Upon installing ("insiders edition", their nightly build), it:

- Immediately opened my web browser without my permission and instantly loaded a URL with various parameters (what did it just send to Microsoft?!)

- Tried to connect to at least 4 different domains, including one for "bing search results" when I tried searching *inside the text editor*

- Still continued to connect to 3 domains, including Bing search, after I disabled all "telemetry" settings

Not worth it.

And if you try building it locally [1], the gulp task will attempt to connect to mid-build for some reason, and will fail to finish the build if you prevent it.


It downloads who knows what code and injects it into the built product:

Meaning, the source code in the git repo isn't the only thing that your "custom built" VSCode instance will be running.

Shady Microsoft doing shady things.

Something tells me this will blow up in their users' faces.

@taoeffect Yeesh. Reminds me of Google downloading the voice detection binaries into chrome. VScode seems to be MIT license, but I wonder if the downloaded bits are too. That could put companies in hot water if they build against it.

@ultimape @taoeffect quick correction *chromium, which is kinda an important distinction bc chromium is supposed to be open source

@Shamar @prydt @taoeffect oh yeah well the licensing angle would just be a different way to stink about the fact that there's unverifiable code being downloaded from a third party without being able to verify its signature or even what it does.

@Shamar @prydt @ultimape @taoeffect #OpenSource is a label. It doesn't necessarily capture the motivations or values of the people using it -- one must always look closer.

@downey @Shamar @ultimape @taoeffect inb4 someone posts the Stallman "open source misses the point of free software" essay

@prydt @Shamar @ultimape @taoeffect Case in point, RMS still awarded me the free software award, despite our use of the term "open source" (although he did take a moment to hassle me about it!)

@downey @prydt @ultimape @taoeffect

It's true that #words are just words.

But you know, I'm a #programmer, I need a precise language to work with.

So I'm going to use the term with the meaning that they seem to have, not with the ambiguous meanings that are exploited by corporates.

#OpenSource is a #marketing tool, used by some companies to challenge the adversaries or to enter a niche.

#FreeSoftware is a #hackers' pursuit for applicable #knowledge, a byproduct of #curiosity.

@downey @Shamar @ultimape @taoeffect whoa... that's really cool... I'm curious as to what you got it for! :)

@taoeffect looks like your #3 is a dupe, setting is workbench.settings.enableNaturalLanguageSearch

wonder if that's exposed in the UI anywhere 🤔

Update on :

Less than 24 hours later, the "Build process injects unknown code into artifact" issue has been closed:

Downloading mystery code during the build step is something Microsoft does in other projects as well, see CoreCLR:

@taoeffect "curl has HTTPS CA trust-issues less often than wget, so lets try that first."

@taoeffect i dislike any build process that makes a network connection. seen a few that wget some packages during `make install` (even on a rebuild, it doesn't check whether the files are already there) instead of telling me what dependencies to grab beforehand.

@taoeffect I don't want to protect Microsoft's "reputation", but for this case after digging a little into the source code AFAIK it seems clear what would be downloaded during the build process as is shown in and The configuration file is also present in the repository which could be edited and disabled anyway.

@PeterCxy It's a bizarre thing to do. I can't think of a good reason for it. Also strange is the config file says the extensions are located on github, yet they're being downloaded from Microsoft's servers.

@taoeffect probably the best part of the discussion: "vscodebot locked and limited conversation to collaborators"

@taoeffect what happens if you try to build while being offline?

@taoeffect What program is this? Might come in useful for me at work.
@taoeffect On Windows I see NetLimiter and Windows Firewall Notifier. The former takes my interest though not as fancy as Little Snitch. The techies here have turned off UAC and the firewall but at least I know they're there for a reason.

@taoeffect Keep in mind those bing domain names might not be what it's actually talking to, just whatever the IP address first resolved to. Might just be downloading modules at runtime.

(No, it wouldn't surprise me to see hardcoded IP addresses, especially on a nightly build)

Not defending them, fwiw, as clearly they need to communicate much better what's going on, just pointing out it's not necessarily connecting to Bing.

@taoeffect Sounds like a Microsoft product all right. I can't remember last time any Microsoft product did NOT automatically make random connections.

@taoeffect No shit! 🙀 I installed this stuff a week ago to try it.
Well, scrubbing.

