[mikepurvis]

It's always been a discussion in packaging, around build/install/configure time, think like setup.py, Debian's postinst, etc.

The rise of editors that will own your system just by browsing to the wrong folder without opening or running anything is relatively speaking newer, but I think most people in HN audience should be able to intuit some of the risks, especially when untrusted PRs and semi-trusted LLM bots are in the mix with your "trusted" codebase.

[pixl97]

>but I think most people in HN audience should be able to intuit some of the risks

Only a small subset of the worlds programmers are on HN, and one might assume they are more security aware then those that are not. Which means there's a shit load of people opening stuff they shouldn't be.

[bpt3]

> The rise of editors that will own your system just by browsing to the wrong folder without opening or running anything is relatively speaking newer, but I think most people in HN audience should be able to intuit some of the risks, especially when untrusted PRs and semi-trusted LLM bots are in the mix with your "trusted" codebase.

This is kind of my point. People are doing things that are objectively stupid from a security perspective on a daily basis, and actively rejecting the idea of protecting themselves because they keep doing it after either identifying some risk themselves, being told about it directly, or being told about how others were negatively impacted by the same actions.

And in my opinion, the benefits they get from these changes to their dev environment are negligible, and that's not even getting into how every file is potentially executable code to an LLM.