudio.com/docs/getstarted/telemetry). It’s not a big secret here.

                                And for the experienced Linux users and admins, 5 seconds returns this link of 20 different distros you can install: https://www.fossmint.com/operating-systems-for-raspberry-pi/

                                1. 8

                                  I have Very Serious Issues with this article, and they’re typified by the following passage:

                                  It seems RPi foundation officially recommends MS IDE, and hence this was included Raspberry Pi OS. They should keep this to GUI image for kids or anyone who wish to learn Python and other stuff using VS Code. Most Linux geeks and power users use RPi as a git server or adblocker and so on as a headless server. There is always a trust issue when unwanted software repo configured and gpg keys are installed secretly, which is the main issue. What other problems Linux users may face:

                                  From the Raspberry Pi foundation’s mission statement:

                                  We enable any school to offer students the opportunity to study computing and computer science through providing the best possible curriculum, resources, and training for teachers.

                                  How is including Visual Studio Code anything other than in service to this goal?

                                  This is the kind of reactionary behavior that leads me to think parts of the open source community are more interested in heaping derision and generally biting the hand that feeds them.

                                  1. 7

                                    Raspberry Pi OS is more of a compromise, so I’m not that horrified about this, but what I found weird was the reactions as mentioned in this reddit thread. It might just be my bias, but just dismissing anyone who doesn’t like this with “Microsoft bashing” doesn’t seem right, given that there is still a lot of distrust towards the company, especially in the free software world. I wish that would have been handled better.

                                    1. 5

                                      Microsoft has a long history of screwing its partners.

                                      Now, suppose in which manner could they do it this time, given that their repository is trusted by raspbian.

                                      1. 3

                                        And how would they screw over people? If they distributed malware, that would cause them a lot of hell.

                                        1. 4

                                          Telemetry. And, apparently, they’re already doing it. The scope could, however, grow anytime.

                                    2. 7

                                      This article is thoroughly terrible. The fact that this is not a secret has already been discussed at length, but also consider:

                                      • Microsoft runs hundreds if not thousands of software repositories for the open source world already.
                                      • Microsoft runs NTP nodes in the pool you’re almost certainly “pinging”.
                                      • The “solutions” offered beyond simply removing the .list configuration file are truly insane. Host file entries? Chattr? Just why? Stop, he’s already dead! But seriously, this kind of administration is planting land mines.
                                      • Beyond what Microsoft owns directly, they indirectly “run” many more repos owned by projects that use Azure as their cloud platform.

                                      1. 11

                                        I opened this article expecting something terrible.. But uh. nope this is overblown.

                                        1. 4

                                          The author entirely misses the real concern here with this move: by using microsoft repos, microsoft controls the software you install. You want to apt install some application? Well, you’re going to get that application as it is distributed by microsoft, and (the real kicker) potentially modified by microsoft. Things might be rosy now, but the opportunity here for microsoft is likely too great for them to “ignore” for long.

                                        2. 3

                                          Perhaps I’m misunderstanding, but isn’t this simply the proper way to include VSCode? /etc/apt/sources.list.d/ is designed to separate non-Canonical sources from main/extra/universe, and it seems like this is MSFT’s way of providing rolling-release updates.

                                          Edit: I didn’t realize until rereading that this is the “lite” image, which makes this silly if not necessarily evil. Does Lite even provide a GUI?

                                          1. 3

                                            I’d like to be able to minimize my relationship with microsoft and talk about how to do so without being called hypocritical because I can’t take it to the level that Richard Stallman does.

                                            1. 2

                                              And you can, simply by choosing a different distro to run on your Raspberry Pi.

                                              Pick any one of the gajillion free software only choices out there and be happy.

                                              The Raspbian folks have made pragmatic choices.

                                              1. 2

                                                Sorry, I should have replied directly to the people saying “But Chrome! But Steam!” I make pragmatic choices too, but I’m not giving up entirely yet.

                                                1. 1

                                                  Adhering to principle is good, but in this case IMO you’re tilting at a windmill.

                                                  If you are rabidly against anything MSFT then there’s no hope, but if you have a reasonable distaste for the non 100% FLOSS version of VSCode why not give VSCodium a whirl?

                                                  Honest to god it’s a really great, capable tool. You don’t have to like it or want to use it to appreciate the value it adds or the contribution it’s made to the programming ecosystem.

                                            2. 2

                                              This problem, and others, can be solved by using official distribution images instead of those provided by the Raspberry Pi project. I’m using the official Fedora 33 ARM64 (aarch64) image for example, works perfectly on my Raspberry Pi 3B+ and has the exact same packages (including kernel!) as the x86_64 version of Fedora.

                                              See https://fedoraproject.org/wiki/Architectures/ARM/Raspberry_Pi

                                              1. 3

                                                Do the distro-originated images come with all the same raspberry-pi configuration, hardware drivers, and firmware gubbins as Raspbian? That’s the main reason I run Raspbian, aside from it having more or less guaranteed support when things break and I need to do some googlin’ to fix it.

                                                1. 2

                                                  Generally speaking? No.

                                                  Raspbian is the only distro that provides truly first class support for the pi’s hardware.

                                                  Graphics support is becoming more widespread at least, and there are bits and bobs of work happening in various distros.

                                                  But from what I’ve seen most distros are optimizing for a good desktop experience on the pi.

                                                  1. 1

                                                    At least on Fedora you get a kernel very close to upstream Linux, also for the Pi, so no crazy stuff and everything I use works out of the box (LAN, WiFi). That is the reason why the Raspberry Pi 4 for example still doesn’t work in Fedora, requires more stuff to be properly upstreamed: https://github.com/lategoodbye/rpi-zero/issues/43

                                                2. 0

                                                  I know this isn’t that big of a deal but it is a little upsetting…