Upon installing #VSCode ("insiders edition", their nightly build), it:
- Immediately opened my web browser without my permission and instantly loaded a URL with various parameters (what did it just send to Microsoft?!)
- Tried to connect to at least 4 different domains, including one for "bing search results" when I tried searching *inside the text editor*
- Still continued to connect to 3 domains, including Bing search, after I disabled all "telemetry" settings
Not worth it.
And if you try building it locally , the gulp task will attempt to connect to marketplace.visualstudio.com mid-build for some reason, and will fail to finish the build if you prevent it.
It downloads who knows what code and injects it into the built product:
Meaning, the source code in the git repo isn't the only thing that your "custom built" VSCode instance will be running.
Shady Microsoft doing shady things.
Something tells me this will blow up in their user's faces. #vscode
It's true that #words are just words.
But you know, I'm a #programmer, I need a precise language to work with.
So I'm going to use the term with the meaning that they seem to have, not with the ambiguous meanings that are exploited by corporates.
Update on #VSCode:
Less than 24 hours later, the "Build process injects unknown code into artifact" issue has been closed:
Downloading mystery code during the build step is something Microsoft does in other projects as well, see CoreCLR:
@taoeffect I don't want to protect Microsoft's "reputation", but for this case after digging a little into the source code AFAIK it seems clear what would be downloaded during the build process as is shown in https://github.com/Microsoft/vscode/blob/master/build/lib/builtInExtensions.js and https://github.com/Microsoft/vscode/blob/master/build/gulpfile.vscode.js#L260. The configuration file is also present in the repository https://github.com/Microsoft/vscode/blob/master/build/builtInExtensions.json which could be edited and disabled anyway.
@taoeffect Keep in mind those bing domain names might not be what it's actually talking to, just whatever the IP address first resolved to. Might just be downloading modules at runtime.
(No, it wouldn't surprise me to see hardcoded IP addresses, specially on a nightly build)
Not defending them, fwiw, as clearly they need to communicate much better what it's going on, just pointing out it's not necessarily connecting to Bing.