[kweingar]

I think there's a bit of a difference between a bug that went undiscovered for years and vetting third-party software to see if its telemetry compromises your employees or IP.

I mean, sure, if you want to avoid log4j from happening, you can write all of your software from the ground up in-house with no third party dependencies (or audit every line of code for every third-party program you do use), but I don't see how that's relevant to a discussion about whether VSCode is compromised to a degree that other editors aren't.

[sophacles]

The point was that people thought "Oh surely log4j was vetted by the big companies that depend on it - I mean it must be OK if AcmeCorp uses it!". (or openssl, or sendmail, or ...). That's not too different from "Oh look at all these big tech companies using it, they must have vetted the telemetry".

Maybe a little extra caution is warranted.