Uncovering the obfuscated origin of unacceptable new files in Raspberry Pi OS
by Turbocapitalist from LinuxQuestions.org on (#5DQY3)
With a recent update, I notice that some package deposited some unwanted changes to my systems running Raspberry Pi OS. These may have some official excuse but the bottom line is that among all the other problems, the changes to the repositories point back to M$ own servers and which will get polled each and every time APT runs update.
Code:$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code
stable mainIt seems that some package has also inserted an OpenPGP key for M$ into these systems as well as adding an M$ repository to APT's sources. The package manager neither asked before making thse changes nor can I identify the package at fault using dpkg.
Code:$ dpkg -S /etc/apt/trusted.gpg.d/microsoft.gpg
dpkg-query: no path found matching pattern /etc/apt/trusted.gpg.d/microsoft.gpg
$ dpkg -S /etc/apt/sources.list.d/vscode.list
dpkg-query: no path found matching pattern /etc/apt/sources.list.d/vscode.listThus the origin of these offending files is hidden. There might be more. How do I find which package is causing the problem? Once it is found what is the best way to deal with it? apt-pinning or a hack like below?
Code:rm /etc/apt/sources.list.d/vscode.list
touch /etc/apt/sources.list.d/vscode.list
chmod 444 /etc/apt/sources.list.d/vscode.list
chattr +i /etc/apt/sources.list.d/vscode.list
rm /etc/apt/trusted.gpg.d/microsoft.gpg
touch /etc/apt/trusted.gpg.d/microsoft.gpg
chmod 444 /etc/apt/trusted.gpg.d/microsoft.gpg
chattr +i /etc/apt/trusted.gpg.d/microsoft.gpgUnless those changes get added preemptively before connecting to the net, it looks like M$ now gets pings from APT for every last networked Raspberry Pi OS system which has received the latest updates. I presume this tracking was rejected upstream in Debian and only in Raspberry Pi OS (formerly Raspbian) but have to ask if either Debian testing or unstable are affected too?
Code:$ cat /etc/apt/sources.list.d/vscode.list
### THIS FILE IS AUTOMATICALLY CONFIGURED ###
# You may comment out this entry, but any other modifications may be lost.
deb [arch=amd64,arm64,armhf] http://packages.microsoft.com/repos/code
stable mainIt seems that some package has also inserted an OpenPGP key for M$ into these systems as well as adding an M$ repository to APT's sources. The package manager neither asked before making thse changes nor can I identify the package at fault using dpkg.
Code:$ dpkg -S /etc/apt/trusted.gpg.d/microsoft.gpg
dpkg-query: no path found matching pattern /etc/apt/trusted.gpg.d/microsoft.gpg
$ dpkg -S /etc/apt/sources.list.d/vscode.list
dpkg-query: no path found matching pattern /etc/apt/sources.list.d/vscode.listThus the origin of these offending files is hidden. There might be more. How do I find which package is causing the problem? Once it is found what is the best way to deal with it? apt-pinning or a hack like below?
Code:rm /etc/apt/sources.list.d/vscode.list
touch /etc/apt/sources.list.d/vscode.list
chmod 444 /etc/apt/sources.list.d/vscode.list
chattr +i /etc/apt/sources.list.d/vscode.list
rm /etc/apt/trusted.gpg.d/microsoft.gpg
touch /etc/apt/trusted.gpg.d/microsoft.gpg
chmod 444 /etc/apt/trusted.gpg.d/microsoft.gpg
chattr +i /etc/apt/trusted.gpg.d/microsoft.gpgUnless those changes get added preemptively before connecting to the net, it looks like M$ now gets pings from APT for every last networked Raspberry Pi OS system which has received the latest updates. I presume this tracking was rejected upstream in Debian and only in Raspberry Pi OS (formerly Raspbian) but have to ask if either Debian testing or unstable are affected too?