It is a shame that the team never prioritized extension permission issues [0] despite their big boss saying security is the top priority [1]. All they have is "workspace trust" and various other marginally useful security measures.
I don't install a VSCode extension unless it is either official or well known and audited and I have to use it. I keep most of them disabled by default unless I need something for a project. (Even if you don't care about security, it's good for VSCode performance. I'll save that story for another day.)
[0] https://github.com/microsoft/vscode/issues/52116
[1] https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...
So I started uninstalling some icon themes and less used extensions that I installed on a whim years ago.
I implicitly trust extensions by Google, Microsoft and the like, but the less known publishers make me nervous.
Meanwhile random FOSS projects be like "please sudo curl bash to install the prebuilt binaries".
But this is true about lots of code. We have this notion of "it works, therefore there's no problem" which is just bad engineering. Just because you don't know there's a problem doesn't mean there isn't. Just because it passes the tests doesn't mean you have test coverage.
curl -L "foo.sh" -o foo.sh && bash foo.sh
Is just more characters. But you should do it simply because a poorly written bash script can accidentally mess you up when streaming.
Why sudo though?
I honestly think it's stupidity. Most people really don't know you can build programs for the user and don't need system privileges. I think everyone is just so used to installing from package managers and doing `sudo make install` that they forgot programs only need to be in $PATH and not /usr/bin.
Second off, you're not streaming into bash.
Third, you gotta read between the lines a little. I used some convenience considering my audience is programmers. Don't use && or shove `less foo.sh` in the middle with &&. There's a million options here.
That aside, it protects you from this gaping hole of an exploit mechanism. https://news.ycombinator.com/item?id=17636792
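The download-then-run pattern the comment above argues for, written out as an added example (this is not code from the thread): the script is fetched to disk first, checked against a checksum published out of band, and only then executed as the current user. The function names, the `--proto '=https'` hardening and the checksum step are this example's own assumptions.

```shell
#!/usr/bin/env bash
# Added example: fetch an install script to a file, verify it, then run it.
# Unlike `curl ... | bash`, nothing executes until the whole file is on disk
# and has been checked, so a truncated transfer cannot run a half-written
# command, and the file can be read (e.g. with `less`) before it runs.
set -u

sha256_of() {
    # GNU coreutils first, BSD/macOS shasum as a fallback.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# fetch_script URL DEST: download to DEST via a temp file + rename, so a
# partial download never sits at DEST where something might execute it.
fetch_script() {
    local url=$1 dest=$2 tmp
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if curl -fsSL --proto '=https' --tlsv1.2 "$url" -o "$tmp"; then
        mv "$tmp" "$dest"
    else
        rm -f "$tmp"
        return 1
    fi
}

# verify_and_run SCRIPT EXPECTED_SHA256 [ARGS...]
# Returns 1 and runs nothing on a checksum mismatch; otherwise runs the script
# as the current user (no sudo: a user-local install only needs to be in $PATH).
verify_and_run() {
    local script=$1 expected=$2 actual
    shift 2
    actual=$(sha256_of "$script") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $script: got $actual, expected $expected" >&2
        return 1
    fi
    bash "$script" "$@"
}
```

Typical use is `fetch_script https://example.invalid/foo.sh foo.sh && verify_and_run foo.sh <published sha256>`, with the hash taken from a channel other than the download itself.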
Of course, the one advantage of having source is that it is easier to run things like SAST tools against source, but how many people do that in practice? How integrated is that with package systems? And when package maintainers might provide hashes of what they ostensibly checked, you still need trust.
So we need a combination of static analysis tools that are integrated properly to produce trusted binaries, and you need earned trust and authority. Hyperindividualist self-reliance is, at the very minimum, impractical. And with authority, we know whose job it is to care for the quality of software and therefore whom to hang.
However commits tend to be much easier to trace at a later date than arbitrary binaries so attackers will be less inclined to go that route. Once committed it's there forever unless you can somehow get everyone to censor it from their own copies for an unrelated reason. Consider that the xz compromise involved downloading the payload later.
My policy is to either obtain binaries from a major distro or to build from a clean commit in a network isolated environment. If I can't go one of those routes it's almost always a hard pass for me.
In theory you can mix and match, but in practice most bureaucrats will insist on single-sourcing.
Also I’m not sure the tradeoffs of adding security to an editor are that big of a deal. Are we really seeing revolutionary stuff here? Every now and then I check out VS Code only to realize Vim is still 10x better.
They did the same with Chrome extensions.
I'm also skeptical that even a dark mode extension would be simple considering how varied web pages can be
I've used it to inject download links on sites, autoclose modals, etc. You can either write them yourself, or review other people before installing them.
It’s not a perfect solution, but at least it reduces the surface area to a single extension.
FYI: Just set Script Updates to Never.
Trusting other devs to not write malicious code has led to a surprisingly small number of incidents so far, but I don't think this will extrapolate into the future.
With more lines of code being auto-written without deliberate intent or review from an accountable author, things can only get worse!
They are (of course) not foolproof and very well may miss something, so people need to evaluate their own risk/reward tradeoff with these extensions, even after reviewing them with AI, but I think they are pretty useful.
We already have so many good, fast, secure, polyglot, customizable text editors. Why run one through Chrome and fill it with extensions for everything that will have arbitrary access to everything?
You open it. It just works. And the learning curve is smooth.
Compare this to Vim where, if it's the first time you're opening it, you are forced to kill the process because you don't even know how to quit it, never mind actually do any productive work.
> Compare this to Vim where, if it's the first time you're opening it, you are forced to kill the process because
Because you can't read.
I'm serious. Open a blank file by typing `vim` into the terminal. Don't press anything, just look at the screen.
I'm sorry, but reading docs, or just reading, shouldn't be considered a significant barrier to entry.
Rule number one is that users don't read documentation.
I really really wish there was ONE standard orthodoxy with regards to UI and how programs work and how we get around them.
Instead we have these clowns constantly inventing new ones. I love learning things and tweaking things, but I have limited bandwidth and I am so over micromanaging my PC.
For the record, I know and love vi. But as I get older I find myself yearning more for the cathedral than the bazaar.
The comment isn't actually even talking about providing the same service, so they mention emailing themselves files and usb drives.
The problem was there was a big technical hurdle to locally network mount a file system. Especially across OSes. It's even harder to do it non locally. Sure, it's not hard if you're familiar with that stuff. Sure, it's not hard to learn if you're comfortable in the terminal. Sure, today you can use rclone. BUT that's not a tool my grandma can use.
On the other hand, we're not talking about tools my grandma can use. We're talking about tools a programmer can use.
My favorite VSCode feature is the SSH remote working feature. VSCode gives me the full editing / console / Claude environment on my local workstation, where all files, shells, and yes, Claude as well, run on a company lab machine over the VPN. Props to the collaborative working feature where several people can all share the same VSCode editor session on their individual workstations.
Vim can do the above two things if you run it as a terminal app with tmux. Sublime could do it if you shared the editor via X or Waypipe (well, not the second feature). But VSCode integrates it directly in the app and it's a much better experience.
> But VSCode integrates it directly in the app and it's a much better experience.
Not for the admin of the server who has a bunch of idle vscode sessions. Sure, cli users do it too with tmux, but the resource consumption is vastly different.
Why do these companies put so much effort into fighting right to repair to avoid IP leaks any halfway serious company could reverse engineer in a week, but on the other hand encourage their employees to vibe all company secrets into the cloud?
Only if you believe they are truthful about the reason for fighting right to repair. I think the reason for fighting right to repair is to reduce the time before a replacement purchase is required.
> but on the other hand encourage their employees to vibe all company secrets into the cloud?
Lots of companies do ban or restrict usage of LLMs etc.
Can't repair your own stuff and either need to use authorized repair shop or buy new? The company gets more money.
Force your developers to forgo quality in efforts to produce more cruft in less time? The company gets more money.
Of course, only considering short-term, long-term they'll lose money, but at that point all the executives and managers already got their bonuses and probably moved on to doing the same in some other company.
The main thing I had to wait on for a long time was support for preventing 3rd party code from being plagiarized since our code base was intermingled with partnered companies.
Even this reads like an AI extension wrote it.
You all can take vim out of my cold dead hands.
I think the culture behind the (neo)vim community is a bit more technical, and they are quicker to sound the alarm if anyone tries something shady.
But, in any event, I hand-roll my own config and every plugin I install is inspected by me. When I pull changes, I check the diffs for anything shady. If a plugin is simple enough, I will just integrate it into my own stuff.
TBF, Cursor's code indexing works the same way, it has to send all workspace files to their servers.
Auto-completion systems need previous edits to suggest next edits, so no surprises there either.
“Oh that’s cool, I already donate to my local neo nazi group. We are both philanthropists!”
Nothing makes me go from apolitical to a red blooded American faster than seeing someone make a stupid false equivalency about the US on this forum
In fact, many even are from "hostile countries" that are "enemies of democracy".
What's more, some of those people aren't aligned with US interests and aren't willing to put their lives on the line for CIA operations!