[theobr]

Hey y'all, I made the most prominent fork of this extension "Material Theme (But I Won't Sue You)"

The maintainer went off the deep end last year. He pulled the (originally apache 2) source offline, then started threatening to sue people for hosting alternative versions, including them in other IDEs, etc. Genuine lunatic.

Out of an abundance of precaution, I've taken the following action on my fork:

1. I have the VS Code team auditing it as we speak, and I've given them full permission to immediately pull it from the marketplace & force uninstall it from users if they find ANYTHING malicious.

2. I have audited the code base thoroughly (nothing seemed malicious)

3. I have removed ALL code related to changelogs, analytics, Open Collective and html rendering.

The only thing that seemed slightly concerning was the html + sanity loader for changelogs, so I gutted it entirely. Two PRs removed almost all the deps and over 7,000loc (mostly package-lock)

Repo is here if anyone else would like to audit https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you

[zelphirkalt]

To me it seems ridiculous, that a theme could even accumulate such things as analytics and even lots of dependencies. A theme is usually something self-contained. And even more ridiculous, that anyone can, as you write, "force uninstall" anything from my machine. So glad I am not a VS Code user. It seems all the typical corporate BS is happening with its marketplace and plugins.

[bmicraft]

Try Qt themes, they're binaries compiled from C++ code :)

[qbane]

If one can "force uninstall" for safety, then it implies that automatic upgrading an extension with the user's consent is unsafe at the first place.

[Cthulhu_]

It is, but that's the reality of today - auto-updates, "evergreen" releases. This was popularised by Chrome, and IMO fixed a LOT of headaches and allowed for much faster and more agile release cycles - the reality before was that a company like Microsoft would have to provide support for older versions of their software for X years and deal with the fallout of security issues with remaining older versions. (Web) developers had to be careful about adopting newer features because X% of their user base would still be on older versions of the runtime, leading to the invention of transpilers and the start of what is still a very complicated system in web front-end world.

[account42]

It doesn't fix any headaches it just outsources them to the users who get surprise breakages of their workflow in the middle of an important project.

[qbane]

* without the user's consent

[e40]

Isn't the problem that VS Code has no permission model (restricting of them), so all extensions can do anything?

[tabony]

While it is, the same issue exists in Sublime, Vim, Emacs, Gedit, pico/nano[1], IntelliJ, Android Studio, Eclipse, and every editor.

[1] https://threatpost.com/researchers-show-how-popular-text-edi...

I think Xcode may be the exception but Xcode plugins also can’t do much.

[e40]

I think Emacs and Vim will be lower probability targets than VS Code, though.

[knowitnone]

yeah. I hope you leave malicious code running on your computers to prove your point.

[notwhereyouare]

how is there not a single screenshot of what it looks like either in the repo or on the marketplace page? Or did I just miss them?

[drywipes]

it's ugly, don't worry.

however, I found this from the malware creator's website itself: https://framerusercontent.com/images/G17CYe9tTL2GP1Rw4mUI8YC...

[thatgerhard]

thank you!

[c048]

Thank you