[CodeWriter23]

PSA: every package you install from any package manager from browser extensions to npm/composer etc presents the risk of malware. Because the open source community lacks the financial resources to vet every single version of every package. Demanding this level of security from software provided at no cost that relies on open contributions is wholly unreasonable. If you need that, buy an IDE from a company financially capable of ensuring security and accept the limitations of their offering.

Mitigations like running in a VM might protect your dev workstation. But not code you put into production that relies on third parties.

[lolinder]

> Demanding this level of security from software provided at no cost that relies on open contributions is wholly unreasonable

VS Code isn't some kind of hobby project by a couple of dudes on laptops with nothing but the best interests of the community at heart. It's a flagship IDE produced by one of the most valuable tech companies in the world, released for free as a loss leader in service to very specific corporate goals.

When a tech behemoth releases a free IDE as a loss leader and it drives out all of the scrappy open source projects one by one, I think it's reasonable to hold that tech behemoth to tech behemoth standards rather than scrappy open source project standards.

[rafaelmn]

> VS Code isn't some kind of hobby project by a couple of dudes on laptops with nothing but the best interests of the community at heart.

Which is why I'm pretty confident in first party packages and don't install third party plugins from random authors.

[mr_toad]

> I think it's reasonable to hold that tech behemoth to tech behemoth standards

You’d end up with Apple-style reviews and then people complaining about them. You can’t really win.

[rat9988]

The marketplace isn't operated on a paid contract for vetted extensions. You vet the extensions you use. Most don't, and it's ok. Don't shift the blame and the cost on microsoft though, they don't have to offer it.

[homebrewer]

Yet Mozilla, for all the flak it gets, isn't paid a dime by its users, but does find resources to vet the most popular extensions. Everything I use is checked by them.

Raymond Hill (of ublock fame) wasn't really impressed with how it is performed, but it's still much better than nothing (which is what MS apparently does).

VSCode is an IDE in name only, it's a glorified text editor, and pretty mediocre one at that. I in "IDE" stands for "integrated", like what you'd expect from JetBrains' products. Or even the real visual studio.

[nkmnz]

What functionality or property makes JetBrains' products an IDE while VSCode isn't? Honest question, I've never used any of their products.

[CodeWriter23]

Paid JetBrains user here. What JetBrains gives you is self-implemented add-ons in their marketplace. These are perceived to have the same level of trust as the base product. Then there is the similar level of “might be malware” or “steal your infoware” from (possibly adapted) open source and third parties available on their marketplace.

[mindcrash]

As a example: Rider (https://www.jetbrains.com/rider/) - a IDE - comes with everything you could possibly need to build and compile .NET apps out of the box, while VSCode - a code editor - relies on extensions (and thus mostly the community surrounding VSCode) for this.

Or to make things more succinct:

* VSCode is a extendable code editor (like vim, neovim, Zed and Sublime)

* Jetbrains Rider is a fully equipped Integrated Development Environment (like Microsoft Visual Studio or its direct sibling Jetbrains IntelliJ IDEA)

And while extensions are optional within a IDE (and often solely used for increased productivity), more often than not they are a necessity in a code editor to even become productive.

[lolinder]

I'm a big JetBrains fan, but this distinction is just silly. If you look at the way that JetBrains IDEs are packaged, the differences between IDEs all come down to extensions—which are enabled by default, which are available to install at all. IntelliJ Ultimate can be made to have all the features of PyCharm with the right extension combo. And occasionally they break out a new IDE by taking an extension and making it no longer available for installation elsewhere (like RustRover). The entire architecture is one of plugins.

"Integrated" isn't meant to contrast with a plugin-based system (otherwise JetBrains wouldn't count!), it's meant to contrast with a dev environment built out of a bunch of individual tools and terminal commands run separately.

[CodeWriter23]

Apples to oranges or should I say Advertising Revenue vs. Freemium Revenue models

[forgotpwd16]

>Everything I use is checked by them.

How you know that?

[ajross]

> Because the open source community lacks the financial resources to vet every single version of every package.

I made the point elsewhere, but this seems to fail in the face of Debian and Red Hat and Canonical who have been publishing mostly-secure distros of exclusively open source software for decades now.

There's a reason why MS and NPM get caught by this sort of shenanigans, but it's not "open source".

[vlovich123]

Because the attack surface is smaller and more difficult to extract value out of. I think it’s been shown time and time again the more motivated your attacker the more difficult it is to defend and very visible popular platforms see more attacks. NPM and MS represent drastically larger platforms.

[ajross]

Uh... no. There is far (far) more code[1] shipped in the package repository of any Linux distro than in all the world's vscode extensions. Are you being serious? NPM arguably gets a little closer, but only a little.

No, the reason Linux is safe and modern distributors aren't is the "packaging" step. Debian volunteers package software that they understand to be high quality via existing community consensus. You can't just show up to Fedora and say "ship my junkware app", you need to convince the existing community that your stuff doesn't suck.

And that's worked extremely well for decades now, going all the way back to 2BSD being shipped above V7 Unix. The reason MS and NPM et. al. abandoned it isn't just pure experience[2]. They don't want to wait for their repos to fill with good software, they want all the software in it now so that they don't get beaten by whoever their competitors are.

And this is the inevitable result. If you allow anyone to distribute software to your users then you allow everyone to distribute software to your users. And everyone includes a lot of bad people.

[1] With vastly more capability! The distro ships everything from firmware blobs and kernel drivers up through browser glitz and desktop customization. Talk about "attack surface"!

[vlovich123]

Remember, when we're triggered our reading comprehension goes down and we confuse emotion for facts. Did I say they ship more/less code? No, first I was talking about the user base size and the economic incentives for malicious users.

For the most popular package:

Debian: ~253K installs per month [1]

NPM: ~236M installs per month [2]

VSCode: ~158M installs total [3]

Obviously VSCode is hard to compare, but the most popular Debian package would need 52 years to achieve the total VSCode numbers so I'm sure it's safe to say VSCode beats Debian significantly on installs and NPM wins even more convincingly.

Ok, but let's take a look at how much code is shipping which was your metric:

Debian: 242k submissions per month for amd64 [4]

NPM: ~50k new non-spam packages per month, ~800k new version submissions per month [5]

VSCode: No data available

I don't know how VSCode compares, but clearly NPM beats Debian which makes sense because of how open it is and more importantly how many orders of magnitude there are JS developers vs Linux developers and how much more frequently they update their packages because the overhead is lower for creating a submission.

It's really easy to forget that the number of JS developers or people using IDEs is much larger than the number of Linux users. So NPM still beats Debian on this front. As for the security assumption and how good a job maintainers are doing, I'm not so sure on that either. The xz utils backdoor into SSH was found by a Microsoft employee (i.e. the community) not by Debian maintainers. It's not hard to imagine that the lack of notable security issues (particularly attempts recorded) actually indicates very little review, not that there's a higher bar because the maintainers are more talented or have better incentives for "reasons" - there's a reason Chrome was perceived as having better security than IE (it did - architecture was better) and STILL they see regular successful attacks bypassing all the mitigations.

Again, to reiterate in case the above got you triggered again - NPM & VScode have significantly more users than Debian and that creates economic incentives for attackers. The capabilities of a vulnerability matter less unless you're a state actor because capabilities do not track economic results as strongly. This has so much evidence it shouldn't even need this kind of explanation. Remember when people said that Mac had better security? Well turns out Apple is dealing with all the same vulnerability and spam issues on a closed down system when their popularity went up; again, economic incentives.

[1] https://popcon.debian.org/main/by_inst

[2] https://www.npmjs.com/package/lodash

[3] https://marketplace.visualstudio.com/items?itemName=ms-pytho...

[4] https://popcon.debian.org/

[5] https://blog.sandworm.dev/state-of-npm-2023-the-overview

[ajross]

The "triggered" bit is just flaming. Please stop that.

But I'm not following how you get from popularity numbers to "attack surface". The latter is a term of art that reflects the amount of complexity on the "outside" of a software system that can be interacted with by an attacker. It correlates well with "amount of code". I don't see that it has any relation at all to number of installs.

[vlovich123]

I originally used attack surface imprecisely in terms of how many people you compromise with a single vulnerability. In other words the economic value of the attack. But also in the formal term of art, it's still true that NPM has a larger attack surface with many more weak points than something like Debian has. VSCode is trickier since it's a single application, so may not be from that perspective. However, it is basically running Chrome so it is still quite a large attack surface area.

But sure, let's use "amount of code" as a proxy. Debian has ~123GiB of source code [1] across ~65k packages [2] while NPM has 74 GiB [3] if I'm reading it correctly (other sources say 128 GiB) across 3.3 M packages [4]. Given that JS requires less code than C for equivalent functionality (due to a richer runtime & no memory management), any way you slice it, NPM is a much larger attack surface both in terms of number of opportunities and how valuable the attack is.

[1] https://www.debian.org/mirror/size

[2] https://www.debian.org/doc/manuals/debian-faq/basic-defs.en....

[3] https://replicate.npmjs.com/

[4] https://en.wikipedia.org/wiki/Npm#Registry

[vlovich123]

It presents a risk sure. But your browser sandboxes those extensions. VSCode runs extensions with the same permissions that VSCode itself has.

[LocalH]

You do realize this is Microsoft we're talking about here? Not merely a couple dudes in their bedroom doing this in their spare time? I guarantee you that a non-zero percentage of the code in VSCode was paid for.

[rat9988]

Who ever paid to use the extensions marketplace?

[LocalH]

I meant on the development side, not that end users paid for anything.

[rat9988]

Then why should end users expect anything? Microsoft is already paying for developpers.

[wildzzz]

Then they can pay those developers to sandbox vscode extensions at the very least. I like using vscode sometimes but I'm sure as shit not going to use it if my work bans installing extensions due to security risks.

[CodeWriter23]

> You do realize this is Microsoft we're talking about here?

Fiscal responsibility: required

> Not merely a couple dudes in their bedroom doing this in their spare time?

Fiscal responsibility: optional

I would also point out, the malware-infested extension we are talking about presents more as the “two guys in a bedroom” model (though possibly a state-sponsored actor).