Raspberry Pi OS has turned into spyware for M$:

And yes, they add M$'s repository key to APT's trusted database and add their repo to APT's repo list.
Without asking.
Or informing you via a NEWS file.

So now every time you do "apt[itude] update", M$ will know about it.

This isn't the first time that the Foundation changed your sources.list without asking:

Fuck that.

This is soo freaking bad.
You'd think that over the years they'd learn a bit on how works. But I guess not.
rpdom: "Repos should not be added to a system without permissions from the owner/administrator." 👌

jamesh (): "where do you draw the line on stuff changed during an install or upgrade." ... "Do you say 'No changes to configs at all' which basically makes updates not work?" 🤦‍♂️

Declare as conf file and use debconf.

If only Debian would've ever had to deal with system upgrades with possibly accompanying configuration file modifications.

Or Eben Upton on :birdsite:

"Sorry: I can't understand why you think this was a controversial thing to do. We do things of this sort all the time without putting out a blog post about how to opt out."

Wow. Just wow.
Ever heard of Embrace, Extend and Extinguish?

Only to push a certain editor which they want to use by default for Pico.

Also, M$ adding their non-free 'code' program in the 'main' section ...


RPF thought it was good to blog about 'it' after all:

.. by a M$ snake-oil sales representative.

"VS Code is a free, open source developer text editor"

That is "free" as in beer, not freedom. And yes, the code is available, so technically open source, but you can't distribute the binary.

So technically he isn't lying.
But this also proves you (still) can't trust anything that comes from M$.
And shame on for giving this credence.

And through the comments I learned that VS Code is an Electron app.

Maybe we should start a fundraiser so M$ can rewrite it in a proper way?

But what actually pisses me off the most is this:

Linux isn't hard to learn.
Linux becomes hard to learn, when you first learn something else and then have to unlearn that first in order to learn the new thing.
Then it is different from what you know and that makes it hard.

That is why M$ and Apple give their software (almost) for free to elementary schools, so children get locked in early.

The FOSS community has done a LOT for and and now RPF is helping M$ lock kids in too

🖕 🖕 🖕

@FreePietje The posts by "gsh" (Raspberry Pi Engineer & Forum Moderator) are also telling:

"So there's nothing wrong here, as other's say, it's just the repo, you don't have to install anything from it and we won't have a dependency on anything from Microsoft in the Debian / Raspbian or Raspberry Pi repositories"

That's complete horseshit. What if MS decides to host a "openssh-server" package in their repo with whitelisted MS keys? You know, to make life easier for their support employees.

Hence: "This is soo freaking bad.
You'd think that over the years they'd learn a bit on how works. But I guess not."

It looks like the worst aspect, like you mentioned, may get addressed:

Several people explain, imo extremely polite, what is wrong with it and how to remedy that (including a DD mentioning using NEWS.Debian ;P) ... and that still got his feelings hurt.

But that he needs to be educated about these things, while he's been building/maintaining RPF deb packages for years now, is just sad.

@kekcoin @FreePietje it’s a bit different than what you are describing Debian devs have voiced concern and they have been heard.

@wa__em @FreePietje Do note the timeline; the first comment on that issue by the devs conceding there might be a bit of a problem ( was posted after my remark here. So at the time of writing, my criticism was accurate.


It wasn't when I reported about it.
It really annoyed me that RPF didn't think of the scenario as @kekcoin described. After so many years, they should have known.

And I actually referenced that issue myself here:

@kekcoin @FreePietje If I don't have to install anything from it, why would I have it then? OFF it goes!

@carl @FreePietje The argument is that they want to make it easier to install things from MS... I wonder how much they got paid.

@kekcoin @FreePietje Yeah, but I sure do not want to install ANYTHING from MS. And I would like to be asked FIRST, thank you very much.

@carl @kekcoin
The RPF makes choices which I wouldn't make, but do make sense when you view it in light of *their* primary goal:
get kids interested in computers and electronica.

I'm not going to excuse the way that they did it or their dismissive and belittling response to valid criticism.
I also stand by my point that they should have known and done better. Asking permission to add a 'random' repo is one of them.

I will not assume malice though.
I 'know' some more/longer then I can tell.

@FreePietje O U C H. The fundamental problem I have with this is that #RaspberryPi is adding something third-party to the trusted keyring. In no way is that right.

I have been meaning to try out the #ROCK64 (AES acceleration onboard, which rpi doesn't have!) and looks like this will be what pushes me to it. Too bad they don't have an 8GB version though.

Had they asked for informed consent then this would've been a non-issue.
A bit more troubling is that they/RPF can't see/understand that people have a problem with their actions.

If you haven't bought the board and you can afford it, the RockPro64 is probably a better choice. And get proper cooling.
The RockPro64 appears to have better kernel support.

The RPi/RPF were actually doing good with upstreaming stuff.
AFAICT Pine64 does absolutely nothing in that regard (no SW, only HW).

@FreePietje I have one -rPi - but I never let it online; only use it as a utility-linux thing.

That works too.
You can get online with it, but the one thing you need to avoid like the plague is raspberrypi-sys-mods.
Or just get rid of the repo altogether.
Raspbian(.org) is run by a Debian Developer (plugwash) and ~ just recompiles the Debian packages for RPi (1 architecture).

Or do as @jvalleroy suggested, use an image from which only contains things from . And you can be sure that Debian would never pull crap like that :)

Thank you for the link and info. I will try one of those images. I mostly used it for Kodi. Last time I dl the raspOS it was the "basic" bc I knew that Raspberry official was for kids and had a lot of limitations, like you can't change the DNS from ggl's 8888.


@FreePietje I've just discovered this for myself and I'm disgusted.

@FreePietje how raspbian different from debian arm plus the gpu blob
@FreePietje is raspbian deprecated or something? i've never heard of raspios
@georgia @FreePietje It's just rebranded raspbian. They want to distance themselves from debian so the can shill licensed software

@abloo @georgia

See the toot I linked earlier.

The RPF should've done a 'rebranding' from the start, because before that, raspbian referred to various different things.
The majority of software in RaspiOS still comes from and there's absolutely nothing wrong with that.
Some software package do come from and that's where the problem lies, including what I reported in OP.

While #Microsoft is a better company than some years ago they're still labelled as the #blackknight as they haven't stopped some of their evil ways. Other companies are more evil these days, in different ways: one dropped its motto "Don't be evil" some years ago, the other locks people in comfortable #GoldenPrisons

@FreePietje Argh. The RPi is such a cool little computing device, but things like that make it unusable for everyone who wants to have at least a little bit of security, and of course for literally the whole industry. Can't install something like the RPi into production lines if shit like this happens.

You can run (pure) on them and someone mentioned Gentoo works too. Likely Arch does too and likely other distributions as well.

@FreePietje @KopfKrieg I can't fathom why you would ever need a distro that isn't #Debian at this point, but any distro that supports arm or arm64 should work.

@BalooUriza @FreePietje You all do realize that I'm talking about industrial applications? I can't just switch distros, I have to use the official one (also because we don't use Raspberry Pis but their industrial version which requires special kernel support).

With a headline like that, I won't bother reading the rest as the author is obviously clueless.

ECMAScript was M$'s thing vs Netscape's JavaScript. Netscape has long gone, which leaves only ECMAScript. ECMAScript was there before there were "open source javascript communities", so I don't see a 'takeover' here. I love his top picture though.

@FreePietje "lock in early" is Adobe's strategy too—it's not so much that (modern) creative open source tools like Krita and Blender are so hard to use compared to Adobe's monsters, but everyone is used to Adobe's so it's always "but this is haard!" because it is different to use

@orionwl @FreePietje isn't that also why marketing is generally aimed at younger audiences? Get them while they are impressionable and make them a customer for life.

@mep1911 @orionwl @FreePietje Look at what google is doing with chromium (migrating features to chrome-only) now that the entire ecosystem has become a chromium derivative. Using VSCodium is just as big of a mistake as using VSCode.

@kekcoin @mep1911 @orionwl
Yep, you first need to get a foot in the door. From that you can Extend and Exterminate. And the RPF has given them that.

And I believe them when they say they haven't been paid for that. That makes them dumb af as well.

@FreePietje @mep1911 @orionwl I'll invoke Grey's law; "Any sufficiently advanced incompetence is indistinguishable from malice."

@kekcoin @mep1911 @FreePietje that's up to you of course

just be aware that in the case of open source, freely licensed software, you're not spiting anyone by "i'm not using your software"

someone you completely disagree with could make software that is useful to you and it shouldn't really matter

@orionwl @mep1911 @FreePietje I agree that this is true often, but this is not universally true. Look at the current state of the web; google has de facto complete control over the direction of web standards. The entire browser ecosystem, aside from a rounding error, is either chromium-based or firefox, which is mostly google-funded.

@orionwl @mep1911 @FreePietje Google are in a perfect position to do EEE, and in fact they are already doing so by pulling features out of chromium (and into chrome) that derivative browsers (foolishly) relied on. This strategy isn't new. And this VSCode thing has all the ingredients to take on a similar role in the IDE world.

@kekcoin @orionwl @mep1911
I've used the Debian build of Chromium for a while (as secondary browser) as it disabled various anti-privacy 'features' in chromium. About a year ago I concluded that this was just a losing game. And while open source, (afaict) g👀gle controlled everything. The amount of 'questionable' things G👀gle has done these last couple of years, made me ditch it then. Because of the context.
That G👀gle moved sync from chromium to Chrome was therefor completely expected by me.

@FreePietje @orionwl @mep1911 Yeah when the whole Sync scenario played out my first response was just a jaded "what did you expect? that service uses google servers, it was proprietary all along, it should never have been in chromium in the first place!". But it was pointed out to me later that downstream browsers also used this function and now lost access.

@kekcoin @orionwl @mep1911
That's one of the things that the Debian builds disabled (by default or entirely).

> it should never have been in chromium in the first place!

Excellent point, I had actually overlooked that.
By putting it in chromium all downstream browsers would normally have it, making the sync with android seamless for far more users, thus locking users in.

@FreePietje @orionwl @mep1911 Not just "locking users in", but also "locking browser vendors in". This is pure speculation but it wouldn't surprise me if vendors decided to make the switch to chromium-based partially because this function came included. At the very least they never bothered building their own, which they might have were it not for the inclusion.

And now all those non-chrome users get presented with the choice to create a new vendor-specific sync account or switch to chrome.

Sign in to participate in the conversation
unidentified instance

The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!