[OutOfHere]

JetBrains IDEs are better than VSCode, but due to Copilot integration in VSCode, I moved away from JetBrains. I don't see myself going back to JetBrains.

Secondly, the free JetBrains IDEs also lack devcontainer support which is readily present in VSCode. To not use devcontainer is a substantial security hazard.

[anstarovoyt]

>Secondly, the free JetBrains IDEs also lack devcontainer support

Actually, there is a significant difference between the community versions (e.g. for PyCharm) and the versions available for non-commercial use. The latter are full versions of the products without any reduced functionality, whereas the community editions have certain features trimmed.

[OutOfHere]

JetBrains simply is uncompetitive. It doesn't make sense to have to pay for an important feature (container integration via devcontainer or docker) that is already free in a competing IDE (VSCode).

[simion314]

>Secondly, the free JetBrains IDEs also lack devcontainer support which is readily present in VSCode. To not use devcontainer is a substantial security hazard.

Can you elaborate? Is VS Code making containers for you so you are safe from packages or from random plugins you have to install?

[OutOfHere]

Why do I have to elaborate? It is well known that a container offers a sandbox and process isolation. The risk from not using one can be severe. The risks include but are not limited to packages and plugins.

[lolinder]

> Why do I have to elaborate?

Because some of us have never heard of devcontainers as a named concept with its own spec until now. I've been running my dev servers inside containers for a long time now (using JetBrains IDEs!), but have never heard of this before.

> It is well known that a container offers a sandbox and process isolation.

No, actually, it's well known that containers don't do that. It's one of the first things you learn when you start learning about containers—they are not virtual machines and are not suitable for running untrusted code, because they share a kernel with the host.

I just read through the introduction to devcontainers and there are lots of benefits it discusses but security isn't one of them:

https://containers.dev/

[OutOfHere]

> security isn't one of them

Oh but it is. If there is harmful data-stealing software running in the container, it will remain isolated to the container. And if the kernel is shared with the host, that's a read-only share.

[simion314]

>Oh but it is. If there is harmful data-stealing software running in the container, it will remain isolated to the container. And if the kernel is shared with the host, that's a read-only share.

And what protects the production server when you deploy the evil packages?

[fragmede]

> remain isolated to the container.

Assuming the code that implements the containerization is 100% bug free and there are no container escapes. I would not bet my user's safety purely on that assumption.

[acdha]

This is as useful as saying that seat belts do not make you safer because people still die in crashes. Containers are not perfect but if you’re starting from the conventional position where you’re one wrong package install away from an attacker having arbitrary access to your account and data, they’re a significant immediate improvement and a good foundation for further improvement.

[lolinder]

I think you're missing my point: you are saying that it is one of the benefits, but they don't because it isn't one. Containers are not a security solution for running untrusted code. You saying they are does not make it so.

> And if the kernel is shared with the host, that's a read-only share.

No, it's not, the kernel is reading and writing files constantly for the container. A bug in the kernel could be exploited to break the sandbox, which isn't possible in a true VM.

[OutOfHere]

There is no such thing as perfect security. Partial security is much better than none at all. Containers go a long way in this regard. All code is untrusted.

[jasonlotito]

> Why do I have to elaborate?

It's well known that the comments on HN are great for having discussions. You don't have to participate, despite your belief that you are required to. But, it's well known that having a discussion is a two way street, with people commenting and asking questions, and people replying.

[simion314]

So you are afraid of evil packages but then you deploy them in production? So you are safe and screw your users ?

[acdha]

Here’s a scenario: my development pipeline scans every package in the build but I can’t reach into a developer’s local shell session to prevent them from making a typo. Using a dev container changes that from “the attacker gets their data, keys, and anything their session credentials can access” to a more limited exposure and gives your other safeguards a chance to catch it.

[simion314]

So you force your devs to use your favortie IDE rhater then the best one? why not force them to use soem better stuff for this security purpose like virtual machines, docker , something that would be usefull for them to have experience with

[acdha]

This does use Docker - it’s literally just working in a container so it’s both useful experience and overlaps with your deployments so you avoid multiple layers of waste from VMs: everything is reproducible, people don’t hit problems due to untracked local state, and they don’t spend time on sysadmin work which isn’t directly related to what you deploy.

[OutOfHere]

Huh. That makes no sense. If I am experimenting with something, I won't necessarily deploy it.

[simion314]

I am 100% sure that everything you deploy you review? Maybe is safer to setup a secure environment for your system and for production if you use dangerous packages.

[appplication]

I used to think containers were they way and maybe they are, but so far my experiences with them has been really poor and marked by confusing interfaces and unnecessary GUI ops vs e.g. git ops.

If someone could explain to me how to programmatically perform all lifecycle features with a container (e.g. rebuild etc) without ever having to touch VSC’s special in-IDE command palette that would be incredible.

The current iteration is too much magic at the expense of too little control and visibility.

[Larrikin]

Copilot works just fine in JetBrains? Microsoft has an official plug-in.

[OutOfHere]

Is the completion generation equally good in JetBrains as it is in VSCode? User reviews suggest otherwise.