Greg Slepak 🐢 is a user on mstdn.io. You can follow them or interact with them if you have an account anywhere in the fediverse. If you don't, you can sign up here.
Greg Slepak 🐢 @taoeffect
Follow

Upon installing ("insiders edition", their nightly build), it:

- Immediately opened my web browser without my permission and instantly loaded a URL with various parameters (what did it just send to Microsoft?!)

- Tried to connect to at least 4 different domains, including one for "bing search results" when I tried searching *inside the text editor*

- Still continued to connect to 3 domains, including Bing search, after I disabled all "telemetry" settings

Not worth it.

· Web · 52 · 32

And if you try building it locally [1], the gulp task will attempt to connect to marketplace.visualstudio.com mid-build for some reason, and will fail to finish the build if you prevent it.

[1] github.com/Microsoft/vscode/is

It downloads who knows what code and injects it into the built product:

github.com/Microsoft/vscode/bl

Meaning, the source code in the git repo isn't the only thing that your "custom built" VSCode instance will be running.

Shady Microsoft doing shady things.

Something tells me this will blow up in their user's faces.

@taoeffect Yeesh. Reminds me of Google downloading the voice detection binaries into chrome. VScode seems to be MIT license, but I wonder if the downloaded bits are too. That could put companies in hot water if they build against it.

@ultimape @taoeffect quick correction *chromium, which is kinda an important distinction bc chromium is supposed to be open source

@Shamar @prydt @taoeffect oh yeah well the licensing angle would just be a different way to stink about the fact that there's unverifiable code being downloaded from a third party without being able to verify its signature or even what it does.

@Shamar @prydt @ultimape @taoeffect #OpenSource is a label. It doesn't necessarily capture the motivations or values of the people using it -- one must always look closer.

@downey @Shamar @ultimape @taoeffect inb4 someone posts the Stallman "open source misses the point of free software" essay

@prydt @Shamar @ultimape @taoeffect Case in point, RMS still awarded me the free software award, despite our use of the term "open source" (although he did take a moment to hassle me about it!)

@downey @prydt @ultimape @taoeffect

It's true that #words are just words.

But you know, I'm a #programmer, I need a precise language to work with.

So I'm going to use the term with the meaning that they seem to have, not with the ambiguous meanings that are exploited by corporates.

#OpenSource is a #marketing tool, used by some companies to challenge the adversaries or to enter a niche.

#FreeSoftware is an #hackers' pursuit for applicable #knowledge, a byproduct of #curiosity.

@downey @Shamar @ultimape @taoeffect whoa... that's really cool... I'm curious as to what you what you got it for! :)

@taoeffect looks like your #3 is a dupe, setting is workbench.settings.enableNaturalLanguageSearch

wonder if that's exposed in the UI anywhere 🤔

Update on :

Less than 24 hours later, the "Build process injects unknown code into artifact" issue has been closed:

github.com/Microsoft/vscode/is

Downloading mystery code during the build step is something Microsoft does in other projects as well, see CoreCLR:

lobste.rs/s/orc6nw/vscode_stil

@taoeffect "curl has HTTPS CA trust-issues less often than wget, so lets try that first."

@taoeffect i dislike any build process that makes a network connection. seen a few that wget some packages during `make install` (even on a rebuild, it doesn't check whether the files are already there) instead of telling me what dependencies to grab beforehand.

@taoeffect I don't want to protect Microsoft's "reputation", but for this case after digging a little into the source code AFAIK it seems clear what would be downloaded during the build process as is shown in github.com/Microsoft/vscode/bl and github.com/Microsoft/vscode/bl. The configuration file is also present in the repository github.com/Microsoft/vscode/bl which could be edited and disabled anyway.

@PeterCxy It's a bizarre thing to do. I can't think of a good reason for it. Also strange is the config file says the extensions are located on github, yet they're being downloaded from Microsoft's servers.

@taoeffect probably the best part of the discussion: "vscodebot locked and limited conversation to collaborators"

@taoeffect what happens if you try to build while being offline?

@taoeffect What program is this? Might come in useful for me at work.
@taoeffect On Windows I see NetLimiter and Windows Firewall Notifier. The former takes my interest though not as fancy as Little Snitch. The techies here have turned off UAC and the firewall but at least I know they're there for a reason.

@taoeffect Keep in mind those bing domain names might not be what it's actually talking to, just whatever the IP address first resolved to. Might just be downloading modules at runtime.

(No, it wouldn't surprise me to see hardcoded IP addresses, specially on a nightly build)

Not defending them, fwiw, as clearly they need to communicate much better what it's going on, just pointing out it's not necessarily connecting to Bing.

@taoeffect among other nasty things Electron can listen to you mic and watch your cam without your permission. Electron is cancer

@taoeffect Sounds like a Microsoft product all right. I can't remember last time any Microsoft product did NOT automatically make random connections.

@taoeffect No shit! 🙀 I installed this stuff a week ago to try it.
Well, scrubbing.

@taoeffect I didn't experience something like that with my Windows installation (stable version) 🤔