How do you feel about VS Code getting silently pushed into Raspbian? (Has telemetry)

If you have a cool-enough head, I would encourage you to voice your opinion in the comments section of this blog post, from Raspberry Pi:

PS: even if you are headlessly running Raspbian, you’ll get VS code forced upon you none the less!

1 Like

On the Pico it is automatically installed if you use their setup script but at least they let you know that in the Pico documentation.

Disturbing.

1 Like

Somewhat not cool, because MS and maybe their telemetry might just sneak in into a sincere and unpretentious product like the Raspberry Pi. Its like the Pi would lose some sense of purity and innocence with some VS Code baked into it.

On the flip side, Raspberry Pi is a learning tool and VS Code is arguably a good learning tool and putting them together makes sense.

Somehow I wish it was opt-in, rather than built-in.

3 Likes

I will be moving two of my four PI’s off of Raspian because of this decision. The other two are already running a non-Raspian distro.

I am one that does not like the telemetry, but the bigger issue is the trust that was broken because of this being a silent deployment and the fact that a non-free repo was automatically added without consent.

2 Likes

100% agree. This move smells too much of “sell out” styles. I also feel that VS Code is too sophisticated for kids. Or at least too sophisticated to deserve to be in the default install. I think MS wanted to brag about how many VS Code installs existed, so by strong-arming this install across all Rasbian installs, this very conveniently inflated their statistics:

It’s been estimated that there are 24 million developers in the world. 14 million of them now use Microsoft’s Visual Studio Code (VS Code) as their IDE, reports ZDNet, with five million new users arriving in 2020.

I have a RPi4 in production with Ubuntu, and I too would have switched, had that been Raspbian.

There is an MX Linux beta for the Raspberry Pi (fluxbox desktop), and once that ripens up some more, I’ll likely consider it to be my goto, for a Raspberry Pi Desktop OS. Not Raspbian any longer.

I’m lost here. Where is the silent aspect? VS code is still a package that needs to be manually installed. In the article you linked to, the conclusion is that now VS code can be manually downloaded if you want it.

A link from that article about getting started with the Pi Pico, takes you to the documentation. The first chapter of which is called: Chapter 1. Quick Pico Setup, where it explicitly says “The script will: […] Download and install Visual Studio Code”

There is every opportunity to NOT install it.

Am I missing something?

I read in another thread somewhere else the problem isn’t that you can manually install that, but that Raspbian adds a source to to your repos, without your permission, using a script during an update. Then, when everyone caused a stink, the Raspbian people more or less said ‘don’t like that? oh well’ which added fuel to the fire a bit.

I haven’t decided what to do with my Pi’s yet. On the one hand, since they’re all local and mostly static, I don’t update them a ton. On the other hand, I do have Pihole so I could block http://packages.microsoft.com

Raspbian forum post that was allowed to stay up

GitHub issue related to the fact that they updated the source code AFTER the push as well

Ah, thank you for that. Well this news is annoying. My Raspberry Pis are all the version one variety, as in 32 bit, and I can’t find any Linux OS other than raspbian to run on them. I’d be forced to go to NetBSD for these devices.

I’ve needed some time to mull over this… I see the problem from a few perspectives.

  1. Pi’s concession to Microsoft that it doesn’t need to place software on their repos. One could argue there’s pros and cons similar to PPAs but it’s a bad precedent when a big company can simply refuse to play ball till their repo is added for convenience.

  2. If you own the repo you know the IP of the user downloading packages and combined with aggregate data who they are to some degree. This enables…

    • Targeted watering hole attacks that are orders of magnitude harder to detect. They could occur in instances of a major breach (like SolarWinds) or Gov’t surveillance to the degree they have leverage over the company.
    • “Soft” IP based telemetry which I think should require user consent but there’s arguements it’s not important enough to need it. For example Ubuntu by default will ping Canonical every few minutes to check for connection (as a user feature) and Firefox is similarly in regular contact with Google even while sitting on about:blank.
  1. It’s a bad precedent that they just get automatically added as a repo, without consent. You cannot do that with PPAs or whatever Fedora’s things are called (copr?); you have to jump through a lot of hoops and say ‘yes, I agree to whatever I’m doing here.’ But they decided to just add it, and without telling the user.
  2. Do you have a source for the Firefox/Google piece?
1 Like

I’m the source. I’ve done two tests about a month apart on two fresh VM installs of Fedora fully updated.

I open Firefox, go to about:blank, remove all other tabs and make sure the search bar is not focused (Firefox feeds address bar entry to Google by default so it could create a false positive).

I then open Wireshark and let it sit for about 20 minutes and I get several different Google owned URLs showing up multiple times as well as cloudfront, an ec2 instance, ect. I then close Firefox, clear Wireshark and let it run for a few hours to help confirm it’s not from something else.

These are the uniques I got last Firefox test (there may be more, this was for a quick answer to someone on Matrix):

13.224.102.75 - Hostname: 13-224-102-75.zrh50.r.cloudfront.net
216.58.215.227 - Hostname: zrh11s02-in-f3.1e100.net
172.217.168.36 - Hostname: zrh04s14-in-f4.1e100.net
34.107.221.82 - Hostname: c.googleusercontent.com
54.149.208.57 - Hostname: ec2-54-149-208-57.us-west-2.compute.amazonaws.com

1e100.net is a Google-owned domain name used to identify the servers in our network.”
https://support.google.com/faqs/answer/174717?hl=en

https://www.ip-address.org/reverse-lookup/reverse-ip.php

I’d strongly encourage confirming my results.

I’ve been resisting doing a proper forum post for reasons I might describe if I do one.

2 Likes

At the risk of hijacking this thread, what is this part too?

That is interesting to see. I’ve never used Wireshark, though I do have a PiHole. Could I check from there, you think?

I have no experience with PiHole (sadly) but I know it can do logging. If the only thing connected to your PiHole is a freshly installed and updated OS w/ Firefox you should be good to go.

Clear the logs, let it sit for 20mins+ to make sure nothing else is talking to Google. Then open Firefox and go to about:blank, clear the PiHole logs again and see what it picks up in 20mins. Then close Firefox, clear the logs and let it sit for another 20. That’s overkill but it’s up to you on how “sure” you want to be.

Then run the collected IPs through a reverse lookup to help you find out who they belong to.

@snorlax You might be able to, but Google is one of those companies that has been embedding their own DNS servers into their code and using DoH to hide the DNS queries. This effectively by-passes pi-hole ( and ad blockers ). FF has DoH enabled by default.

There are advantages and disadvantages to disabling DoH.

1 Like

Linux distributions use officially maintained repositories to act as an intermediate third party between users and developers, acting as an additional measure of security. When you chose a distribution to install, you implicitly trust the distro’s repo maintainers that the software they provide for you is good for you. If you trust others, too, you can add the additional repository manually.
If the distro maintainers add an additional repository that is maintained by someone else without warning the user beforehand, that’s betraying the user’s trust.

2 Likes

I am with you on this. I have two RPi Gen 1 Version B the 32 bit, 512mb versions. I would like to put them back into use, they have been idol for a while. Private message me if you are willing to share what you are doing with your Generation 1 Pi’s.

Possible other distros, although I admit that my best experiences with the Gen 1’s has been Rasbian in the past.

  • Dietpi
  • Sparkylinux

I believe both of the above use the Raspberry PI OS repos to achieve the backwards comparability with Gen 1 and 2 Pi’s.