[AlienRobot]

Just prevent VS Code from accessing the entire $HOME.

The idea is that a well-made, modern desktop operating system would extremely limit an executable's access to user files and provide intuitive tools to allow access. Most applications shouldn't even need any access beyond their own configuration directory and maybe something like ~/Document/Source Code for source code editors and IDE. It shouldn't need to access ~/Pictures, ~/Videos, ~/Downloads, etc.

The problem is that Windows would rather sell you OneDrive, and Linux is very far from a well-made modern desktop OS, so a transitive dependency on a linter installed by a VS Code plugin can rm -rf $HOME, I guess.

[neop1x]

For linux we have bubblewrap, firejail, apparmor and selinux (popular ones, there are far more). But it is often complicated and annoying to set up. Normally one would expect sw developers would write security rules for their apps but it is difficult due to amount of different sandboxing tools and various distro-specific configuration changes.

It would be nice to have it sorted out somehow. Actually Snap is an interesting example of something done in that regard.

[AlienRobot]

Yes, and I wish Linux developers would see their own hypocrisy.

Linux users love to say that "fragmentation is good" but they also depend fully on root, sudo, users/groups, and RWX file permissions. Those are "standards" enforced by having only 1 way of doing something, the kernel.

[skydhash]

Don’t forget that Linux is Unix inspired. And unix were meant to be used on servers and mainframe where root were used by a trained sysadmin. Users were not meant to install applications, and their actions has little impact on the system integrity (if they’re not actively attacking it)

But now with PC, you are root on your local machine, and some abuse that power without even knowing what it entails. You could easily sandbox npm, by creating a user for your js dev persona. But that’s not convenient, so no one does it.

[nurple]

Don't forget user accounts!