Upon installing #VSCode ("insiders edition", their nightly build), it:
- Immediately opened my web browser without my permission and instantly loaded a URL with various parameters (what did it just send to Microsoft?!)
- Tried to connect to at least 4 different domains, including one for "bing search results" when I tried searching *inside the text editor*
- Still continued to connect to 3 domains, including Bing search, after I disabled all "telemetry" settings
Not worth it.
And if you try building it locally, the gulp task will attempt to connect to marketplace.visualstudio.com mid-build for some reason, and will fail to finish the build if you prevent it.
It downloads who knows what code and injects it into the built product:
Meaning, the source code in the git repo isn't the only thing that your "custom built" VSCode instance will be running.
Shady Microsoft doing shady things.
Something tells me this will blow up in their users' faces. #vscode
@taoeffect Yeesh. Reminds me of Google downloading the voice detection binaries into chrome. VSCode seems to be MIT license, but I wonder if the downloaded bits are too. That could put companies in hot water if they build against it.
It's true that #words are just words.
But you know, I'm a #programmer, I need a precise language to work with.
So I'm going to use the term with the meaning that they seem to have, not with the ambiguous meanings that are exploited by corporates.
@downey that's really cool ^^
@taoeffect looks like your #3 is a dupe, setting is workbench.settings.enableNaturalLanguageSearch
wonder if that's exposed in the UI anywhere 🤔
Update on #VSCode:
Less than 24 hours later, the "Build process injects unknown code into artifact" issue has been closed:
Downloading mystery code during the build step is something Microsoft does in other projects as well, see CoreCLR:
@taoeffect "curl has HTTPS CA trust-issues less often than wget, so lets try that first."
@algorev Talk about backwards reasoning
@taoeffect I don't want to protect Microsoft's "reputation", but for this case after digging a little into the source code AFAIK it seems clear what would be downloaded during the build process as is shown in https://github.com/Microsoft/vscode/blob/master/build/lib/builtInExtensions.js and https://github.com/Microsoft/vscode/blob/master/build/gulpfile.vscode.js#L260. The configuration file is also present in the repository https://github.com/Microsoft/vscode/blob/master/build/builtInExtensions.json which could be edited and disabled anyway.
@PeterCxy It's a bizarre thing to do. I can't think of a good reason for it. Also strange is the config file says the extensions are located on github, yet they're being downloaded from Microsoft's servers.
"MS ❤ open source" my ass 😑
@taoeffect probably the best part of the discussion: "vscodebot locked and limited conversation to collaborators"
@taoeffect what happens if you try to build while being offline?
@taoeffect Keep in mind those bing domain names might not be what it's actually talking to, just whatever the IP address first resolved to. Might just be downloading modules at runtime.
(No, it wouldn't surprise me to see hardcoded IP addresses, especially on a nightly build)
Not defending them, fwiw, as clearly they need to communicate much better what's going on, just pointing out it's not necessarily connecting to Bing.
What did you expect? It's Microsoft.
@taoeffect Would be interesting to do the same tests with Atom
@taoeffect among other nasty things Electron can listen to your mic and watch your cam without your permission. Electron is cancer
@taoeffect Sounds like a Microsoft product all right. I can't remember last time any Microsoft product did NOT automatically make random connections.
@taoeffect No shit! 🙀 I installed this stuff a week ago to try it.
@taoeffect I didn't experience something like that with my Windows installation (stable version) 🤔
@taoeffect well, that sounds terrifying.