by camkego 24 days ago
The security model, or almost lack of any whatsoever in VSCode, drove me to only install MSFT extensions, then use Code Server in a docker container, but I decided I didn’t like using my editor in a browser.

Finally I have decided to start using Zed, which isn’t perfect on the security front, but much better IMHO. The combination of WASM extensions, and the ability to put language servers, etc, in dev-containers seems like a great step forward.

I hope Zed continues to improve their extension and language server security model. Actually I hope VSCode does too, but honestly, I am not optimistic.

7 comments

Wait, how do you arrive at the thought that Zed is more secure? The one time I gave it a try, it tried to silently run npm -- yes, THIS[1] npm -- in the background without telling me, and I noped the heck out. Did I miss something?

[1] https://www.reddit.com/r/programming/comments/1tapmvi/mass_n...

Maybe I am wrong about this, but I think Zed will run the npm stuff on the dev-container if you are using dev-containers. That can be your isolated virtual machine image or docker instances. But I believe you do need to use Zed (stdio or ssh) dev containers to get that security isolation. I know it’s a pain, but for me, I am going to pay the logistics price for security until a better solution comes along.

Zed plugins execute in wasm. LSPs execute outside of any sandbox, but that's still an obvious win. Your link isn't particularly relevant to an LSP unless the LSP itself is compromised.

Hopefully the system matures with time, but at least they're taking the problem seriously.

Not defending the default behavior of Zed, but it is possible to disable this. Setting `"lsp.<server>.binary.path": <some-path>` will stop Zed from trying to install that server.

On my machines, the "languages"/"node" directories for Zed are empty and owned by root and the LSP servers are provided by Nix. But you could also pin known good versions with npm.

As far as I know VSCode has no equivalent way to do this.
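
An added example, not part of the comment above and not Zed's own code: a Python check that reports which language servers in a settings file have `binary.path` pinned to an absolute, existing executable. It assumes the dotted key quoted in the comment nests as `lsp`, then the server name, then `binary`, then `path`, and that the settings have been loaded as plain JSON; the function names and the `server-a` to `server-e` names are constructed for illustration.

```python
import json
import os
import sys

def audit_lsp_pinning(settings: dict, servers: list) -> dict:
    """Report, per language server, whether the settings pin its binary.

    "unpinned" means no binary.path is set, so nothing in the settings
    stops the editor from obtaining the server on its own.
    """
    lsp = settings.get("lsp") or {}
    report = {}
    for name in servers:
        binary = (lsp.get(name) or {}).get("binary") or {}
        path = binary.get("path")
        if not isinstance(path, str) or not path:
            report[name] = "unpinned"
        elif not os.path.isabs(path):
            # A non-absolute value depends on where and how it is resolved.
            report[name] = "relative-path"
        elif not (os.path.isfile(path) and os.access(path, os.X_OK)):
            # Pinned to something that is not an executable file on disk.
            report[name] = "missing-binary"
        else:
            report[name] = "pinned"
    return report

# Constructed sample settings. The running Python interpreter stands in for
# a locally provided server binary so the example works on any machine.
SAMPLE_SETTINGS = json.dumps({
    "lsp": {
        "server-a": {"binary": {"path": os.path.realpath(sys.executable)}},
        "server-b": {"binary": {"path": "server-b"}},
        "server-c": {"binary": {"path": "/nonexistent/bin/server-c"}},
        "server-d": {},
    }
})

def audit_sample() -> dict:
    """Audit the constructed settings; server-e has no entry at all."""
    servers = ["server-a", "server-b", "server-c", "server-d", "server-e"]
    return audit_lsp_pinning(json.loads(SAMPLE_SETTINGS), servers)

if __name__ == "__main__":
    for server, status in audit_sample().items():
        print(f"{server:10} {status}")
```

Anything reported as other than `pinned` is a server whose binary the settings do not fix to a known local file.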

Pretty sure any IDE worth anything that has JS support pulls NPM packages at some point to lint code, no? You're not giving me much to be outraged about without more information. Zed tries to set things up for you so you're not wasting hours trying to figure out how to set them up in a brand new editor.

I do not use JS and certainly was not doing anything JS-related, and I do very much not expect my tooling to silently run code from insecure Internet sources on my machine. Which does not seem like an outlandish position to me? If you consider that acceptable, yourself -- fair enough, that's your call and it's your machine, but let's please not label that anything but grossly insecure?

No doubt an unpopular opinion, but if I install an app that is going to do things in the background, I'm going to hold that app's developers responsible for any breaches. If Zed needs javascript to do its job, it probably should be downloading it from their own servers, or even better, just ship the editor with all the code it needs to do its job.

Yes, please ship everything that's needed because otherwise when I run your app in an isolated network namespace it will break. This also applies to builds. If I can't build your project from a clean git repo without internet access you are doing something wrong. (Yes I am aware that I likely just accused the majority of software devs of being wrong. I don't care I'm yelling at clouds here.)

I don't have node running on my PC, I either put it in a container or I don't use it.

Software that is mostly an Electron app. I start using my browser for a web edition, or run it in a container/sandbox!

I think we reached the point where it's not reasonable to expect that Microsoft is capable of improving anything. Their products all go in the same direction.

The best case for Microsoft software I hope for is that they do only some minor UI cosmetic changes, but even that often goes catastrophically wrong.

> The security model

I just don't use VSCode and I discourage its use in any environment in which I have to work. It has already been demonstrated that it is a major security hole - not just through the public extensions, but also in terms of the telemetry data transmitted back to Microsoft in order that they can invest millions in it and yet charge nothing for it...

I'm also currently trying to switch from VS Code to Zed and my biggest hope was a better performing editor. The startup time is way better but the typing input is so laggy on my 2018 MacBook Pro 15". It's far worse than VS Code. Also the power usage of Zed is high.

If it uses npm plugins, it's the same crap you get with VSCode, just with a Rust facade.

Zed plugins are wasm / somewhat isolated. LSPs are not sandboxed, but that's a massive reduction - trusting the LSP is far different from trusting arbitrary extensions.

The system is immature but it's directionally correct.

Is Helix too minimalist? No JS, just Rust and tree-sitter queries. Full LSP integration and everything just works.

FWIW VSCode can be used in a docker container or remote server from the local client. See devcontainers and VSCode over ssh.

At least some of your extensions will still run in the client editor instance, not on the server side. That limits exposure a bit but when colour themes have been known attack vectors in VSCode it’s far from a panacea.

> … use Code Server in a docker container …

I'm guessing you're referring to https://coder.com/docs/code-server ?

Most likely - used this for 6 months before dropping VS Code and loved it, if you don't mind using the browser.

> I hope Zed continues to improve their extension and language server security model.

To be honest I doubt there's much that they can do. Many many language servers cannot run in WASM, or it would be super hard to compile them to WASM. So Zed either has to allow running arbitrary binaries like VSCode, or accept that they're going to have really poor extension support.

Running binaries I already have installed in a containerized environment is fine, automatically installing them on host machine and/or container is not.

I should be able to limit what binaries extensions have access to though.