vorticalbox|2 years ago
https://github.com/VSCodium/vscodium/blob/master/.github/wor...
danpalmer|2 years ago
Having had a quick look through this workflow it seems to miss most opportunities to ensure a safe build.
- Downloads binaries for use in build with no hash/signing verification.
- Doesn't pin shared actions.
- Uses Yarn to install dependencies (which can involve downloading/executing arbitrary code from anywhere).
- Doesn't sign the final binary.
None of this is necessarily wrong, all would make maintenance harder in the long run, but it means this project is really about removing MS branding and some telemetry, and that there is a security trade-off to get those benefits.
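Two of the gaps listed in the comment above (unpinned shared actions, unverified binary downloads) can be caught with small checks in the build itself. The script below is an added example, not code from the thread or from the VSCodium project; the workflow excerpt, action names, commit SHA and digest in it are constructed for the demo.

```shell
#!/usr/bin/env sh
# Added example, not code from the thread or the VSCodium project: two
# checks for the first two gaps listed above. The workflow excerpt, action
# names, commit SHA and digest are all constructed for this demo.

# Report `uses:` references that are not pinned to a full 40-hex commit SHA.
# A tag such as @v3 can be moved by the action's maintainer; a commit SHA
# cannot. Local actions (./path) are exempt. Returns 1 if any were found.
check_pinned_actions() {
    unpinned=$(grep -E '^[[:space:]]*-?[[:space:]]*uses:' "$1" \
        | sed -E 's/^[[:space:]]*-?[[:space:]]*uses:[[:space:]]*//; s/[[:space:]]*#.*$//' \
        | grep -Ev '(@[0-9a-f]{40}$|^\./)' || true)
    if [ -n "$unpinned" ]; then
        for ref in $unpinned; do printf 'unpinned action: %s\n' "$ref"; done
        return 1
    fi
    return 0
}

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Fail closed when a downloaded build input does not match the digest kept
# in the repository next to its URL, and delete it so no later step uses it.
verify_artifact() {
    if [ "$(sha256_of "$1")" != "$2" ]; then
        printf 'digest mismatch for %s\n' "$1" >&2
        rm -f "$1"
        return 1
    fi
}

# Demo on a constructed workflow excerpt: one SHA-pinned step, one tag-pinned.
tmp=$(mktemp -d)
cat > "$tmp/build.yml" <<'EOF'
steps:
  - uses: example/checkout@0123456789abcdef0123456789abcdef01234567  # constructed SHA
  - uses: example/setup-node@v3
  - uses: ./.github/actions/local-step
EOF
printf 'hello\n' > "$tmp/input.bin"   # expected digest below is sha256 of "hello\n"
if check_pinned_actions "$tmp/build.yml"; then echo "all actions pinned"; else echo "workflow needs pinning"; fi
if verify_artifact "$tmp/input.bin" 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03; then echo "digest ok"; fi
```

Run as an early step of the workflow so a moved tag or a changed download fails the build before anything from it is executed.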
wheelerof4te|2 years ago
That's the key value of open-source projects. You don't have to release a binary, just source code and a build guide. It's also one of the reasons why I have such high respect for OS distributions like BSDs and Slackware. They give you a good base that you can build upon if you know what you're doing.
The problem is, many PC users don't really know what they're doing.
no_wizard|2 years ago
I'd say most, even software engineers.
Can't tell you how many times I've had to explain how environmental variables work to developers, and that's a pretty simple concept compared to many other things in an operating system.