I remember when the FSF had dire warnings about using the Sun JDK. I ignored it and kept on using Java, and nothing bad happened. The JDK was eventually GPLed, and by then I decided I didn't like Java anymore and moved on to better languages anyway.
I feel kind of the same about VS Code. Binary product? Telemetry? Centralized marketplace? Some plugins are closed source? Eh, whatever. That stuff doesn't get in my way and I suspect that nothing particularly bad will happen to developers. Someday a better IDE will become popular, perhaps built on some of the code and standards spun off by VS Code (like the language server protocol), perhaps not. This editor will do until that happens.
The politics isn't as good as I'd like, but often the politics never actually materializes as a bad user experience, despite the complaints.
I wonder did the drive behind people creating open source JDKs have nothing to do with Sun open sourcing theirs? I wonder in an alternative world where Sun locked down Java as hard as possible and sued anyone and everyone, would they not have been bought by Oracle?
Are we sure that an editor will be able to displace VS Code in the future, if it's given away for free and so feature-packed? Browsers are another example of this. Or would the VS Code successor look like an Apple/Google/Amazon fork of VS Code?
But ultimately these applications are still winning based on merit. If somebody created a new editor or browser that was substantially better, nothing's really stopping everyone from moving to it.
Now- we can talk about how it's a problem that nobody can afford to build something good enough to compete with what these megacorps can afford to develop and give away for free. But that's a different, older, much bigger discussion.
You and GP's point is that these applications win on the merits of their user experience. That's not wrong, in fact I'd say that's absolutely true.
But it's important to call out that the user experience most people care about has almost nothing to do with whether or not software is open/hackable.
Because of that, I would suggest it is realistic that a decade or two from now we could largely lose that feature, and find we have 100% proprietary cloud-based IDEs.
>But it's important to call out that the user experience most people care about has almost nothing to do with whether or not software is open/hackable.
For software developers I think that's a damn shame. Craftsmen have always made their tools suit themselves. If you aren't hacking your development tools, you're missing out, and if that opportunity is lost due to closed IDEs, that really sucks.
Yes, we could end up in a world some day where most people are using 100% proprietary cloud-based IDEs.
But then, at worst, we're back where we started. All the open-source foundations we have now will still be there (plus any open bits from the cloud editors, like Monaco and LSP). Anyone sufficiently motivated to avoid using these cloud-based IDEs will have just as many options as they do today, and probably more. I just don't see how this is a loss.
They did not sue as such, but never provided Apache Harmony with their TCK compliance test suite.
Oracle haters worshiping Sun, keep forgeting Java was only free beer until Java 6. Sun went bankrupt shortly after Java 6 (which still had a couple of comercial stuff like Swing fonts rendering engine), and only Java 7 released after Oracle's acquisition was fully open source.
Given that no one else bothered to acquire Sun, Java would have died with Java 6, partially open source.
Maybe Apache Harmony would kept going at it, but I don't expect the amount of language changes, JIT or GC improvements to happen as they did.
> The politics isn't as good as I'd like, but often the politics never actually materializes as a bad user experience, despite the complaints.
"The Wheel of Time turns, and Ages come and pass, leaving memories that become legend. Legend fades to myth, and even myth is long forgotten when the Age that gave it birth comes again. "
I had to use VS Code it briefly for a class, and was kind of shocked by the telemetry stuff, and that it's just ignore-accepted by both the students and the instructors.
But what turned me off more was this janky feeling around the whole application, something I don't remember experiencing in many other Microsoft tools, such as VB. It feels like it was designed from the code up rather than from the interface down, and everything I do feels like I'm accommodating the program rather than the other way around.
Anyway, the author of this article was right, I still did have it installed in my dev environment, left behind from those classes. I decided to use this opportunity to `pacman --remove code`.
The situation with bad application behaviors being "baked into the code" and propagating to all the "free" distributions is very sad, similar to what's happening with both Chrome and Firefox.
For example, HSTS is now baked into the all the standard distributions and there's absolutely no way (that I've found) to turn it off. I understand the "security" reasons behind it for regular users, but as someone mindful and often completely unable to access a website only because their certificate has expired, I am quite miffed.
> The situation with bad application behaviors being "baked into the code" and propagating to all the "free" distributions is very sad, similar to what's happening with both Chrome and Firefox.
> For example, HSTS is now baked into the all the standard distributions and there's absolutely no way (that I've found) to turn it off. I understand the "security" reasons behind it for regular users, but as someone mindful and often completely unable to access a website only because their certificate has expired, I am quite miffed.
I triple checked because I wanted to be absolutely sure: HSTS is a response header (Strict-Transport-Security) sent by the server. It is expressed as the intent of the website you’re trying to visit that it shouldn’t be accessed insecurely. The “bad application behavior” is honoring the site’s express intent and the standard, voluntarily adopted by the server you’re trying to access.
You’re certainly welcome to use or write your own HTTP client which ignores the intent of resources you want to access. You’re just as welcome to write your own browser which ignores CORS and all manner of other client/user protections. It’s baffling that you feel entitled to have people do that work for you. Particularly because nearly all of the work already has been done for you, and you’re still miffed because they didn’t cater to your preferences in the exact way you want.
They aren't the only one; many people have similar opinions (including myself), that it should do what the end user specifies instead of what the server specifies. Better web browsers will need to be written, and it isn't so simple to do. (I have some ideas about it, though.)
(You are right that HSTS is a response header, but I think that it is a bad idea. Even though I have a old version of Firefox, I had to edit one of the files to make it unable to recognize that response header, and change many other things.)
> Even though I have a old version of Firefox, I had to edit one of the files to make it unable to recognize that response header, and change many other things.
You can edit newer versions too. It’s fully open source, the world is your insecure oyster!
> You are right that HSTS is a response header, but I think that it is a bad idea.
Fortunately for both of us, I can enjoy the good idea and you can enjoy exposing yourself to potentially compromised websites! Hopefully no one is harmed.
About HSTS that is only true sometimes. Google helpfully enabled HSTS on all .dev domains by putting it on the hsts preload list. Now I cannot practically serve HTTP from a .dev domain even if I wanted to. That's hardly voluntary.
Baffling to me is that one would assume .dev domains are being used for development adjacent purposes. I might, for example, have a piece of in-development software or infrastructure where it is not convenient or even possible without significant effort to get a valid SSL certificate. Now I just can't use that with my .dev domain. Can't use self signed certs on a "development" domain either - who would want to do that though! :)
/**
* This allows errors to be skippped by typing a secret phrase into the page.
* @param {string} e The key that was just pressed.
*/
function handleKeypress(e) {
// HTTPS errors are serious and should not be ignored. For testing purposes,
// other approaches are both safer and have fewer side-effects.
// See https://goo.gl/ZcZixP for more details.
var BYPASS_SEQUENCE = window.atob('dGhpc2lzdW5zYWZl');
if (BYPASS_SEQUENCE.charCodeAt(keyPressState) == e.keyCode) {
keyPressState++;
if (keyPressState == BYPASS_SEQUENCE.length) {
sendCommand(SecurityInterstitialCommandId.CMD_PROCEED);
keyPressState = 0;
}
} else {
keyPressState = 0;
}
}
>The net-internals events viewer and related functionality has been removed. Please use chrome://net-export to save netlogs and the external netlog_viewer to view them.
I was using "Kiwi Browser" on mobile to ensure I had the right address, which is a Chrome fork that allows extensions (I think they're forking Chrome instead of "just" Chromium since it looks and feels like regular Chrome otherwise). In here, I still have it available. Might be high time to check for something similar on the desktop.
Could we say that "virality" is reversed with the MIT license compared to the GPL? With the MIT license, additional license agreements can hamper the distribution of the source code or make it useless to the user. Examples: Android AOSP and the Google services, VS code (this article). To the contrary the open-sourced code is still useful to its owner: reputation, occasional free bug-fixes. In the end the MIT license is used by corporations to gain market-shares and sell proprietary SW, hence the reversed virality.
GPL also allows additional license agreements. This is not a fault of the MIT license. You have to understand the totality of the licensing on some piece of open source to understand the implications.
> In the end the MIT license is used by corporations to gain market-shares and sell proprietary SW, hence the reversed virality.
Permissively-licensed open source is often used in proprietary products, yes. So what? Often the author(s) of the open source version don't mind and/or want that to be possible -- it's a perfectly legitimate choice for them to make. There seems to be a very judgmental vein in GPL fan thinking that authors who choose permissive licenses are at fault for not all open source being copyleft, and that those authors are "bad". The choice of license is always a "business" decision, even when it's made by an individual acting on their own behalf and not a corporation's!
This is a good summary of the playing field, but I think they're way overblowing the panic
In summary Microsoft has:
- Made an incredibly good web-based code editor which is 100% OSS, no strings attached
- Made an extensions repository and a bunch of really high quality first-party extensions that have restricted licenses
Sure, in a perfect world the whole thing would be fully OSS. But in the worst-case, where people some day decide they want to fork or whatever, we're still much better off than before VSCode. The editor project is a net gain, even if forking means building some of the other bits yourself. This is still a net increase in value for everyone- even if you exclude the restricted parts; not a decrease, much less an apocalypse.
I think some concern is warranted simply because few people are aware that the default VS Code distribution has spyware and proprietary addons in it, and you do need to use something else if you prefer a fully FLOSS ecosystem.
I didn't know the addons were proprietary, so I was glad to learn about that
But I think anybody who even knows what FLOSS means would know to at least do some research before installing an application from Microsoft if that's something they're worried about
All in all, I still don't see a reason for panic. The author makes it sound like Microsoft is going to kill the entire open-source editor ecosystem and prevent anybody from ever creating an alternative to their worse and worse "venus flytrap" of a tool. I just don't see a pathway to that.
Yes, that is sort of a string attached, but I’m not sure it has any real cost. Has anyone ever been harmed or even inconvenienced by VS Code telemetry? I usually turn it off, but it doesn’t actually make any difference to me. Seems like it’s just politics.
I'm not quite as sure. To me, its kind of like saying "well, we don't have to worry about global warming, oil is awesome and if it gets too bad we always have Mars". Which, I can explain a little bit because that analogy maybe only make sense in my head.
I can't think of very many, if any, examples in computing history where a project, open source or not, followed the path of "dominating a domain" -> "sponsor does something crappy" -> "the community rallies around a fork" -> "the fork becomes a dominating force in its domain". I'm really sitting here trying to think of examples to help disprove this thesis, and would love to hear them. LibreOffice may be a good example. I can also see an argument for Oracle/proprietary SQL vs MySQL/Postgres. The NodeJS/iojs situation from years ago is, I think, a hallmark case-study in open source that more-so skips the "rally around the fork" step, but is nonetheless worth mentioning. There's probably dozens of examples in the "random esoteric npm library" domain, but those aren't hitting a thousandth the scale that the gigaprojects like VSCode do.
There's a far more common path for projects, however. I'll pick on MongoDB as an example; they did something kind of crappy, with their GPL-wearing-a-trenchcoat-proprietary license which, in my experience, all but killed the database for some companies I've contracted with. These companies (users) took that opportunity to move to a truly open source solution, like MySQL. The move, in all cases, was long; arduous; cost a lot of development time; and they were happy in the end.
Circling back to the metaphor; there's a hypothetical migration path for anything. Its near-laughably trivial to even list that as a triaging factor for "well, they could be evil, they could turn evil, burning oil could destroy our planet, but at least we have Mars." Computers are turing machines, anything can be rebuilt. That's not the point. If we opt in to an environment which is only deemed acceptable because of a Plan B, it behooves anyone with investment in that environment to think critically about the probability of being forced to implement Plan B, and the cost of that implementation.
Circling back to the examples: one is behooved to analyze this through the lens that Plan B may not be the Plan B one thinks it is. If VSCode jumps the shark; will vscodium take its place? MongoDB jumped the shark, and no one was there to catch it; those people who were left wading in the water had to invest significant engineering time transitioning to something entirely different. VSCode is more than just Code; its the users, its the marketing, its the trademark, its the extension standards, its the governing body, maturity, maybe even patents, its all these things which vscodium does not have.
> I can't think of very many, if any, examples in computing history where a project, open source or not, followed the path of "dominating a domain" -> "sponsor does something crappy" -> "the community rallies around a fork" -> "the fork becomes a dominating force in its domain".
In addition to LibreOffice which you mention, once upon a time the classic example was GCC vs EGCS; the fork was so successful that it became the original thing. It might be harder to consider Firefox an example, since Chrome has taken over, but it was also a fork of Mozilla because Mozilla was too heavy under the weight of Netscape-mandated legacy features. The X.org fork of XFree86 took over because the project behind XFree86 brought in a licence that was not GPL compatible.
In only one of these cases was the sponsor a for-profit company - and it was basically dead - but I think that's because it's a fundamentally recent phenomenon that for-profit companies feel free to release their source code under a free licence. There just hasn't been the time. It takes time to develop a good project, attract a generation of users who take it as the norm, betray trust and motivated people to fork. If the time wasn't there, then they might just pick up what they'd used before or develop something genuinely new.
I was reading [this](https://news.ycombinator.com/item?id=27687450) yesterday, and somebody said something to the effect that we should trust Microsoft, because they've turned around on OpenSource. That we should judge them by their "years now" actions, instead of the past.
I tried to formulate a response to this which explained why we couldn't trust them, and it was all a slow-burn ruse, but gave up. This article explains my feelings well though, especially this part:
> Visual Studio Code is a ramp to move the developer tooling ecosystem towards an end-to-end consumable services model of software development tools, and GitHub Codespaces is a white label of an existing service called Visual Studio Online aka Microsoft Dev Box aka Microsoft Azure DevTest Labs
That perfectly explains what I've been feeling is coming. Yes, they're playing "nice" now, but it's only so they're allowed through the door. The old model of "embrace, extend, extinguish" has run dry, so now it's "embrace, extend, subscribe".
I don't really understand this post. I'm a supporter of open source and free software and I can also understand wanting to avoid vendor lock-in. However I don't understand how this is Microsoft's fault for building closed source tooling. I'm upset with Microsoft's hypocritical stance on .NET and C# being open source without all tooling being open source as well but when it comes to useful tooling like Codespaces, Pylance, or the Java debugger in VSCode I don't see why Microsoft should be blamed them being closed source. Microsoft came into the Java and Python space and made tooling that is being accepted by developers.
The author does touch on why companies like Microsoft are able to succeed against open source software. It's because they have the money to pay their own developers to make good software.
Disclaimer: I work at Microsoft but not under DevDiv or Azure.
It is an App Store monopoly problem. Take Google Android as a counterpart.
Android Open Source Project = VS Code (MIT codebase(
Android at Samsung and dozens other = VS Code with Microsoft EULA
Enforced Play Store in vendor phones = VS Code Extension Market Place (not accessible to any other competition)
Google offering dominant services = Microsoft Language Packages (both proprietary => user lock in)
Google abusing it (eg by marketing, subscriptions, ...) = Microsoft abusing it
So what is explained in that article is how you run a monopoly on an open source project. Julia and the DevDiv is doing that. That is understandable (she has to make money to get her bonus) but not good for the rest of us.
A major material difference is that unlike phone world wherein a duopoly controls the market and supply chain is also similarly locked. We have a very functional ecosystem of competing products. I can choose to use IntelliJ, Eclipse, Vim, Emacs ... without completely disrupting my life.
Tomorrow Intellij may decide to launch paid LSPs for Java/Go/... and MS is already using same components for VSCode and Visual Studio. Or author of GitLens can port his plugin to Intellij or Eclipse
Personally, I wouldn't actually care if Visual Studio Code was completely proprietary with zero open source element. I think the imagined consequences tend to mostly be not that significant for the vast majority of people, at most it would be a blip in the timeline as people switch to something else. The actual consequence (as implied by this article) seems to be people who build their business around these tools, they are entering a particular ecosystem backed by a large corporate and they are leveraging on the big corporates ability to make that ecosystem popular. That kind of is what it is. Pros and Cons.
The consequences for the majority are such that, over time, leading language ecosystems become tied to Microsoft services.
One example in the article is the availability of alternative editors and IDEs decreasing over time in favor of extensions to VSCode. Essentially, we are driving towards a monoculture - either you are using VSCode and adjacent services, or you choose an alternative, pay the price of compatibility, and experience paper cuts.
> leading language ecosystems become tied to Microsoft services
until a free alternative is developed. Making a freely-licensed language plugin is not inherently hard, it's just a lot of work. You're paying for convenience.
Their strategy is a mixed bag. They want to maintain that in an open source way but they work very hard that their experience is the best so they can capitalize on that. Not a new playbook.
Is it really "on the other hand"? LSP has paved the way for 'hybrid-source' (part closed part open) IDEs. Technically you can close down all the good parts of the IDE and open-source the bare minimum client-side functionality.
I guess, but LSP has been a huge boon to every single code editor that isn't already developed by a for-profit company.
"Hybrid-source" has already existed in pretty much every plugin ecosystem for a closed-source product ever (e.g. JetBrains, Sublime Text, Google Chrome, et multa alia) other than the Microsoft Office suite (where people sell proprietary plugins for $50).
> close down all the good parts of the IDE and open-source the bare minimum client-side functionality.
This is still a material improvement over closing down all the good parts of the IDE and not open-sourcing the bare minimum client-side functionality!
The hardest part by far is the "bare minimum", turning the NxM problem into an N+M problem. That was always the original selling point of LSP.
And language servers (even and including the source-available ones developed by Microsoft) tend to be a lot more than "bare minimum" anyway. So Pylance (whatever that actually is) is closed-source, but Pyright and Debugpy are excellent tools and are open-source.
Yes, Microsoft has made a good strategic maneuver here. Their obvious ploy is to garner general goodwill, launder their well-deserved filthy reputation, and establish themselves as the go-to company for software developer tooling, which will hopefully translate into juicy enterprise sales as well as lots of telemetry and platform lock-in for later value extraction, not to mention free bugtesting & developer contributions from the public.
But let's not make the perfect the enemy of the good. Don't forget that they are investing heavily in something that benefits the entire ecosystem. By open-sourcing the most important core elements, they have left the door open for people to fork and redistribute their software if and when they try to go for an EEE maneuver.
The only thing that makes me a little squeamish about LSP is that the protocol itself is controlled by Microsoft and I guess also Sourcegraph. But even then, the community can easily tell Microsoft to go fuck themselves if they try to pull off something like what Google is doing with its Manifest v3.
> The actual consequence (as implied by this article) seems to be people who build their business around these tools
But there aren't really even consequences for those. The core editor really is free to use however you want; you can use the auxiliary bits which are proprietary, or you can not use them and fill the gaps yourself. That's up to you.
Even developers are taken for a ride. Just like WhatsApp and Chrome, it all comes down to ripple effects of "If others didn't use it, I can't". I have given a number of examples of this stubborn sticky monopoly below.
Every newbie while learning to code: scared of reviews on internet like "I couldn't get help with this editor online or with colleagues and I can't risk being stuck on this project so I switched to VS Code"
Every newbie while interviewing: impress interviewers even by a little chance that they use the "industry standard" tool to code.
Every experienced developer, even on this HN post, says "It doesn't have excellent support like VS CODE, in remote development, centralized marketplace, etc."
I have pieced together and my conclusion comes from the observation below. There is a reason enterprise, rather than startup world use M$ products. The power and money to fight for fairness.
Their C#/.NET compiler is open source and excellently designed but with a secret tunnel to nefarious practices to use when needed[ like closed source]
VSCODE is open source but with a secret tunnel to nefarious practices to use when needed[ like telemetry and extensions where the real power lies, being closed source]
Phone and App market but to with a secret tunnel to nefarious practices to use when needed[ it is going to be based on android like Edge on Chromium]
VStudio is best IDE but to with a secret tunnel to nefarious practices to use when needed[ like telemetry + closed source extensions + Heavy + slow + whatnot!]
MAUI is Wowza! tool with a secret tunnel to nefarious practices to use when needed[ like repackage old Xamarin in new branding]
OneNote is the best note taking app ever but with a secret tunnel to nefarious practices to use when needed[ like lock in using obscure format and closed source]
Every company they acquire but with a secret tunnel to nefarious practices to use when needed[ Embraaace Exteeend Extin...]
> VStudio is best IDE but to with a secret tunnel to nefarious practices to use when needed[ like telemetry + closed source extensions + Heavy + slow + whatnot!]
It’s telling that you needed help from “whatnot” to pad out this list.
In what world is “Heavy + slow” a nefarious practice? Even assuming this is true, all of us have written software that was far from perfect. There wasn’t anything nefarious about either situation, it was only people trying to ship software under time constraints. That you ascribe evil intentions to some software being slow says more about you than them.
Telemetry - so much digital ink has been spilled on this. Not one person I’ve asked can actually explain what’s wrong with this. What would actually go wrong if performance and usage metrics are sent to their server. “But they can be deanonymized!” Ok, let’s assume they can. Now we know it takes your computer 40ms to load the side bar, 20ms to create a new in-built terminal, and the version control screen crashes every time you open it. What now? How does this actually change anything?
You folks complaining about telemetry think your job is done when you say “telemetry is nefarious”. But I can’t see a path for exploitation of this data in any way. No doubt you’ll tell us how. When doing so, please let’s assume that Microsoft is compliant with GDPR.
Lastly closed source extensions - OP makes a compelling case that this is how we’ll end up with just one online editor. Yeah, I definitely see it. That’s the one thing I’ve been convinced of.
I appreciate your good nature around telemetry, but as we have seen meta-data is trivial to abuse. The military kills people with metadata. Performance and usage metrics can tell the server when the client is being used and for how long. Combined with a license tied to a real name (or a billion other ways of IDing a person and computer), telemetry is just another way to die by metadata.
Nevermind the face-value argument of performance and usage data turns into "give me a debuglog that includes every program you have open, a whole bunch of personal computing hardware information which can be trivially tied to PII".
The argument that telemetry and server-side knowledge is safe entirely depends on reducing the argument down to an idealized metaphor that doesn't exist in practical reality, and then rejecting all forms of evidence that don't fit the mould.
Unfortunately in this scenario, telling the truth about what needs to be kept private, is in itself, a clue to what is being kept private. So no communication can happen back up the chain if the client wants to keep something private. When the server becomes untrustworthy, so must the client.
> telemetry is just another way to die by metadata.
If your threat model is a cruise missile from the military, then I actually agree - don’t use VSCode. For the rest of us who don’t live in fear of being murdered by a violent government at any moment, it’s a reasonable trade-off.
I don’t see how I could be de-anonymised by these logs but I’m happy to be proven wrong. If you could cite which metrics are being collected and how you would de-anonymise someone with that data, that would be great.
I agree I have nothing to fear from the military. I would have hoped that example would show not that I am afraid of cruise missiles, but instead that very serious decisions at the highest level of government are being made from this information. You can bet your bottom dollar that all other high-levels of management, government, religious groups, ect have the same mindset towards the "privacy of metadata". I'm sure you'll plead ignorance of direct evidence of offenses right now and not historical, as reason enough to ignore practical truth..
There was another talk by a german lady where they de-anommed everybody in their data set, including a german judge who was looking at porn during his chambers sessions, almost like he was addicted. They brought this information to him and it was kept under wraps.
Nobody is safe from this stuff, it only takes 3-4 peices of unique information (not matter how tiny) to statistically add up a probable identity with a high degree of confidence.
I’m not saying de-anonymisation is impossible. Obviously it is.
I’m asking you to
1. Tell us what VSCode collects that’s so sensitive
2. Show us how you’d de-anonymise a person with that information (but I’m willing to concede that this is possible)
3. Demonstrate harm from knowing that a specific person is tied to a set of VSCode logs.
Don’t hand wave #3 away. Don’t assume that it’s self-evident that the harm is high. You’re talking in such vague terms that it’s impossible to respond. So be clear and concrete. What specific harm comes from the specific data that VSCode collects, assuming that it’s de-anonymised? Don’t talk about a random German judge. Talk about me, a developer using VSCode.
I rewrote this comment a couple times before posting, as getting through to your perspective rules out what I consider logical common sense. You're still asking the wrong questions because you don't get the process.
VSCode could collect anything at all, but let's be hypothetical, yet specific so you understand the process. I'm going to use these two pages as reference [0]This RoboLeary blog post describes what VSCode collects (more than just performance, but we'll leave that for now) and [1]This Github repo shows an example log file of just the telemetry data you can voluntarily opt out of.
In the github example log file, there's 9k lines of code, with thousands of xml style entries with properties. Those properties can be any value you want for the purposes of de-anom. It doesn't matter what it is.
Your database back at Microsoft HQ (or wherever this stuff goes) will have a huge ocean of telemetry logs, so how do we find out which one is yours? See below.
In those thousands-of-entries, some of them will differ statistically from the average of all log reports. It could be the time it takes for a menu to load in milliseconds, it could be the filepath of an extension, it could be a specific hardware report, it could be a collection of exceptions that keep throwing. It doesn't matter what it is, it matters that it differs from everyone else.
Some of those reports that differ from the herd (statistical average) can be collected together to make a fingerprint of an individual machine. Maybe your machine always takes slightly longer than average to open a menu, or has a different extension set, whatever. The tiniest difference is still a difference.
This fingerprint of your machine can be correlated statistically to be likely the same machine again and again across telemetry logs, across time. Your fingerprint keeps showing up across multiple logs, across multiple days, we know a time of computer usage. The fingerprint does not need to be perfectly separated from every other fingerprint in the bell curve, but we can solve that later on. As long as it's narrow enough (only so many conflicting fingerprint reports) we can narrow it down with added metadata.
How do we know who is running VSCode and doing this work on this fingerprinted machine? All the other 'harmless' metadata like IP address, VS licenses, Microsoft accounts, linked email addresses, and most importantly all the data harvesting Microsoft will not let you turn off.
So this isn't a problem right? Who cares if Microsoft can trivially (and likely automatically) de-anonymize me. No junior engineers have access to the data, only Edward Snowden et al. can see it, so who cares?.
Management can easily take access to the database of fingerprints and build analysis tools and programs the end user and the junior engineer alike, cannot see or understand what decisions are being made from it. So if you and I (assuming we're both grunts in software) can implement a perfect telemetry system that collects "no useful category of information" and the database is kept from public eyes, we can both still lose out on what management does with that information, as there is more to be revealed in it than we want.
So if military is happy to kill people based on metadata and our advertising data is being sold left-right and centre and insurance and health data is going haywire, what assurance does any computer user on a windows machine, or VSCode user have, that their data is not going to be used to make decisions arbitrarily (from the end user perspective) against their will?
If I don't want VSCode to know that I'm working on a project at 3am, that's my business and revealing what Harm that causes and why I might want to keep that private, reveals a clue about what is being kept private, and thus cannot be shared. Steve Jobs would have completely removed the collection of meta-data from secret product development teams and no-one would have batted an eye. When a random joe does it, there's all these questions about what Harm does it do, as if someone had no reason to keep a secret after Steve died.
If you want transparency from the rank-and-file, get it from what decisions management is making with metadata too and tell me what Harm Does It Cause Microsoft Management To Reveal Their Truth. Heaven forbid I suggest reality is a two-way street.
Thank you for taking the time to type this out. I've been uncomfortable about telemetry data for a while but this makes it clear to me that it can be used to do a lot more than just drive ui changes. Google has been fingerprinting in this way for decades. Of course Microsoft can do the same.
I've been thinking about trying VSCode. I'm the only dev I know at my org that doesn't use it and I guess it's going to stay that way.
I really don't understand the mindset of some folks. In this dynamic Microsoft has all the power and therefore the burden of transparency and proof of good will should be on them. Why would you give away information about yourself freely to an entity with no oversight. There is no reason to trust a corporation with your personal data.
Ok so what I’m getting from your comment is that since this data could be linked to you … bad things could happen. Unclear what those bad things are, but it could be anything, even a cruise missile. Unclear why someone would do this thing, but sure.
I get that this seems common sense and logical to you, but it doesn’t to me. Just because it’s possible doesn’t mean it’s going to happen. And arguably, 60%+ of all developers dont seem convinced either.
If you’re concerned about this and want industry level change, you need to work on this pitch. It’s not very convincing.
>In what world is “Heavy + slow” a nefarious practice?
In M$ world and Apple's world( XCode). 2022's version was the first one to do a 64-bit release and became news titled - "awesome!", "Woah!", "amazing!", etc. [0]
VStudio had nothing unique to it that the Rider din't have, but corporates and developers loved it because they could compensate by throwing some costly hardware and I must point out that it is usually from Intel that M$ is in monopoly in consumer and enterprise market. Apple is just the same, but it gets away being close to the *nix world.
"performance improvements and bug smashes" are just fodder for despair that masquerades as hope, which could have been done away with long ago. Users report them and even showed what exactly could be done down to bits and bytes, but these thigs sleep there for a decade. All you need to do is create a developer account and search "for 10 years" or "since a decade" in their forums. Frustrations pour out and in galore.
> because they could compensate by throwing some costly hardware and I must point out that it is usually from Intel that M$ is in monopoly in consumer and enterprise market.
It’s unclear what you mean by this sentence. Are you saying Microsoft somehow benefits if we buy more Intel? So there’s a developer at Microsoft who wrote in their performance review “yes, I’m proud to say that I worsened the experience for Microsoft users, but it’s ok because that leads to sales for Intel”.
Leaving aside that Intel is playing catch up in the processor market now, do you actually believe this?
Anyone else reading this comment - this is why it’s impossible for me to take these folks seriously. They concoct these conspiracy theories that are only slightly more logical than flat earth.
Does eMacs have a good remote editing and debugging system comparable to VSC? I’ve tried pycharm and nvim, but both were clunky and did not work as well if at all for remote debugging and editing with navigation, autocomplete, linting etc. VSC does all that with very little manual configuration required.
> Does eMacs have a good remote editing and debugging system comparable to VSC?
Emacs has a remote editing system sort of similar to VSCode, but much older, less slick, and a bit quirkier. But imo it's quite good. It's called TRAMP mode: https://www.emacswiki.org/emacs/TrampMode
I haven’t used the VSC remote thing. I believe it requires to install things on the remote computer, and if those are unavailable you’re out of luck. Tramp makes do with whatever is there.
Editors mostly talk to LSP servers via pipes (usually just stdin/stdout, since the editor starts the lsp server), so running them on the remote server via TRAMP is generally not a problem. In principle should just work automatically, though sometimes in practice it does not.
I would only consider moving away from emacs for something faster and equally extensible. VSCode always felt slow to me and it seems like a really bad idea to even invest in extending it.
I did like the whole idea of LSP and have liked the changes that it has brought to emacs in unifying autocomplete and syntax highlighting even though it doesn't always work and can be rather slow. Too bad that it was Embrace Extend Extinguish all along.
The more diversity of tools programmers use, the merrier. We can't all pile up on one Big Tech™ thing and then no one dares to innovate or build another tool. I use vim and sublime text.
Similarly, I'd like to see more hardware besides every dev studio using Macbooks. Close to 100% marketshare of macbooks, if that happens, would be terrifying.
Microsoft, Apple are awesome. Just that they're now the size of nation states.
one of the most "game of thrones" moves ever is the Julia Liuson promotion for DevDiv. i'm just a rando outsider so I have no context at all (in particular i dont wanna discount Julia's achievements), but just from the outside Nat seemed to be set to run devdiv and potentially be future Microsoft CEO .
I respect that that is a very different job than probably what Nat wanted anyway. Just seemed like the rare "tech exec who 1000% gets developers" that you'd hope takes over Microsoft after Satya.
I understand Visual Studio Code as a sophisticated Language Server Protocol frontend, and it generally does a good job at that. The IDE of the future will have Jetbrains grade UX with a heavy emphasis on LSP interfaces that "just work", rather than requiring some investigation about what setting needs to be set to which value and why basic stuff breaks mysteriously.
Interestingly, JetBrains offer Community Edition IDEs with the same extension interface as the paid versions. You could (and likely already can) support LSP integration through that.
(What JetBrains sell is the depth of knowledge of a language and its ecosystem, advanced and specific code manipulation tools, and general polish and attention to detail. This is not impossible but pretty hard to reproduce in an open-source product, sadly.)
> Fleet provides a polyglot experience, offering smart support for many languages and technologies out of the box, with support for even more planned via dedicated plugins. With the help of LSPs you will also be able to use other language services in Fleet.
> Fleet is designed to automatically detect your project configuration from the source code, maximizing the value you get from its smart code-processing engine while minimizing the need to configure the project in the IDE.
Meanwhile Google and Facebook internally use VS Code based IDEs as their official developer tooling. Pretty sure their legal teams have considered any legal risks with licensing.
Microsoft can’t seem to kick the old Microsoft no matter how hard they try. They embraced, extended, and now are extinguishing with the python extension.
Good article. The author makes a compelling case about how Microsoft’s strategy isn’t on the up and up. I was never convinced that telemetry was inherently evil, but I do see the downsides of non-OSS language servers.
But it does point out one critical point: if you start using the whole ecosystem because of convenience, you may end up reliying on MS Codespace, and therefore lock yourself in.
The solution seems simple to me: don't put your entire stack in codespace. Make sure you can easily use your whole stack on your own computer, and migrate easily.
This is rather scary and disheartening. I finally switched from 12+ years of Eclipse to vscode just last year. After a disproportionate amount of hand wringing and testing. I'd rather move houses twice before moving to a new IDE. But it's true that since running VSCode I feel less like I actually own my environment. I would never rent an IDE or do my work in the cloud, just on basic principle. I really like VS now that I've wrangled it, though, and I'm hoping to not have to bail and find a new platform in the next 10 years or so.
The Codium build mentioned in OP is fully free. You don't have to use the proprietary version unless you're actually relying on the few extra custom features/addons it provides over the open source one.
...Microsoft in true Microsoft form of moving ever so slowly and doing it over a generation of people as not to spook them has been transitioning their customer base into consumers of services offered by Microsoft.
A company like Microsoft is changing the software industry by moving developers to a SaaS model, and articles like this suggest this is a terrible thing because we're losing control over what we do, they're is mining all our data, and locking us in to their platform.
There's an amusing irony that articles like this get posted to HN. This is the exact strategy that we would celebrate any HN startup for cleverly 'disrupting' any other industry - when someone launches a startup to make farming or shipping more efficient through killing off old paper based work flows, improving SaaS tools, giving customers insights through ML over millions of pieces of data, and also quietly sells those insights to boost revenue and locking customers in by making it hard to export their data, HN loves that. Do it in the software industry though and the comments are a lot less positive.
The HN crowd i'm used to loves open source, self-hosting, prefers privacy, frowns upon the prevalence of subscription-based SaaS, and yearns for the times when the internet was less laden with advertising and attempts to make a quick buck.
Maybe you mistake HN for Y Combinator, the company that runs it? I'd say that Y Combinator is picky, relative to other VCs, and I don't remember hearing about any sleazy business they'd be backing, unlike, sadly, some other well-known VC companies.
A key distinction: We all want basic libraries, fundamental tools, the building blocks, dev frameworks; the construction materials of software to be free and open source. The SaaS-biz is orthogonal to that in that it is the end product created by aforementioned easy-to-access, robust and cheap tooling. The latter can be a great subscription based business, creating enormous value for the world. So the startup engine is getting healthier and HN's community takes are pretty much inline with that goal.
To be fair, I think it's a lot different to see a startup disrupt a market, than to see one of the biggest companies of all time do it.
Anti-competitive behaviors from a behemoth are scary. From a startup? I mean... what can they do? Usually nothing. So it's kind of fun seeing the underdog make some noise!
the ones praising that kind of SaaS product are more likely to be the ones responding "Eh, whatever" in here. I would never want my company's business model to be reliant on a SaaS product.
You comingle HN and Ycombinator maybe? I dislike VCs and startup culture while I work in a 150yo bank ... I still like HN and shit on the model you described.
Ahahah you know how it goes, they split and they merge, and you need to draw the line somewhere.
And I think HN is now near as ubiquitous as StackOverflow among programmers as a source of IT news or as a forums on stuff that concern us all.
Why should we like venture capitalists ? The people I met who had to deal with them weren't too happy abt their deal with the devil, it's not like it always works out 's
In the software biz, where one day--Allah willing--we may find ourselves in direct/indirect competition with Microsoft, integrating one of their data probes into the heart of the business does not seem like the best move.
Holy hell, this blog is virtually unreadable. Article content aside, the fact that after pretty much every single paragraph there's 1-2 giant links to some other article and/or an ad is just infurianting and makes it impossible to focus. I stopped reading after the first few and will be adding this site to my blocklist.
I'm glad I'm not the only one who thought this, I actually gave up reading it halfway through because the ads fracture the content far too much - it just doesn't flow.
I likewise found this annoying. The giant link previews are especially disruptive on mobile where two in a row can literally take up most of the screen, although they're also obnoxious on the desktop.
When I first saw them I thought maybe they were ads, or there was a mistake and I ran into the end of the article early.
I liked the post, though! Geoffrey, please reconsider this citation style where you have an ellipsis and then giant link previews. I think it distracts from good content. Could similar link previews upon hover still scratch the itch that drove you to try these link previews?
This is what happens when you build software on another company's platform. Why put your time making plugins for VS Code when rug can be pulled from under any time?
> Why put your time making plugins for VS Code when rug can be pulled from under any time?
Because VSCode is a huge step forward for the vast majority of people.
For example, it took the might of Microsoft to force everybody onto a Language Server Protocol which is how things should have been done everywhere but nobody wanted to work together to implement it until they were forced to by VSCode eating their market share.
As a further example, VSCode is sweeping aside a whole bunch of absolutely garbage embedded programming environments, and I assure you nobody is crying any tears for them.
Furthermore, if you make your own plugin and distribute it, Microsoft can't pull the rug out from under your plugin. The core of VSCode is open source.
Unfortunately, the most popular plugins are proprietary and Microsoft can and will rip the rug out from under people at some point.
However, the problem is that nobody is throwing the resources behind the open source plugins that Microsoft is throwing behind the proprietary ones. While I find the current situation distasteful, I also see it as "Pony money up or shut the hell up."
Sadly, the world of open source seems to be populated by a bunch of cheapass whiners. So, yeah, Microsoft gonna pwn.
> As a further example, VSCode is sweeping aside a whole bunch of absolutely garbage embedded programming environments, and I assure you nobody is crying any tears for them.
Quick point about embedded: in my short summer internship where I was working on some STM32 hardware, I was quickly exposed to the plethora of semi-proprietary embedded IDEs which were themselves based on FOSS IDEs and editors (STM32CubeIDE, MBED Studio, etc).
Why do these even exist? It boggles the mind. These companies (NXP, STM, Infineon, TI, Nordic, MBED, etc) spend money on maintaining all this software and paying their own developers/contracting this IDE development work out. In the end, they're just glorified Makefile + C/C++ linters and editors.
On the other hand, I had a particularly pleasant time writing embedded and remote C++ with CLion (it's still proprietary, but it's really good). I was writing a client C++ application running on the Raspberry Pi (cross-compiled, and remotely debugged) to communicate with an STM32 (also cross-compiled, and debugged with a probe).
The debugging experience was glorious. One breakpoint in the client triggered another in the STM32, and everything was just completely seamless.
Because there existed a time before ARM, 32-bit processors, and gcc made embedded a monoculture like x86. Because there existed a time before IDEs converged via Language Server Protocol.
This was predictable back when VSCode first came out. Microsoft was pouring more development resource into VSCode that many of those semiconductor companies entire revenue. Either you got on the VSCode train or you were going to get swept aside.
The fact that everybody is whining about proprietary Microsoft remote development plugins while emacs tramp lsp-mode remains broken for an enormous number of cases for years says it all (this is finally what pried emacs out from under my fingers as I got tired of debugging it).
The same could be said about many other platforms: Apps for iPhones and android, chrome and Firefox extensions. Yet people still write them, and some get screwed when their app or extension is removed or doesn’t evolve to the next API change.
I have grown to appreciate HTML and the Web for this reason. If done carefully, one can write an application which is accessible to dozens of different client software and hardware options, and no one vendor can screw you over.
Yeah, it sucks what's happening with browser extensions and configurability in general. Opera 3, released in 1997, allows the user to override author styles with their own. Same for IE6, released in 2001.
But that's a different aspect of the platform -- the browser itself.
At least for the time being, on the Web side, there are so many different other browsers, that Chrome cannot break step with all of them at once.
And so if I write basic HTML and test it thoroughly, I can accommodate almost any user on any device, browser, and configuration. And this makes me very happy.
> there are so many different other browsers, that Chrome cannot break step with all of them at once.
i dont think this is true any more - chrome has such a high market share that they can basically dictate the standards, and force other browser vendors to follow suit.
They can do it for new things, but not for traditional HTML. A p tag is a p tag, and a table is a table. The trick is to use only things that everyone already supports, and enhance on top of them.
I personally use test with over 50 different browsers, most of which are quite usable.
The web is now big enough that I can build my own little nooks and use the sites I like while avoiding others.
It's so freeing to realize that anytime a site gives me a newsletter modal, or an ad, or a cookie consent, I can just close it and move on.
True but the alternative is rolling and maintaining every aspect of your environment yourself. Build environments in particular. If you even have that kind of time, you have to weigh it against shipping a product.
Can't use my mouse with it. And it doesn't look nice. And it requires a shortcut palette different than the OS conventions. I bought VS Code with $0.00 and sent the rest to needy kids in Uganda.
Vi predating certain paradigms explains why it doesn't follow them. But it doesn't make it any easier for a random developer who grew up in the context of those paradigms. A new developer wondering whether they should adopt some modern vi is not being unreasonable for searching out something that does follow the prevailing customs. (But they are on a fools errand, because there are exactly zero good general purpose developer environments and the question I have is which of gvim, intellij or vscodium pisses me off least today.)
Thanks forkfork. I'm _absolutely_ not an NFT shill and my avatar is funny af because NFT/Web3 is meant to be decentralised but it's built on central platforms. The avatar/pfp that I use received a DCMA takedown thus is an doubley illegal NFT [this will make sense if folks are aware of the RRBAYC lawsuit] that I can't change. It exists in "my wallet" but it can't be used anywhere.
ps. The first ever Crypto Policy Symposium (with other critics like myself) is in 5 days - https://crypto-policy.tech/
NFT's (and crypto) are unregistered securities. How they are being peddled into the masses is dodgy af and is definitely not funny af. What's going down with RRBAYC (using NFT's to destroy NFTs) is funny af:
As far as I understand, it's not a big deal as this is sort of the dumb end of the IDE- just the text editor part, not the compiler or debugger. Correct me if I'm wrong. I don't know why anyone would bother using a microsoft text editor on linux, but if you are using windows you're already getting screwed pretty hard with telemetry
If a windows-using colleague asks me what text editor to use, I just tell them to use notepad++ or geany. The hard part is moving them away from MSVSC++ to some command-line compiler or debugger (like msys/mingw) so they can make reliable/extensible build scripts.
One reason I chose VS is because I'm a small dev shop, often working alone, and it's one of the only good IDEs around with plugins for syncing via sftp. In many cases that saves me having to use a separate client or configure cloud rollouts for minor code changes. Small devs are the target audience for vscode and also the most likely to be negatively impacted if the environment fractures.
See, what I would do in my case is I would just make a bash script for sftp.
I'm not even sure if small devs benefit from such a bloated editor: the time you have to invest in writing a script or learning a command-line tool is to some extent time invested in learning a fungible skill, whereas time you invest in learning a graphical tool is usually not as extensible or reliable.
A major time-sink in a previous job site was just setting up the environment for new developers, renewing licenses, configuring plugins, dealing with unexpected errors due to the environment, etc.
The upshot of such a graphical IDE for me is basically lots of panes and windows to rapidly search in. I might have one library I've branched 7 times for 12 projects and need to have a few open and jump quickly to which version some line of code is referencing. It also helps with keeping version control and history right next to the working files. A bash script would be fine for syncing but it's not going to give me a diff on each file before I upload to a production environment. Playing it that close requires tooling in some red and green to make sure you don't hit the wrong button.
Emacs buffer management and Git integration is excellent for the use cases you describe. Doom Emacs is a great starter kit if you know the absolute basics of vim cursor movement.
Your workflow sounds particular, if you want to upload hodgepodges of multiple branches to various environments manually. But I think you could do the same kind of thing pretty well with lsyncd + git-worktree with a checkout for each environment, plus additional checkouts for whatever you're developing. Check out a different version of a file in the worktree associated with staging, and lsyncd automatically syncs that change to staging.
(It sounds like VSCode serves you very well for now, so I'm not urging you to change or anything. Just thinking aloud about some alternatives and what using them might look like for use cases similar to yours.)
.NET is 20 years old now, according to Wikipedia. I've never seen the point of it, and have avoided using it in anything I've cared about. If people are foolish enough to use it, I'm not going to be able to stop them.
I've tried Visual Studio (to compile my forth project with), but it just doesn't work for me anyway. There's too big an impedance mismatch.
I'll stick with NotePad++ for non-pascal stuff, and Lazarus for the rest.
What does .NET (and Visual Studio for that matter) have to do with Visual Studio Code? The latter is an IDE based on web technologies that shares naming with Visual Studio proper in the same way Java shares a name with JavaScript.
> I've never seen the point of it
Well if we're talking .NET, it's OSS now and runs on Mac/Linux/Docker. It's legitimately a great platform for writing backend services. C# is a java-like that has a lot of really nice benefits over java (in a similar vein to Kotlin). C# also pioneered the async/await syntax you see everywhere now, and as such has first class async and streaming support which is a real boon for workloads.
I feel kind of the same about VS Code. Binary product? Telemetry? Centralized marketplace? Some plugins are closed source? Eh, whatever. That stuff doesn't get in my way and I suspect that nothing particularly bad will happen to developers. Someday a better IDE will become popular, perhaps built on some of the code and standards spun off by VS Code (like the language server protocol), perhaps not. This editor will do until that happens.
The politics isn't as good as I'd like, but often the politics never actually materializes as a bad user experience, despite the complaints.