From d7e5e7640dae7f60552084ffc66e15a536ca5d1d Mon Sep 17 00:00:00 2001 From: Leah Rowe Date: Fri, 21 May 2021 15:50:20 +0100 Subject: [PATCH] add todo to tasks page about RPi distros, and warn about security issues --- site/docs/install/spi.md | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/site/docs/install/spi.md b/site/docs/install/spi.md index 813b244..9999dcd 100644 --- a/site/docs/install/spi.md +++ b/site/docs/install/spi.md @@ -206,6 +206,36 @@ Under the Interface section, you can enable SPI. The device for communicating via SPI as at `/dev/spidev0.0` +Caution about RPi +----------------- + +On 20 May 2021, someone on IRC brought to my attention the following video: + + +Basically, the Raspbian project, now called Raspberry Pi OS, put in their repo +an update that added a new "trusted" repository, which just so happened to be +a Microsoft software repository. They seem to have done this for VS Code, but +the problem here is that it gave Microsoft free reign to define whatever +dependencies they liked (as per apt-get rules), and every time you updated, +you would be pinging Microsoft servers. Do you think that is strange? + +Microsoft shouldn't have *any* access to your GNU+Linux system! This was the +commit that Raspbian added to their distro, which added this what should rightly +be called a security vulnerability, intentaionally: + +* + +They then removed it, after a public backlash, via the following commits: + +* +* + +For now, Raspbian / Raspberry Pi OS (which is based on Debian) should be safe, +but this whole episode proves that the distro can no longer be trusted to +respect its users. Therefore, it's now on the [tasks page](../../tasks/) +a TODO entry for recommending and documenting alternative GNU+Linux distros +on the Raspberry Pi, for the purposes of SPI flashing. + Install flashrom ----------------
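Review bot: The closing paragraph of the new "Caution about RPi" section says the TODO is "now on the [tasks page](../../tasks/)", and the subject line says the same, but the diffstat lists only site/docs/install/spi.md (1 file changed, 30 insertions), so the tasks-page entry is not part of this patch. Either include that file here or reword the sentence so it does not claim an entry this commit does not add. In the same section, the line ending "following video:" and the three "*" bullets under the commit references carry no URL as shown, so a reader cannot verify which commit added the repository or which ones removed it; the links need to be present for the warning to be checkable. Since the section describes the added "trusted" repository as a security issue, it would help to add one sentence telling readers how to check their own apt sources and trusted keys for it, because "should be safe" gives them nothing to verify. Wording: "free reign" should be "free rein", "intentaionally" is a typo, and "which added this what should rightly be called" reads better as "which added what should rightly be called".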