[bcardarella]

I just don't buy this argument. None of what you've listed gives the right to install binaries without permission. A simple opt-in notification could resolve this but they decided against this for ease of use. Free or not, pre 1.0 or not, small team or not this puts users at risk for a pretty bad attack vector.

[alberth]

If DockYard.com had a security incident for a free/beta service, I'm sure you'd want users to show some compassion.

(It doesn't make it right, all I'm saying is - showing compassion goes a long way with developers while they re-evaluate)

[bcardarella]

Actually, I'll do one better. For a rather large framework we are developing an engineer at DY introduced a somewhat similar problem. A binary was being installed, from a trusted source in this case but a binary was being compiled/installed none the less. It never made its way to an actual release and I personally took the time to change this approach so that we weren't installing binaries on people's machines without their permission. We now pre-compile and vendor. This approach likely isn't what Zed can do as in this case we can target just Intel/Apple Silicon machines but the point here is I recognized the problem and rather than just hand-wave dismiss it as a #wontfix I took responsibility for it and fixed it myself. It cost money, it cost time. I still fixed it because that's the right thing to do.

https://github.com/liveview-native/liveview-client-swiftui/p...

Compassion for those putting others in harms way is such a stupid take.

[threatofrain]

For security, what’s the difference between prepackaging a binary vs downloading later?

[bcardarella]

Vendoring the binary guarantees that I control what is running. It isn't installed, just run locally from the lib. I'll quote the OP issue on GH:

> Now I found that it downloads (here) even some proprietary binary from https://supermaven.com, i.e. unaudited and unauditable code, without any verification (except TLS)!

This opens Zed up to Man In The Middle attacks and Supply Chain attacks. And now that Zed has indicated that they won't fix the door is wide open to these vulnerabilities.

[bcardarella]

I'll add that security incidents through mistakes happen. Conscious decisions to punt on user security in the name of faster release cycles isn't something I am willing to have compassion on.

[bcardarella]

We don't cut corners like this so no, that wouldn't happen

[yamumsahoe]

oh god, no. users exist to give you money and feedback, not emotional support.

when your software enters other people's personal devices, their concern is their safety, security, and privacy, not your feelings.

[AA-BA-94-2A-56]

I actually completely agree with you, although at the very least users can be expected to not be rude. Although, I don't think anyone in this thread (so far) has been rude.