VSCode also, by design, obscures what’s really going on on the development environment, so that when I help a VSCode user who gets stuck, they often don’t know what computer they’re logged into, where their files actually are in the file system, which Python interpreter they’re using, what HTTPS_PROXY is set to, and so on. The ssh extension also spins up a server process for every client a user connects, and it seems a bit inconsistent about preserving state across disconnections. All in all, I spend a lot of time helping people fix problems they’ve made for themselves by using VSCode.

> - The VSCode security story is very, very weak. Extensions are not sandboxed. The client, accessing remote repos, is wildly insecure, by design.

This is a big concern for our Infosec team. There is no middle ground between open access to every Extension on the marketplace or locked down and Extensions are installed via local files. The latter being a significant overhead in maintaining VSCode.

The clangd extension is much better for me, assuming that you have or are able to generate a compile_commands.json (at least easy in cmake) and point clangd to it.

> The client, accessing remote repos, is wildly insecure, by design

Who's the best kid in the block regarding third-party extensions security?

There's really not much standing in front of a supply-chain attack for my editor of choice, emacs. Most people use a community extensions aggregator that also directly fetches from git repositories. The only slim advantage we have is that I'm sure a much higher % of emacs users would actually look into the source code of the extensions they pull.

> Extensions are not sandboxed

This is quite surprising to me if true. Microsoft has for years touted "Security is everything and the single most important thing right now", yet something that basic is not taken care of for the most security minded audience, and for the audience with probably the biggest impact in case ssh-keys and alike gets stolen?

People randomly installing extensions (and Visual Studio Code suggesting random extensions by "language support") starts to look a lot worse than I thought. Guess I'm lucky I never jumped aboard the Visual Studio Code train...

Yes, their C++ LSP isn't really good and I've heard C# isn't good either - but that's because they want to sell Visual Studio too. But especially "Remote SSH" and "Dev Containers" are so called game changers. And their Typescript and Python extensions are actually good.

A wild Emacs appears...

wow, that's really troubling. people in the future will wonder what we were talking about after microsoft memory-holes that thread

Debian splits their distribution into three components:

  * main (free software)
  * non-fee
  * contrib (free software that depends on software outside of main, so usually non-free software)

wow, thanks for posting this.

in a few tiny comments it demonstrates precisely the problem the larger ecosystem is facing and will almost certainly get much much worse sooner than we think.

VSCode is not open-source, and neither is this extension.

Much F/OSS on Windows and virtually all F/OSS on macOS has proprietary build dependencies (e.g., MSVC on Windows, Xcode and various Apple frameworks and GUI toolkits on macOS), but is still itself F/OSS. It's true that such software doesn't promote or embody software freedom to the same extent as free software written for free platforms and built with free toolchains and dependencies.

But this case isn't about that. Reread the comment of maintainer (presumably an MS employee) at the end:

> I'm sorry to let you know that our license also prohibits using our extension in alternate distributions of VS Code - only the official one produced by Microsoft may be used. So even if we did produce a RISC-V version, you wouldn't be licensed to use it with Code Server.

That's just proprietary, software plain and simple.

Recall freedom 0 of the free software definition:

> The freedom to run the program as you wish, for any purpose (freedom 0).

In the way that third-party distributions of VSCode do not come with the same rights to extend the software or use it in combination with compatible extensions as the first-party distribution does, VSCode also fails the test of freedom 3, regardless of the license of much of the code:

> The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

It's not that your modified copies must give your users the same rights to inspect and modify the code as you had (that's copyleft) but that you are unable to give them such rights. MS does this not entirely through the licensing of VSCode but also through the licensing of certain extensions, but the actual outcome is the same.

It's not a different story for the term open-source. This:

> May we ask why you'd like to do this? If you're planning to redistribute the language server binaries as your own custom offering, please note that our runtime license prohibits that.

means that the extension fails condition 1 (the redistribution criterion) of the open-source definition. And VSCode not allowing modified redistributions the same rights as the original fails condition 3 (the derived works criterion).

Neither VSCode nor this extension is open-source. They're both just proprietary software with some open-source components.

Free Software Definition: https://www.gnu.org/philosophy/free-sw.html.en#four-freedoms

Open-Source Definition: https://opensource.org/osd

Note that these are not definitions in the ordinary lexographical sense. They are terms that were created with explicit social and technical purposes in mind, by and for organized movements. This isn't an argument from the dictionary but a reminder of the purposes of these concepts.

AFAUI, this extension uses proprietary C++ front-end commercially licensed from EDG.

The same front-end powers their Visual Studio IDE (not Code).

Also, AFAIK, there exist an alternative `clangd`-based C++ extension, which is fully open-source (but I could be wrong).

> From what I can tell, Microsoft isn't even sabotaging open alternatives

I think they are. VSIX extensions are supposed to be some sort of open standard, but some Microsoft extensions like Pylance actively refuse to work if they detect running in something other than Microsoft's build of VS Code.

>"The free software Microsoft is giving away isn't open enough"

This is not a quote from the article and isn't what the article is saying. It's effectively suggestig that devs are being duped and MS goals are closing essential parts down.

Exactly. Look at the Ashai Linux project. They are doing tremendous work, but getting basic feature parity with a now 3 year old laptop is still ongoing work.

Then once feature parity is done, performance problems are next, if they ever get addressed and completed.

I love the idea for open source software, but the very best software in todays world is always something you have to pay for.

So my problem with MSFT's big plan is that I simply don't know it.

I do know the price I'm paying for using Emacs and Vim. Even though (in theory) they are completely free, in reality there's a price there. Vim and Emacs require time, patience, and dedication, just like any other tools. I know who gains from my choice - myself, the community, and the industry.

I knew exactly how JetBrains profited from my choice of using IntelliJ in the past - I paid for the license and renewed it every year.

But what's MSFT's scheme here? They're giving me this beautiful, nice tool completely for "free"? What price will I have to pay for that choice in the future?

I'm sorry, but I think every dev should remain at least a bit skeptical, do you truly believe that Microsoft, a colossal corporation with a market capitalization comparable to the GDP of Germany, spends an enormous amount of resources to build "a free" code editor, because... I dunno, they love you or something?

> Microsoft's very best software

This has to be a joke, right?

Microsoft's software is absolute nightmare pile of trash.

> People are taking software given to them free of charge for granted.

Whooosh: this is the point made by the author of the article zooming over your head. The point is that closed-source software that pretends to be open-source will affect even those who don't need or want to use it.

For example, I don't want to use Azure DevOps (Github Actions) or w/e it's called. It's absolute garbage. Abysmal design, abysmal implementation. But, I'm forced into it because the org I work for has an obligation to put their projects in GitHub. And, against my will, my work and my knowledge is used by Microsoft to abuse their users.

My only consolation is that I do this as a paid job, and I, personally, will not use Github, and will advise everyone I can to do the same. But this is too little. I want to be a good person, and to do my job in such a way that it's valuable to people who requested it. I feel really bad that, instead, I'm indirectly peddling the pile of garbage made by Microsoft to astronomically enrich the few people standing at the top of the company.

Imagine a hypothetical world in which a nonprofit funded by donations and grants from nonprofits and governments funded your code editor.

That was eclipse.

There are lots of great examples of well funded open source software projects. Companies have a history of killing them off, which hurts everyone.

>Microsoft builds their own IDE for internal use in many other departments >Budget is acceptable to have a flexible modern tool for their own uses >Open source it to gain respect within other communities as well as get free code/bug checking and additional extensions written/supported even outside of MS ecosystem, that MS can still use

Doesn't seem that complicated to me...

that's not my problem. my problem is making sure i don't make my own job skills dependent on microsoft's continued goodwill, because historically that has been a guaranteed path to obsolescence. i don't need their engineering work. i have emacs, vim, clang, gcc, idea, eclipse, firefox, and so on

i'm only interested in microsoft's generous gift of blankets if they come without smallpox

Their business model being bad is not my concern. They're not a broke kid whose bad decisions I'm exploiting.

Edit: OTOH reporting on this as if it's a grand surprise is a bit funny. Like come on, this was obvious from the start. I just didn't care, it didn't feel like a fight worth fighting. And I care about BSD/MIT license devs being exploited about as much as MS' business model potentially falling apart because I turn off telemetry: folks knew what they're going into, and did it anyway because "sempai corpo will notice us." Well, it did, congratulations.

As for me, I don't care. I ain't posting anything on anything lighter than AGPL, ever, but I'm a small bean and ultimately there's stuff I care about way more than software.

Here's a simple example: you write an API consisting of one public function. You compile the API into a binary with a closed source license.

You then create another API with one public function. This function is an extern call into the library binary.

You publish the second API into Github with an MIT license and proclaim your API is open-source.

The broad theme is: if 100% of the functionality of the software is inside a closed-source compiled binary, should it be false advertisement to say it is "open source." Or in other words, who draws the line when someone oversteps the intent of "open-source" for exploitative reasons.

I don't know if cpptools' functionality is 100% closed; in reality there are three other licenses you must agree-to within a repository that is supposedly MIT licensed.

The problem is not companies doing this but users and developers not caring or sharing your concerns. All this moralism about ethos and such is just not that relevant.

What matters is that software licenses are legal text documents. The only place where the interpretation of those texts matters is in a court room. I don't think there are a lot of court cases involving VS Code. MS tends to have their house in order on that front.

So, VS Code seems safe enough in the legal sense. Yes, it has some extensions that are not licensed as OSS or that are simply closed source. So what? If that bothers you, don't use those. Or better, fix it by creating some open source. Open source is not a right, it's a privilege that is granted to you at the discretion of the creators of that software. Not something that you can demand from them.

VS Code is a closed source product that includes lots of OSS components. So much that there's VS Codium a well, which is fully OSS. A lot of those OSS components are used in other products as well. And some of those things are fully open source. The value of the VS code ecosystem is that it enables this ecosystem of components and products to thrive.

True, slap a price on it. I'm sure people here get enough utility out of VSCode to pay for it.

The problem is when the free offering is actually designed to ensnare you in a tarpit of legal liability and uncapped financial liability. Especially with a service like VSCode where it's not a single purchase and you rely on Microsoft indefinitely (through extensions and updates). But it's designed that way. There's no other option. They chose to not make it simple to avoid a single clean payment, and extract longer term money of ambiguous amount based on user resistance.

I paid for jetbrains stuff for many years because it was worth it. And compared to eclipses features et it was leagues above.

That's worth money.

Like I always say about open source. I'm skeptical about adapting frameworks without big money behind them... Because relying on the whims of random internet amazing engineer is a risk.

MS will make money on vscode. Just like Google makes money on Chrome. Just not directly.

A marvel of engineering, really? In find using bloated browser tech and napkin-designed language to build a barely functional IDE as "impressive" as building a mile-long pedestrian bridge using Popsicle sticks and chewing gum.

2022 discussion (142 comments): https://news.ycombinator.com/item?id=32657709

Possibly one change in 2024 is that Typefox (which contributes to Eclipse Theia) announced Open Collaboration tools: https://news.ycombinator.com/item?id=40970621 -> https://www.typefox.io/blog/open-collaboration-tools-announc... (2024)

I think DoomEmacs is worth a recommendation as an add on to what you’re saying. As it’s basically “slow” nvim with all batteries included + Org mode.

It’s was a very easy switch for me from VScode at least, and while I called it “slow” that is because nvim is ridiculously fast. DoomEmacs performance is still great, for the most part.

IntelliJ has been open source (or open core if you like) for many years now, I think even pre-dating VS Code. So the idea that it's the first or only IDE that works this way is wrong.

Everybody can do that themselves, if the original maintainers don't want to (which is a security problem ;):

   If you are not the author, we suggest you first reach out to the author with an issue in their GitHub repo to request that they publish their extension to open-vsx.org. We've drafted a template with suggested content for the issue.

Such "3rd party extensions" don't get the "verified publisher" icon (or at least should not get it ;).

Encourage you to look at the bigger picture. What happens when there’s an official extension by a 3rd party vendor SDK that defines a dependency on the proprietary language server/extension. It’ll work fine for “Visual Studio Code” but all these OSS forks (inc recent venture capital funding for AI ones) gets wrecked. It turns into a game of having to iterate through the graph and trying to convince official SDKs to change their product direction.

> Zed exists, it's new but it's already a very good IDE.

An IDE needs at least a working Debugger (or, to be more precise, a graphical interface to debugger(s)).

And Zed has exactly the same problems VS Code has, minus actually contributing LSP and DAP (Debug Adapter Protocol) to "the editor community". So, Zed is actually worse in that regard.

Are you using Microsoft's Python extension? That seems to be the main one that breaks for people, including me.

Also Microsoft's remote and container development tools only work on the official VS Code.

if your competitors can't sell your product, it isn't open source.

> But I think that this entire cloud coding workstation space is rather niche in itself.

It's common / popular in certain enterprise circles, for "security" and audit reasons. No admin or most permissions on your computer. You get a specific VM with "controls". Anything required might be installed on request.

A locked down cloud hosted IDE might just be 1000% easier.

Yup, same argument as Youtube. Also people suck at boycotting, if they don't like VSC don't use it...if they don't like ads on YT as a viewer then don't watch it. If they don't like ads on YT/lack of payment for content they make as a creator...don't use it! "There's no alternative" make one, or release content elsewhere (the path that Nebula, etc went down).

> the bulk of the IDE's power comes from closed-source language servers

Not sure that's so very true for most langs / stacks other than Python. Go LSP & vscode extension is Go-owned, C++ you have clang LSP+ext and can really skip MS' offering(s) there. TypeScript LSP+ext is most likely OSS (dunno) or else MS-owned anyway; dotnet same. Niche langs own their LSP+exts anyway. The builtin HTML / CSS stuff is bare-bones IIRC, if there aren't richer OSS alternatives out there yet there sooner-or-later will be. Python, I wouldn't know, but let's face it, if a lang is a big FOSS project it can and will mobilize their own owned and ever-more-excellent LSP + ext if and when necessary / desirable — and if it's niche and small-scale, MS won't anyway, proprietary or not.

JetBrains IDEA. It can do pretty much everything and has been my daily driver for almost a decade now.

Second Jetbrains' Intellij - Ultimate is all you need. Never really understood the point of the standalones.

I've tried other editors, including VS Code, because it was free. I always come back to Intellij.

The author of software (or generally the copyright holder) is not bound by the terms of their own license, so they can publish the same software and/or later versions under different licenses however they see fit.

This applies equally if their own license is MIT or if it's GPL/copyleft.

(From that point of view, Microsoft would be able to release VSCode as GPL while also shipping binaries under a proprietary license, if they wanted to.)

Things get more complicated when they aren't really the authors because they have merged contributions from other authors, e.g. pull requests. Then what happens depends on the license used by the other authors for their contributions. Sometimes the contribution's license is implied, or legally unclear. To avoid problems, some diligent organisations require contributors to sign or confirm something to make it clearer, before they accept contributions to be merged.

I can give you one data point. There is no way in hell my company would let us use cursor. Generative AI is viewed with a lot of skepticism, and we spent a long time testing out copilot before approving it for all developers to use. We use copilot because microsoft is so trusted and we use many microsoft products

They're probably asking themselves how Meta/Facebook is able to misappropriate "Open Source" to mean something completely different, and how they can do so themselves now while still showing "Microsoft <3 Open Source" ads.

They are probably relieved/glad that some player is helping them validate market for them.

> I'd be curious what similar caveats may apply to that editor?

Exactly the same as to VS Code, anything that is special about it is "closed" (as a service) https://zed.dev/blog/zed-is-now-open-source

Does zed have vi keybindings? I searched the extensions page but didn't see any.

"Source-available but not strictly OSS" is, in most cases, not really giving anything of value to the community. You are not free to use it in building your own solutions. At best, it allows easier collaboration with customers.

Open core absolutely is open source. There's a clear and valuable open source core that others can build on to build their own products.

This isn't just hypothetical. As far as I know, no source-available license allows you to actually use it to build your own product. While VS Code has many other products built on the core (including products that lawyers have reviewed closely for compliance).

> If you enjoy a rabbithole, look at how much DRM there is in Pylance (another extension that MS has locked down): https://github.com/VSCodium/vscodium/discussions/1641

The funny thing is that I’ll never understand why it’s not open source and why its license prohibits its use in VSCodium. Pylance is good, but not that good. Certainly not on a level of PyCharm. What incentive do they have to keep it secret except being evil?

Hmm.

Source Available is fine by me so long as it isn't being misrepresented as Open Source in an attempt to sponge off of the goodwill generated by Open Source communities. So I'm not feeling the "outrage".

And I spent a good portion of my open source advocacy activities on license compliance at the ASF, helping projects to ensure that even with all the bundled dependencies the aggregate licensing of the distributed artifacts complied with the terms of the Apache License Version 2.0. So I'm not feeling that "silence" either.

What I'm feeling is "hypocrisy" being projected onto a straw man by someone who's got an axe to grind with OSI and the Open Source Definition.

> MS has managed to pacify even the strongest FOSS advocates

I'm not sure that's the case. I think the strongest FOSS advocates gave up on Microsoft decades ago, and just don't engage with anything they put out. If MS release source-available stuff, strong FOSS advocates don't peep because they've not even looked at it. Why bother - it's Microsoft. If someone else does it, well, the FOSS advocates still had some hope that what they didn't wouldn't be terrible, so there's space for those hopes to be dashed.

> If you enjoy a rabbithole, look at how much DRM there is in Pylance

So just don't use it? The linked discussion points to Basedpyright https://github.com/detachhead/basedpyright/ as the best free alternative right now (with some additional features around Python optional typechecking that aren't even in Pylance itself).

Is this comment meant to apply generally to MS behavior? In my experience, MS faces some of the toughest judgment on anything related to OSS.

Convenience and comfort are freedom's enemy. What is going wrong with the traditional editors and programming tools that (assumably) younger devs are going for those full-blown IDEs? Has the complexity of development with back/front/ops exploded so much that older editors are lagging behind modern needs?

As OSS old-timer, I gave VS Code a try, but it was too noisy and distracting, slow, and didn't allow enough control over what was being installed and when. To each their own of course, but I didn't see any particular reason why VS Code is much better or deserves to be more popular than other editors, and if any functionality is missing from other editors – especially those that are incorporating tree-sitter – then maybe we can just improve those alternatives?

Talking about modern editors, I like where Zed is headed, but that project also has some non-OSS components or aspirations if I remember right.

The editor is open-source. If you want DRM trap to be open-source, create them yourself. VSCode is a text editor at its core, and you're free to use it as you see fit.

The blog read like the author is crying that Microsoft is not giving away extension for Gitpod to make money

I'm using vs codium. What most useful things am I missing? I have not found anything missing. Now I'm really curious.

MS is a bit weird. After realizing that most competent developers had left the MS ecosystem, they went for a Zeitenwende. But they did only for 90%.

I wonder to what extent this halfheartedness should be ascribed to the MS org chart or to reasoning like "we should prevent a competent competitor to run away with our tools".

In the mean time, there is a capable replacement named Theia [0] with none of the strings attached. We as a whole would do best to move to that one. [1]

___

0. https://theia-ide.org/#theiaide

1. That is to say: for vscode kind of experience. Native IDE's are unbeatable imho.

> The short summary is that MS uses multiple, constantly changing methods of DRM to make it impossible for people to patch out the "only official VSCode" check from the Pylance extension. This is very clearly malicious.

Huh? There's been lots of outrage about this. Repeatedly.

However, the problem is that nobody with any resource is willing to step up and replace the Microsoft closed source plugins. And developers aren't willing to put themselves out to use non-encumbered extensions.

It's basically a big "Put Up or Shut Up" from Microsoft, and nobody is willing to "put up" so we wind up with "shut up".

>The short summary is that MS uses multiple, constantly changing methods of DRM to make it impossible for people to patch out the "only official VSCode" check from the Pylance extension. This is very clearly malicious.

Huh? If anything, MS prevents people from shooting themselves in the foot and illegally installing a piece of software against the license terms.

You can use vscodium for free, it's great, you literally don't have access to a few MS extensions (with open alternatives, which you can support financially if you care).

Yes, PyLance has a pretty strict license and makes it very clear it cannot be used in forks (and that's not really surprising and pretty standard I'd even say for a corporation such as Microsoft, it's like the current licenses saying this is open source but cannot be used by competitors, what's really surprising for me is that forks are choosing to ignore this):

> INSTALLATION AND USE RIGHTS. a) General. You may install and use any number of copies of the software only with Microsoft Visual Studio, Visual Studio for Mac, Visual Studio Code, Azure DevOps, Team Foundation Server, and successor Microsoft products and services (collectively, the “Visual Studio Products and Services”) to develop and test your applications. b) Third Party Components. The software may include third party components with separate legal notices or governed by other agreements, as may be described in the ThirdPartyNotices file(s) accompanying the software.

One thing I don't understand is how forks (I'm actually talking about Cursor which is one I'm actually evaluatinng) are getting away with scrapping all extensions from the VSCode marketplace... I even e-mailed them but had no official position on that. Maybe they have some separate contract with Microsoft -- they do have OpenAI backing, so, maybe they have some bridge there, does anyone know? Or maybe Microsoft is just waiting to see how they themselves can profit for it and so is taking no legal action at this point?

-- disclaimer: I'm on the author of PyDev and I do have my own Python extension that I publish to VSCode and OpenVSX (https://marketplace.visualstudio.com/items?itemName=fabioz.v...)... it's completely Open Source in Eclipse, but for VSCode it's currently commercial. I discovered that's a nice way to have less people requesting support, even though 99% of it is still Open Source ;)

It's not really DRM. You can make most extensions work on codium by changing a few settings. It's just not officially supported.

I hate the way they don't open source the useful ones like the ssh debugging though

> People when a piece of software is source-available but not strictly OSS: outrage

There's no longer outrage, since this has become the norm. Biggest most obvious example: Chrome.

It's really important to realize that some 70% of the OSI's funding comes from proprietary services houses (Amazon, Microsoft, and Google mostly and then like... Comcast and IBM), and so nobody at the OSI legitimately cares about openness. The reason SSPL is not OSI approved is because Amazon pays an entire OSI staff salary a year and the SSPL costs Amazon money.

You could say the same about Google: https://killedbygoogle.com/

Said by someone who writes Flutter for a living :/

Say what you want about microsoft, but it protects its developers by making sure they get paid, and it also does so for third party developers who target Microsoft.

I'd rather get paid than build towards an ideal bunny world of free as in free beer software.

developers developers developers

As a whole section of tech sector that builds a lot of useful tools and products exclusively on Microsoft stack? I understand that Windows Server, MS SQL Server and ASP .Net folks are less represented in the HN crowd, but pretending that most of them regret their tech stack decisions is absurd.

Old ways die harder

Paul Maritz also explained to Intel representatives that Microsoft’s response to the browser threat was to “embrace, extend, extinguish”; in other words, Microsoft planned to “embrace” existing Internet standards, “extend” them in incompatible ways, and thereby “extinguish” competitors.

https://www.justice.gov/atr/file/705216/dl

>Anyone that ... has had a physical job knows that doing something 26 times in a row is basic stuff of any worthwile endeavor.

I have. There were an awful lot of electric tools doing things that used to require manual work. And they were used even the old guys who were fighting against their broken bodies to work for long enough be able to retire.

Maybe also set your font to bright green Comic Sans while you're at it..?

That just sounds painful if you work on large projects.

Use scite please, it's a match with your brutalist approach to development, but with some goodies. You won't regret.

I love your extreme position. I don't believe it could work for any of the projects I work on, and even if it would it would be a huge time sink and it would hold me back a lot.

But I dream about a simpler world where I could just open nano on a dusted terminal in a basement, grab my printed copy of a OS manual, and code away.

the only time i would ever consider doing that is when building a hello world application