Upon installing #VSCode ("insiders edition", their nightly build), it:
- Immediately opened my web browser without my permission and instantly loaded a URL with various parameters (what did it just send to Microsoft?!)
- Tried to connect to at least 4 different domains, including one for "bing search results" when I tried searching *inside the text editor*
- Still continued to connect to 3 domains, including Bing search, after I disabled all "telemetry" settings
Not worth it.
It downloads who knows what code and injects it into the built product:
Meaning, the source code in the git repo isn't the only thing that your "custom built" VSCode instance will be running.
Shady Microsoft doing shady things.
Something tells me this will blow up in their users' faces. #vscode
Opened 3 related issues. Let's see how fast Microsoft closes (or ignores) them:
https://github.com/Microsoft/vscode/issues/49159
@taoeffect Yeesh. Reminds me of Google downloading the voice detection binaries into chrome. VScode seems to be MIT license, but I wonder if the downloaded bits are too. That could put companies in hot water if they build against it.
@ultimape @taoeffect quick correction *chromium, which is kinda an important distinction bc chromium is supposed to be open source
Guys, #OpenSource is just a #marketing tool. You should not expect anything from an open source software: it's not #FreeSoftware.
https://medium.com/@giacomo_59737/what-i-wish-i-knew-before-contributing-to-open-source-dd63acd20696
@Shamar @prydt @taoeffect oh yeah well the licensing angle would just be a different way to stink about the fact that there's unverifiable code being downloaded from a third party without being able to verify its signature or even what it does.
@Shamar @prydt @ultimape @taoeffect #OpenSource is a label. It doesn't necessarily capture the motivations or values of the people using it -- one must always look closer.
@downey @Shamar @ultimape @taoeffect inb4 someone posts the Stallman "open source misses the point of free software" essay
@prydt @Shamar @ultimape @taoeffect Case in point, RMS still awarded me the free software award, despite our use of the term "open source" (although he did take a moment to hassle me about it!)
@downey @prydt @ultimape @taoeffect
It's true that #words are just words.
But you know, I'm a #programmer, I need a precise language to work with.
So I'm going to use the term with the meaning that they seem to have, not with the ambiguous meanings that are exploited by corporates.
#OpenSource is a #marketing tool, used by some companies to challenge the adversaries or to enter a niche.
#FreeSoftware is a #hackers' pursuit for applicable #knowledge, a byproduct of #curiosity.
@downey @Shamar @ultimape @taoeffect whoa... that's really cool... I'm curious as to what you got it for! :)
@downey that's really cool ^^
@taoeffect looks like your #3 is a dupe, setting is workbench.settings.enableNaturalLanguageSearch
wonder if that's exposed in the UI anywhere 🤔
Update on #VSCode:
Less than 24 hours later, the "Build process injects unknown code into artifact" issue has been closed:
https://github.com/Microsoft/vscode/issues/49159#issuecomment-386695240
Downloading mystery code during the build step is something Microsoft does in other projects as well, see CoreCLR:
https://lobste.rs/s/orc6nw/vscode_still_sends_search_keystrokes#c_va9isr
@taoeffect "curl has HTTPS CA trust-issues less often than wget, so lets try that first."
@algorev Talk about backwards reasoning
@taoeffect I don't want to protect Microsoft's "reputation", but for this case after digging a little into the source code AFAIK it seems clear what would be downloaded during the build process as is shown in https://github.com/Microsoft/vscode/blob/master/build/lib/builtInExtensions.js and https://github.com/Microsoft/vscode/blob/master/build/gulpfile.vscode.js#L260. The configuration file is also present in the repository https://github.com/Microsoft/vscode/blob/master/build/builtInExtensions.json which could be edited and disabled anyway.
@PeterCxy It's a bizarre thing to do. I can't think of a good reason for it. Also strange is the config file says the extensions are located on github, yet they're being downloaded from Microsoft's servers.
@taoeffect
"MS ❤ open source" my ass
@taoeffect probably the best part of the discussion: "vscodebot locked and limited conversation to collaborators"
@taoeffect what happens if you try to build while being offline?
@taoeffect this is why I do all of my dev on an airgap.
@taoeffect sounds like OpenCandy, neither open nor sweet. #malware
@taoeffect Keep in mind those bing domain names might not be what it's actually talking to, just whatever the IP address first resolved to. Might just be downloading modules at runtime.
(No, it wouldn't surprise me to see hardcoded IP addresses, especially on a nightly build)
Not defending them, fwiw, as clearly they need to communicate much better what's going on, just pointing out it's not necessarily connecting to Bing.
@taoeffect
What did you expect? It's Microsoft.
@taoeffect Would be interesting to do the same tests with Atom
@taoeffect among other nasty things Electron can listen to your mic and watch your cam without your permission. Electron is cancer
@taoeffect Sounds like a Microsoft product all right. I can't remember last time any Microsoft product did NOT automatically make random connections.
@taoeffect No shit! I installed this stuff a week ago to try it.
Well, scrubbing.
@taoeffect I didn't experience something like that with my Windows installation (stable version) 🤔
@taoeffect well, that sounds terrifying.
And if you try building it locally [1], the gulp task will attempt to connect to marketplace.visualstudio.com mid-build for some reason, and will fail to finish the build if you prevent it.
[1] https://github.com/Microsoft/vscode/issues/60#issuecomment-161792005