Heads up: Microsoft repo secretly installed on all Raspberry Pi’s Linux OS

Raspberry Pi is a little useful computer for learning programming and building projects. It comes with Debian Linux based modified operating system called Raspbian. It is the most widely installed OS on RPi. In a recent update, the Raspberry Pi OS installed a Microsoft apt repository on all machines running Raspberry Pi OS without the person’s or admin’s knowledge. Every time a Raspbian device is updated by having this repo, it will ping a Microsoft server. Microsoft telemetry has a bad reputation in the Linux community. Let us see why and how this matters to Linux users.

Microsoft repo secretly installed on all Raspberry Pi’s Linux OS

Let us find out what this repo contains:
ssh pi@192.168.2.180
Here is how we can confirm it:

lsb_release -a
ls -l /etc/apt/sources.list.d/
ls -l /etc/apt/trusted.gpg.d/
cat /etc/apt/sources.list.d/vscode.list

Let see what Microsoft repo secretly installed without your knowledge on Raspberry PI contains:

curl -s http://packages.microsoft.com/repos/code/dists/stable/main/binary-arm64/Packages \
| grep "^Package: " \
| cut -d" " -f2 \
| sort -u


It seems that it contains VS Code IDE for your Raspberry Pi. Now keep in mind this is a server with a lite image, and there is no need to install this on my old RPi 2. Naturally, it made many Linux users unhappy. To make matters worse, the official Raspberry Pi forums admins quickly locked down and deleted the topic threads, claiming it was “Microsoft bashing.”

Why is this bad news?

It seems RPi foundation officially recommends MS IDE, and hence this was included Raspberry Pi OS. They should keep this to GUI image for kids or anyone who wish to to learn Python and other stuff using VS Code. Most Linux geeks and power users use RPi as a git server or adblocker and so on as a headless server. There is always a trust issue when unwanted software repo configured and gpg keys are installed secretly, which is the main issue. What other problems Linux users may face:

  1. By using forced MS repo on my RPi 2, MS controls the software I install. For example, when I run `apt install app,` I will get an app distributed and modified by MS. Maybe they will not do anything evil, but I don’t want anything to do with them.
  2. Hardcore Linux users like me (or anyone who works in infosec/IT) will never trust Microsoft or Raspberry Pi OS to install such a repo secretly.
  3. Microsoft may collect more info about RPi and Linux users as many try to reduce their digital footprint such as your IP address and build a profile about you.
  4. Every apt-get update command pingback to MS repo.
  5. If you or any family members logged into the MS ecosystem such as Github, Bing, Office/Live, they could identify and track you when using same shared public IP at home.

If you are okay with this, then stop reading and go back to your life. Nothing is wrong with that. But, if you are not okay with such a change. Here are some options for you.

1. Stop using Raspbian

This is the best possible solution. I will probably switch to plain Debian for RPi 2. Other operating system includes:

2. Block Microsoft VSCode if you still want to use Raspbian OS

Edit your /etc/hosts on RPI (or add that domain to your Pi-Hole)
sudo vim /etc/hosts
Add the following line:
0.0.0.0 packages.microsoft.com
Save and close the file in vim. Put Debian package on hold so that it will not install further updates:
sudo apt-mark hold raspberrypi-sys-mods
Delete Microsoft’s GPG key using the rm command:
sudo rm -vf /etc/apt/trusted.gpg.d/microsoft.gpg
Make sure new keys cannot be installed:
sudo touch /etc/apt/trusted.gpg.d/microsoft.gpg
Next, write protect that file on Linux using the chattr command:
sudo chattr +i /etc/apt/trusted.gpg.d/microsoft.gpg
lsattr /etc/apt/trusted.gpg.d/microsoft.gpg

3. Use VSCode safety, especially when your kids are using it

VSCode has telemetry too, use a version of VSCode with telemetry removed:

Free/Libre open source software binaries of VSCode with all telemetry removed

Someone notified me about vscodium-deb-rpm-repo.

Summing up

Truth to be told, RPis is not 100% opensource. Like Intel and AMD CPU/GPU, it comes with a binary closed source firmware too. However, that doesn’t mean, install unwanted software repo and gpg keys secretly on your device without your knowledge. That is what malware does, and hence Linux and the opensource community are upset. I hope they will fix it. Check out Reddit thread with many more suggestions. RPis/OS maintainer should have published a blog post about such a notable change, and doing so without informing RPis users is not great. What do you think? Let us know in the comment section below.


🐧 Get the latest tutorials on Linux, Open Source & DevOps via RSS feed or Weekly email newsletter.

🐧 32 comments so far... add one

CategoryList of Unix and Linux commands
File Managementcat
FirewallAlpine Awall CentOS 8 OpenSUSE RHEL 8 Ubuntu 16.04 Ubuntu 18.04 Ubuntu 20.04
Network Utilitiesdig host ip nmap
OpenVPNCentOS 7 CentOS 8 Debian 10 Debian 8/9 Ubuntu 18.04 Ubuntu 20.04
Package Managerapk apt
Processes Managementbg chroot cron disown fg jobs killall kill pidof pstree pwdx time
Searchinggrep whereis which
User Informationgroups id lastcomm last lid/libuser-lid logname members users whoami who w
WireGuard VPNAlpine CentOS 8 Debian 10 Firewall Ubuntu 20.04

Comments on this entry are closed.

  • Michael Horne Feb 4, 2021 @ 10:47

    It’s the repo for VS Code which is useful for Pico development

  • pastebin Feb 4, 2021 @ 11:43

    Wheb this happen?

  • anon Feb 4, 2021 @ 11:44

    “Note: Raspbian is not affiliated with the Raspberry Pi Foundation. Raspbian was created by a small, dedicated team of developers that are fans of the Raspberry Pi hardware, the educational goals of the Raspberry Pi Foundation and, of course, the Debian Project. ”

    It’s on the main page of the Raspbian O/S. Your statement is “The Raspberry Pi Foundation installed a Microsoft apt repository on all machines running Raspberry Pi OS” is completely wrong. And all clickbate/hate talk happening after.

    Having microsoft APT package repositories is not malicious in any way. You can of course assume Microsoft is “tracking” you, but unless you actually use VSCode, there’s no telemetry. That same repo is used for .NET packages and other MS stuff, and is quite popular among .NET Core on linux users.

    • 🐧 Vivek Gite Feb 4, 2021 @ 12:35

      I alerted text to remove foundation name. Thanks!

  • Whocares Feb 4, 2021 @ 12:08

    Mate get some help. Really just chill

    • Nerdom Feb 4, 2021 @ 15:28

      This.

      Not sure why they’re making such a big deal out of it.

    • Lwatcdr Feb 4, 2021 @ 18:14

      Pretty much. If you claim that you are “hard core” you probably are not. Yes people use PIs for all sorts of things including development. Having a repo pre installed is handy and VSCode is a good tool. So take a deep breath and just remove the repo and the keys if you want. Talk about a tempest in a teapot.

      • thenatsdorf Feb 4, 2021 @ 18:23

        I care as a long time Debian user. I have never seen Debian or any reputed Linux distribution like Slackware add such nonsense without permission. What is the purpose of it? Why are they deleting forum threads? Maybe you love Microsoft so much and think it is acceptable to install anything that I paid for it.

  • Nobody Feb 4, 2021 @ 12:54

    Dismissing forum users who doesn’t like this with “Microsoft bashing” doesn’t seem right to me considering that there is so much distrust exists from past action of software giant. MS is also helping ICE separate families and Satya Nadella defended decision to support such contract. This company is truly evil and here to make money out of opensource and Linux.

  • a@b.com Feb 4, 2021 @ 13:45

    You lost me at “Save and close the file in vim“.
    After two hours of trying, I gave up and rebooted :-p
    But it’s a good point. I only keep vscode as an extensions downloader for vscodium, and I can take the repo out of my workstations.

  • Reality Feb 4, 2021 @ 14:18

    It’s no longer the year 2002, which means it is no longer fashionable or cool to blindly hate MS especially taking into account the considerable open source work that they are doing. Step out of your time machine and rejoin the rest of the world in reality. No, they should not install this software without the user’s consent, but this is in no way some sort of hysterical GNU-inspired “end-of-computing-as-we-know-it” event. Calm down, it will be okay.

    • Nobody Feb 4, 2021 @ 17:56

      Nobody cares what you think in 2021. Take your MS agenda to somewhere else. We don’t want anything to do with company that supports separating children from parents and helping ICE. How came you are not talking about that?

  • Indranil Kamulkar Feb 4, 2021 @ 14:26

    What you said and think is absolutely right … I checked and also found the same … Have a look at the below error it throws …

    sudo apt-get update
    Err:1 http://packages.microsoft.com/repos/code stable InRelease
      Could not connect to packages.microsoft.com:80 (0.0.0.0). - connect (111: Connection refused)
    Hit:2 http://download.zerotier.com/debian/buster buster InRelease                                                        
    Get:3 http://raspbian.raspberrypi.org/raspbian buster InRelease [15.0 kB]                                                
    Hit:4 http://archive.raspberrypi.org/debian buster InRelease
    Fetched 15.0 kB in 3s (5,276 B/s)             
    Reading package lists... Done
    W: Failed to fetch http://packages.microsoft.com/repos/code/dists/stable/InRelease  Could not connect to packages.microsoft.com:80 (0.0.0.0). - connect (111: Connection refused)
    W: Some index files failed to download. They have been ignored, or old ones used instead.
  • William Deans Feb 4, 2021 @ 15:12

    Vivek Gite is correct. Pro-censorship Raspberry Pi forum admins are wrong. Hopefully the censorship Nazis won’t kill Gite’s efforts to enlighten the people. Is there any good way to punish this censorship? It should be punished.

  • Jonathan Feb 4, 2021 @ 15:51

    using colon-redir would be faster than doing an rm, and then a touch:

    :> /etc/apt/trusted.gpg.d/microsoft.gpg

    The parent shell would need to have write access already, though. So via sudo

    sudo bash -c ":> /etc/apt/trusted.gpg.d/microsoft.gpg"

    The chattr step is belt and braces, although once you’ve modified a file in /etc packages should not overwrite it (if they are policy complaint)

    You may also want to ensure the key is not present in /etc/apt/trusted.gpg or another trusted path (apt-key list will tell you)

  • Leandro Sehnem Heck Feb 4, 2021 @ 16:04

    I really hate Microsoft crap, specially VSCrap. Microsoft stuff was the thing that drove me to switch to linux 20 years ago. But see, I could not see any good reason in your post saying why users have to fear this kind of stuff. I am just seeing you are pissed with this which is Ok for me, but this is not enough. This post is shallow, dude.

  • Andrew Palumbo Feb 4, 2021 @ 16:11

    Hey- thanks for pointing that out,

    FYI- VSCode is pretty popular among DevOps types who may game out networks using rpis and update the apt repository lists which Include Microsoft’s open source Channel.

    I definitely appreciate that you brought this information up, for licensing reasons. It’s important that people know what is open source and what licenses cover a project.

    I just install Raspberry OS yesterday, and will edit this if it turns out that I am wrong, but I do not think that, in this particular case, this channel being in the Raspberry PI OS apt repository lists for malicious reasons.

    Microsoft maintains many OSS project:
    https://opensource.microsoft.com/projects

    I am thinking that the upstream debian project voted to add the microsoft channel. VSCode is a very popular IDE, and the signed microsoft repo is the most secure.

  • Eric Hambright Feb 4, 2021 @ 16:26

    Sounds like typical anti Microsoft rhetoric to me, with a click bait headline. You aren’t being tracked. Of course if you update it pings the repo to see if there are any updates. Everyone of the other repos in Raspbian does the same thing.

  • anon Feb 4, 2021 @ 16:35

    I have a fresh install of buster and this repo isn’t there. Sure you didn’t add it to install VSCode?

    • 🐧 Vivek Gite Feb 4, 2021 @ 16:42

      I use vim. Never used MS software since 1996.

      • Pipone Feb 4, 2021 @ 16:51

        MiCRoSOFt BaD aM I rItE?

        • 🐧 Vivek Gite Feb 4, 2021 @ 17:05

          Kind of. But the real reason is when I started, I didn’t have money to buy the software at that time, so I started using free stuff instead of a pirated version. That is how this site was born to document different Linux and FOSS software tutorials.

  • MW Feb 4, 2021 @ 16:42

    The Operating System is “Raspberry Pi Operating System”, it covers the fork of Raspbian ARMHF, the fork of Debian ARM64 and the fork of Debian i386

  • GarthBock Feb 4, 2021 @ 16:49

    I can see the problem that this is causing with the slow encroachment of Microsoft’s control. Windows 10 is the most obvious with settings in it to pull back “user experience” and diagnostic data plus pushing advertisements. Requiring a M$ account to login to your own computer (which can be changed to a local account) is a warning flag. Talk is future versions of Windows will not have those options, you have to login to get permission from M$ to fully use your computer. I am not a Luddite. Just be aware that something is going on.

  • anon Feb 4, 2021 @ 17:21

    There’s nothing secret about this despite this article’s clickbaity title. The inclusion of the Microsoft Apt repos on lite server images was a bug. See this commit where the bug was introduced: https://github.com/raspberrypi/pico-project-generator/commit/75d4a56b22fb82b437ed00ad9582af42603057cf

    There’s nothing secret there, it was 100% public. Furthermore, the bug was fixed 3 days ago as you can see here: https://github.com/raspberrypi/pico-project-generator/commit/a6e454696342984c236015fa9f22a7db635fd86e#diff-6c936ccf51a28154c16cf78e753d9d67fb655b29e6e7d01ca29b1f360d4a38ddL709

    • Tim Feb 4, 2021 @ 17:53

      yeah, right, it was a bug. everything is bug these days when get caught.

  • Tim Feb 4, 2021 @ 17:41

    I think there is a reasonable line to be drawn between blindly accepting the change and gratuitously bashing m$ like it was still 1993.

    For me the question is: why does this m$ repo deserve the special privilege of being added by raspberrypi-sys-mods ? Convention, if nothing else, suggests external companies’ repos be added by providing manual instructions around add-apt-repository(1) etc. The changelog doesn’t give a reason, just a statement that it happened on Jan 25th.

  • Ritesh Feb 4, 2021 @ 18:08

    Embrace, extend, extinguish

    good ol Microsoft.

  • A kid Feb 4, 2021 @ 18:28

    The Raspberry Pi 2 was released in 2015. Get RPi 4, grandpa.

    • 🐧 Vivek Gite Feb 4, 2021 @ 18:34

      I am fine with whatever I have. It workes perfectly for my needs. Take care, kid.

      /Thread and comment closed.

Use HTML <pre>...</pre> for code samples. Problem posting comment? Email me @ webmaster@cyberciti.biz