> Extensions are not sandboxed

This is quite surprising to me if true. Microsoft has for years touted "Security is everything and the single most important thing right now", yet something that basic is not taken care of for the most security minded audience, and for the audience with probably the biggest impact in case ssh-keys and alike gets stolen?

People randomly installing extensions (and Visual Studio Code suggesting random extensions by "language support") starts to look a lot worse than I thought. Guess I'm lucky I never jumped aboard the Visual Studio Code train...

> - The VSCode security story is very, very weak. Extensions are not sandboxed. The client, accessing remote repos, is wildly insecure, by design.

This is a big concern for our Infosec team. There is no middle ground between open access to every Extension on the marketplace or locked down and Extensions are installed via local files. The latter being a significant overhead in maintaining VSCode.

The clangd extension is much better for me, assuming that you have or are able to generate a compile_commands.json (at least easy in cmake) and point clangd to it.

> The client, accessing remote repos, is wildly insecure, by design

Who's the best kid in the block regarding third-party extensions security?

There's really not much standing in front of a supply-chain attack for my editor of choice, emacs. Most people use a community extensions aggregator that also directly fetches from git repositories. The only slim advantage we have is that I'm sure a much higher % of emacs users would actually look into the source code of the extensions they pull.

Yes, their C++ LSP isn't really good and I've heard C# isn't good either - but that's because they want to sell Visual Studio too. But especially "Remote SSH" and "Dev Containers" are so called game changers. And their Typescript and Python extensions are actually good.

Debian splits their distribution into three components:

  * main (free software)
  * non-fee
  * contrib (free software that depends on software outside of main, so usually non-free software)

wow, that's really troubling. people in the future will wonder what we were talking about after microsoft memory-holes that thread

wow, thanks for posting this.

in a few tiny comments it demonstrates precisely the problem the larger ecosystem is facing and will almost certainly get much much worse sooner than we think.

AFAUI, this extension uses proprietary C++ front-end commercially licensed from EDG.

The same front-end powers their Visual Studio IDE (not Code).

Also, AFAIK, there exist an alternative `clangd`-based C++ extension, which is fully open-source (but I could be wrong).

VSCode is not open-source, and neither is this extension.

Much F/OSS on Windows and virtually all F/OSS on macOS has proprietary build dependencies (e.g., MSVC on Windows, Xcode and various Apple frameworks and GUI toolkits on macOS), but is still itself F/OSS. It's true that such software doesn't promote or embody software freedom to the same extent as free software written for free platforms and built with free toolchains and dependencies.

But this case isn't about that. Reread the comment of maintainer (presumably an MS employee) at the end:

> I'm sorry to let you know that our license also prohibits using our extension in alternate distributions of VS Code - only the official one produced by Microsoft may be used. So even if we did produce a RISC-V version, you wouldn't be licensed to use it with Code Server.

That's just proprietary, software plain and simple.

Recall freedom 0 of the free software definition:

> The freedom to run the program as you wish, for any purpose (freedom 0).

In the way that third-party distributions of VSCode do not come with the same rights to extend the software or use it in combination with compatible extensions as the first-party distribution does, VSCode also fails the test of freedom 3, regardless of the license of much of the code:

> The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

It's not that your modified copies must give your users the same rights to inspect and modify the code as you had (that's copyleft) but that you are unable to give them such rights. MS does this not entirely through the licensing of VSCode but also through the licensing of certain extensions, but the actual outcome is the same.

It's not a different story for the term open-source. This:

> May we ask why you'd like to do this? If you're planning to redistribute the language server binaries as your own custom offering, please note that our runtime license prohibits that.

means that the extension fails condition 1 (the redistribution criterion) of the open-source definition. And VSCode not allowing modified redistributions the same rights as the original fails condition 3 (the derived works criterion).

Neither VSCode nor this extension is open-source. They're both just proprietary software with some open-source components.

Free Software Definition: https://www.gnu.org/philosophy/free-sw.html.en#four-freedoms

Open-Source Definition: https://opensource.org/osd

Note that these are not definitions in the ordinary lexographical sense. They are terms that were created with explicit social and technical purposes in mind, by and for organized movements. This isn't an argument from the dictionary but a reminder of the purposes of these concepts.

Exactly. Look at the Ashai Linux project. They are doing tremendous work, but getting basic feature parity with a now 3 year old laptop is still ongoing work.

Then once feature parity is done, performance problems are next, if they ever get addressed and completed.

I love the idea for open source software, but the very best software in todays world is always something you have to pay for.

>"The free software Microsoft is giving away isn't open enough"

This is not a quote from the article and isn't what the article is saying. It's effectively suggestig that devs are being duped and MS goals are closing essential parts down.

> From what I can tell, Microsoft isn't even sabotaging open alternatives

I think they are. VSIX extensions are supposed to be some sort of open standard, but some Microsoft extensions like Pylance actively refuse to work if they detect running in something other than Microsoft's build of VS Code.

Their business model being bad is not my concern. They're not a broke kid whose bad decisions I'm exploiting.

Edit: OTOH reporting on this as if it's a grand surprise is a bit funny. Like come on, this was obvious from the start. I just didn't care, it didn't feel like a fight worth fighting. And I care about BSD/MIT license devs being exploited about as much as MS' business model potentially falling apart because I turn off telemetry: folks knew what they're going into, and did it anyway because "sempai corpo will notice us." Well, it did, congratulations.

As for me, I don't care. I ain't posting anything on anything lighter than AGPL, ever, but I'm a small bean and ultimately there's stuff I care about way more than software.

that's not my problem. my problem is making sure i don't make my own job skills dependent on microsoft's continued goodwill, because historically that has been a guaranteed path to obsolescence. i don't need their engineering work. i have emacs, vim, clang, gcc, idea, eclipse, firefox, and so on

i'm only interested in microsoft's generous gift of blankets if they come without smallpox

The author of software (or generally the copyright holder) is not bound by the terms of their own license, so they can publish the same software and/or later versions under different licenses however they see fit.

This applies equally if their own license is MIT or if it's GPL/copyleft.

(From that point of view, Microsoft would be able to release VSCode as GPL while also shipping binaries under a proprietary license, if they wanted to.)

Things get more complicated when they aren't really the authors because they have merged contributions from other authors, e.g. pull requests. Then what happens depends on the license used by the other authors for their contributions. Sometimes the contribution's license is implied, or legally unclear. To avoid problems, some diligent organisations require contributors to sign or confirm something to make it clearer, before they accept contributions to be merged.

> since the copyleft conditions also binds the author of the software to continue releasing their code under an open-source license

Not universally.

In a single-author context, the author of a copyleft project is not bound by the licence they choose to distribute it under, because it's already their code to do with what they will. The licence isn't what makes it their code. And so the author is always free to make a new version of a product that is licensed differently and includes all their GPL code.

It's in a multi-author context that it gets complex. If they accept contributions without assignments in a contributor agreement, they would have to excise all the contributed code to do this unilaterally.

But they would still be free to abandon a product, and start a newly-licensed version of that product, with any code that is fully theirs.

There's always the risk that in changing the licence, people will fork, but that's equally true of MIT-licensed code, isn't it?

I paid for jetbrains stuff for many years because it was worth it. And compared to eclipses features et it was leagues above.

That's worth money.

Like I always say about open source. I'm skeptical about adapting frameworks without big money behind them... Because relying on the whims of random internet amazing engineer is a risk.

MS will make money on vscode. Just like Google makes money on Chrome. Just not directly.

True, slap a price on it. I'm sure people here get enough utility out of VSCode to pay for it.

The problem is when the free offering is actually designed to ensnare you in a tarpit of legal liability and uncapped financial liability. Especially with a service like VSCode where it's not a single purchase and you rely on Microsoft indefinitely (through extensions and updates). But it's designed that way. There's no other option. They chose to not make it simple to avoid a single clean payment, and extract longer term money of ambiguous amount based on user resistance.

A marvel of engineering, really? In find using bloated browser tech and napkin-designed language to build a barely functional IDE as "impressive" as building a mile-long pedestrian bridge using Popsicle sticks and chewing gum.

JetBrains IDEA. It can do pretty much everything and has been my daily driver for almost a decade now.

2022 discussion (142 comments): https://news.ycombinator.com/item?id=32657709

Possibly one change in 2024 is that Typefox (which contributes to Eclipse Theia) announced Open Collaboration tools: https://news.ycombinator.com/item?id=40970621 -> https://www.typefox.io/blog/open-collaboration-tools-announc... (2024)

I think DoomEmacs is worth a recommendation as an add on to what you’re saying. As it’s basically “slow” nvim with all batteries included + Org mode.

It’s was a very easy switch for me from VScode at least, and while I called it “slow” that is because nvim is ridiculously fast. DoomEmacs performance is still great, for the most part.

Everybody can do that themselves, if the original maintainers don't want to (which is a security problem ;):

   If you are not the author, we suggest you first reach out to the author with an issue in their GitHub repo to request that they publish their extension to open-vsx.org. We've drafted a template with suggested content for the issue.

Such "3rd party extensions" don't get the "verified publisher" icon (or at least should not get it ;).

Are you using Microsoft's Python extension? That seems to be the main one that breaks for people, including me.

Also Microsoft's remote and container development tools only work on the official VS Code.

IntelliJ has been open source (or open core if you like) for many years now, I think even pre-dating VS Code. So the idea that it's the first or only IDE that works this way is wrong.

> Zed exists, it's new but it's already a very good IDE.

An IDE needs at least a working Debugger (or, to be more precise, a graphical interface to debugger(s)).

And Zed has exactly the same problems VS Code has, minus actually contributing LSP and DAP (Debug Adapter Protocol) to "the editor community". So, Zed is actually worse in that regard.

The problem is not companies doing this but users and developers not caring or sharing your concerns. All this moralism about ethos and such is just not that relevant.

What matters is that software licenses are legal text documents. The only place where the interpretation of those texts matters is in a court room. I don't think there are a lot of court cases involving VS Code. MS tends to have their house in order on that front.

So, VS Code seems safe enough in the legal sense. Yes, it has some extensions that are not licensed as OSS or that are simply closed source. So what? If that bothers you, don't use those. Or better, fix it by creating some open source. Open source is not a right, it's a privilege that is granted to you at the discretion of the creators of that software. Not something that you can demand from them.

VS Code is a closed source product that includes lots of OSS components. So much that there's VS Codium a well, which is fully OSS. A lot of those OSS components are used in other products as well. And some of those things are fully open source. The value of the VS code ecosystem is that it enables this ecosystem of components and products to thrive.

> I'd be curious what similar caveats may apply to that editor?

Exactly the same as to VS Code, anything that is special about it is "closed" (as a service) https://zed.dev/blog/zed-is-now-open-source

Does zed have vi keybindings? I searched the extensions page but didn't see any.

>Anyone that ... has had a physical job knows that doing something 26 times in a row is basic stuff of any worthwile endeavor.

I have. There were an awful lot of electric tools doing things that used to require manual work. And they were used even the old guys who were fighting against their broken bodies to work for long enough be able to retire.

Maybe also set your font to bright green Comic Sans while you're at it..?

That just sounds painful if you work on large projects.

I love your extreme position. I don't believe it could work for any of the projects I work on, and even if it would it would be a huge time sink and it would hold me back a lot.

But I dream about a simpler world where I could just open nano on a dusted terminal in a basement, grab my printed copy of a OS manual, and code away.

Use scite please, it's a match with your brutalist approach to development, but with some goodies. You won't regret.

the only time i would ever consider doing that is when building a hello world application

> the bulk of the IDE's power comes from closed-source language servers

Not sure that's so very true for most langs / stacks other than Python. Go LSP & vscode extension is Go-owned, C++ you have clang LSP+ext and can really skip MS' offering(s) there. TypeScript LSP+ext is most likely OSS (dunno) or else MS-owned anyway; dotnet same. Niche langs own their LSP+exts anyway. The builtin HTML / CSS stuff is bare-bones IIRC, if there aren't richer OSS alternatives out there yet there sooner-or-later will be. Python, I wouldn't know, but let's face it, if a lang is a big FOSS project it can and will mobilize their own owned and ever-more-excellent LSP + ext if and when necessary / desirable — and if it's niche and small-scale, MS won't anyway, proprietary or not.

You could say the same about Google: https://killedbygoogle.com/

Said by someone who writes Flutter for a living :/

Say what you want about microsoft, but it protects its developers by making sure they get paid, and it also does so for third party developers who target Microsoft.

I'd rather get paid than build towards an ideal bunny world of free as in free beer software.

developers developers developers

As a whole section of tech sector that builds a lot of useful tools and products exclusively on Microsoft stack? I understand that Windows Server, MS SQL Server and ASP .Net folks are less represented in the HN crowd, but pretending that most of them regret their tech stack decisions is absurd.

Old ways die harder

Paul Maritz also explained to Intel representatives that Microsoft’s response to the browser threat was to “embrace, extend, extinguish”; in other words, Microsoft planned to “embrace” existing Internet standards, “extend” them in incompatible ways, and thereby “extinguish” competitors.

https://www.justice.gov/atr/file/705216/dl

"Source-available but not strictly OSS" is, in most cases, not really giving anything of value to the community. You are not free to use it in building your own solutions. At best, it allows easier collaboration with customers.

Open core absolutely is open source. There's a clear and valuable open source core that others can build on to build their own products.

This isn't just hypothetical. As far as I know, no source-available license allows you to actually use it to build your own product. While VS Code has many other products built on the core (including products that lawyers have reviewed closely for compliance).

> If you enjoy a rabbithole, look at how much DRM there is in Pylance (another extension that MS has locked down): https://github.com/VSCodium/vscodium/discussions/1641

The funny thing is that I’ll never understand why it’s not open source and why its license prohibits its use in VSCodium. Pylance is good, but not that good. Certainly not on a level of PyCharm. What incentive do they have to keep it secret except being evil?

Hmm.

Source Available is fine by me so long as it isn't being misrepresented as Open Source in an attempt to sponge off of the goodwill generated by Open Source communities. So I'm not feeling the "outrage".

And I spent a good portion of my open source advocacy activities on license compliance at the ASF, helping projects to ensure that even with all the bundled dependencies the aggregate licensing of the distributed artifacts complied with the terms of the Apache License Version 2.0. So I'm not feeling that "silence" either.

What I'm feeling is "hypocrisy" being projected onto a straw man by someone who's got an axe to grind with OSI and the Open Source Definition.

> MS has managed to pacify even the strongest FOSS advocates

I'm not sure that's the case. I think the strongest FOSS advocates gave up on Microsoft decades ago, and just don't engage with anything they put out. If MS release source-available stuff, strong FOSS advocates don't peep because they've not even looked at it. Why bother - it's Microsoft. If someone else does it, well, the FOSS advocates still had some hope that what they didn't wouldn't be terrible, so there's space for those hopes to be dashed.

Convenience and comfort are freedom's enemy. What is going wrong with the traditional editors and programming tools that (assumably) younger devs are going for those full-blown IDEs? Has the complexity of development with back/front/ops exploded so much that older editors are lagging behind modern needs?

As OSS old-timer, I gave VS Code a try, but it was too noisy and distracting, slow, and didn't allow enough control over what was being installed and when. To each their own of course, but I didn't see any particular reason why VS Code is much better or deserves to be more popular than other editors, and if any functionality is missing from other editors – especially those that are incorporating tree-sitter – then maybe we can just improve those alternatives?

Talking about modern editors, I like where Zed is headed, but that project also has some non-OSS components or aspirations if I remember right.

> If you enjoy a rabbithole, look at how much DRM there is in Pylance

So just don't use it? The linked discussion points to Basedpyright https://github.com/detachhead/basedpyright/ as the best free alternative right now (with some additional features around Python optional typechecking that aren't even in Pylance itself).

Is this comment meant to apply generally to MS behavior? In my experience, MS faces some of the toughest judgment on anything related to OSS.

MS is a bit weird. After realizing that most competent developers had left the MS ecosystem, they went for a Zeitenwende. But they did only for 90%.

I wonder to what extent this halfheartedness should be ascribed to the MS org chart or to reasoning like "we should prevent a competent competitor to run away with our tools".

In the mean time, there is a capable replacement named Theia [0] with none of the strings attached. We as a whole would do best to move to that one. [1]

___

0. https://theia-ide.org/#theiaide

1. That is to say: for vscode kind of experience. Native IDE's are unbeatable imho.

The editor is open-source. If you want DRM trap to be open-source, create them yourself. VSCode is a text editor at its core, and you're free to use it as you see fit.

The blog read like the author is crying that Microsoft is not giving away extension for Gitpod to make money

Yes, PyLance has a pretty strict license and makes it very clear it cannot be used in forks (and that's not really surprising and pretty standard I'd even say for a corporation such as Microsoft, it's like the current licenses saying this is open source but cannot be used by competitors, what's really surprising for me is that forks are choosing to ignore this):

> INSTALLATION AND USE RIGHTS. a) General. You may install and use any number of copies of the software only with Microsoft Visual Studio, Visual Studio for Mac, Visual Studio Code, Azure DevOps, Team Foundation Server, and successor Microsoft products and services (collectively, the “Visual Studio Products and Services”) to develop and test your applications. b) Third Party Components. The software may include third party components with separate legal notices or governed by other agreements, as may be described in the ThirdPartyNotices file(s) accompanying the software.

One thing I don't understand is how forks (I'm actually talking about Cursor which is one I'm actually evaluatinng) are getting away with scrapping all extensions from the VSCode marketplace... I even e-mailed them but had no official position on that. Maybe they have some separate contract with Microsoft -- they do have OpenAI backing, so, maybe they have some bridge there, does anyone know? Or maybe Microsoft is just waiting to see how they themselves can profit for it and so is taking no legal action at this point?

-- disclaimer: I'm on the author of PyDev and I do have my own Python extension that I publish to VSCode and OpenVSX (https://marketplace.visualstudio.com/items?itemName=fabioz.v...)... it's completely Open Source in Eclipse, but for VSCode it's currently commercial. I discovered that's a nice way to have less people requesting support, even though 99% of it is still Open Source ;)

>The short summary is that MS uses multiple, constantly changing methods of DRM to make it impossible for people to patch out the "only official VSCode" check from the Pylance extension. This is very clearly malicious.

Huh? If anything, MS prevents people from shooting themselves in the foot and illegally installing a piece of software against the license terms.

You can use vscodium for free, it's great, you literally don't have access to a few MS extensions (with open alternatives, which you can support financially if you care).

It's not really DRM. You can make most extensions work on codium by changing a few settings. It's just not officially supported.

I hate the way they don't open source the useful ones like the ssh debugging though

I'm using vs codium. What most useful things am I missing? I have not found anything missing. Now I'm really curious.

> People when a piece of software is source-available but not strictly OSS: outrage

There's no longer outrage, since this has become the norm. Biggest most obvious example: Chrome.

> The short summary is that MS uses multiple, constantly changing methods of DRM to make it impossible for people to patch out the "only official VSCode" check from the Pylance extension. This is very clearly malicious.

Huh? There's been lots of outrage about this. Repeatedly.

However, the problem is that nobody with any resource is willing to step up and replace the Microsoft closed source plugins. And developers aren't willing to put themselves out to use non-encumbered extensions.

It's basically a big "Put Up or Shut Up" from Microsoft, and nobody is willing to "put up" so we wind up with "shut up".

It's really important to realize that some 70% of the OSI's funding comes from proprietary services houses (Amazon, Microsoft, and Google mostly and then like... Comcast and IBM), and so nobody at the OSI legitimately cares about openness. The reason SSPL is not OSI approved is because Amazon pays an entire OSI staff salary a year and the SSPL costs Amazon money.

if your competitors can't sell your product, it isn't open source.

> But I think that this entire cloud coding workstation space is rather niche in itself.

It's common / popular in certain enterprise circles, for "security" and audit reasons. No admin or most permissions on your computer. You get a specific VM with "controls". Anything required might be installed on request.

A locked down cloud hosted IDE might just be 1000% easier.