This is what I hate about vscode, and they at least ask for consent. Some of the stuff vscode needs for golang are (to me) developed by Random Joe on github. It's just a matter of time before it is abused for supply chain attacks.
> Some of the stuff vscode needs for golang are (to me) developed by Random Joe on github.
Pretty much all of it seems to be on golang.org, github.com/google, or are by people working on gopls. The suggestions that there are tons of dependencies from random people is just not true.
Comment states some of the tools, not tons of dependencies. Your comment that "pretty much all" is not a contradiction of what the parent comment said.
yea I was recently dismayed to find vscode extensions have full network access and there's no way to prevent it. It's been an open issue since 2018 and not on the roadmap.
Is that something people really expect of their IDEs these days?
In my mind, an IDE needs to be able to read all the files I can read myself, it needs to be able run arbitary tools like compilers and linkers then run the resulting compiled code, it needs a debugger that can attach to running processes and mess with them, it needs to be able to pull from the language's package repository when you ask it to, it needs to talk to your git server when needed, it needs access to your SSH keys to do that. About the only thing the IDE doesn't need is to run as root - and if you're working with Docker it basically needs that too.
The idea of an IDE with pluggable language support safely running plugins from untrusted sources? I can't imagine how such a thing could even be possible?
I'm a data scientist, intrinsic to my job is to work with private data that is usually vital to the company or 3rd party, the thought of running any plugins/software from untrusted sources is just insane in this environment.
Basically anything that isn't in the internal repository is a big no, so that rules out the pulling from the language package repository.
Access to the git server is handled at network level outside the workstation, I can only access a few services anyway, not regular internet access, the ssh keys are only valid for a period of time & current project, preconfigured in an image.
Having network access from within the IDE so I can use tools that reach out to package managers and remote git servers - yes, of course that is expected behavior.
If I want to install an extension that gives me syntax highlighting and code intelligence for an obscure template language, why should I expect that extension to have unfettered network access to exfiltrate my ptivate files?
Like the dead guy said, when working with private customer data it's just not on the table to take the risk, I am stuck running vanilla vs code.
A different (Visual Studio Code) example that uses network access and runs executables from untrusted sources: embedded development. You have everything from tools like PlatformIO, that manages the toolchain for microcontrollers from multiple vendors; to ESP-IDF, that manages the toolchain for microcontrollers based upon multiple architectures; to Raspberry Pi Pico, which uses the IDE as a simplified installer for their toolchain.
With some compilers leaning on user side, rather than system side, toolchain management (e.g. Rust), I would imagine that plugins managing that would be desirable as well.
Keep in mind, computers are about automation. We should be able to reap the benefits of that automation to the greatest degree possible. Alas, we can't due to bad actors.
Well a permission model is one way, like OSes have. Another is something like elm with controlled effects, so you can just search the source code and see if something is off.
The idea of everything on a system having open net access is going to have to go, not just for this reason but also privacy. It’s kind of amazing it’s still the default everywhere.
Also supply chain attacks are a freight train barreling down the tracks. The gate is down and the crossing bells are dinging but our car is stuck on the tracks.
Ever since the xz thing almost worked every black hat group on the entire planet is trying their hand at this. The days of software dev as a high trust environment are going to be over fast.
Go suppport on VSCode was originally done by an intern at Microsoft, and then later there was an agreement with Google, for Google Go team to take over it.
No wonder. Of all the languages I code in in VSCode, Golang is the most frustrating to use as I can’t jump to definitions with Cmd + Click the way I can in JS, PHP or Java.
It there a decent alternative for Golang on the Visual Studio Code marketplace?
I can confirm it is frustrating experience overall, I've moved on to GoLand and later to IntelliJ with Go plugin for Go development and never looked back. Sadly IDEA products fall apart for me in projects where multiple technologies are used, i.e. tailwind, Ruby, anything with JS, so I can't ditch VSCode yet...
Can you elaborate on that, at least for js? We are a large (1k) fullstack development company and do all of our js / typescript SPAs and others on Intellij and I am not aware of it being an unpleasant experience.
I do not have much experience with this as I've switched just a month ago, but for my codebases the editor tends to turn all project files red a few times a day and I have to use the "Restart IDE" and "Invalidate caches" quite often, this never happens with just Go codebase. It's a shame these actions have to even exist in IDE, it's like they know there's a bug in caching mechanism but can't find it, and no, I'm not using any fancy networked filesystems, just native macOS directories.
On another point I spent 2 hours setting up a Ruby interpretter because no matter what I did Intellij would not recognise my RVM ruby, I think compiling without yjit and setting up a specific gemset for the project plus a few Restart IDE and Invalidate caches later did it, but not sure.
For tailwind specifically the extension is lacking compared to VSCode, I do not have color squares for my color classes and the classes are not recognized in more difficult filetypes (i.e. erb templates). Many other extensions seem much less loved than on VSCode, i.e. continue.dev, you can read their reviews and quickly get a sense that it's much more niche ecosystem.
I love the editor experience overall and especially for Go projects, but can't switch fully yet.
> Of all the languages I code in in VSCode, Golang is the most frustrating to use as I can’t jump to definitions with Cmd + Click the way I can in JS, PHP or Java.
Odd, what extensions are you using? I use only go.dev extension and intellisense has been working great for golang dev for years.
Their ideavim plugin is pretty good. I didn't know at first, but it support an .ideavimrc file that allows you to set your own commands. Pretty much anything that you can do in a jetbrains product is connected to a command id that you can connect to a vim shortcut.
Include the most popular vim plugins as well. Easy motion and Nerdtree. Doesn't support language specific plugins, but core jetbrains products covers that
I do the same (not for golang tho). However, vim plug-ins also "have network access", in fact they can just "system()" and call anything. No sandboxing at all. At least the source code of these plug-ins are not obfuscated/compressed.
However, this makes me wonder how much of a surface attack this is.
Exactly. By the way, use F12 instead of clicking :).
Even on emacs, using gopls, `Meta+.` (go to definition) works.
I use some VS Code (when I need to do web stuff besides Go), some emacs, and both use gopls so support is pretty much equivalent in terms of functionality.
I think they must have, it's not quite on the level of Goland, but VSCode with all the necessary extensions works well for Go, and doesn't eat 32GB of my RAM to do it.
That would be quite funny. In a thread about additional components being installed without prompts, a user jumps out to complain about missing functionality in another editor because they refused to install an additional component when prompted.
Quite. VSCode asks with a little pop-up in the bottom right (for me, on Gnome) when you open a project that might benefit from a particular component, and you can accept or decline it.
It tells you what/why it's needed, it's up to you to accept or decline, but you should accept that things won't work well if you don't.
I'm no Microsoft fan (quite the opposite), but VSCode handles this about as well as anything could.
oh come on, if an extension comes with no source code it means it comes with a native binary (because otherwise it's JavaScript and there, are, no, good, JavaScript, obfuscation, in, this, world, period), and does it really matter if it has network access ??? it may as well just inject cryptominer to your ~/.bashrc.
Not sure if it was always like that, the C/C++ extension used to download the language server and some tools during startup as well. They now bundle it with the extension, which is a lot better especially in an offline environment.
I just want a dumb text editor that doesn't bundle shitton of crap I don't want (like LLMs), doesn't phone home, isn't bloated and slow. I feel that still the only good editor that does this apart from vim+emacs is sublime text.
I've been using Sublime more and more lately when I'm not in a JetBrains IDE. I can't feel a difference between it's speed and Zed's on my machines. If I could get Supermaven in it I'd SWITCH completely.
