hexomancer | 7 months ago

What are you proposing? Should I not be allowed to develop and publish an extension that I think is useful?

> nobody will do that

"nobody" is a strong word. Yes, most people don't do that, but if a single person reads the source code and finds something nefarious they can report it or leave a review disclosing that and my reputation would be ruined.

msgodel | 7 months ago

IMO you should avoid installing editor extensions generally. It's better to try to get them merged into the editor itself.

I don't think it's good to constrain people in some way from doing that, you should just have a personal policy of avoiding extensions you're not involved in the development of.

anuramat | 7 months ago

I thought the entire point of vscode was to be an extensible "lightweight" barebones code editor, as opposed to e.g. jetbrains stuff; what about vim/emacs then?

4gotunameagain | 7 months ago

I did not by any means want to discourage you from developing things and sharing them, if anything I thank you for that.

My intention was to highlight that the SW supply chain nowadays is an insecure mess.

Regarding your last point, for the vast majority of open source SW releases, we can never be sure if the release we get is produced from the same code we see. I do not know if that is the case with VScode addons, but you get my point.

hexomancer | 7 months ago

> Regarding your last point, for the vast majority of open source SW releases, we can never be sure if the release we get is produced from the same code we see. I do not know if that is the case with VScode addons, but you get my point.

You actually can depackage vscode's .vsix files (it is just a zip file) and compare the package contents to the repository.
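The check described in that last comment, as an added example that is not part of the thread: a small Python script that opens a .vsix as a zip archive, hashes every file under its `extension/` directory (the assumed layout for VS Code packages, alongside metadata such as `[Content_Types].xml` at the archive root) and compares those hashes against a build tree produced from the repository. The toy .vsix and toy build tree it constructs are invented demo data, not a real extension, and one bundled file is deliberately altered so the report shows what a divergence looks like.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_vsix(vsix_path, prefix="extension/"):
    """Return {relative_path: sha256} for every file under `prefix` inside the .vsix.

    A .vsix is a plain zip; the extension's own files are assumed to live under
    extension/, with packaging metadata (manifest, content types) at the root.
    """
    digests = {}
    with zipfile.ZipFile(vsix_path) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith(prefix):
                continue
            rel = info.filename[len(prefix):]
            digests[rel] = sha256_bytes(zf.read(info))
    return digests


def hash_tree(root):
    """Return {relative_path: sha256} for every file in a local build directory."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_bytes(p.read_bytes())
        for p in root.rglob("*")
        if p.is_file()
    }


def compare_vsix_to_tree(vsix_path, tree_root):
    """Classify each file as matching, mismatched, only in the package, or only in the tree."""
    packaged = hash_vsix(vsix_path)
    built = hash_tree(tree_root)
    return {
        "matching": sorted(k for k in packaged if k in built and packaged[k] == built[k]),
        "mismatched": sorted(k for k in packaged if k in built and packaged[k] != built[k]),
        "only_in_vsix": sorted(k for k in packaged if k not in built),
        "only_in_tree": sorted(k for k in built if k not in packaged),
    }


def build_demo():
    """Construct a toy build tree and a toy .vsix (demo data, not a real extension)."""
    tmp = Path(tempfile.mkdtemp())
    tree = tmp / "build"
    (tree / "dist").mkdir(parents=True)
    (tree / "package.json").write_text('{"name": "demo"}')
    (tree / "dist" / "extension.js").write_text("exports.activate = () => {};\n")

    vsix = tmp / "demo.vsix"
    with zipfile.ZipFile(vsix, "w") as zf:
        # Packaging metadata sits outside extension/ and is ignored by the comparison.
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("extension/package.json", '{"name": "demo"}')
        # Bundled file differs from the one built from the repository.
        zf.writestr("extension/dist/extension.js",
                    "exports.activate = () => { console.log('modified'); };\n")
        # File present in the package but absent from the repository build.
        zf.writestr("extension/dist/extra.js", "// not produced by the repo build\n")
    return compare_vsix_to_tree(vsix, tree)


if __name__ == "__main__":
    for category, files in build_demo().items():
        print(f"{category}: {files}")
```

Two caveats apply when using this against a real package: the comparison is only meaningful against a build you produced yourself from the repository at the tagged commit, since bundled `dist/` output is usually not committed, and any difference in the bundler version or build flags will show up as a mismatch that has to be explained before it can be called benign.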