[HN Gopher] Workspace Trust in VS Code
___________________________________________________________________
Workspace Trust in VS Code
Author : ItalyPaleAle
Score : 42 points
Date : 2021-07-06 16:37 UTC (6 hours ago)
(HTM) web link (code.visualstudio.com)
(TXT) w3m dump (code.visualstudio.com)
| gushie wrote:
| I'm likely going to blindly say yes every time I get the dialog
| out of habit. Making it useless.
| nathanaldensr wrote:
| Ah, the classic tug of war continues between the principle of
| least privilege and convenience/productivity. It's safe to say
| people's opinions are all over the spectrum.
|
| Despite favoring "least privilege" myself, I find the new nag
| screens overbearing. I think some basic UI reworking can help to
| alleviate that, though. It's a new feature; they'll get it right
| within a couple of iterations.
| conceptme wrote:
| It's usually a bit silly, yes I trust the author of this
| directory but I have no clue about the authors under
| node_modules.
| krono wrote:
| Yeah I think people really underestimate how massive of a
| security liability node modules are in the way the system
| currently works.
|
| Fixing it should really be given top priority, but doesn't look
| to be a very popular subject when you compare it to some of the
| others such as whether or not ESLint should become a NodeJS
| core module ...
| sdiq wrote:
| Based on the first four comments, I see some do not appreciate
| this unlike me, at least. Just last night, I was forced to
| download a zipped folder with source code from a site I was new
| to. Well, I did appreciate using this new feature because I
| wasn't sure of the 'trustworthiness' of the folder.
| 74B5 wrote:
| >I see some do not appreciate this
|
| It is the same approach to defend off phishing attacks in large
| corporations: shift the responsibility to the user.
|
| In my opinion, this is just another scream for codified
| capabilities. Which would be a real solution and not just
| repeatedly a click away from disaster.
| swiley wrote:
| If I had to download source in zip format I probably wouldn't
| touch it outside a VM.
| ItalyPaleAle wrote:
| I don't think a ZIP is that much different from a random Git
| repo...
| swiley wrote:
| This is why I don't use editor configurations that execute code
| from files I open.
|
| I prefer zero trust.
| siproprio wrote:
| DO I HEAR THE WORDS ORGANIZATION-WIDE BAN????
| duped wrote:
| Total anecdata but I don't appreciate the nag screen every time
| I've opened repos that I have either authored or contributed
| heavily to... I default to "yes I accept in this directory and
| all directories" which seems very sketchy in general, but is the
| easiest for me to get my work done.
| sergiomattei wrote:
| This happens even in files I just created or when doing `code
| ~/.zshrc`.
|
| It's pretty annoying. I'm a developer, I know what I'm doing. I
| don't need to be asked whether I trust a Python notebook or
| not.
| duped wrote:
| Which is kind of ridiculous because .zshrc isn't a workspace.
| My understanding of this feature was to calm fears of
| untrusted code running due to some configuration in .vscode
| configurations or with plugins.
|
| Basically the files and folders are usually innocuous, it's
| the particular configuration of the workspace or plugins that
| may run code on them that need to be "trusted" or designed to
| request permission before executing code
| incrudible wrote:
| > I'm a developer, I know what I'm doing.
|
| famous last words
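
An added example, not part of the thread or of VS Code: duped's comment above locates the risk in the workspace's `.vscode` configuration rather than in the files themselves, so this sketch lists what a folder's `.vscode` directory would ask the editor to run before you answer the trust prompt. The function names, the setting-name heuristic and the sample workspace are assumptions of this example; `runOptions.runOn: "folderOpen"` is the tasks.json option that starts a task when the folder is opened.

```python
import json
import re
import tempfile
from pathlib import Path

_STRING = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STRING + r"|//[^\n]*|/\*.*?\*/", re.S)
_COMMA = re.compile(_STRING + r"|,(?=\s*[}\]])")
# Heuristic (an assumption of this example): names that usually hold a binary or shell.
_EXEC_SETTING = re.compile(r"(path|shell|executable|command)$", re.I)

def load_jsonc(path):
    """Parse a VS Code config file, which may hold comments and trailing commas."""
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    text = _COMMENT.sub(keep, Path(path).read_text(encoding="utf-8"))
    return json.loads(_COMMA.sub(keep, text))

def audit_workspace(root):
    """Return (file, finding) pairs for workspace config that can start processes."""
    findings, vsdir = [], Path(root) / ".vscode"
    tasks = vsdir / "tasks.json"
    if tasks.is_file():
        for task in load_jsonc(tasks).get("tasks", []):
            auto = task.get("runOptions", {}).get("runOn") == "folderOpen"
            kind = "auto-run task" if auto else "task"
            label, cmd = task.get("label", "?"), task.get("command", "?")
            findings.append(("tasks.json", f"{kind}: {label} -> {cmd}"))
    settings = vsdir / "settings.json"
    if settings.is_file():
        for key, value in load_jsonc(settings).items():
            if _EXEC_SETTING.search(key):
                findings.append(("settings.json", f"{key} = {value!r}"))
    return findings

def demo():
    """Build a constructed sample workspace in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        vsdir = Path(tmp) / ".vscode"
        vsdir.mkdir()
        (vsdir / "tasks.json").write_text('''{
  // constructed sample, not taken from any real repository
  "tasks": [
    {"label": "setup", "type": "shell", "command": "./setup.sh",
     "runOptions": {"runOn": "folderOpen"},},
  ],
}''')
        (vsdir / "settings.json").write_text('{"git.path": "./bin/git", "editor.tabSize": 2}')
        return audit_workspace(tmp)

if __name__ == "__main__":
    print(demo())
```

An empty result only means these two files hold nothing the heuristic recognises; extensions and dependencies such as node_modules, raised elsewhere in the thread, are outside what it checks.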
___________________________________________________________________
(page generated 2021-07-06 23:03 UTC)