Comments (30)
The decision to add the repo came from people who are more familiar with GDPR than I am, so I'll trust their judgement.
from raspberrypi-sys-mods.
This discussion is ridiculous. Since the early days of linux it is my favorite os. A lot of discussions between linux lovers and ms enthusiasts have been read by me.
Fact is that microsoft is swallowing open source projects for a while now. This platform here (github) is the best known example for this.
I don't know how many people spent years of their lifetime to develop excellent software. More than 90% of the internet server infrastructure is based on linux. And all the old guys like me know that MS hated linux in the early days because it is just more flexible, robust and secure.
If now a company like Raspberry Pi comes along with such a b..shit patch it is like kicking all those people into their a..
So my final decision is... good bye raspberry pi. There are tons of other hardware platforms we can use and we will use.
from raspberrypi-sys-mods.
We are actively reviewing the distribution mechanism, having received a number of helpful suggestions, but there is at least a simple way to opt out.
from raspberrypi-sys-mods.
what about the fact that you are potentially violating the GDPR law in europe? as i already commented on the PR #51 (comment) there is a GDPR problem here.
to sum this up: you are risking law problems for you and your users in europe and you are losing your community's trust just to spare a small subset of your users these commands:
wget -qO- https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > packages.microsoft.gpg
sudo install -o root -g root -m 644 packages.microsoft.gpg /etc/apt/trusted.gpg.d/
sudo sh -c 'echo "deb [arch=amd64,arm64,armhf signed-by=/etc/apt/trusted.gpg.d/packages.microsoft.gpg] https://packages.microsoft.com/repos/code stable main" > /etc/apt/sources.list.d/vscode.list'
Given that the repo doesn't do anything unless she chooses to install vs code, I'd advise against risking somebody else's life for your ideology.
it is nothing about ideology it's about law. by installing the repo without an active consent of the user you are simply acting against this law as each apt-get update pings the m$ server and exposes their ip to them.
... but there is at least a simple way to opt out.
it has to be opt-in and not opt-out.
Since our aim is to remove hurdles and make things simple for beginners who may not know what a repo is, requiring input like that is just confusing.
as i wrote above you see the command it needs to install vscode. we are talking about software development. if the persons which will use vscode are confused by going to the shell and enter the required commands to install or answer a simple y/n dialog, maybe they should not develop at all? at least admit that it's about money and a deal you have with microsoft.
if you want to help them simply add a shortcut to the desktop which starts a script which runs the command for them but installing a third party for all of your users is simply wrong.
you don't really remove hurdles in fact you are building up a very big hurdle for all people in europe who want to use this OS legally.
for a small subset of persons which want to use vscode you make it easier and make it more difficult for everyone else in europe. yes most of the people simply don't care if it is legal or not until they get sued. an associate of a customer of mine had to pay 5000eur just because of a GDPR violation (one person company).
with opt-out instead of opt-in you will require a privacy policy which the user has to accept before they can download the image. in that policy you are required to inform the user that their ip is sent to microsoft.
i really don't understand this reaction of you (the company who creates the raspberry OS): you are really losing your community's trust, you force close discussions, ...
don't you see the $hitstorm you created with this? simply go one step back and remove all third party repos.
from raspberrypi-sys-mods.
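Added example (not part of the thread and not code from raspberrypi-sys-mods): the comment above turns on which hosts see a machine's IP address on every `apt update`. The script below lists those hosts from one-line-style `.list` files and flags any that are not on an expected list; the function names, the sample tree and the allowed-host list are constructed for illustration, and deb822 `.sources` files are not handled.

```sh
# Added example: which hosts does `apt update` contact, according to the sources files?
# Handles one-line-style entries only: deb [options] URI suite components...
# apt_source_hosts DIR -> prints "host<TAB>file" for every active network source
apt_source_hosts() {
    dir=$1
    for f in "$dir"/sources.list "$dir"/sources.list.d/*.list; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            # blank lines and "#"-commented entries fail this test and are skipped
            $1 != "deb" && $1 != "deb-src" { next }
            {
                i = 2                      # step over [options]; they may span fields
                if (substr($i, 1, 1) == "[") {
                    while (i < NF && substr($i, length($i)) != "]") i++
                    i++
                }
                n = split($i, part, "/")   # "https:", "", "host[:port]", path...
                if (n < 3 || (part[1] != "http:" && part[1] != "https:")) next
                host = part[3]
                sub(/:.*/, "", host)       # drop an explicit port
                print host "\t" file
            }' "$f"
    done | sort -u
}

# unexpected_hosts DIR ALLOWED_HOST... -> sources whose host is not on the list
unexpected_hosts() {
    dir=$1; shift
    apt_source_hosts "$dir" | while IFS="$(printf '\t')" read -r host file; do
        case " $* " in
            *" $host "*) ;;                           # expected host, stay quiet
            *) printf '%s\t%s\n' "$host" "$file" ;;   # anything else is reported
        esac
    done
}

# make_sample stock|optout -> path of a constructed look-alike of /etc/apt
make_sample() {
    d=$(mktemp -d)
    mkdir "$d/sources.list.d"
    echo 'deb http://raspbian.raspberrypi.org/raspbian/ buster main' > "$d/sources.list"
    echo 'deb http://archive.raspberrypi.org/debian/ buster main' > "$d/sources.list.d/raspi.list"
    if [ "$1" = stock ]; then
        echo 'deb [arch=amd64,arm64,armhf] https://packages.microsoft.com/repos/code stable main' > "$d/sources.list.d/vscode.list"
    else
        : > "$d/sources.list.d/vscode.list"   # the empty-file opt-out from the thread
    fi
    echo "$d"
}

for kind in stock optout; do
    t=$(make_sample "$kind"); echo "== $kind"
    unexpected_hosts "$t" raspbian.raspberrypi.org archive.raspberrypi.org; rm -rf "$t"
done
```

On a real system the first argument would be `/etc/apt`, with the allowed hosts set to whatever mirrors the administrator expects.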
Have you read the other comments here? Do you see the constructive dialogue that some users manage? The ones actually doing something useful to achieve their goal? Be more like them, and stop knocking on an open door.
from raspberrypi-sys-mods.
Unconstructive comments will be deleted.
from raspberrypi-sys-mods.
And maybe give people the option to install it instead of forcing it onto people? I don't care if you don't care about your privacy but some people do and it's already too late when people have run an apt update.
from raspberrypi-sys-mods.
Throw a sudo apt update in there as well and you're set.
@XECDesign No, unless I'm wrong, on the next update of this package the repository will be re-added.
If @sabotagebeats only removes the file, the only thing this user is "set" for ATM is to allow the re-installation of the microsoft repo as soon as postinst is run again.
This line only checks if the file exists. If not, the repository is re-added every time the user runs dpkg-reconfigure -a, or a new version of raspberrypi-sys-mods is released.
In the current state of the code, the file must remain. After deleting the unwanted repo, the user can use apt-mark hold raspberrypi-sys-mods if the user doesn't want this package to mess again with its repo list.
Sadly, this package is an omnibus bill, it does not "do one thing and do it well". The user would also cut himself off from receiving other changes he might want.
The hacky way would be to do touch /etc/apt/sources.list.d/vscode.list, not the cleanest solution but what can a user do at this point... ?
For more security and confidence, I would also recommend doing chattr +i /etc/apt/sources.list.d/vscode.list to make sure that any bad regex in the future decide to update the content of the file.
I begin to understand why people feel that this update is forced on them and sneaky.
I can't believe that no one in your team flagged that this would be a sensitive update and that extra care would have to be taken.... knowing how much Linux people love to hate M$ since 1991.
from raspberrypi-sys-mods.
I have done the following. What else do I need to do?
sudo rm /etc/apt/sources.list.d/vscode.list && sudo rm /etc/apt/trusted.gpg.d/microsoft.gpg
Throw a sudo apt update in there as well and you're set.
from raspberrypi-sys-mods.
And maybe give people a chance to answer?
from raspberrypi-sys-mods.
I think you hit the nail on the head, but the argument from others is that they can combine that IP with other information they've collected. You may have accepted some EULA that lets them track you while signing up for some other MS service like Azure or Github, or maybe while installing something you don't even remember. Now they can run those IPs by the HTTP access logs and determine who's who. This way they'd know that you're probably running Raspberry Pi OS and when you're active and that may contribute to an overall profile they may or may not have. Maybe someone might say, "okay I don't care if they track me on github, but I don't want them also knowing what else I'm doing". At least, that's my best effort to steel-man the argument.
Then there's also the hypothetical possibility that they're logging and cross-referencing everything, without checking who has opted in or out. Or maybe they're sharing those logs with other partners which have data they can cross-reference. If something like that's happening, they could be violating some laws. I am sure that they have lawyers which they have to run everything by.
And yes, we've been keeping an eye on all the feedback, forum, reddit posts, youtube videos and so on, but there are things to sort out internally before we can make a final decision.
from raspberrypi-sys-mods.
If you believe we're mishandling personal data in any way, I wouldn't discourage anybody from protecting their rights:
https://edpb.europa.eu/about-edpb/board/members_en
https://ico.org.uk/make-a-complaint/
from raspberrypi-sys-mods.
Do I need to wipe the pi and install a different OS?
from raspberrypi-sys-mods.
Any decision taken at raspberry foundation ?
from raspberrypi-sys-mods.
I have done the following. What else do I need to do?
sudo rm /etc/apt/sources.list.d/vscode.list && sudo rm /etc/apt/trusted.gpg.d/microsoft.gpg
from raspberrypi-sys-mods.
Just delete the additional entries in the sources - now that the version number has passed that particular value it won't be added again.
from raspberrypi-sys-mods.
Also the title is :
Remove Microsoft vscode from raspberry pi os lite
and I don't see it as solved. Is it a won't fix ?
from raspberrypi-sys-mods.
now that the version number has passed that particular value it won't be added again.
@pelwell I think this is false
The function will be executed on every update in the future, and as stated earlier, if the user deletes the file, it will add it again.
from raspberrypi-sys-mods.
The version comparison line is checking if the existing version is older than "20210125", and only running add_ms_repo if it is. Once you have gone past that version it won't try again.
from raspberrypi-sys-mods.
I tested it and you are right. I have read lt-nl backward I guess, my bad.
from raspberrypi-sys-mods.
I don't believe YOU are, but you are enabling m$ collecting data on users of other devices and OSs without asking those users first (especially non-GUI users as VSCode is a GUI app).
from raspberrypi-sys-mods.
I've reviewed the data, ala tcpdump, sent back and forth and there is no cookie exchange. There is a user agent which is completely standard. There is also an etag which is very different than a cookie.
Of course the service owner will have logs of each hit. When you visit a website they have that log whether or not you click the accept cookies button.
So I guess I don't know where the line is drawn as far as data collection and GDPR. As far as I can tell they have service logs only.
from raspberrypi-sys-mods.
They can as anyone could. Without the cookie they would not be able to target the individual assets as accurately and in some cases not at all.
So we are talking about anonymous aggregated data. If that is a GDPR violation and they are doing it they should stop. I think that falls on Microsoft if that is the case. I'm no lawyer though and I have not studied the law in detail other than what my employer requires me for my job.
I agree with @XECDesign that a complaint should be filed if you believe there is a mishandling of personal data.
I just wanted to let you know what data is actually being exchanged. If you wish I could probably teach you how to run tcpdump and read some simple http packets.
from raspberrypi-sys-mods.
it is not about cookies it is about personal data, where the ip counts towards personal data:
What is personal data?
....
an Internet Protocol (IP) address;
...
https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en
if some university mirror gets my ip where the chance is high that they don't aggregate the personal data, well, simply does not matter but microsoft is doing telemetry and is quite aggressive with their data collection. so no i don't want them to get my ip. so yes i still think it is a GDPR violation.
if i connect to a webpage, i know that i share my ip, if i install debian i know that the debian mirrors get my ip but no i don't assume that if i install linux my ip gets to microsoft.
from raspberrypi-sys-mods.
And I don't see Debian, or RedHat, or Ubuntu or other linux Distros asking m$ to put their package update sites into the base m$ installs for any reason. Maybe, RPiFoundation is going to get reciprocity, to know where and how many m$ installs there are? Not necessarily cookied, but just the hits from IP Addresses would tell them much... Where m$ can and does aggregate and correlate all their data, users, installs, locations, and now can get other systems.
If you own a MAC, but don't install any m$ software, does your MAC check with m$ sites? I can imagine what Steve Jobs would have given to have that happen for Apple...
from raspberrypi-sys-mods.
I apologize in advance if this response exacerbates this discussion. I feel that this is now a closed issue and not the correct medium to discuss this further. This will be my last update to this thread.
An IP address alone without other identifiers (such as cookies) is considered to be pseudo-anonymized, and does not qualify as personal identifying information under GDPR. This is classified as essential data to be stored for the health and safety of the servers that are being accessed. Assuming that they are used for the purpose of security and maintenance.
See also recital 49 of GDPR:
https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32016R0679
You can't expect a website to purge your server logs just because you clicked no to the server cookies. Honestly, I don't even think that APT would know how to store and pass the cookies back and forth. I do not believe there is a violation here.
I for one am not actually in favor of adding this repo by default, but for different reasons. Regardless, I do not feel this is a rights or privacy violation and will just remove the repository on the servers that I do not want it on. There are more important causes for me to allocate my time to. I also do not believe a positive outcome will be had by discussing it further here. I think that @XECDesign has heard the communities response and they are discussing internally what to do next.
If you just want to argue. I love to argue. Send me an email and we discuss. It is pretty boring sometimes being stuck inside. Lots of snow here in New England. Reddit is a good place to argue too.
from raspberrypi-sys-mods.
@BitBistro-code
This is classified as essential data to be stored for the health and safety of the servers that are being accessed.
You can't expect a website to purge your server logs just because you clicked no to the server cookies.
It's true that Microsoft has every right to keep a record of just my IP address making a connection to some of their servers.
The point here is "Why is my Raspberry making a connection to some Microsoft server every time I update it even though I've no intention of installing any Microsoft product on it?".
I can't expect a website to purge their server logs if I opt out of their cookie policy, but I can expect them to NOT put in their homepage a 1-pixel transparent png hosted on the server of some completely unrelated company so that the completely unrelated company can keep a record of my IP visiting that homepage.
from raspberrypi-sys-mods.