If only the company behind VSCode, the company behind NPM and the company behind GitHub could get together and figure out a solution to this.
Perfectly demonstrating the truth of the "Microsoft org chart" cartoon.
https://bonkersworld.net/organizational-charts
At first I thought the Apple one had a half-dozen departments actually coordinating on something, but then I took a closer look and realized it's just more micromanagement.
I think the chart is still from the Steve Jobs era, who definitely was known to be a micromanager.
I've seen this a million times, but aren't the Amazon and Apple ones kinda the same, just differently shaped?
One has 1:2 fanout, the other has 1:50 fanout.
Also, Apple has master micromanager overriding managers.
Well, it certainly wasn't for lack of warning about the glaring risks...
https://github.com/microsoft/vscode/issues/52116
It is also the company behind NuGet.
Guess what they did a year ago.
They removed 700 or so packages from NuGet proactively but those turned out to be false positives.
It is hard to do the right things.
It is hard for Microsoft to do the right things*
FTFY
In fairness, there was a time when I was unable to have a computer sort search results so the default hit was the plugin with 1000x more downloads than all the others combined.
Not trolling here but these things are by design cesspools ready for compromise. Any fully open ecosystem where contributions are not strictly reviewed is open to this problem. If you don't like it, don't use editor extensions and use a well audited editor.
If you want to use extensions or node packages or pypi packages without doing a detailed review you're accumulating technical debt. You're assuming a risk in order to ship rapidly. You can either pay that down at some point under control, or bear the interest when it comes due.
Extensions never had to be given unsandboxed access to everything. That's a choice that they actively made.
I mean I don't think some sort of "access control" within the editor is going to really address this. People edit sensitive text in their code editor and no matter what that is going to be available to most useful extensions. Even if you don't lose a credential or get some arbitrary script running to mine crypto on your machine you could have an extension function as a key logger and exfil code you really think is valuable.
It's easy to complain, words are cheap. Fork it and change it if you don't like it.
It's easy to wave a magic wand and have one developer do better than a corporation of tens of thousands. There is a reason I don't use Microsoft products: I can't do it myself and they won't do it for me.
Then you lose access to the VSCode marketplace which kind of defeats the purpose.
I mean, then you say it like that…
Microsoft is the inverse hand of Midas, turns everything into shit.
Mierdas, as they say.
With $101 billion in profit last year I wish I could turn things into $hit as well as they do.
You could, with a large enough captive audience.
Everything Microsoft makes sucks. If they decided to make vacuum cleaners though, they wouldn’t suck, they would blow.
Just five years ago this opinion was heresy on HN. Those of us who still remembered their behavior in the 80s/90s were belittled.
"They have changed, gramps. This really smart Satya Nadella is CEO. They are the good guys now. Don't be so bitter over old stuff like systematic use of illegal tactics to attempt to kill all of its competitors including Linux."
Also: Note that the headline undersells the news dramatically. The article begins with:
"GitHub has confirmed that roughly 3,800 internal repositories were breached after one of its employees installed a malicious VS Code extension."
Pretty sure that was astroturfing.
I always wondered what the division of pro-MS astroturfing was between:
a) Waggener Edstrom (now: WE Communications) or similar
b) Microsoft employees
c) Third-party Microsoft-only developers/IT people (with an obvious vested financial interest)
these days it's just Microslop