Build process injects unknown code into artifact

[taoeffect]

• VSCode Version: current
• OS Version: irrelevant

Steps to Reproduce:

1. run gulp vscode-[architecture]-min

Does this issue occur when all extensions are disabled?: Irrelevant?

---

Gulp will connect to marketplace.visualstudio.com during the build and download additional code not found in the git repo, and inject that code into the final artifact.

This makes it very unclear what code is actually powering VSCode, and also makes it impossible to build the software without an Internet connection.

[marekr]

This makes it very unclear what code is actually powering VSCode,

The beauty of open source.
You can actually look at it.

vscode/build/lib/extensions.ts

Line 74 in 67cd925

base: 'https://marketplace.visualstudio.com/_apis/public/gallery',

vscode/build/lib/extensions.ts

Line 54 in 67cd925

export function fromMarketplace(extensionName: string, version: string): Stream {

vscode/build/lib/builtInExtensions.js

Line 45 in 838f402

function syncMarketplaceExtension(extension) {

vscode/build/lib/builtInExtensions.js

Line 59 in 838f402

function syncExtension(extension, controlState) {

vscode/build/lib/builtInExtensions.js

Line 107 in 838f402

streams.push(syncExtension(extension, controlState));

vscode/build/lib/builtInExtensions.js

Line 103 in 838f402

for (const extension of builtInExtensions) {

vscode/build/lib/builtInExtensions.js

Line 21 in 838f402

const builtInExtensions = require('../builtInExtensions.json');

https://github.com/Microsoft/vscode/blob/838f4024b30ffc477ea6fbc1eba8e21afc3aff2e/build/builtInExtensions.json

You can see its downloading node debug extensions to prepackage.

[marekr]

This makes it very unclear what code is actually powering VSCode,

The beauty of open source.
You can actually look at it.

vscode/build/lib/extensions.ts

Line 74 in 67cd925

base: 'https://marketplace.visualstudio.com/_apis/public/gallery',

vscode/build/lib/extensions.ts

Line 54 in 67cd925

export function fromMarketplace(extensionName: string, version: string): Stream {

vscode/build/lib/builtInExtensions.js

Line 45 in 838f402

function syncMarketplaceExtension(extension) {

vscode/build/lib/builtInExtensions.js

Line 59 in 838f402

function syncExtension(extension, controlState) {

vscode/build/lib/builtInExtensions.js

Line 107 in 838f402

streams.push(syncExtension(extension, controlState));

vscode/build/lib/builtInExtensions.js

Line 103 in 838f402

for (const extension of builtInExtensions) {

vscode/build/lib/builtInExtensions.js

Line 21 in 838f402

const builtInExtensions = require('../builtInExtensions.json');

https://github.com/Microsoft/vscode/blob/838f4024b30ffc477ea6fbc1eba8e21afc3aff2e/build/builtInExtensions.json

You can see its downloading node debug extensions to prepackage.

[rebornix]

We don't put every extension into our core code base right now, which requires a download step for extensions like node debug.

[rebornix]

We don't put every extension into our core code base right now, which requires a download step for extensions like node debug.

[taoeffect]

The beauty of open source.

This isn't open source, and that's the problem.

You're downloading unknown code from Microsoft's servers during the build step.

I did look at the files you mentioned, and they reference URLs that point to GitHub, but these URLs are ignored completely, and instead the mystery code is fetched from Microsoft's servers at the last minute.

@rebornix closed this an hour ago

You are welcome to treat your project and your users with this level of disrespect. It's your project and your call to do so, but I will not be using VSCode, and I'm seriously considering instituting a company-wide policy for all of our developers to avoid using it as well.

[taoeffect]

The beauty of open source.

This isn't open source, and that's the problem.

You're downloading unknown code from Microsoft's servers during the build step.

I did look at the files you mentioned, and they reference URLs that point to GitHub, but these URLs are ignored completely, and instead the mystery code is fetched from Microsoft's servers at the last minute.

@rebornix closed this an hour ago

You are welcome to treat your project and your users with this level of disrespect. It's your project and your call to do so, but I will not be using VSCode, and I'm seriously considering instituting a company-wide policy for all of our developers to avoid using it as well.

[RyanCavanaugh]

@taoeffect the person you're quoting does not work at Microsoft or on the VS Code team

[RyanCavanaugh]

@taoeffect the person you're quoting does not work at Microsoft or on the VS Code team

[taoeffect]

@RyanCavanaugh Thanks, I edited my comment to make it clearer that I was replying to both @marekr and @rebornix.

[taoeffect]

@RyanCavanaugh Thanks, I edited my comment to make it clearer that I was replying to both @marekr and @rebornix.

[RyanCavanaugh]

Please don't interpret a closed issue as a sign of disrespect. The question was asked - why is VS Code downloading something - and answered. From a repo maintainer's perspective, there is no additional action and thus the correct state of the issue is closed. This doesn't mean "go away", it is just a metadata bit in a database that repo maintainers use to track the state of an issue.

[RyanCavanaugh]

Please don't interpret a closed issue as a sign of disrespect. The question was asked - why is VS Code downloading something - and answered. From a repo maintainer's perspective, there is no additional action and thus the correct state of the issue is closed. This doesn't mean "go away", it is just a metadata bit in a database that repo maintainers use to track the state of an issue.

[taoeffect]

Please don't interpret a closed issue as a sign of disrespect. The question was asked - why is VS Code downloading something - and answered.

I'm sorry, this wasn't meant to be an issue about me having a question.

Rather, it's an issue about VSCode doing something dangerous that it shouldn't be. Closing this issue would involve not doing said shady/dangerous thing, which, is apparently a pattern in Microsoft projects.

Please respect your developers and users and do not download unknown code during the build step. Just because there's a config file that claims it's "nodejs debugging stuff", doesn't mean that's what gets downloaded, and certainly doesn't mean this project is "open source" when it's obfuscating what source actually gets run.

[taoeffect]

Please don't interpret a closed issue as a sign of disrespect. The question was asked - why is VS Code downloading something - and answered.

I'm sorry, this wasn't meant to be an issue about me having a question.

Rather, it's an issue about VSCode doing something dangerous that it shouldn't be. Closing this issue would involve not doing said shady/dangerous thing, which, is apparently a pattern in Microsoft projects.

Please respect your developers and users and do not download unknown code during the build step. Just because there's a config file that claims it's "nodejs debugging stuff", doesn't mean that's what gets downloaded, and certainly doesn't mean this project is "open source" when it's obfuscating what source actually gets run.

[RyanCavanaugh]

This is fundamentally no different from running git submodule update or npm install, both of which are normal tasks you'll find in many large projects' build scripts.

Just because there's a config file that claims it's "nodejs debugging stuff", doesn't mean that's what gets downloaded

I don't understand the implication here. How would it download something else?

doesn't mean this project is "open source" when it's obfuscating what source actually gets run.

It's a multi-repo build system. VS Code is not intentionally obfuscating anything - it says right there what it's doing, and the builtInExtensions.json file lists the GitHub repos for the packages it downloads: https://github.com/Microsoft/vscode/blob/838f4024b30ffc477ea6fbc1eba8e21afc3aff2e/build/builtInExtensions.json

[RyanCavanaugh]

This is fundamentally no different from running git submodule update or npm install, both of which are normal tasks you'll find in many large projects' build scripts.

Just because there's a config file that claims it's "nodejs debugging stuff", doesn't mean that's what gets downloaded

I don't understand the implication here. How would it download something else?

doesn't mean this project is "open source" when it's obfuscating what source actually gets run.

It's a multi-repo build system. VS Code is not intentionally obfuscating anything - it says right there what it's doing, and the builtInExtensions.json file lists the GitHub repos for the packages it downloads: https://github.com/Microsoft/vscode/blob/838f4024b30ffc477ea6fbc1eba8e21afc3aff2e/build/builtInExtensions.json

[taoeffect]

This is fundamentally no different from running git submodule update.

Let's see...

• git submodule update is something the developer does before the build step
• git submodule update represents a completely different trust model
• git submodule update actually gives developers a chance to inspect the code that goes into the final product

Indeed, doing git submodule update instead of the nonsense it's currently doing would have been a great way to close this issue.

It's a multi-repo build system. VS Code is not intentionally obfuscating anything - it says right there what it's doing, and the builtInExtensions.json file lists the GitHub repos for the packages it downloads:

The GitHub repos that it completely ignores... yes.

[taoeffect]

This is fundamentally no different from running git submodule update.

Let's see...

• git submodule update is something the developer does before the build step
• git submodule update represents a completely different trust model
• git submodule update actually gives developers a chance to inspect the code that goes into the final product

Indeed, doing git submodule update instead of the nonsense it's currently doing would have been a great way to close this issue.

It's a multi-repo build system. VS Code is not intentionally obfuscating anything - it says right there what it's doing, and the builtInExtensions.json file lists the GitHub repos for the packages it downloads:

The GitHub repos that it completely ignores... yes.

[marekr]

@taoeffect Well incidentially....the .vsix format for extensions it downloads is just a renamed zip file....and inside are just js files ;) So you could inspect it rather freely hehe.

I don't think the vscode team really want to play with fire when it comes with git submodules...they don't scale beyond single developers really well as a single dev could easily break them by committing to them by accident in the parent repo. Heck even switching between branches at different points in times cause git submodule problems as git has a habit of not updating the submodule on a pull or rebase unless you keep telling it to every single time. Its why big projects create their own "git submodule alternative" to dealing with multiple repos.

Also the other problem is the extensions are still distributed in the extension "marketplace". By downloading the git repo and building the extension locally, they would no longer have a local version that matches the upstream. And as reproducible as the builds should be.......that just adds a undesirable factor when dealing with bug reports.

[marekr]

@taoeffect Well incidentially....the .vsix format for extensions it downloads is just a renamed zip file....and inside are just js files ;) So you could inspect it rather freely hehe.

I don't think the vscode team really want to play with fire when it comes with git submodules...they don't scale beyond single developers really well as a single dev could easily break them by committing to them by accident in the parent repo. Heck even switching between branches at different points in times cause git submodule problems as git has a habit of not updating the submodule on a pull or rebase unless you keep telling it to every single time. Its why big projects create their own "git submodule alternative" to dealing with multiple repos.

Also the other problem is the extensions are still distributed in the extension "marketplace". By downloading the git repo and building the extension locally, they would no longer have a local version that matches the upstream. And as reproducible as the builds should be.......that just adds a undesirable factor when dealing with bug reports.

[eligrey]

@rebornix One of the issues brought up by @taoeffect is that the build process fails without an internet connection. I feel like this issue should be reopened and renamed to "build fails without internet connection". I understand that you don't wish to fix this issue at this time, but it should be in a later milestone instead of a 'wontfix'.

[eligrey]

@rebornix One of the issues brought up by @taoeffect is that the build process fails without an internet connection. I feel like this issue should be reopened and renamed to "build fails without internet connection". I understand that you don't wish to fix this issue at this time, but it should be in a later milestone instead of a 'wontfix'.

[lnicola]

I think you're underestimating how some people distrust Microsoft when it comes to PII and applications randomly connecting to your servers.

I can give a lot of other examples, but I've seen an Office installer that connected to Microsoft to send stuff like the installer location even before showing a window. That's not unlike a Code feature of intentionally sending a telemetry ping at start-up, even if the telemetry was disabled.

So yes, some will assume that if the build system connects to a Microsoft server, it's exactly because Microsoft wants to know who is building Code -- and most likely will, by correlating that with telemetry from other Microsoft products. GitHub can store release artefacts, and is safer from some shady stuff that Microsoft could -- in theory -- do.

And of course, I agree with @eligrey that not requiring an internet connection would probably be best.

[lnicola]

I think you're underestimating how some people distrust Microsoft when it comes to PII and applications randomly connecting to your servers.

I can give a lot of other examples, but I've seen an Office installer that connected to Microsoft to send stuff like the installer location even before showing a window. That's not unlike a Code feature of intentionally sending a telemetry ping at start-up, even if the telemetry was disabled.

So yes, some will assume that if the build system connects to a Microsoft server, it's exactly because Microsoft wants to know who is building Code -- and most likely will, by correlating that with telemetry from other Microsoft products. GitHub can store release artefacts, and is safer from some shady stuff that Microsoft could -- in theory -- do.

And of course, I agree with @eligrey that not requiring an internet connection would probably be best.

[auchenberg]

Today's "Want free VS Code? Build it from source" HN discussion: https://news.ycombinator.com/item?id=17346492

[auchenberg]

Today's "Want free VS Code? Build it from source" HN discussion: https://news.ycombinator.com/item?id=17346492