Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Source code installation downloads and runs binary code without permission #45978

Closed
helgihg opened this issue Mar 16, 2018 · 6 comments
Assignees

Comments

@helgihg
Copy link

@helgihg helgihg commented Mar 16, 2018

I noticed that during the installation, "ffmpeg" and "electron" are downloaded in binary form during the source code installation process. The user should at least be made aware of this and given the option of backing out.

@joaomoreno

This comment has been minimized.

Copy link
Member

@joaomoreno joaomoreno commented Mar 19, 2018

What do you mean by source code installation? There is no such thing.

Downloading ffmpeg and electron are part of the development process of Code. They are necessary components of VS Code.

@joaomoreno joaomoreno closed this Mar 19, 2018
@helgihg

This comment has been minimized.

Copy link
Author

@helgihg helgihg commented Mar 19, 2018

See, this is why Microsoft's code cannot be trusted, even when it's open-source.

@joaomoreno I simply cannot believe that you are in any way confused over what I mean by "source code installation". I'm obviously talking about building the project from source. Were you honestly confused about this? Really?

The issue also does not regard whether these components are necessary or not. I'm sure they are important and implied nothing to the contrary.

I was pointing out that when a user like myself, who has chosen to use only open source software builds your project, then your project downloads binary code, without notifying the user. That's the problem. Just notify the user, so that those of us who actually believe in open source software can use our computers the way we like, and those of you who don't really care, can use it the way you like. Everyone wins.

@joaomoreno

This comment has been minimized.

Copy link
Member

@joaomoreno joaomoreno commented Mar 19, 2018

There is no installation happening when you run ./scripts/code.sh. We download all dependencies which we don't inline in the repository; they are placed within the repository. There is no opting out. Code can't run without them.

We don't need to notify the user at this point in time. This is what third party notices, license files and miscellaneous legal paraphernalia is for. You'll find all of that in this repository.

@helgihg

This comment has been minimized.

Copy link
Author

@helgihg helgihg commented Mar 19, 2018

You're not listening. The user should be warned, so that they can opt out of the process entirely. There should be a warning to the user, that the code that he/she is about to run, is not compiled from source but downloaded in binary form.

But whatever. You just stay doing your Microsoft thing and I'll just keep staying the heck away from it.

@joaomoreno

This comment has been minimized.

Copy link
Member

@joaomoreno joaomoreno commented Mar 20, 2018

@helgihg I am listening and you're being rude.

If you are downloading our sources and attempting to compile and build VS Code, you are not a user; you're a developer, just like me. Go around a few other open source projects and try to get their sources and compile them; they will also download binaries in order to do so. They won't notify you of this, since it's part of the development process, not of any user flow. Google Chrome and Atom are good examples. Are Google and GitHub "doing the Microsoft thing"? Can't they be trusted, just like Microsoft, even when it's open-source?

@helgihg

This comment has been minimized.

Copy link
Author

@helgihg helgihg commented Mar 20, 2018

No, you're not listening and no, I'm not being rude. I've been trying to explain to you something that you constantly brush to the side as if you don't understand, which is in fact rude, although painfully common in IT. It's perfectly okay to disagree, but you started this conversation by pretending to not understand what I meant by "open source installation" and you've been sidestepping the conversation ever since.

And given that the information you've provided on Chrome and Atom is correct, then no, obviously they cannot either be trusted by those of us who don't just blindly trust random binaries from wherever. The main reason that most serious open source software users use open source software in the first place, is precisely that they don't trust random binaries downloaded from wherever.

All that's needed, is to warn the user, tell them "Hey, I'm about to download some binaries to build this awesome thing. Cool? (y/n)".

But I can see that you simply don't care, and that's totally your right. Microsoft has no obligation toward me. I was actually trying to help make the software better for all of us by pointing out something that could easily be better, but seeing your reaction, I'll simply not consider running anything from Microsoft on my computer in the future. It's fine by me and clearly it's fine by you. Life goes on.

That said, I hope that this exchange won't negatively impact your day. Even though we clearly disagree on this point and it seems we'll continue to disagree and I'll continue to distrust Microsoft, you're probably doing lots of awesome things for lots of other people. Participation in open source development is fundamentally honorable whether you get paid for it or not. There was a time when essentially nothing from Microsoft was open source and you're helping to change that, and I deeply respect that, despite our disagreement. Have a good day and take care.

@vscodebot vscodebot bot locked and limited conversation to collaborators May 3, 2018
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
2 participants
You can’t perform that action at this time.