
Build process injects unknown code into artifact #49159

Closed
taoeffect opened this issue May 4, 2018 · 13 comments

@taoeffect

taoeffect commented May 4, 2018

  • VSCode Version: current
  • OS Version: irrelevant

Steps to Reproduce:

  1. run gulp vscode-[architecture]-min

Does this issue occur when all extensions are disabled?: Irrelevant?


Gulp will connect to marketplace.visualstudio.com during the build and download additional code not found in the git repo, and inject that code into the final artifact.

This makes it very unclear what code is actually powering VSCode, and also makes it impossible to build the software without an Internet connection.

@marekr

marekr commented May 4, 2018

> This makes it very unclear what code is actually powering VSCode,

The beauty of open source.
You can actually look at it.

https://github.com/Microsoft/vscode/blob/67cd9258fd0ed429ddc626d488d48bd65c2f2283/build/lib/extensions.ts#L74

https://github.com/Microsoft/vscode/blob/67cd9258fd0ed429ddc626d488d48bd65c2f2283/build/lib/extensions.ts#L54

https://github.com/Microsoft/vscode/blob/838f4024b30ffc477ea6fbc1eba8e21afc3aff2e/build/lib/builtInExtensions.js#L45

https://github.com/Microsoft/vscode/blob/838f4024b30ffc477ea6fbc1eba8e21afc3aff2e/build/lib/builtInExtensions.js#L59

https://github.com/Microsoft/vscode/blob/838f4024b30ffc477ea6fbc1eba8e21afc3aff2e/build/lib/builtInExtensions.js#L107
https://github.com/Microsoft/vscode/blob/838f4024b30ffc477ea6fbc1eba8e21afc3aff2e/build/lib/builtInExtensions.js#L103
https://github.com/Microsoft/vscode/blob/838f4024b30ffc477ea6fbc1eba8e21afc3aff2e/build/lib/builtInExtensions.js#L21

https://github.com/Microsoft/vscode/blob/838f4024b30ffc477ea6fbc1eba8e21afc3aff2e/build/builtInExtensions.json

You can see it's downloading node debug extensions to prepackage.

@rebornix
Member

rebornix commented May 4, 2018

We don't put every extension into our core code base right now, which requires a download step for extensions like node debug.

@rebornix rebornix closed this as completed May 4, 2018
@taoeffect
Author

taoeffect commented May 4, 2018

> The beauty of open source.

This isn't open source, and that's the problem.

You're downloading unknown code from Microsoft's servers during the build step.

I did look at the files you mentioned, and they reference URLs that point to GitHub, but these URLs are ignored completely, and instead the mystery code is fetched from Microsoft's servers at the last minute.

> @rebornix closed this an hour ago

You are welcome to treat your project and your users with this level of disrespect. It's your project and your call to do so, but I will not be using VSCode, and I'm seriously considering instituting a company-wide policy for all of our developers to avoid using it as well.

@RyanCavanaugh
Member

@taoeffect the person you're quoting does not work at Microsoft or on the VS Code team

@taoeffect
Author

@RyanCavanaugh Thanks, I edited my comment to make it clearer that I was replying to both @marekr and @rebornix.

@RyanCavanaugh
Member

Please don't interpret a closed issue as a sign of disrespect. The question was asked - why is VS Code downloading something - and answered. From a repo maintainer's perspective, there is no additional action and thus the correct state of the issue is closed. This doesn't mean "go away", it is just a metadata bit in a database that repo maintainers use to track the state of an issue.

@taoeffect
Author

> Please don't interpret a closed issue as a sign of disrespect. The question was asked - why is VS Code downloading something - and answered.

I'm sorry, this wasn't meant to be an issue about me having a question.

Rather, it's an issue about VSCode doing something dangerous that it shouldn't be. Closing this issue would involve not doing said shady/dangerous thing, which is apparently a pattern in Microsoft projects.

Please respect your developers and users and do not download unknown code during the build step. Just because there's a config file that claims it's "nodejs debugging stuff", doesn't mean that's what gets downloaded, and certainly doesn't mean this project is "open source" when it's obfuscating what source actually gets run.

@RyanCavanaugh
Member

RyanCavanaugh commented May 4, 2018

This is fundamentally no different from running git submodule update or npm install, both of which are normal tasks you'll find in many large projects' build scripts.

> Just because there's a config file that claims it's "nodejs debugging stuff", doesn't mean that's what gets downloaded

I don't understand the implication here. How would it download something else?

> doesn't mean this project is "open source" when it's obfuscating what source actually gets run.

It's a multi-repo build system. VS Code is not intentionally obfuscating anything - it says right there what it's doing, and the builtInExtensions.json file lists the GitHub repos for the packages it downloads: https://github.com/Microsoft/vscode/blob/838f4024b30ffc477ea6fbc1eba8e21afc3aff2e/build/builtInExtensions.json

@taoeffect
Author

taoeffect commented May 4, 2018

> This is fundamentally no different from running git submodule update.

Let's see...

  • git submodule update is something the developer does before the build step
  • git submodule update represents a completely different trust model
  • git submodule update actually gives developers a chance to inspect the code that goes into the final product

Indeed, doing git submodule update instead of the nonsense it's currently doing would have been a great way to close this issue.

> It's a multi-repo build system. VS Code is not intentionally obfuscating anything - it says right there what it's doing, and the builtInExtensions.json file lists the GitHub repos for the packages it downloads:

The GitHub repos that it completely ignores... yes.

@marekr

marekr commented May 5, 2018

@taoeffect Well, incidentally... the .vsix format for extensions it downloads is just a renamed zip file... and inside are just js files ;) So you could inspect it rather freely hehe.

I don't think the vscode team really wants to play with fire when it comes to git submodules... they don't scale beyond single developers really well, as a single dev could easily break them by committing to them by accident in the parent repo. Heck, even switching between branches at different points in time causes git submodule problems, as git has a habit of not updating the submodule on a pull or rebase unless you keep telling it to every single time. It's why big projects create their own "git submodule alternative" for dealing with multiple repos.

Also, the other problem is that the extensions are still distributed in the extension "marketplace". By downloading the git repo and building the extension locally, they would no longer have a local version that matches the upstream. And as reproducible as the builds should be... that just adds an undesirable factor when dealing with bug reports.
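marekr's point that a .vsix is a plain zip of JS files is what makes the concern in this thread checkable rather than a matter of trust: a build can record the expected SHA-256 of each prebuilt package it pulls in and refuse anything that differs, which also makes an offline build possible from a cached, verified copy. The following is an added example in Python, not VS Code's build code and not part of this thread; the package contents, the `PINNED` manifest shape and the pin entry for the extension name are constructed for illustration.

```python
import hashlib
import io
import zipfile

# Constructed sample contents standing in for a prebuilt extension package.
# File names and the JS body are made up for this example.
SAMPLE_FILES = {
    "extension.vsixmanifest": b"<PackageManifest/>",
    "extension/package.json": b'{"name": "node-debug", "version": "1.0.0"}',
    "extension/out/extension.js": b"exports.activate = function () {};\n",
}


def build_sample_vsix(files):
    """Build a .vsix in memory: it is an ordinary zip archive. Fixed
    timestamps make the same inputs always produce the same bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in sorted(files.items()):
            info = zipfile.ZipInfo(name, date_time=(2018, 5, 4, 0, 0, 0))
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def list_code_entries(vsix_bytes):
    """Names of the code-bearing entries (.js/.json) inside the package,
    i.e. what a reviewer would actually read before trusting it."""
    with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
        return sorted(n for n in zf.namelist() if n.endswith((".js", ".json")))


def verify_vsix(ext_name, vsix_bytes, pinned):
    """Gate a downloaded package before it enters the build.
    Returns (ok, reason). Order: pin present, valid zip, sane entry
    paths (no zip-slip style names), then the pinned hash."""
    entry = pinned.get(ext_name)
    if entry is None:
        return False, f"not pinned: {ext_name}"
    try:
        with zipfile.ZipFile(io.BytesIO(vsix_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False, "not a zip archive"
    for n in names:
        parts = n.replace("\\", "/").split("/")
        if n.startswith("/") or ".." in parts:
            return False, f"unsafe entry path: {n}"
    actual = sha256_hex(vsix_bytes)
    if actual != entry["sha256"]:
        return False, f"hash mismatch: pinned {entry['sha256'][:12]}..., got {actual[:12]}..."
    return True, "ok"


# Three constructed packages: the expected one, one with an extra file
# injected, and one with a path-traversal entry name.
GOOD_VSIX = build_sample_vsix(SAMPLE_FILES)
TAMPERED_VSIX = build_sample_vsix({**SAMPLE_FILES, "extension/out/extra.js": b"// injected\n"})
UNSAFE_VSIX = build_sample_vsix({**SAMPLE_FILES, "../evil.js": b""})

# Constructed pin manifest: a hypothetical companion to builtInExtensions.json
# that records the hash the build was reviewed against.
PINNED = {"ms-vscode.node-debug": {"sha256": sha256_hex(GOOD_VSIX)}}

if __name__ == "__main__":
    samples = [("good", GOOD_VSIX), ("tampered", TAMPERED_VSIX),
               ("unsafe", UNSAFE_VSIX), ("garbage", b"not a zip")]
    for label, blob in samples:
        print(label, verify_vsix("ms-vscode.node-debug", blob, PINNED))
    print("code entries:", list_code_entries(GOOD_VSIX))
```

The pinned hash is over the whole archive, so any change to the download (an added file, a rebuilt package with different timestamps, a different compression setting) fails closed; updating the pin is then an explicit, reviewable commit rather than something that happens silently at build time.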

@eligrey

eligrey commented May 5, 2018

@rebornix One of the issues brought up by @taoeffect is that the build process fails without an internet connection. I feel like this issue should be reopened and renamed to "build fails without internet connection". I understand that you don't wish to fix this issue at this time, but it should be in a later milestone instead of a 'wontfix'.

@lnicola
Contributor

lnicola commented May 5, 2018

I think you're underestimating how some people distrust Microsoft when it comes to PII and applications randomly connecting to your servers.

I can give a lot of other examples, but I've seen an Office installer that connected to Microsoft to send stuff like the installer location even before showing a window. That's not unlike a Code feature of intentionally sending a telemetry ping at start-up, even if the telemetry was disabled.

So yes, some will assume that if the build system connects to a Microsoft server, it's exactly because Microsoft wants to know who is building Code -- and most likely will, by correlating that with telemetry from other Microsoft products. GitHub can store release artefacts, and is safer from some shady stuff that Microsoft could -- in theory -- do.

And of course, I agree with @eligrey that not requiring an internet connection would probably be best.

@vscodebot vscodebot bot locked and limited conversation to collaborators Jun 18, 2018
@auchenberg
Contributor

Today's "Want free VS Code? Build it from source" HN discussion: https://news.ycombinator.com/item?id=17346492
