undefined | Better HN

0 points4gotunameagain8mo ago0 comments

> view the source code and package the extension yourself

The problem is that nobody will do that. Even if it were 500 LOC.

And this is why supply chain attacks are on the rise.

0 comments

What are you proposing? Should I not be allowed to develop and publish an extension that I think is useful?

> nobody will do that

"nobody" is a strong word. Yes, most people don't do that, but if a single person reads the source code and finds something nefarious they can report it or leave a review disclosing that and my reputation would be ruined.

msgodel8mo ago

IMO you should avoid installing editor extensions generally. It's better to try to get them merged into the editor itself.

I don't think it's good to constrain people in some way from doing that, you should just have a personal policy of avoiding extensions you're not involved in the development of.

anuramat8mo ago

I thought the entire point of vscode was to be an extensible "lightweight" barebones code editor, as opposed to eg jetbrains stuff; what about vim/emacs then?

4gotunameagainOP8mo ago

I did not by any means want to discourage you from developing things and sharing them, if anything I thank you for that.

My intention was to highlight that the SW supply chain nowadays is an insecure mess.

Regarding your last point, for the vast majority of open source SW releases, we can never be sure if the release we get is produced from the same code we see. I do not know if that is the case with VScode addons, but you get my point

hexomancer8mo ago

> Regarding your last point, for the vast majority of open source SW releases, we can never be sure if the release we get is produced from the same code we see. I do not know if that is the case with VScode addons, but you get my point

You actually can depackage vscode's .vsix files (it is just a zip file) and compare the package contents to the repository.

1 more reply

hollerith8mo ago

>The problem is that nobody will do that. Even if it were 500 LOC.

I do it with the code I download to extend Emacs.

j / k navigate · click thread line to collapse

0 comments

hexomancer8mo ago

What are you proposing? Should I not be allowed to develop and publish an extension that I think is useful?

> nobody will do that

msgodel8mo ago

IMO you should avoid installing editor extensions generally. It's better to try to get them merged into the editor itself.

I don't think it's good to constrain people in some way from doing that, you should just have a personal policy of avoiding extensions you're not involved in the development of.

anuramat8mo ago

I thought the entire point of vscode was to be an extensible "lightweight" barebones code editor, as opposed to eg jetbrains stuff; what about vim/emacs then?

4gotunameagainOP8mo ago

I did not by any means want to discourage you from developing things and sharing them, if anything I thank you for that.

My intention was to highlight that the SW supply chain nowadays is an insecure mess.

hexomancer8mo ago

You actually can depackage vscode's .vsix files (it is just a zip file) and compare the package contents to the repository.

1 more reply

hollerith8mo ago

>The problem is that nobody will do that. Even if it were 500 LOC.

I do it with the code I download to extend Emacs.

j / k navigate · click thread line to collapse