A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us.
Our security researchers at Microsoft confirmed this claims and found additional suspicious code.
We banned the publisher from the VS Marketplace and removed all of their extensions and uninstalled from all VS Code instances that have this extension running. For clarity - the removal had nothing to do about copyright/licenses, only about potential malicious intent.
Letting you know that VSCode is unable to uninstall the extension. It prompts me to uninstall, but when I confirm the window refreshes and the extension is still there, triggering the same "is problematic" prompt. This is an infinite loop. Same behavior when trying to uninstall the usual way from the extensions panel.
I had to manually delete the extension's folder in %USERPROFILE%\.vscode\extensions and delete the entry from the json (%USERPROFILE%\.vscode\extensions\extensions.json).
Any update on this? I am not directly impacted, but am unsure about others in my company. Assuming that they may be:
* Any specifics on the (potential) impact for affected users?
* What they should do to get it removed?
Edit: There does seem to be a little bit more information available over at Bleeping Computer[1], but the precise nature of what the malware does is unclear at this time other than that it may be some type of "supply chain attack". It would be good to hear more about the specifics.
> A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us.
> As a reminder, the VS Marketplace continuously invests in security
If you’re relying on the community to alert you to the issues in the marketplace, perhaps you’re not investing enough in auditing popular extensions yourself?
I would also suggest that the trust model for VSCode is fundamentally broken - you’re running arbitrary third party code on client machines without any form of sandboxing. This is a level of security you would not deploy into Azure, so why is “run arbitrary 3p code on someone else’s machine” appropriate for VSCode?
While I appreciate the work that the VSCode team does and I use it, the lack of any form of sandboxing has always bothered me.
PSA: every package you install from any package manager from browser extensions to npm/composer etc presents the risk of malware. Because the open source community lacks the financial resources to vet every single version of every package. Demanding this level of security from software provided at no cost that relies on open contributions is wholly unreasonable. If you need that, buy an IDE from a company financially capable of ensuring security and accept the limitations of their offering.
Mitigations like running in a VM might protect your dev workstation. But not code you put into production that relies on third parties.
> Demanding this level of security from software provided at no cost that relies on open contributions is wholly unreasonable
VS Code isn't some kind of hobby project by a couple of dudes on laptops with nothing but the best interests of the community at heart. It's a flagship IDE produced by one of the most valuable tech companies in the world, released for free as a loss leader in service to very specific corporate goals.
When a tech behemoth releases a free IDE as a loss leader and it drives out all of the scrappy open source projects one by one, I think it's reasonable to hold that tech behemoth to tech behemoth standards rather than scrappy open source project standards.
The marketplace isn't operated on a paid contract for vetted extensions. You vet the extensions you use. Most don't, and it's ok. Don't shift the blame and the cost on microsoft though, they don't have to offer it.
Yet Mozilla, for all the flak it gets, isn't paid a dime by its users, but does find resources to vet the most popular extensions. Everything I use is checked by them.
Raymond Hill (of ublock fame) wasn't really impressed with how it is performed, but it's still much better than nothing (which is what MS apparently does).
VSCode is an IDE in name only, it's a glorified text editor, and pretty mediocre one at that. I in "IDE" stands for "integrated", like what you'd expect from JetBrains' products. Or even the real visual studio.
Paid JetBrains user here. What JetBrains gives you is self-implemented add-ons in their marketplace. These are perceived to have the same level of trust as the base product. Then there is the similar level of “might be malware” or “steal your infoware” from (possibly adapted) open source and third parties available on their marketplace.
As a example: Rider (https://www.jetbrains.com/rider/) - a IDE - comes with everything you could possibly need to build and compile .NET apps out of the box, while VSCode - a code editor - relies on extensions (and thus mostly the community surrounding VSCode) for this.
Or to make things more succinct:
* VSCode is a extendable code editor (like vim, neovim, Zed and Sublime)
* Jetbrains Rider is a fully equipped Integrated Development Environment (like Microsoft Visual Studio or its direct sibling Jetbrains IntelliJ IDEA)
And while extensions are optional within a IDE (and often solely used for increased productivity), more often than not they are a necessity in a code editor to even become productive.
I'm a big JetBrains fan, but this distinction is just silly. If you look at the way that JetBrains IDEs are packaged, the differences between IDEs all come down to extensions—which are enabled by default, which are available to install at all. IntelliJ Ultimate can be made to have all the features of PyCharm with the right extension combo. And occasionally they break out a new IDE by taking an extension and making it no longer available for installation elsewhere (like RustRover). The entire architecture is one of plugins.
"Integrated" isn't meant to contrast with a plugin-based system (otherwise JetBrains wouldn't count!), it's meant to contrast with a dev environment built out of a bunch of individual tools and terminal commands run separately.
Good point. In the old times if someone had Eclipse but installed plugins for different language than Java we wouldn't suddenly downgrade Eclipse that it is a text editor.
> Because the open source community lacks the financial resources to vet every single version of every package.
I made the point elsewhere, but this seems to fail in the face of Debian and Red Hat and Canonical who have been publishing mostly-secure distros of exclusively open source software for decades now.
There's a reason why MS and NPM get caught by this sort of shenanigans, but it's not "open source".
Because the attack surface is smaller and more difficult to extract value out of. I think it’s been shown time and time again the more motivated your attacker the more difficult it is to defend and very visible popular platforms see more attacks. NPM and MS represent drastically larger platforms.
Uh... no. There is far (far) more code[1] shipped in the package repository of any Linux distro than in all the world's vscode extensions. Are you being serious? NPM arguably gets a little closer, but only a little.
No, the reason Linux is safe and modern distributors aren't is the "packaging" step. Debian volunteers package software that they understand to be high quality via existing community consensus. You can't just show up to Fedora and say "ship my junkware app", you need to convince the existing community that your stuff doesn't suck.
And that's worked extremely well for decades now, going all the way back to 2BSD being shipped above V7 Unix. The reason MS and NPM et. al. abandoned it isn't just pure experience[2]. They don't want to wait for their repos to fill with good software, they want all the software in it now so that they don't get beaten by whoever their competitors are.
And this is the inevitable result. If you allow anyone to distribute software to your users then you allow everyone to distribute software to your users. And everyone includes a lot of bad people.
[1] With vastly more capability! The distro ships everything from firmware blobs and kernel drivers up through browser glitz and desktop customization. Talk about "attack surface"!
Remember, when we're triggered our reading comprehension goes down and we confuse emotion for facts. Did I say they ship more/less code? No, first I was talking about the user base size and the economic incentives for malicious users.
For the most popular package:
Debian: ~253K installs per month [1]
NPM: ~236M installs per month [2]
VSCode: ~158M installs total [3]
Obviously VSCode is hard to compare, but the most popular Debian package would need 52 years to achieve the total VSCode numbers so I'm sure it's safe to say VSCode beats Debian significantly on installs and NPM wins even more convincingly.
Ok, but let's take a look at how much code is shipping which was your metric:
Debian: 242k submissions per month for amd64 [4]
NPM: ~50k new non-spam packages per month, ~800k new version submissions per month [5]
VSCode: No data available
I don't know how VSCode compares, but clearly NPM beats Debian which makes sense because of how open it is and more importantly how many orders of magnitude there are JS developers vs Linux developers and how much more frequently they update their packages because the overhead is lower for creating a submission.
It's really easy to forget that the number of JS developers or people using IDEs is much larger than the number of Linux users. So NPM still beats Debian on this front. As for the security assumption and how good a job maintainers are doing, I'm not so sure on that either. The xz utils backdoor into SSH was found by a Microsoft employee (i.e. the community) not by Debian maintainers. It's not hard to imagine that the lack of notable security issues (particularly attempts recorded) actually indicates very little review, not that there's a higher bar because the maintainers are more talented or have better incentives for "reasons" - there's a reason Chrome was perceived as having better security than IE (it did - architecture was better) and STILL they see regular successful attacks bypassing all the mitigations.
Again, to reiterate in case the above got you triggered again - NPM & VScode have significantly more users than Debian and that creates economic incentives for attackers. The capabilities of a vulnerability matter less unless you're a state actor because capabilities do not track economic results as strongly. This has so much evidence it shouldn't even need this kind of explanation. Remember when people said that Mac had better security? Well turns out Apple is dealing with all the same vulnerability and spam issues on a closed down system when their popularity went up; again, economic incentives.
The "triggered" bit is just flaming. Please stop that.
But I'm not following how you get from popularity numbers to "attack surface". The latter is a term of art that reflects the amount of complexity on the "outside" of a software system that can be interacted with by an attacker. It correlates well with "amount of code". I don't see that it has any relation at all to number of installs.
I originally used attack surface imprecisely in terms of how many people you compromise with a single vulnerability. In other words the economic value of the attack. But also in the formal term of art, it's still true that NPM has a larger attack surface with many more weak points than something like Debian has. VSCode is trickier since it's a single application, so may not be from that perspective. However, it is basically running Chrome so it is still quite a large attack surface area.
But sure, let's use "amount of code" as a proxy. Debian has ~123GiB of source code [1] across ~65k packages [2] while NPM has 74 GiB [3] if I'm reading it correctly (other sources say 128 GiB) across 3.3 M packages [4]. Given that JS requires less code than C for equivalent functionality (due to a richer runtime & no memory management), any way you slice it, NPM is a much larger attack surface both in terms of number of opportunities and how valuable the attack is.
You do realize this is Microsoft we're talking about here? Not merely a couple dudes in their bedroom doing this in their spare time? I guarantee you that a non-zero percentage of the code in VSCode was paid for.
Then they can pay those developers to sandbox vscode extensions at the very least. I like using vscode sometimes but I'm sure as shit not going to use it if my work bans installing extensions due to security risks.
> You do realize this is Microsoft we're talking about here?
Fiscal responsibility: required
> Not merely a couple dudes in their bedroom doing this in their spare time?
Fiscal responsibility: optional
I would also point out, the malware-infested extension we are talking about presents more as the “two guys in a bedroom” model (though possibly a state-sponsored actor).
Idk if they removed the malicious theme (or if they have it at all), but if MS isn't doing anything beyond just responding to user reports, you might as well switch to an open registry that probably does the same level of security work, and avoid giving them yet another monopoly.
Remember, this is Microsoft! A friend told me of a fairly major corporate firm that found MSFT had arbitrarily pushed an AI tool to run on their SharePoint, scooping up site data outside of any formal agreement to do so. MSFT are no doubt covered by a general agreement but this seems underhand/inept and yet a remarkably common flaw in their approach (I've seen similar behaviour with Teams apps)
> If you’re relying on the community to alert you to the issues in the marketplace, perhaps you’re not investing enough in auditing popular extensions yourself?
I think that's sort of unfair. Of course MS should be relying on the community! That's arguably the best single practice for detecting these kinds of attacks in open source code. Objectively it works rather better even than walled garden environments like the iOS/Android apps stores (which have to be paired with extensive app-level sandboxing and permissions management, something that editor extensions can't use by definition).
The reference case for best practice here is actually the big Linux distros. Red Hat and Canonical and Debian have a long, long track record of shipping secure software. And they did it not on the back of extensive in-house auditing but by relying on the broader community to pre-validate a list of valuable/useful/secure/recommended software which they can then "package".
MS's flaw here, which is shared by NPM and PyPI et. al., is that they want to be a package repository without embracing that kind of upstream community validation. Software authors can walk right in and start distributing junk even though no one's ever heard of them. That has to stop. We need to get back to "we only distribute stuff other people are already using".
I think you missed the part where I’m asking why the extensions aren’t sandboxed whereas they do invest into sandboxing when it comes to renting out their own machines in the cloud. Even browsers try to do sandboxing of extensions. It’s a jarring disconnect and VSCode is well beyond the prototype stage at mass adoption - the lack of sandboxing is confusing and worrying.
> you’re running arbitrary third party code on client machines without any form of sandboxing. This is a level of security you would not deploy into Azure, so why is “run arbitrary 3p code on someone else’s machine” appropriate for VSCode?
More and more, I am starting to think I need to run my development environment (for both work and personal projects) in a VM.
I am on MacOS, so UTM or Parallels would work pretty well I think. Sadly, I think my work explicitly forbids us from running VMs or accessing our services from them.
VSCode in cloud would be great, GitHub tried something similar with GitHub.dev , I haven’t tried it in a while but it didn’t feel quite ready at the time, maybe things have changed
Thanks. Our security researchers will review this today and we might take it down.
We reached out to the new author and he does not have malicious intent, and agreed that we just take down the new extension if we see something is off.
Hi Isidor, excited for this! At Open VSX, we'd love to take a look and potentially flag the extension as malicious on our side as well. Are you aware of the version range that the malicious code was included in? I'm asking because https://open-vsx.org does not have any version published since the extension went closed-source.
Is it possible for you to add color theme/icon theme/keymap only extensions, without any executable code? I think, it will improve the security situation a bit. I don't see why the mentioned kinds of extensions should have any code.
This is really confusing to me. The original discussion was about changing licenses, but somehow (coincidentally?) there was malicious code discovered shortly after? Are these related?
Should be added that the malicious part is often done by a third party that takes over an open source project when the original developer doesn't have the time/energy/money to maintain their open source/free work. Many Chrome extensions end up being sold for thousands or just hundreds of dollars because there's no money in them and the dev isn't all that interested.
Society as a whole could easily avoid this by funding open source/free utilities to the point where malware makers need to spend significant cash to outbid yearly community support, but unfortunately maintaining anything available online for free is a thankless job that barely covers the electricity required to maintain the code.
In this case too, the developers behind the theme seemed to want to monetise their work, which had attained almost 4 million installs, in the past, but found themselves with a rather unwilling customer base. I don't know if they snapped and uploaded something malicious or if they're intentionally making it hard for forks to copy their work, but either way the lesson learned is that if you want to make money you should just abandon your free projects and start something else.
Every time piracy or Youtube ads come up, HNers grandstand on how they don't even pay a dime to the content creators making the hundreds of hours of videos they watch.
GGs if you want a buck for the VSCode theme you made.
I proudly block ads while giving directly to the people that make the stuff I like.
I know I'm in the minority, but I block ads because of memetic hygiene. I don't want to deprive artists but I'm not sitting through adslop for a podcaster's sake.
With Youtube at least, you can buy Youtube premium, so you don't have to sit through Youtube ads without needing an ad blocker (though you'll still have to sit through any ads the Youtuber directly adds into the video itself).
Does the ad blocker do anything on Youtube since you have premium? It'll of course do things on other sites, but I'm wondering if it has any impact on Youtube.
At £12/month YT Premium feels rather expensive for what we'd get out of it (though we have considered it for our Dad who uses it for music and train videos a lot) compared to other subscription services.
Also note that while it takes away the ads, it does nothing about the stalking (which bothers me much more than the adverts themselves) the results from which will be used to serve ads if you cancel in future (and in any case may be made available, directly or otherwise, to third parties, unless that part of the terms has changed).
Netflix 1080p: $18/mo. Netflix 4k: $25/mo. No annual plan.
Youtube Premium, which offers 4k, is $14/mo, or $120/yr for the annual plan (which averages to $12/mo).
UK prices:
Netflix 1080p: £13/mo. Netflix 4k: £19/mo. No annual plan.
Youtube Premium: £12/mo. No annual plan.
It's interesting how in the Youtube Premiums discount over Netflix is smaller in the UK than the US, and how Youtube Premium lacks an annual plan in the UK.
>Also note that while it takes away the ads, it does nothing about the stalking
> > Also note that while it takes away the ads, it does nothing about the stalking
> Does an ad blocker change that?
In many places, yes. Youtube? Less so, but it depends on which blocker(s) are in play.
A DNS based blocker won't help completely as some of the ad/track related requests are coming from their main domain or sub-domains that are used for other things so can't be blocked wholescale. It will block JS and other resources pulling from *.doubleclick.net though.
A browser/add-on based blocker may do much better by being able to more selectively block resource that are tracking related. It will also be able to block data passed via embedded videos in other sites. They can, and probably do, still track based on what you are actually watching via requests to the main domain, no ad blocker can do much about that without blocking the whole site.
When it comes to embedded videos, that reminds me of youtube-nocookie.com . If the website does an embed using youtube-nocookie.com , that prevents I believe what is being described as "stalking".
>The Privacy Enhanced Mode of the YouTube embedded player prevents the use of views of embedded YouTube content from influencing the viewer’s browsing experience on YouTube. This means that the view of a video shown in the Privacy Enhanced Mode of the embedded player will not be used to personalize the YouTube browsing experience, either within your Privacy Enhanced Mode embedded player or in the viewer’s subsequent YouTube viewing experience.
>If ads are served on a video shown in the Privacy Enhanced Mode of the embedded player, those ads will likewise be non-personalized. In addition, the view of a video shown in the Privacy Enhanced Mode of the embedded player will not be used to personalize advertising shown to the viewer outside of your site or app.
I did a thorough combing of the code base when I forked. Just did another audit and still not seeing anything suspicious. Gutting all of the opencollective and changelog code to be 1000% sure.
The only potential risk was the use of sanity to render a changelog. I didn't want to risk it, so I gutted that and a ton of other stuff. Just published a new, stripped down version.
The extension file is still available to download directly from MS.[0] (Which, why if you pull it from users are you still allowing downloads first of all.)
I downloaded the file, and unzipped it. On a cursory glance I see obfuscated code but zero "red flag" level code, has anyone seen the malicious code claimed?
TBH, no criticism on the developers, but the VS Code release notes haven't been interesting or relevant to how I used the editor for years. I think I checked out when they added a terminal client to it and it dominated the release notes for ages.
AI features is one of the bigger innovations in editors in years, I fully understand the enthusiasm, especially given it can be linked to an earnings model. That said, before AI stuff I would've expected them to push integration with Github and Azure more.
Well, I used Emacs for 15-20 years. It has problems of its own -- mostly that it is effectively locked into an antediluvian view of how editors work, and that to use it effectively you end up maintaining large and complex configuration files.
I still use it for some things, but what we really need is a new, different edition of Emacs that has the same basic architecture but a more modern take on all the stuff that dates from the 1980s.
It's not "a problem," it's a difference in philosophy. Sure, VSCode comes accessible out of the box with minimal configuration needed and a GUI-first settings interface. But that comes with its own price - your config is more restricted in what you can do and fragmented across json files, settings menus, and extension options.
In contrast, with Emacs I can change any behavior of any function and command - built-in or third-party with amazing granularity. I can change specific parts of a function without rewriting it, and I don't even need to save that - I can just write a piece of Elisp in a scratch buffer, evaluate it, and test it out immediately.
Also, you are completely wrong with your notion that Emacs is outdated. Modern Emacs tools allow you to do things in a way no other editors let you - you can control video playback, read and annotate PDFs, search through your browser history, and automate things with LLMs.
Not to mention that the problem similar to the one being discussed in the thread would never happen in the Emacs world - nobody would ever get to publish a package with obfuscated Elisp code in it. You always will have full control over the code you download to use.
git uses "plumbing" and "porcelain" commands, referring to victorian-era plumbing systems. Adobe and other publishing tools use terms like "slug", "gutter", "folio", "pica". Debugging tools use terms like "trap", "dump", "patch". You're annoyed with what Emacs calls "window" and "frame"? And what about Tmux's "pane" and "window"; or "session" - "an ancient" term from the time of timesharing systems? Oh boy, if you afraid of words don't ever try to get into Haskell - those FP-crazies do use some real fancy words for their stuff.
> knowledge of Elisp, which has zero other benefits
The same way the knowledge of sql, or awk, or bash, or vim motions, or ssh, or tmux has zero benefits outside of their respective domains? What are you even talking about? I, for one, get daily gains, benefiting from knowing elisp - anything that has to do with text, just about anything can be automated with ease.
Just the other day - watching my colleague over Zoom, I decided to fix that for my note-taking. It took me fifteen minutes to write a piece of Elisp that OCRs any piece of text from a screenshot. Instead of disrupting my teammates all the time, I would now take a screenshot of a screen area with Flameshot, run my custom command and voilà - the text appears in my editor, and I can quickly grab it and use it in my notes.
I don't know where exactly "you've been" and what "you've done", but it really sounds like you haven't seen modern Emacs in practice. When one sees what people can do these days in it, it's hard not to get impressed.
XEmacs Tried to do that, it has been attempted to rewrite the backend of emacs into Rust twice, Guile has tried to interpret emacs lisp twice. The biggest problem is basically how large the user base is and the ability of people to want to perform the port so actually improving the editor is more likely.
GTK+ and webkit has been integrated into emacs and it has a package manager now and configuration is still a problem.
this is not about who they vote for, it's the system that is neoliberal in that allows and incentivizes only maximum profit and puts very little barriers
There will never be some permission model. Like in VBA there is after all this years nothing. VBA would be much less problematic if you could restrict VBA to just one Excel sheet or so
Given that it's been automatically removed from all VS Code instance, is there any way to check if it was previously installed? It's concerning that there's now no way to check if a sytem has been compromised by this
I am in European time and I do not know what happened on that post (since I was sleeping). I assume it were some heated arguments between maintainer and community about license/copyrights/open source maintenance.
But they didn't murder their own customers. Their customer, a government, did the murdering.
As long as government claims the right to a monopoly on violence, it is reasonable to hold them to far, far higher standards than anyone else, including corporations. There is only so much damage one company or one cartel can do, but with government, the downside is unbounded. As I suspect we're about to see for ourselves.
Git is a fairly mild insult though, roughly equivalent to calling someone annoying. I'm sure at least a few of us have thought Git (the tool) to be aptly named, from time to time.
35+ years ago, my friend insisted it meant the UK definition and, until now, every time I heard the word, I'd think of the time my, otherwise smarty-pants, friend didn't know what the most basic, least offensive, slang meant.
It's pretty mild, but still offensive in the UK. Your friend was right to believe that much. That everyone thinks it means that? No - the US uses it differently for a region of the body slightly less offensive. It's a bit like spunk, which is also fairly offensive in the UK, and fag, which despite having an offensive meaning in the US, is actually traditionally not offensive here, though the US meaning is known and sometimes used - it means "cigarette" here mostly, and "faggot" means something less offensive too (a bunch of sticks or a type of meatball like dish.)
Might be regional but fanny is definitely slang in the US as well, but very quaint/dated, meaning butt. Would generally be used in some sort of context like a grandma telling a kid, 'Get your fanny over here right this second!'
It would never be offensive or used with sexual connotation. It's kind of like the equivalent of wiener.
If you dig into the code on GitHub [1] , you can see it's the same author as the Material Theme. But I'm not sure how the marketplace folks are supposed to track that.
Hey y'all, I made the most prominent fork of this extension "Material Theme (But I Won't Sue You)"
The maintainer went off the deep end last year. He pulled the (originally apache 2) source offline, then started threatening to sue people for hosting alternative versions, including them in other IDEs, etc. Genuine lunatic.
Out of an abundance of precaution, I've taken the following action on my fork:
1. I have the VS Code team auditing it as we speak, and I've given them full permission to immediately pull it from the marketplace & force uninstall it from users if they find ANYTHING malicious.
2. I have audited the code base thoroughly (nothing seemed malicious)
3. I have removed ALL code related to changelogs, analytics, Open Collective and html rendering.
The only thing that seemed slightly concerning was the html + sanity loader for changelogs, so I gutted it entirely. Two PRs removed almost all the deps and over 7,000loc (mostly package-lock)
To me it seems ridiculous, that a theme could even accumulate such things as analytics and even lots of dependencies. A theme is usually something self-contained. And even more ridiculous, that anyone can, as you write, "force uninstall" anything from my machine. So glad I am not a VS Code user. It seems all the typical corporate BS is happening with its marketplace and plugins.
It is, but that's the reality of today - auto-updates, "evergreen" releases. This was popularised by Chrome, and IMO fixed a LOT of headaches and allowed for much faster and more agile release cycles - the reality before was that a company like Microsoft would have to provide support for older versions of their software for X years and deal with the fallout of security issues with remaining older versions. (Web) developers had to be careful about adopting newer features because X% of their user base would still be on older versions of the runtime, leading to the invention of transpilers and the start of what is still a very complicated system in web front-end world.
I don’t think went that hard though? I was just pointing out the discrepancy between what they said and what they mean. Not everyone might know that the marketplace doesn’t need you permission to remove your extensions.
They don't need it. They offered to "notify me before any action is taken" and I politely declined - explicitly telling them to IMMEDIATELY take it down if they find anything at all
Curiously, someone on reddit noticed suspicious changes in this extension 7 months ago [1]. Obfuscation in open source is usually an extreme red flag. Microsoft really needs to rethink their security model for vs code extensions. It has simply become way too profitable to target given whatever they are doing against it. For every dev they ban 10 will come with new malicious extensions.
VS Code is maybe the best product Microsoft has ever released, largely because the extension market. If Microsoft polices the marketplace more, you can probably expect VS Code quality to degrade.
Here's my argument: More scrutiny of the marketplace will lead to less extensions overall (the scrutiny process will reduce the number of extensions overall as barrier to entry will be increased). Less extensions available will create an incentive for Microsoft to add features to VS Code directly. The more features MS adds, the more bloated VS Code will become.
So then, more security auditing in the extensions marketplace will lead to a more bloated VS Code.
All that said, it would be nice if there were better security controls in the extensions marketplace, I just don't trust Microsoft to do anything in a way that actually improves their products for the people who use them.
It took a while, but Microsoft got it pretty much right with Windows Defender. It quietly made all other active scanners obsolete. It's just a question of how much effort they're willing to spend on a free product's infrastructure.
You do not have to police everything, copy what Mozilla is doing: pass the top X extensions through manual audits (including looking at code diffs on every update) and mark them as trusted. Maybe also add a giant warning "this extension may steal your stuff" when installing everything else.
Reading the commentary, this guy seems unhinged. He thinks he owns literal hex codes
he sucks at tech and has driven away everyone good at it. I don't use his software, but I hope he gets out of this episode soon (and learns he didn't invent material!)
Someone else described him as a lunatic. But, this is a security issue, and you shouldn't assume that someone who is successfully putting malicious code into developers' IDEs around the world is unhinged or a lunatic, but rather cunning and deceptive (or a front for an intelligence agency). It's not paranoid to have such suspicions about someone who is getting malicious code into developers' tools.
The original author seemed to talk a lot about funding development/maintenance, so I got curious about what the hell needs to be maintained. I cloned the https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you repo and had a look. Here's a LoC summary:
Among those, 622 lines of TS are hex color definitions for variants in scripts/generator/settings/specific. Most of the rest seems pretty boilerplatey, e.g. look at the 599 lines in scripts/generator/color-set.ts.
So the question remains: what the hell is there to maintain (that takes more than a couple minutes every $godknowshowlong)? I've published and maintained waaaaay more substantial open source projects for years without expectation of any financial contribution.
There's nothing wrong with building proprietary software of a couple of thousand lines of code, including themes. And people should be able to ask for money in exchange for their work.
What's wrong is the bait and switch, as these projects end up being popular because of their FOSS nature.
> There's nothing wrong with building proprietary software of a couple of thousand lines of code, including themes. And people should be able to ask for money in exchange for their work.
The issue is not someone wanting to be financially rewarded for work, however small. That's completely different from saying you need money to "maintain" what is essentially configuration for colors. That's a deceptive use of that word.
Let's call this what it is: a grifter asked people to pay him for the privilege of hacking them.
Morally wrong, legally not so much.
If it is under a permissive license (and it was MIT originally as others have pointed out) you can always cut a proprietary version.
That doesn't take away the right to use the permissively licensed code of course.
Of course, but then, the legality of it is irrelevant.
Free markets work because consumers can exercise their freedom to choose, and in such instances it's easy, given that the reason for why many such projects see wide adoption is their FOSS nature.
What about this clause: "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software"
It sounds like they went out of the way to remove that copyright notice. Am I misinterpreting that part?
Only if they do hold all the copyrights. If they've removed the notices from other people's open-source contributions (and don't have a CLA or similar that permits them to do so) then that's copyright infringement.
it's a problem. As soon as it became easy to ask for money via Patreon or githib sponsorship, etc... tons of people are going to try to get some for minimal effort. It's just the nature of the beast.
Asking for money isn’t a problem. The problem is this person went out of their way to extract money by harassing people who rightfully use the open source Apache 2 version, switching the marketplace extension to a closed source version with obfuscated code (likely malicious according to MS), and possibly more, all this for doing a quite small amount of work. That’s after already raising $7.6k, apparently.
Making a theme is not minimal effort which is why 99.9999% of everyone uses preexisting themes rather than making their own.
LoC is a red herring. And the fact that thousands of people decided to introduce his LoC as a dependency in their local development environment makes the point.
I'm surprised to see supposed software engineers get this wrong. We tend to dismiss look&feel type things as low effort which is funny because very few of us could make a make a good theme if we tried, yet it's "just" a matter of picking colors.
Maintaining a theme ~a decade after its creation is minimal effort. You can check the commit history yourself and see it's a one line change once in a while among auto dependency bumps thanks to a >10k line package-lock.json, at least half of which is unrelated to core functionality as demonstrated by t3dotgg.
It's also funny to see a "supposed software engineer" shit on other's tools and post veiled personal attacks based on a single Internet comment. If I were you I'd probably insinuate you've never worked on any large code base so don't know LoC definitely correlates with complexity as a rough first signal (not to mention I included a rough analysis of actual code as well), but I shouldn't do that based on a single comment. Anyway I've maintained plenty of open source code bases large and small, popular (>10k stars, yes that's not a very good metric but it's also a useful first signal) or not, so I'm pretty well equipped to evaluate maintenance burden.
Almost all of the work has already been done by other people for other text editors. Porting a theme requires copying files from another project and writing a tiny bit of glue around it. The author of a niche terminal emulator I'm using on small systems was able to add around a hundred themes this way in a short amount of time. Sadly, he wasn't able to raise $7.6k×100 for all that thankless work.
I think effort is irrelevant. Value is what we really look at when deciding what price to pay. It doesn't matter to most people if it took someone a 1000 hours to produce a loaf of bread. They're not going to pay 100x the price of the bread that took 10 hours to produce. Especially, if the products are mostly indistinguishable.
I think the luxury market proves my point. The perceived value of luxury items is much higher as reflected in the price paid. Although, the cost and effort to produce luxury items is roughly the same as a similar non luxury item.
It’s assumed that your contribution will be licensed with the current license (generally). Maintainers can change the license but that wouldn’t affect prior contributions. Basically anything up to that license change would still have the original license. This is what makes forks possible when popular software changes their license.
In order to go back in history and change a license, you need either the consent of your contributors or a document that would grant you the power to do that. A CLA could (but not all CLAs will) grant a maintainer to change a license at will back in time.
Other famous software that has seen a license change: Redis and Terraform. In those cases the license changed but already released software is still available with the old license and that old license allows for forks.
My understanding is that permissive licenses (BSD,MIT) can generally be relicensed. For example you can fork a MIT project under GPL. But to do the same for a GPL project requires agreeement from all copyright owners, or just you if you made everyone sign a CLA. This is the whole point of GPL.
Your general understanding is wrong, as there's nothing in either BSD or MIT that allows for re-licensing, and nothing else gives you that right.
You can incorporate MIT/BSD code in a proprietary project, but that imported code itself remains BSD/MIT licensed. For many projects, this is a technicality, but no, you can't claim copyright on MIT/BSD code that isn't yours.
Technically your statement is incorrect. The MIT license allows dealing without restriction and sub-licensing, but the effect of re-licensing an MIT product as GPL would be a license with many unenforceable terms on the code that is MIT licensed.
> Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
> The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
Note the "deal in the Software without restriction" and "sublicense" permissions and the virality of the terms that require the permission notice must be included with all copies.
One problem with this however is if someone has removed the license from the software like what has happened here, then that software really has no license because the license doesn't specifically state that it applies to derivatives. The Apache 2.0 license is much clearer on that subject of derivative works.
No, it cannot. You can incorporate an MIT licensed work into a work that is licensed differently, but compatibly (not a real problem with MIT), but now you have three works that are under different licenses: the MIT part, the "other" part and the whole. The MIT part stays MIT. Someone can cherry-pick just that file (or file snippet) and use it under MIT, without caring about the license of the whole.
What happens when a file was previously under MIT, the license changes, and a new change is made? Do I need to look at the git blame to find which parts I can use as MIT?
You don't need blame necessarily, just git log. You look at the latest version under your preferred license. That's the one you take your snippets from.
Probably the sublicense wording that many techies confuse with relicensing.
Also sloppy wording in discussions like HN where "relicense" is sometimes used as a shortcut for "combined with a compatibly-licensed work in a larger work that can be used under the whole-work license".
The initial commit was in 2015 and was MIT licensed for a couple of years before it was changed to Apache licensed. It's unclear if any of the other contributors gave permission for this change to happen.
One of the things I love about the internet is learning how different people can be, I perceive it as different than me but I assume everyone has their quirks.
In this case, this is one of the most extreme instances of people installing lots of dependencies. The moment I realized something was different in me was left pad, I already felt that couldn't be me.
The log4j incident hit me different, it COULD have easily been me. A security vulnerability is like death or a terminal illness in my eyes. Successful companies that scale do so without incidents, If you are running a company and you have a vuln you are out of the race. So I tightened up a lot after that.
I realize something similar with sex I just can't fathom putting my whole life on the line just to have sex with somebody and then have nothing to show for it, no relationship, nothing.
And today we see this, people are really risking their companies, their reputation, their pride to have pretty colors on their IDE.
I used to fight it, try to convince people, of course I still keep the pride of being different and weary, but in the end, you will likely be fine, and I only hold a statistical advantage, both are valid strategies of going about life I guess.
A theme is fine - Google has been pushing Material for a while now, after all, so if you come from Google land the colours are familiar and preferred to you, same with themes like Solarized and whatnot.
That said, I do agree that dependency management and reliance is a Problem these days. left-pad was the camel that broke the proverbial camel's back for many people, and it made people realise how ridiculous dependencies in at least NodeJS land has become. It was already silly in Java land since the 2000s, but more from the layers of abstraction and overhead that frameworks like Spring add (which is ironic because Spring was originally conceived to be a lightweight alternative to J2EE, but that's a thread on its own).
I know the general community atmosphere in the Go ecosystem is adverse to adding dependencies and frameworks; it has a good standard library which was complete enough and which isn't yet fully bogged down by design by committee like Java and JS were (to their credit things are moving again), and its users are like "you know, plain Go is good enough", so they are much less likely to add frameworks or DSLs like assertion libraries.
I'd like to know if the same thing is happening in the Rust ecosystem, I've never ventured there before.
It had not occurred to me that a VS Code Theme was a full blown extension, since I've never installed one. I wonder if a lot of people have a mental model of a VS Code theme as a collection of CSS files, which should be relatively safe (even including those that install them).
> The log4j incident hit me different, it COULD have easily been me.
That couldn't be me, because I don't use Java, PHP, Windows APIs, or `xdg-open`. The closest I come to Java-esque "include ALL THE BATTERIES" is the occasional Python script, but I won't use `http.server`. (Incidentally, I don't get very much done.)
> (Incidentally, I don't get very much done.)
Lol, that's definitely part of the tradeoff of security in life.
> I don't use Java
I didn't use Java either, but whatever I was using at the moment (Python) could have been anything, if I stayed in my other job or gotten a different one I could very well been using Java and been the one that installed the thing.
>Python script, but I won't use `http.server`. (Incidentally, I don't get very much done.)
Interesting, I use http.server or the Tcp socket server thing, but I consider myself to be in the extreme, there's still people that use Flask (and I do partake ocasionally) or things like Django, Spring, Next,etc... Same with binaries like Apache, Nginx.
I mean you gotta use something, and if you go too far on the deep end, you get the risk of introducing the vulnerabilities yourself, (in addition to the risk of getting nothing done as you mentioned). I know my limits I wouldn't implement cryptography for example.
I consider it safe to use ASGI / Uvicorn or (if you're careful about which extensions you install) Django. Python has fewer, less-prominent built-in footguns than Java, so even though it's less secure in principle, it's easier to write / audit for security in practice.
Not getting very much done isn't because I practice secure software development. It's easy to write secure software that works. I don't get much done because I try to find new ways to write secure software: experimentation and tool-building takes up a lot of my time, when I should really be writing hacks, documenting them, and moving on.
Never roll your own crypto, unless you understand systems programming on that platform/arch very well: modern systems have all the side-channels, and take great pains to subvert your attempts to mitigate them.
If you do a bit of a repo dive, the repo was initially MIT licensed from its initial commit for at least a couple of years before that license was replaced by Apache 2.0, so there's an argument to be made that that license also applies.
The Apache or MIT license would permit you to continue using it for all versions up to the last commit which used that license. Any later commits under a different license would not be Apache licensed and you would need to follow the new terms if using those newer versions. The new license doesn't prevent you from sharing forks of the older version which was Apache/MIT licensed.
Kinda, it's complicated. When someone other than the owner of the repo contributes code, they own the copyright to that code. When the author changes this repo's license like this they're redistributing the external contributor's copyrighted code. The permission to do so is granted by the Apache 2.0 license and is subject to the conditions of it. Without the permission to distribute the contributed code, the author is engaged in a violation of copyright law. Note the Apache terms:
> "You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
This covers not just the users, but also the "author" here who exercises the permissions granted below:
> 2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
> 4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
> (a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
So let's interpret that. Regardless of the whatever intent to re-license the code exists in the mind of the author, in order to distribute the code which was contributed by others, the only legal means to distribute this code must comply with the requirements of the license. Technically they could remove all code contributions which were contributed by others (I've done this in the past, it's a pain to do right), or seek permission from the others to add additional grants that are not included in the Apache license here (I've seen various projects do the post-facto CLA thing for this). But that has not happened here.
So (in my opinion) the github repo of the author is a currently infringing the copyright of all the other contributors. Any one of whom could enforce it or raise a DMCA take down notification on the repo.
So given that we're talking about material that is in breach of copyright, it's likely that being able to enforce a license on that as a consumer is not really a thing which is possible as the conditions on what must be included bind the person distributing the material not the person receiving it.
I'm quite happy that nowadays most tools have competently made themes out of the box, so that if someone wants to minimize risks from something like this and keep the extensions/addons they install to a minimum, that's pretty viable.
Of course, it's also nice that it's possible to theme the software to such a degree and improve usability and accessibility in some cases, just that the feature requests about limiting permissions need to be addressed.
I find it curious that themes can be a security risk at all. Clearly, they consist of more than just the colour codes and don't definitions one might assume. Maybe the theming system needs to be tightened.
If the size of your paycheck depends on drama and making a surprised look in a YouTube thumbnail you would possibly insert yourself into the middle of things also
Essentially an internet personality. While they sometimes make interesting points, mostly on X, Twitch, and YouTube, he often seems to interject himself into a lot of things needlessly. Before this Material thing, it was that Wordpress incident.
> reading the review responses by the creator, I don't really trust it anymore. Being rude to others who are concerned over the recent move to closed-source (and without warning!) is pretty disheartening.
> So, uh, the guy who made the VS Code Material Theme is threatening everyone who uses it in their products. He seems to have forgotten it was originally licensed under the Apache License, 2.0.. He wiped the commit history to make it look like it was always his weird fake license.
Real messy. It’s always shocking to me how little people realize - or care - how their behavior - especially their treatment of others reflects on them.
Feel free to check for yourself, but the commits where the repo is licensed as MIT are not reachable from that UI - only the commits where the repo is licensed as Apache 2.0 (and the later self- created license). The earliest available activity entry is from 2023, which bottoms out at an initial commit from 2017. The code base is actually older than that having been started in 2015.
The commits which have the real unadulterated history of the theme are available by taking the same actions on the PRs (browse repo), as they point at commits in other repos where that history has not been erased not the main repo where it has.
I suspect this probably indicates that the GitHub repo was recreated in 2023 with a modified version of the source with the Apache license and a history that was rewritten to not contain the commits where the license was MIT. This aligns with what people are saying about the historical perspective on this.
It seems utterly absurd to me that anybody should be able to issue a copyright claim on a collection of colors and fonts. Copyrights are issued to logos and slogans, not design systems.
It seems utterly absurd to me we litigate the ownership of ideas or their expressions, but here we are.
The founder of Bikram Yoga, tried to copyright a sequence of yoga poses, even though similar sequences have existed for for thousands of years. Monster, the energy drink maker, went after business for using the word "monster" in totally unrelated contexts. Disney trademarked "Hakuna Matata" (a Swahili phrase roughly equivalent to "no worries") after using it in The Lion King, prohibiting African businesses from using a common idiom in their own damn language. Don't get me started on Happy Fucking Birthday.
These colours are their trademarks but I believe they don't own the colour in all domains.. probably just food? If you wanted to make a car company logo that colour you'd be ok?
Because noone has stated an injury and made a complaint about it. It's likely that there's some copyright infringement going on with the current state of the repo (due to lack of the author's adherence to the requirements of the license). That could be subject to a DMCA notice if any of the previous contributors decided to make one.
Conspiracy would be more appropriate, no? Thing is, when you conspire to attack a corporation, you have FBI agents bending over backwards for you and your precious profits. When you conspire to attack a bunch or normal people, you're lucky if anyone does anything at all.
So many people who are otherwise functional in society, for whatever reason just can't play well with others when it comes to online communication. This can be true for both software maintainers and users. People can't just leave their emotions at the door and file a bug report or respond to a help request, without including a little personal jab or passive aggressive snipe. Looking at some of those replies to users, it looks like this guy just couldn't keep himself from including those unnecessary little put downs.
> So many people who are otherwise functional in society, for whatever reason just can't play well with others when it comes to online communication.
So I run a small game that has a couple thousand active users, and part of that is allowing users to chat via written text. The amount of vitriol some users spew just amazes me. If they acted like that in person, I expect they would get punched in the mouth quite often. I also have a suspicion that some of these people are literally mentally ill, and online is basically where they live.
> I also have a suspicion that some of these people are literally mentally ill, and online is basically where they live.
Some of it may be because of this. However, I also think that the absence of risk of being mouth-punched contributes a lot. I feel like lots of people are deeply hateful, distrusting and angry in real life, and the risk of social and legal repercussions is the only thing that's keeping a lid on their disregard for others. I think that if this danger of consequences was removed, they would do unspeakable things.
> I also have a suspicion that some of these people are literally mentally ill, and online is basically where they live.
It's certainly reasonable to expect that there are at least some mentally ill people in any decent-sized community, but the Greater Internet Fuckwad Theory[0] suggests -- and I agree -- that there are many people who just turn into complete assholes when they are anonymous or semi-anonymous, and can hide behind their computer, tens or hundreds or thousands of miles away from the people they interact with.
I don't know the demographics of your game, but this is especially true of teenagers. (But not exclusively true.)
> I don't know the demographics of your game, but this is especially true of teenagers. (But not exclusively true.)
It's just a card game, and I expect that the average age is actually quite a bit older. Which is one of the reasons why I am quite surprised at the rhetoric used, because I would have thought that "adults" wouldn't behave that way. I was very wrong.
There's a fun little MMO-lite that reminds me of Escape Velocity[0]. Its chat system seems to filter and translate on the fly using some tiny ML models, and I think the guy behind it wrote everything himself.
The interesting thing about his implementation is that seeing e.g. Chinese being replaced in-line as it's translated feels way more amazing than knowing a translation has occurred in the background. He's hidden the time difference between paying for a service or running it yourself behind an animation.
It’s off topic but I don’t believe most people are functional in society. I think they are hiding their shitty behavior to themselves and to others, and their true self comes out once in a while.
They hide it mostly to their family, but other human beings are treated like NPCs.
For example I live in the south of France and people are literally crazy on the road but they still avoid accidents by some kind of miracle. These are people from all sex, color, and age. The good middle-aged white father becomes a fucking moron when his car is turned on. The young new mom who pretends to love her children is speeding on the road like an idiot.
Society accepts that or turns its head the other way not to look at it, but it’s definitely around us and I see it every time I go to work.
Some years back, I was driving to the town of Apt, in a hilly area of Provence. I was on a secondary road and going roughly the speed limit, maybe a little more. I was passed on a curvy section of road like I was standing still by a woman who was simultaneously smoking, talking on her phone and examining her face in the mirror. It was an amazing display of needless risk and even though I was alone, I started laughing.
> The young new mom who pretends to love her children is speeding on the road like an idiot.
If everyone is crazy on the road, it's best to reduce the exposure to the road. Speeding decreases time spent on the road. Speeding on the road is genius, not stupid.
Well, no, because speeding increases the energy of potential collisions, and also encourages others to speed. If you have to drive more than once, "speeding" isn't necessarily a dominant strategy.
When driving, you want to keep your velocity relative to other cars as low as possible, while retaining your ability to avoid obstacles / not murder cyclists and pedestrians.
If cars could go at mach 3, then you'd want to avoid roads entirely: it's not feasible to avoid obstacles at that speed, and you certainly don't want to get hit by shockwaves or – worse – actual cars travelling at such relative velocities. So no, you would have worse problems in this hypothetical.
Yes, or relativistic velocities. I figured that harm due to the energy of the collision is limited by death, while time spent on road tends to zero, but your mention of shockwaves brings to mind that a sufficiently high-energy collision would also be a danger to otherwise uninvolved road users, or residents of nearby towns, so my first assumption was incorrect. (I leave aside the problem of maintaining control of a mach 3 road vehicle as an implementation detail.)
People say that the most part of communication is nonverbal. If that's true, written communication would be heavily impaired by the lacking of all the visual cues that we use to interpret someone's words. I tend to agree with them, but that's just my personal experience.
Written text is perfectly capable of communicating all that, as evidenced by zillions of poems, novels, essays, screenplays, etc.
No, I counter that the real problem is that some people are either incredibly bad at communicating their real intent, or incredibly good at communicating their inner asshole nature.
> People can't just leave their emotions at the door and file a bug report or respond to a help request, without including a little personal jab or passive aggressive snipe. Looking at some of those replies to users, it looks like this guy just couldn't keep himself from including those unnecessary little put downs.
My consideration on this is:
A lot of software that at least I write privately is rather a manifestation of some deeper values/opinions that I have. So in some sense the software is just the tip of an iceberg, a manifestation of something deeper. The software might isolatedly be independently useful for other people, but this is not is essence. Its essence is the deeper values/opinions that made the software to be created.
In this sense, it is rather the rational thing to expect that most discussions of the software are strongly intertwined with the values/opinions of the programmer, because these form the bottom of the iceberg of the software.
P.S. Just to be clear: I am not the kind of person who does personal jabs or passive aggressive snipes.
If we stick by what you say, the maintainer may be uninitiated by copycat culture. Forking is a form of it, but so is shameless copying. If a person perceives theft, then they may respond in all kinds of abhorrent ways. Of course, we onlookers will yell out that it’s not that big of a deal in this case, but we can do nothing about the individuals perception.
Is this the person’s first time having an idea of theirs taken (appropriately or inappropriately)? Their sense of right and wrong may be just fine (speaking of value systems), but their reaction is intense.
There’s either more to the story or baby just experienced a little bit of life, and it hurts.
Edit:
From the maintainers:
Today we found Sublime Text authors just stole the WHOLE repository publishing the theme again, under their name, by replacing ANY reference of original authors with their names.
We opened a pull-request to restore the original theme made by us with all the credits. Let's see if they accept it, or they want to keep the stolen repository.
As I suspected Watson, the persons perceives theft.
Why would any add-on have more authority than it needs? Oh right - because no currently popular language supports implementing that kind of resource/rights monitoring and control:
An absolute failure of contemporary programming language design.
Software firms need to think harder about what kind of guarantees the languages they use can give them - which part of a project's code can access which (and how many) resources - access to other project components, filesystems, the network, and the amount of process memory and CPU time they are allowed to consume. The current default answer is usually "any place has authority to access everything else, and a simple infinite loop will use up all the system's resources"
Isn't it about release-notes.js? There are quite a few files in there that are obfuscated. So far I haven't found anything super bad, it looks like a sanity.io client of some sorts, but there could be some stuff hidden in there as it's seems like quite a big JS bundle.
That's untrue. I've created https://monokai.pro, to my knowledge the first commercial theme. It's been going strong for years now.
People are willing to pay for nice things. Especially if it takes longer to create it yourself.
A theme is more than a list of colors. Monokai Pro contains custom designed icons and color filters too, and some code logic to sync it all up. It needs continued updates, as editors keep evolving with new UX/UI elements.
I paid happily for monokai pro vscode since it was a one time payment. However I will not purchase a subscription for jetbrains intellij because per year it'll cost me the same amount as the intellij idea ultimate and that just doesn't seem like a fair price.
oklch should be an incredibly minor to unmeasurable performance hit, even on a 7 year old chromebook. Nor should it affect the displayed output. It's just a better color picker syntax.
No, paid themes are just passive income for their creators, since they get free advertising from IDE marketplaces and it costs them nothing to run. You can google free vscode theme and get hundreds of literally the same thing.
Assuming that the editor never removes/adds/changes anything then yeah, it's basically free. But since most editors are somewhat of a moving target, it does take a bit of maintenance to make sure everything continues to look right as things update.
The worst part with maintaining a theme/colorscheme is that you can't really rely on automated testing to catch most of the issues, unless you start doing snapshot testing comparing PNGs or similar, and is the biggest time-sink when a new editor version been released.
I don’t remmener the exact steps, but it was fairly easy. You just need a mac (which you can borrow) and an audio editor. But that’s been a few years as I’ve been using the same one for a while now.
Yeah, so only-iPhone users are out of luck since the majority of people don't have a Mac. Last time I used Android you needed the file and the phone itself, you select the audio file and you're done.
I could see the case for paying for a theme that provides its own icons and works across multiple tools and goes out of its way to support tools that I use. If anyone makes skins for Segger Ozone, I've never heard of them.
I'm comfortable working without any syntax highlighting at all. It's not that I go to the effort of turning it off, I just don't really care that it's there. I used to use Sam as my daily editor - got used to plain black text pretty quick. It's all a matter of preference.
I'd pay off the cuff money ($5) if it wasn't paywalled. "Donationware" if you will. I do this with other apps/resources/things including a nice pixel font I like using in images.
I suck at colors and want nice themes. I'm glad people better at this than me take time to make nice things.
But, I don't want to ever manage licenses for my theme. My dotfiles need to fetch it automatically or it's out.
Yeah well, MSFT - the behemoth among evilish corporations, invests vast sums into developing a sophisticated tool with extensive features - more than their combined philanthropic initiatives - and offers it freely to just about anyone. This generosity doesn't seem questionable at all, eh?
I mean, when I use Vim and Emacs, the benefits clearly flow to users and the developer community.
Back when I paid for the IntelliJ license - I knew exactly how their revenue model worked. Yet whenever I download and use VSCode, I don't really know what's Microsoft's grand plan here, does anyone else do?
from a quick deobfuscation of some of the code, i can't see anything wrong with it? i think this is just a case of obfuscated code being against the VS Code guidelines. the guy clearly wanted people to buy his pro version so maybe that's why he obfuscated all the code in the extension
In VS Code linux is very annoying the message that appears as a notification "We have uninstalled..." I try to remove the extension and after a few seconds it appears again and again. I think I have to use another IDE for today, fix this guys. PLS
it is very annoying the message that appears in VS Code linux, "We have uninstalled 'equinusocio..." please guys fix this. I have tried to uninstall the extension but magically it appears again, for today I have to use another IDE because of how annoying it is...
I did the following (it might help you too):
1. Close VS Code
2. Go to `C:\Users\USER\.vscode\extensions`
3. Delete the folder with that extension
4. Open extensions.json, find and delete the block related to that extension, then save the file
5. That’s it
Usually it's better to put an archive link in the comments, not at the top, so the original domain isn't obscured. I've pinned the archive link to the top now (and detached this subthread from https://news.ycombinator.com/item?id=43181471).
(As throw16180339 said, please email hn@ycombinator.com with these things - that's the only way to be (mostly) sure I'll see it.)
No it’s not. A blockchain is a Merkle tree whose canonical “master branch” is agreed upon by everyone and difficult or impossible to change (e.g. due to PoW or a similar mechanism).
A Git repository is a Merkle tree whose canonical “master branch” is agreed upon by everyone and difficult or impossible to change (because people want to collaborate on a project). If you try to rewrite history and people don’t agree with you, they would just fork the project and get on with their day.
a similar mechanism, like... a consensus mechanism? public key cryptography? some kind of content-based addressing? social convention and agreement on which fork to use?
is it easy for you to go edit historical commits in the linux repo?
What even is this comment? The extension has been deemed to have malicious code in it so it's been pulled. It's been remotely removed from users who have signed in to Code and I'm thankful for that. Should I be furious?
I'm increasingly suspecting there was nothing actually wrong with the extension, and Theo and others may have simply demolished an open-source developer's reputation primarily because they found him difficult to collaborate with.
The post has been deleted: https://web.archive.org/web/20250226020241/https://github.co...
Hi - Isidor here from the VS Code team.
A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us. Our security researchers at Microsoft confirmed this claims and found additional suspicious code.
We banned the publisher from the VS Marketplace and removed all of their extensions and uninstalled from all VS Code instances that have this extension running. For clarity - the removal had nothing to do about copyright/licenses, only about potential malicious intent.
Expect an announcement here with more details soon https://github.com/microsoft/vsmarketplace/
As a reminder, the VS Marketplace continuously invests in security. And more about extension runtime trust can be found in this article https://code.visualstudio.com/docs/editor/extension-runtime-...
Thank you!
Letting you know that VSCode is unable to uninstall the extension. It prompts me to uninstall, but when I confirm the window refreshes and the extension is still there, triggering the same "is problematic" prompt. This is an infinite loop. Same behavior when trying to uninstall the usual way from the extensions panel.
I had to manually delete the extension's folder in %USERPROFILE%\.vscode\extensions and delete the entry from the json (%USERPROFILE%\.vscode\extensions\extensions.json).
VSCode 1.97.2, commit e54c774e0add60467559eb0d1e229c6452cf8447
Thank you for letting us know. We are investigating.
Any update on this? I am not directly impacted, but am unsure about others in my company. Assuming that they may be:
* Any specifics on the (potential) impact for affected users?
* What they should do to get it removed?
Edit: There does seem to be a little bit more information available over at Bleeping Computer[1], but the precise nature of what the malware does is unclear at this time other than that it may be some type of "supply chain attack". It would be good to hear more about the specifics.
1: https://www.bleepingcomputer.com/news/security/vscode-extens...
Thank you man, I was getting nuts here trying to uninstall this crap but unable.
Help me square this circle:
> A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us.
> As a reminder, the VS Marketplace continuously invests in security
If you’re relying on the community to alert you to the issues in the marketplace, perhaps you’re not investing enough in auditing popular extensions yourself?
I would also suggest that the trust model for VSCode is fundamentally broken - you’re running arbitrary third party code on client machines without any form of sandboxing. This is a level of security you would not deploy into Azure, so why is “run arbitrary 3p code on someone else’s machine” appropriate for VSCode?
While I appreciate the work that the VSCode team does and I use it, the lack of any form of sandboxing has always bothered me.
PSA: every package you install from any package manager from browser extensions to npm/composer etc presents the risk of malware. Because the open source community lacks the financial resources to vet every single version of every package. Demanding this level of security from software provided at no cost that relies on open contributions is wholly unreasonable. If you need that, buy an IDE from a company financially capable of ensuring security and accept the limitations of their offering.
Mitigations like running in a VM might protect your dev workstation. But not code you put into production that relies on third parties.
> Demanding this level of security from software provided at no cost that relies on open contributions is wholly unreasonable
VS Code isn't some kind of hobby project by a couple of dudes on laptops with nothing but the best interests of the community at heart. It's a flagship IDE produced by one of the most valuable tech companies in the world, released for free as a loss leader in service to very specific corporate goals.
When a tech behemoth releases a free IDE as a loss leader and it drives out all of the scrappy open source projects one by one, I think it's reasonable to hold that tech behemoth to tech behemoth standards rather than scrappy open source project standards.
> VS Code isn't some kind of hobby project by a couple of dudes on laptops with nothing but the best interests of the community at heart.
Which is why I'm pretty confident in first party packages and don't install third party plugins from random authors.
> I think it's reasonable to hold that tech behemoth to tech behemoth standards
You’d end up with Apple-style reviews and then people complaining about them. You can’t really win.
The marketplace isn't operated on a paid contract for vetted extensions. You vet the extensions you use. Most don't, and it's ok. Don't shift the blame and the cost on microsoft though, they don't have to offer it.
Yet Mozilla, for all the flak it gets, isn't paid a dime by its users, but does find resources to vet the most popular extensions. Everything I use is checked by them.
Raymond Hill (of ublock fame) wasn't really impressed with how it is performed, but it's still much better than nothing (which is what MS apparently does).
VSCode is an IDE in name only, it's a glorified text editor, and pretty mediocre one at that. I in "IDE" stands for "integrated", like what you'd expect from JetBrains' products. Or even the real visual studio.
What functionality or property makes JetBrains' products an IDE while VSCode isn't? Honest question, I've never used any of their products.
Paid JetBrains user here. What JetBrains gives you is self-implemented add-ons in their marketplace. These are perceived to have the same level of trust as the base product. Then there is the similar level of “might be malware” or “steal your infoware” from (possibly adapted) open source and third parties available on their marketplace.
As a example: Rider (https://www.jetbrains.com/rider/) - a IDE - comes with everything you could possibly need to build and compile .NET apps out of the box, while VSCode - a code editor - relies on extensions (and thus mostly the community surrounding VSCode) for this.
Or to make things more succinct:
* VSCode is a extendable code editor (like vim, neovim, Zed and Sublime)
* Jetbrains Rider is a fully equipped Integrated Development Environment (like Microsoft Visual Studio or its direct sibling Jetbrains IntelliJ IDEA)
And while extensions are optional within a IDE (and often solely used for increased productivity), more often than not they are a necessity in a code editor to even become productive.
I'm a big JetBrains fan, but this distinction is just silly. If you look at the way that JetBrains IDEs are packaged, the differences between IDEs all come down to extensions—which are enabled by default, which are available to install at all. IntelliJ Ultimate can be made to have all the features of PyCharm with the right extension combo. And occasionally they break out a new IDE by taking an extension and making it no longer available for installation elsewhere (like RustRover). The entire architecture is one of plugins.
"Integrated" isn't meant to contrast with a plugin-based system (otherwise JetBrains wouldn't count!), it's meant to contrast with a dev environment built out of a bunch of individual tools and terminal commands run separately.
Good point. In the old times if someone had Eclipse but installed plugins for different language than Java we wouldn't suddenly downgrade Eclipse that it is a text editor.
Apples to oranges or should I say Advertising Revenue vs. Freemium Revenue models
>Everything I use is checked by them.
How you know that?
> Because the open source community lacks the financial resources to vet every single version of every package.
I made the point elsewhere, but this seems to fail in the face of Debian and Red Hat and Canonical who have been publishing mostly-secure distros of exclusively open source software for decades now.
There's a reason why MS and NPM get caught by this sort of shenanigans, but it's not "open source".
Because the attack surface is smaller and more difficult to extract value out of. I think it’s been shown time and time again the more motivated your attacker the more difficult it is to defend and very visible popular platforms see more attacks. NPM and MS represent drastically larger platforms.
Uh... no. There is far (far) more code[1] shipped in the package repository of any Linux distro than in all the world's vscode extensions. Are you being serious? NPM arguably gets a little closer, but only a little.
No, the reason Linux is safe and modern distributors aren't is the "packaging" step. Debian volunteers package software that they understand to be high quality via existing community consensus. You can't just show up to Fedora and say "ship my junkware app", you need to convince the existing community that your stuff doesn't suck.
And that's worked extremely well for decades now, going all the way back to 2BSD being shipped above V7 Unix. The reason MS and NPM et. al. abandoned it isn't just pure experience[2]. They don't want to wait for their repos to fill with good software, they want all the software in it now so that they don't get beaten by whoever their competitors are.
And this is the inevitable result. If you allow anyone to distribute software to your users then you allow everyone to distribute software to your users. And everyone includes a lot of bad people.
[1] With vastly more capability! The distro ships everything from firmware blobs and kernel drivers up through browser glitz and desktop customization. Talk about "attack surface"!
Remember, when we're triggered our reading comprehension goes down and we confuse emotion for facts. Did I say they ship more/less code? No, first I was talking about the user base size and the economic incentives for malicious users.
For the most popular package:
Debian: ~253K installs per month [1]
NPM: ~236M installs per month [2]
VSCode: ~158M installs total [3]
Obviously VSCode is hard to compare, but the most popular Debian package would need 52 years to achieve the total VSCode numbers so I'm sure it's safe to say VSCode beats Debian significantly on installs and NPM wins even more convincingly.
Ok, but let's take a look at how much code is shipping which was your metric:
Debian: 242k submissions per month for amd64 [4]
NPM: ~50k new non-spam packages per month, ~800k new version submissions per month [5]
VSCode: No data available
I don't know how VSCode compares, but clearly NPM beats Debian which makes sense because of how open it is and more importantly how many orders of magnitude there are JS developers vs Linux developers and how much more frequently they update their packages because the overhead is lower for creating a submission.
It's really easy to forget that the number of JS developers or people using IDEs is much larger than the number of Linux users. So NPM still beats Debian on this front. As for the security assumption and how good a job maintainers are doing, I'm not so sure on that either. The xz utils backdoor into SSH was found by a Microsoft employee (i.e. the community) not by Debian maintainers. It's not hard to imagine that the lack of notable security issues (particularly attempts recorded) actually indicates very little review, not that there's a higher bar because the maintainers are more talented or have better incentives for "reasons" - there's a reason Chrome was perceived as having better security than IE (it did - architecture was better) and STILL they see regular successful attacks bypassing all the mitigations.
Again, to reiterate in case the above got you triggered again - NPM & VScode have significantly more users than Debian and that creates economic incentives for attackers. The capabilities of a vulnerability matter less unless you're a state actor because capabilities do not track economic results as strongly. This has so much evidence it shouldn't even need this kind of explanation. Remember when people said that Mac had better security? Well turns out Apple is dealing with all the same vulnerability and spam issues on a closed down system when their popularity went up; again, economic incentives.
[1] https://popcon.debian.org/main/by_inst
[2] https://www.npmjs.com/package/lodash
[3] https://marketplace.visualstudio.com/items?itemName=ms-pytho...
[4] https://popcon.debian.org/
[5] https://blog.sandworm.dev/state-of-npm-2023-the-overview
The "triggered" bit is just flaming. Please stop that.
But I'm not following how you get from popularity numbers to "attack surface". The latter is a term of art that reflects the amount of complexity on the "outside" of a software system that can be interacted with by an attacker. It correlates well with "amount of code". I don't see that it has any relation at all to number of installs.
I originally used attack surface imprecisely in terms of how many people you compromise with a single vulnerability. In other words the economic value of the attack. But also in the formal term of art, it's still true that NPM has a larger attack surface with many more weak points than something like Debian has. VSCode is trickier since it's a single application, so may not be from that perspective. However, it is basically running Chrome so it is still quite a large attack surface area.
But sure, let's use "amount of code" as a proxy. Debian has ~123GiB of source code [1] across ~65k packages [2] while NPM has 74 GiB [3] if I'm reading it correctly (other sources say 128 GiB) across 3.3 M packages [4]. Given that JS requires less code than C for equivalent functionality (due to a richer runtime & no memory management), any way you slice it, NPM is a much larger attack surface both in terms of number of opportunities and how valuable the attack is.
[1] https://www.debian.org/mirror/size
[2] https://www.debian.org/doc/manuals/debian-faq/basic-defs.en....
[3] https://replicate.npmjs.com/
[4] https://en.wikipedia.org/wiki/Npm#Registry
It presents a risk sure. But your browser sandboxes those extensions. VSCode runs extensions with the same permissions that VSCode itself has.
You do realize this is Microsoft we're talking about here? Not merely a couple dudes in their bedroom doing this in their spare time? I guarantee you that a non-zero percentage of the code in VSCode was paid for.
Who ever paid to use the extensions marketplace?
I meant on the development side, not that end users paid for anything.
Then why should end users expect anything? Microsoft is already paying for developpers.
Then they can pay those developers to sandbox vscode extensions at the very least. I like using vscode sometimes but I'm sure as shit not going to use it if my work bans installing extensions due to security risks.
> You do realize this is Microsoft we're talking about here?
Fiscal responsibility: required
> Not merely a couple dudes in their bedroom doing this in their spare time?
Fiscal responsibility: optional
I would also point out, the malware-infested extension we are talking about presents more as the “two guys in a bedroom” model (though possibly a state-sponsored actor).
I was going to point this weird part of their comment too.
Reminder that the Open-VSX extension registry exists: https://open-vsx.org
Idk if they removed the malicious theme (or if they have it at all), but if MS isn't doing anything beyond just responding to user reports, you might as well switch to an open registry that probably does the same level of security work, and avoid giving them yet another monopoly.
Remember, this is Microsoft! A friend told me of a fairly major corporate firm that found MSFT had arbitrarily pushed an AI tool to run on their SharePoint, scooping up site data outside of any formal agreement to do so. MSFT are no doubt covered by a general agreement but this seems underhand/inept and yet a remarkably common flaw in their approach (I've seen similar behaviour with Teams apps)
> If you’re relying on the community to alert you to the issues in the marketplace, perhaps you’re not investing enough in auditing popular extensions yourself?
I think that's sort of unfair. Of course MS should be relying on the community! That's arguably the best single practice for detecting these kinds of attacks in open source code. Objectively it works rather better even than walled garden environments like the iOS/Android apps stores (which have to be paired with extensive app-level sandboxing and permissions management, something that editor extensions can't use by definition).
The reference case for best practice here is actually the big Linux distros. Red Hat and Canonical and Debian have a long, long track record of shipping secure software. And they did it not on the back of extensive in-house auditing but by relying on the broader community to pre-validate a list of valuable/useful/secure/recommended software which they can then "package".
MS's flaw here, which is shared by NPM and PyPI et. al., is that they want to be a package repository without embracing that kind of upstream community validation. Software authors can walk right in and start distributing junk even though no one's ever heard of them. That has to stop. We need to get back to "we only distribute stuff other people are already using".
I think you missed the part where I’m asking why the extensions aren’t sandboxed whereas they do invest into sandboxing when it comes to renting out their own machines in the cloud. Even browsers try to do sandboxing of extensions. It’s a jarring disconnect and VSCode is well beyond the prototype stage at mass adoption - the lack of sandboxing is confusing and worrying.
> you’re running arbitrary third party code on client machines without any form of sandboxing. This is a level of security you would not deploy into Azure, so why is “run arbitrary 3p code on someone else’s machine” appropriate for VSCode?
More and more, I am starting to think I need to run my development environment (for both work and personal projects) in a VM.
I am on MacOS, so UTM or Parallels would work pretty well I think. Sadly, I think my work explicitly forbids us from running VMs or accessing our services from them.
VSCode in cloud would be great, GitHub tried something similar with GitHub.dev , I haven’t tried it in a while but it didn’t feel quite ready at the time, maybe things have changed
Try https://vscode.dev
You can append a Github repo to the URL to open it: https://vscode.dev/https://github.com/facebook/react
> Help me square this circle
Sure. As a general rule, you get what you pay for.
You might need to chase down reuploads, too.
https://marketplace.visualstudio.com/items?itemName=t3dotgg....
Thanks. Our security researchers will review this today and we might take it down. We reached out to the new author and he does not have malicious intent, and agreed that we just take down the new extension if we see something is off.
> We reached out to the new author and he does not have malicious intent
Because he said so?
The maintainer goes into more detail here: https://news.ycombinator.com/item?id=43182156
This is a older pinned version before the license and malware stuff started going down afaik
https://youtu.be/3wz7YF2as-c
Maybe point to the actual reupload instead? https://marketplace.visualstudio.com/items?itemName=fanny.vs...
Wild how its github page (1 commit, 1 hour ago) has already 885 forks and 11.2K stars to mislead people
https://github.com/Fanny-Theme/fanny-theme-support
> Expect an announcement here with more details soon https://github.com/microsoft/vsmarketplace/
Hi Isidor, excited for this! At Open VSX, we'd love to take a look and potentially flag the extension as malicious on our side as well. Are you aware of the version range that the malicious code was included in? I'm asking because https://open-vsx.org does not have any version published since the extension went closed-source.
The extension file is still available to download directly from MS.[0]
I downloaded the file, and unzipped it, but on a cursory glance I only see obfuscated code nothing malicious.
[0]: !!!WARNING MAY BE MALICIOUS!!! https://marketplace.visualstudio.com/_apis/public/gallery/pu...
Obfuscated code is malicious, even in case it's harmless.
Then never download an Android app, they're obfuscated by default.
Is it possible for you to add color theme/icon theme/keymap only extensions, without any executable code? I think, it will improve the security situation a bit. I don't see why the mentioned kinds of extensions should have any code.
This is really confusing to me. The original discussion was about changing licenses, but somehow (coincidentally?) there was malicious code discovered shortly after? Are these related?
It's a common theme:
- build an open-source thing
- wait till thousands or millions of people are using it
- change the license and close down the source
- implement malicious code
- push an update
- profit! you now have your malware running on millions of systems
Should be added that the malicious part is often done by a third party that takes over an open source project when the original developer doesn't have the time/energy/money to maintain their open source/free work. Many Chrome extensions end up being sold for thousands or just hundreds of dollars because there's no money in them and the dev isn't all that interested.
Society as a whole could easily avoid this by funding open source/free utilities to the point where malware makers need to spend significant cash to outbid yearly community support, but unfortunately maintaining anything available online for free is a thankless job that barely covers the electricity required to maintain the code.
In this case too, the developers behind the theme seemed to want to monetise their work, which had attained almost 4 million installs, in the past, but found themselves with a rather unwilling customer base. I don't know if they snapped and uploaded something malicious or if they're intentionally making it hard for forks to copy their work, but either way the lesson learned is that if you want to make money you should just abandon your free projects and start something else.
Every time piracy or Youtube ads come up, HNers grandstand on how they don't even pay a dime to the content creators making the hundreds of hours of videos they watch.
GGs if you want a buck for the VSCode theme you made.
I proudly block ads while giving directly to the people that make the stuff I like.
I know I'm in the minority, but I block ads because of memetic hygiene. I don't want to deprive artists but I'm not sitting through adslop for a podcaster's sake.
With Youtube at least, you can buy Youtube premium, so you don't have to sit through Youtube ads without needing an ad blocker (though you'll still have to sit through any ads the Youtuber directly adds into the video itself).
Disclosure: I work at Google.
I use Youtube Premium, plus an ad blocker, plus an extension that removes shorts, plus an extension that skips sponsored segments.
Soon, I'm going to need an extension that removes the AI stuff I don't want and didn't ask for.
Using youtube in 2025 is exhausting.
Does the ad blocker do anything on Youtube since you have premium? It'll of course do things on other sites, but I'm wondering if it has any impact on Youtube.
Yes. It removes ad elements that Google / Youtube don't consider to be ads, like channel stores and that sort of stuff.
Care to share these extensions?
Ad block: https://ublockorigin.com/
Skipping sponsored sections: https://sponsor.ajay.app/
Remove shorts: https://addons.mozilla.org/en-US/firefox/addon/remove-youtub...
Return dislike: https://www.returnyoutubedislike.com/
Forgot to mention returning the dislike in my original comment.
At least I can use these extensions and get something resembling the service I want to pay for.
Bless you, appreciate the sauce.
At £12/month YT Premium feels rather expensive for what we'd get out of it (though we have considered it for our Dad who uses it for music and train videos a lot) compared to other subscription services.
Also note that while it takes away the ads, it does nothing about the stalking (which bothers me much more than the adverts themselves) the results from which will be used to serve ads if you cancel in future (and in any case may be made available, directly or otherwise, to third parties, unless that part of the terms has changed).
US prices:
Netflix 1080p: $18/mo. Netflix 4k: $25/mo. No annual plan.
Youtube Premium, which offers 4k, is $14/mo, or $120/yr for the annual plan (which averages to $12/mo).
UK prices:
Netflix 1080p: £13/mo. Netflix 4k: £19/mo. No annual plan.
Youtube Premium: £12/mo. No annual plan.
It's interesting how in the Youtube Premiums discount over Netflix is smaller in the UK than the US, and how Youtube Premium lacks an annual plan in the UK.
>Also note that while it takes away the ads, it does nothing about the stalking
Does an ad blocker change that?
> > Also note that while it takes away the ads, it does nothing about the stalking
> Does an ad blocker change that?
In many places, yes. Youtube? Less so, but it depends on which blocker(s) are in play.
A DNS based blocker won't help completely as some of the ad/track related requests are coming from their main domain or sub-domains that are used for other things so can't be blocked wholescale. It will block JS and other resources pulling from *.doubleclick.net though.
A browser/add-on based blocker may do much better by being able to more selectively block resource that are tracking related. It will also be able to block data passed via embedded videos in other sites. They can, and probably do, still track based on what you are actually watching via requests to the main domain, no ad blocker can do much about that without blocking the whole site.
When it comes to embedded videos, that reminds me of youtube-nocookie.com . If the website does an embed using youtube-nocookie.com , that prevents I believe what is being described as "stalking".
>The Privacy Enhanced Mode of the YouTube embedded player prevents the use of views of embedded YouTube content from influencing the viewer’s browsing experience on YouTube. This means that the view of a video shown in the Privacy Enhanced Mode of the embedded player will not be used to personalize the YouTube browsing experience, either within your Privacy Enhanced Mode embedded player or in the viewer’s subsequent YouTube viewing experience.
>If ads are served on a video shown in the Privacy Enhanced Mode of the embedded player, those ads will likewise be non-personalized. In addition, the view of a video shown in the Privacy Enhanced Mode of the embedded player will not be used to personalize advertising shown to the viewer outside of your site or app.
https://support.google.com/youtube/answer/171780?hl=en#zippy...
I fundamentally disagree with making money from ads. I have no problem giving money to people who make things.
Copyright abolitionists are more than happy to embrace no one ever making money off of "software" again.
> Society as a whole
As long as we won't have to pay 2 USD for an extension!
The closing down step is optional. Just don’t build on a public CI, and inject malicious code in your builds, xz-style.
Are you contending that's what happened here? This is not a leading question, I genuinely do not know and am trying to learn more.
yup, many mobile app developers do this (inject any SDK that'd pay them) too. Doesn't need to be open source, though
Mobile app devs are often scum,
but no need to single them out.
Plenty of bait and switch later free apps turned freemium, or malicious, out there.
This is a good description of the problem. I'm not sure why it's been downvoted, except that "common" is overstating it a bit.
reminds me of mx player on android (nova launcher also?)
Hey! Isn't that the Microsoft business model? Doesn't MS control VS Code? (google microsoft antitrust).
Can you please clarify whether the fork also suffers from the same security issues (or engage the fork's owner to ensure that it doesn't https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you)
Hi, owner of the fork here.
I did a thorough combing of the code base when I forked. Just did another audit and still not seeing anything suspicious. Gutting all of the opencollective and changelog code to be 1000% sure.
Hi. Please do not replace the original author's copyright notice in the LICENSE file. That is a violation of the Apache License.
You could instead "append" your name to the copyright notice though, which is legal.
https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you/c...
[flagged]
The only potential risk was the use of sanity to render a changelog. I didn't want to risk it, so I gutted that and a ton of other stuff. Just published a new, stripped down version.
https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you/p...
Ok, but did you remove something that explicitly appeared malicious? This is a key detail that I am not seeing in your comments or commit messages.
That's covered by
> I did a thorough combing of the code base when I forked. Just did another audit and still not seeing anything suspicious.
Thanks for flagging it. Our security researchers will analize it and based on their findings we might remove this one as well.
s/analize/analyze/g
s/g/
So is there any proof of the malicious code?
The extension file is still available to download directly from MS.[0] (Which, why if you pull it from users are you still allowing downloads first of all.)
I downloaded the file, and unzipped it. On a cursory glance I see obfuscated code but zero "red flag" level code, has anyone seen the malicious code claimed?
[0]: !!!WARNING CLAIMED TO BE MALICIOUS!!! https://marketplace.visualstudio.com/_apis/public/gallery/pu...
Will Microsoft consider adding a permission model for extensions?
This is tracked in this feature request https://github.com/microsoft/vscode/issues/52116
We do not plan to add a permission model in the next 6 months.
> We do not plan to add a permission model in the next 6 months.
I guess Copilot functionality trumps "Security above all else" now.
https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...
Yeah, the vscode release notes used to be lists of interesting new things and novel improvements.
Now they are all “copilot” “features”.
TBH, no criticism on the developers, but the VS Code release notes haven't been interesting or relevant to how I used the editor for years. I think I checked out when they added a terminal client to it and it dominated the release notes for ages.
AI features is one of the bigger innovations in editors in years, I fully understand the enthusiasm, especially given it can be linked to an earnings model. That said, before AI stuff I would've expected them to push integration with Github and Azure more.
This is why I use Emacs and it's why I didn't stop using Emacs when Sublime Text II, then Atom, then VSCode became popular.
When Microsoft gets bored of VSCode or forces you to only do AI "vibe coding", Emacs will still be there.
New version just came out. The release notes were full of good things.
Well, I used Emacs for 15-20 years. It has problems of its own -- mostly that it is effectively locked into an antediluvian view of how editors work, and that to use it effectively you end up maintaining large and complex configuration files.
I still use it for some things, but what we really need is a new, different edition of Emacs that has the same basic architecture but a more modern take on all the stuff that dates from the 1980s.
It's not "a problem," it's a difference in philosophy. Sure, VSCode comes accessible out of the box with minimal configuration needed and a GUI-first settings interface. But that comes with its own price - your config is more restricted in what you can do and fragmented across json files, settings menus, and extension options.
In contrast, with Emacs I can change any behavior of any function and command - built-in or third-party with amazing granularity. I can change specific parts of a function without rewriting it, and I don't even need to save that - I can just write a piece of Elisp in a scratch buffer, evaluate it, and test it out immediately.
Also, you are completely wrong with your notion that Emacs is outdated. Modern Emacs tools allow you to do things in a way no other editors let you - you can control video playback, read and annotate PDFs, search through your browser history, and automate things with LLMs.
Not to mention that the problem similar to the one being discussed in the thread would never happen in the Emacs world - nobody would ever get to publish a package with obfuscated Elisp code in it. You always will have full control over the code you download to use.
Yeah, I'm not wrong. Its terminology is antique.
As for the rest, been there and done that, but then you have to invest in your knowledge of Elisp, which has zero other benefits.
> Its terminology is antique
git uses "plumbing" and "porcelain" commands, referring to victorian-era plumbing systems. Adobe and other publishing tools use terms like "slug", "gutter", "folio", "pica". Debugging tools use terms like "trap", "dump", "patch". You're annoyed with what Emacs calls "window" and "frame"? And what about Tmux's "pane" and "window"; or "session" - "an ancient" term from the time of timesharing systems? Oh boy, if you afraid of words don't ever try to get into Haskell - those FP-crazies do use some real fancy words for their stuff.
> knowledge of Elisp, which has zero other benefits
The same way the knowledge of sql, or awk, or bash, or vim motions, or ssh, or tmux has zero benefits outside of their respective domains? What are you even talking about? I, for one, get daily gains, benefiting from knowing elisp - anything that has to do with text, just about anything can be automated with ease.
Just the other day - watching my colleague over Zoom, I decided to fix that for my note-taking. It took me fifteen minutes to write a piece of Elisp that OCRs any piece of text from a screenshot. Instead of disrupting my teammates all the time, I would now take a screenshot of a screen area with Flameshot, run my custom command and voilà - the text appears in my editor, and I can quickly grab it and use it in my notes.
I don't know where exactly "you've been" and what "you've done", but it really sounds like you haven't seen modern Emacs in practice. When one sees what people can do these days in it, it's hard not to get impressed.
XEmacs Tried to do that, it has been attempted to rewrite the backend of emacs into Rust twice, Guile has tried to interpret emacs lisp twice. The biggest problem is basically how large the user base is and the ability of people to want to perform the port so actually improving the editor is more likely.
GTK+ and webkit has been integrated into emacs and it has a package manager now and configuration is still a problem.
before copilot the first item in their release notes was always accessibility, which I though was a very nice touch. Now Copilot took the prime spot
[flagged]
[flagged]
Political orientation determines what we let companies get away with.
this is not about who they vote for, it's the system that is neoliberal in that allows and incentivizes only maximum profit and puts very little barriers
Given the enormity of the attack surface that has just been exposed, that's disappointing.
This isn’t really exposed so much as exploited. This was always possible.
you're right. it's not new. https://www.bleepingcomputer.com/news/security/malicious-vsc...
Security has been overlooked for way too long for me to trust it at this point.
The only sane way to contain the blast radius is to run is to run code-server in a container (or in a VM) and use it through a browser tab.
Luckily, the UI works perfectly, hotkeys and everything. They did an awesome work there.
There will never be some permission model. Like in VBA there is after all this years nothing. VBA would be much less problematic if you could restrict VBA to just one Excel sheet or so
Just to be clear, which publisher was banned? Maybe I'm being stupid (it's late here) but I'm struggling to track the various parties involved.
Anyway, thank you for the update.
The publisher Equinusocio was banned.
Given that it's been automatically removed from all VS Code instance, is there any way to check if it was previously installed? It's concerning that there's now no way to check if a sytem has been compromised by this
Doesn't it prompt to uninstall?
I de-obfuscated most of it and didn't see anything malicious. Was there any particular file that was concerning?
I missed it-- it's in the release notes file. I uploaded it to pastebin. It does look malicious.
https://pastebin.com/H5QjS4Bt
Why was there any obfuscated code in the first place?
The issue to which op links now yields 404. What's up with that?
I am in European time and I do not know what happened on that post (since I was sleeping). I assume it were some heated arguments between maintainer and community about license/copyrights/open source maintenance.
https://web.archive.org/web/20250226020241/https://github.co...
https://web.archive.org/web/20250226020241/https://github.co...
Imagine the amount of infected packages we use every day. Probably 20 different governments see everything we do.
why worry about governments so much? You know how many different companies see everything you do? Do you trust all of them?
https://www.wired.com/story/gravy-location-data-app-leak-rtb...
Companies didn't intentionally murder 100 million of their own customers in the 20th century alone.
They certainly aided and abetted. See IBM.
But they didn't murder their own customers. Their customer, a government, did the murdering.
As long as government claims the right to a monopoly on violence, it is reasonable to hold them to far, far higher standards than anyone else, including corporations. There is only so much damage one company or one cartel can do, but with government, the downside is unbounded. As I suspect we're about to see for ourselves.
Nah, let go of that monopoly on violence claptrap. Governments can't do things without corporations to build stuff for them.
> Their customer, a government, did the murdering.
Using stuff the corporation made and profited from.
Max Weber died in 1920, get some new economics.
They are now evading the ban by rebranding the extension to "Fanny Theme": https://marketplace.visualstudio.com/items?itemName=fanny.vs...
Is this a troll name? Fanny is a faily well-known slang term[0]
[0] https://en.wikipedia.org/wiki/Fanny#In_slang
only in UK IIRC
Many English speaking countries, I'm sure the US is more the exception than the rule in this case.
Of course, 'git' is also an insult.
Git is a fairly mild insult though, roughly equivalent to calling someone annoying. I'm sure at least a few of us have thought Git (the tool) to be aptly named, from time to time.
And here I thought it was redneck for "get" like that's where ya git yer code from.
Linus once quipped "I'm an egotistical bastard, and I name all my projects after myself. First 'Linux', now 'git'."
Is "fanny" an insult at all?
Yes, in Britain it is, you fanny.
That one is specifically British though. Or perhaps even just English, I can't imagine a Scottish person using it.
So what? The answer to the question is still yes.
Damn! That was fannier than I expected. Lmao.
It was also equivalent to "bro" in the late 90s, at least in some circles in the US.
35+ years ago, my friend insisted it meant the UK definition and, until now, every time I heard the word, I'd think of the time my, otherwise smarty-pants, friend didn't know what the most basic, least offensive, slang meant.
It's pretty mild, but still offensive in the UK. Your friend was right to believe that much. That everyone thinks it means that? No - the US uses it differently for a region of the body slightly less offensive. It's a bit like spunk, which is also fairly offensive in the UK, and fag, which despite having an offensive meaning in the US, is actually traditionally not offensive here, though the US meaning is known and sometimes used - it means "cigarette" here mostly, and "faggot" means something less offensive too (a bunch of sticks or a type of meatball like dish.)
Remember when fanny packs were a thing?
But people wore them on their front side didn't they? I don't remember people turning them around and preparing them on their butts
Did you mean a bum bag?
More like “only in the US it isn’t” :)
Might be regional but fanny is definitely slang in the US as well, but very quaint/dated, meaning butt. Would generally be used in some sort of context like a grandma telling a kid, 'Get your fanny over here right this second!'
It would never be offensive or used with sexual connotation. It's kind of like the equivalent of wiener.
It was a popular name in France in the 90s ¯\_(ツ)_/¯
Yeah, Fanni is still used in Hungary.
Thank you. We will security audit this extension today and take action if needed.
Didn't the author evade a ban? Isn't that enough reason to take this down?
They could at least somewhat automate checks for that sort of thing.
Yep, because there's already another one, our hex code merchant clearly has nothing better to do: https://marketplace.visualstudio.com/items?itemName=vira-the...
It's a new publisher https://marketplace.visualstudio.com/publishers/fanny
If you dig into the code on GitHub [1] , you can see it's the same author as the Material Theme. But I'm not sure how the marketplace folks are supposed to track that.
[1] https://github.com/fanny-theme/fanny-theme-support
Next one: https://marketplace.visualstudio.com/items?itemName=vira-the...
new main features:
0 external and harmful dependencies
closed source = no more toxic community and youtubers talking shit about things they don't know.
Looks like we're good now.
Correct, the author links to it from his github page https://github.com/equinusocio
So, this is pretty weird no? In his GH profile he links his website/portfolio https://astorinomattia.com/ which is actually his surname + name.
It doesn't seem to be pretty smart and safe going rogue with such public exposure no? Unless it is a completely fake persona, of course.
It also links to his employer (https://lualtek.io). Maybe someone should let his employer know what their employee is up to :)
> Things destroyer.
Hmmmmm.
[dead]
[flagged]
Hey y'all, I made the most prominent fork of this extension "Material Theme (But I Won't Sue You)"
The maintainer went off the deep end last year. He pulled the (originally apache 2) source offline, then started threatening to sue people for hosting alternative versions, including them in other IDEs, etc. Genuine lunatic.
Out of an abundance of precaution, I've taken the following action on my fork:
1. I have the VS Code team auditing it as we speak, and I've given them full permission to immediately pull it from the marketplace & force uninstall it from users if they find ANYTHING malicious.
2. I have audited the code base thoroughly (nothing seemed malicious)
3. I have removed ALL code related to changelogs, analytics, Open Collective and html rendering.
The only thing that seemed slightly concerning was the html + sanity loader for changelogs, so I gutted it entirely. Two PRs removed almost all the deps and over 7,000loc (mostly package-lock)
Repo is here if anyone else would like to audit https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you
To me it seems ridiculous, that a theme could even accumulate such things as analytics and even lots of dependencies. A theme is usually something self-contained. And even more ridiculous, that anyone can, as you write, "force uninstall" anything from my machine. So glad I am not a VS Code user. It seems all the typical corporate BS is happening with its marketplace and plugins.
Try Qt themes, they're binaries compiled from C++ code :)
If one can "force uninstall" for safety, then it implies that automatic upgrading an extension with the user's consent is unsafe at the first place.
It is, but that's the reality of today - auto-updates, "evergreen" releases. This was popularised by Chrome, and IMO fixed a LOT of headaches and allowed for much faster and more agile release cycles - the reality before was that a company like Microsoft would have to provide support for older versions of their software for X years and deal with the fallout of security issues with remaining older versions. (Web) developers had to be careful about adopting newer features because X% of their user base would still be on older versions of the runtime, leading to the invention of transpilers and the start of what is still a very complicated system in web front-end world.
It doesn't fix any headaches it just outsources them to the users who get surprise breakages of their workflow in the middle of an important project.
* without the user's consent
Isn't the problem that VS Code has no permission model (restricting of them), so all extensions can do anything?
While it is, the same issue exists in Sublime, Vim, Emacs, Gedit, pico/nano[1], IntelliJ, Android Studio, Eclipse, and every editor.
[1] https://threatpost.com/researchers-show-how-popular-text-edi...
I think Xcode may be the exception but Xcode plugins also can’t do much.
I think Emacs and Vim will be lower probability targets than VS Code, though.
yeah. I hope you leave malicious code running on your computers to prove your point.
how is there not a single screenshot of what it looks like either in the repo or on the marketplace page? Or did I just miss them?
it's ugly, don't worry.
however, I found this from the malware creator's website itself: https://framerusercontent.com/images/G17CYe9tTL2GP1Rw4mUI8YC...
thank you!
Thank you
[flagged]
He's being as helpful as possible, there's no need to go hard on his language like this.
I don’t think went that hard though? I was just pointing out the discrepancy between what they said and what they mean. Not everyone might know that the marketplace doesn’t need you permission to remove your extensions.
They don't need it. They offered to "notify me before any action is taken" and I politely declined - explicitly telling them to IMMEDIATELY take it down if they find anything at all
Maybe "blessing" is more appropriate, but this is really splitting hairs.
My haters live in a different dimension of hair splitting, it's honestly kind of unreal
I don't think they need his cooperation either
[dead]
[flagged]
Likewise
https://www.mikeleake.net/wp-content/uploads/2023/01/DpQ9YJl...
Feeling insecure today?
Come on. You can think of something better to say than that I'm sure of it. That's a Reddit level response...
Likewise
Curiously, someone on reddit noticed suspicious changes in this extension 7 months ago [1]. Obfuscation in open source is usually an extreme red flag. Microsoft really needs to rethink their security model for vs code extensions. It has simply become way too profitable to target given whatever they are doing against it. For every dev they ban 10 will come with new malicious extensions.
[1] https://www.reddit.com/r/vscode/comments/1eq40o2/has_the_mat...
Be careful what you wish for.
VS Code is maybe the best product Microsoft has ever released, largely because the extension market. If Microsoft polices the marketplace more, you can probably expect VS Code quality to degrade.
Here's my argument: More scrutiny of the marketplace will lead to less extensions overall (the scrutiny process will reduce the number of extensions overall as barrier to entry will be increased). Less extensions available will create an incentive for Microsoft to add features to VS Code directly. The more features MS adds, the more bloated VS Code will become.
So then, more security auditing in the extensions marketplace will lead to a more bloated VS Code.
All that said, it would be nice if there were better security controls in the extensions marketplace, I just don't trust Microsoft to do anything in a way that actually improves their products for the people who use them.
It took a while, but Microsoft got it pretty much right with Windows Defender. It quietly made all other active scanners obsolete. It's just a question of how much effort they're willing to spend on a free product's infrastructure.
You do not have to police everything, copy what Mozilla is doing: pass the top X extensions through manual audits (including looking at code diffs on every update) and mark them as trusted. Maybe also add a giant warning "this extension may steal your stuff" when installing everything else.
Reading the commentary, this guy seems unhinged. He thinks he owns literal hex codes
he sucks at tech and has driven away everyone good at it. I don't use his software, but I hope he gets out of this episode soon (and learns he didn't invent material!)
> He thinks he owns literal hex codes
Pantone would like a word.
Pantone is a lot more than hex codes, it's a whole system of material science for colors.
Pantone does a lot of legitimate work, but also they pretend to own the hex codes for their colors.
Yep - Give them a Pantone Color and a Material, and they can tell you how to get that material in that exact color.
I dunno. I asked for the Pantone of neon brown on transparent aluminum and they stopped returning my calls.
You should do stand-up comedy.
Neon brown is orange :)
Someone else described him as a lunatic. But, this is a security issue, and you shouldn't assume that someone who is successfully putting malicious code into developers' IDEs around the world is unhinged or a lunatic, but rather cunning and deceptive (or a front for an intelligence agency). It's not paranoid to have such suspicions about someone who is getting malicious code into developers' tools.
> unhinged or a lunatic, but rather cunning and deceptive
These aren't mutually exclusive.
Someone uploaded a replacement, Material Theme (But I Won't Sue You)
https://marketplace.visualstudio.com/items?itemName=t3dotgg....
The original author seemed to talk a lot about funding development/maintenance, so I got curious about what the hell needs to be maintained. I cloned the https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you repo and had a look. Here's a LoC summary:
Among those, 622 lines of TS are hex color definitions for variants in scripts/generator/settings/specific. Most of the rest seems pretty boilerplatey, e.g. look at the 599 lines in scripts/generator/color-set.ts.So the question remains: what the hell is there to maintain (that takes more than a couple minutes every $godknowshowlong)? I've published and maintained waaaaay more substantial open source projects for years without expectation of any financial contribution.
There's nothing wrong with building proprietary software of a couple of thousand lines of code, including themes. And people should be able to ask for money in exchange for their work.
What's wrong is the bait and switch, as these projects end up being popular because of their FOSS nature.
He had raised about $7.6k total funding using opencollective.
https://opencollective.com/material-theme
that's pretty good, especially for a vscode theme.
Wild.
Pretty good for a material design theme. The most boring, over used yet ugly and style-over-function design.
> There's nothing wrong with building proprietary software of a couple of thousand lines of code, including themes. And people should be able to ask for money in exchange for their work.
The issue is not someone wanting to be financially rewarded for work, however small. That's completely different from saying you need money to "maintain" what is essentially configuration for colors. That's a deceptive use of that word.
Let's call this what it is: a grifter asked people to pay him for the privilege of hacking them.
"What's wrong is the bait and switch,[..]"
Morally wrong, legally not so much. If it is under a permissive license (and it was MIT originally as others have pointed out) you can always cut a proprietary version.
That doesn't take away the right to use the permissively licensed code of course.
> Morally wrong, legally not so much
Of course, but then, the legality of it is irrelevant.
Free markets work because consumers can exercise their freedom to choose, and in such instances it's easy, given that the reason for why many such projects see wide adoption is their FOSS nature.
> Free markets work because consumers can exercise their freedom to choose
That only works if the consumer is fully informed.
In the case of bait & switch sometimes the switch happens without them being informed and/or without giving them chance to cancel/uninstall/whatever.
Just a reminder: https://bitworking.org/news/2008/01/the-free-market-fairy/
What about this clause: "The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software"
It sounds like they went out of the way to remove that copyright notice. Am I misinterpreting that part?
Genuinely curious since this stuff affects me....
As the original Copyright holder, you can do that. It just doesn't make the old Apache licensed version disappear.
Only if they do hold all the copyrights. If they've removed the notices from other people's open-source contributions (and don't have a CLA or similar that permits them to do so) then that's copyright infringement.
I thought the MIT license was the original one?
It was Apache2, see this (preserved) fork.
https://github.com/Dramaga11/vsc-material-theme/blob/main/LI...
Changing the historical agreement is fraud.
If he edited the repo history to edit the licence that is.
it's a problem. As soon as it became easy to ask for money via Patreon or githib sponsorship, etc... tons of people are going to try to get some for minimal effort. It's just the nature of the beast.
Asking for money isn’t a problem. The problem is this person went out of their way to extract money by harassing people who rightfully use the open source Apache 2 version, switching the marketplace extension to a closed source version with obfuscated code (likely malicious according to MS), and possibly more, all this for doing a quite small amount of work. That’s after already raising $7.6k, apparently.
Making a theme is not minimal effort which is why 99.9999% of everyone uses preexisting themes rather than making their own.
LoC is a red herring. And the fact that thousands of people decided to introduce his LoC as a dependency in their local development environment makes the point.
I'm surprised to see supposed software engineers get this wrong. We tend to dismiss look&feel type things as low effort which is funny because very few of us could make a make a good theme if we tried, yet it's "just" a matter of picking colors.
Maintaining a theme ~a decade after its creation is minimal effort. You can check the commit history yourself and see it's a one line change once in a while among auto dependency bumps thanks to a >10k line package-lock.json, at least half of which is unrelated to core functionality as demonstrated by t3dotgg.
It's also funny to see a "supposed software engineer" shit on other's tools and post veiled personal attacks based on a single Internet comment. If I were you I'd probably insinuate you've never worked on any large code base so don't know LoC definitely correlates with complexity as a rough first signal (not to mention I included a rough analysis of actual code as well), but I shouldn't do that based on a single comment. Anyway I've maintained plenty of open source code bases large and small, popular (>10k stars, yes that's not a very good metric but it's also a useful first signal) or not, so I'm pretty well equipped to evaluate maintenance burden.
Yeah, pretty much. I am actually baffled. Heck, I am impressed he raised 7k for a theme.
Almost all of the work has already been done by other people for other text editors. Porting a theme requires copying files from another project and writing a tiny bit of glue around it. The author of a niche terminal emulator I'm using on small systems was able to add around a hundred themes this way in a short amount of time. Sadly, he wasn't able to raise $7.6k×100 for all that thankless work.
I think effort is irrelevant. Value is what we really look at when deciding what price to pay. It doesn't matter to most people if it took someone a 1000 hours to produce a loaf of bread. They're not going to pay 100x the price of the bread that took 10 hours to produce. Especially, if the products are mostly indistinguishable.
Partially in jest, but have you forgotten about the luxury market?
I think the luxury market proves my point. The perceived value of luxury items is much higher as reflected in the price paid. Although, the cost and effort to produce luxury items is roughly the same as a similar non luxury item.
hi, maintainer of the fork here
just did a pass and removed everything that was not necessary - it's even less code now lmao
Looks like the creator of the replacement is the tech YouTuber theo (https://m.youtube.com/@t3dotgg)
Just made that connection, I've been watching a lot of his content recently, it's excellent
Oh hey, that's me! Not surprised this guy went kind of insane tbh
What is it about material themes that does this to people? The same kind of thing happened to the IntelliJ one half a decade back.
At least that one wasn't literally just colours.
Just whatever that's popular and has a chance of monetization.
So the possibility of grabbing the golden ring.
[dead]
Can anyone help point out where in the repo the malicious part was? Can't find it.
Found the obfuscated code here https://web.archive.org/web/20250226020241/https://github.co...
So weird that this person took contributions from others then made it closed source. It doesn’t seem right, but not a copyright expert.
Speaking generally:
It’s assumed that your contribution will be licensed with the current license (generally). Maintainers can change the license but that wouldn’t affect prior contributions. Basically anything up to that license change would still have the original license. This is what makes forks possible when popular software changes their license.
In order to go back in history and change a license, you need either the consent of your contributors or a document that would grant you the power to do that. A CLA could (but not all CLAs will) grant a maintainer to change a license at will back in time.
Other famous software that has seen a license change: Redis and Terraform. In those cases the license changed but already released software is still available with the old license and that old license allows for forks.
My understanding is that permissive licenses (BSD,MIT) can generally be relicensed. For example you can fork a MIT project under GPL. But to do the same for a GPL project requires agreeement from all copyright owners, or just you if you made everyone sign a CLA. This is the whole point of GPL.
Your general understanding is wrong, as there's nothing in either BSD or MIT that allows for re-licensing, and nothing else gives you that right.
You can incorporate MIT/BSD code in a proprietary project, but that imported code itself remains BSD/MIT licensed. For many projects, this is a technicality, but no, you can't claim copyright on MIT/BSD code that isn't yours.
Technically your statement is incorrect. The MIT license allows dealing without restriction and sub-licensing, but the effect of re-licensing an MIT product as GPL would be a license with many unenforceable terms on the code that is MIT licensed.
> Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
Note the "deal in the Software without restriction" and "sublicense" permissions and the virality of the terms that require the permission notice must be included with all copies.
One problem with this however is if someone has removed the license from the software like what has happened here, then that software really has no license because the license doesn't specifically state that it applies to derivatives. The Apache 2.0 license is much clearer on that subject of derivative works.
>as there's nothing in either BSD or MIT that allows for re-licensing
But also nothing preventing you from doing it.
MIT can be relicensed, for sure.
No, it cannot. You can incorporate an MIT licensed work into a work that is licensed differently, but compatibly (not a real problem with MIT), but now you have three works that are under different licenses: the MIT part, the "other" part and the whole. The MIT part stays MIT. Someone can cherry-pick just that file (or file snippet) and use it under MIT, without caring about the license of the whole.
What happens when a file was previously under MIT, the license changes, and a new change is made? Do I need to look at the git blame to find which parts I can use as MIT?
You don't need blame necessarily, just git log. You look at the latest version under your preferred license. That's the one you take your snippets from.
Of course not. What makes you believe that?
The MIT license is not very long, and it contains this sentence:
> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
Which clearly state that you can't remove that license to put your own.
> What makes you believe that?
Probably the sublicense wording that many techies confuse with relicensing.
Also sloppy wording in discussions like HN where "relicense" is sometimes used as a shortcut for "combined with a compatibly-licensed work in a larger work that can be used under the whole-work license".
If you're the sole copyright owner, of course you can.
That is not the case with other licenses.
Was Material even his work in the first place?
Looks like it was, or at least the initial commit was. This was back in 2017.
https://github.com/material-theme/vsc-material-theme/commits...
I'm not sure why the initial commit already says "official", but that's almost a decade ago.
The initial commit was in 2015 and was MIT licensed for a couple of years before it was changed to Apache licensed. It's unclear if any of the other contributors gave permission for this change to happen.
https://github.com/material-theme/vsc-material-theme/commit/...
just like many open-source projects (primarily maintained by a company) turning their projects non-commercial, a la redhat, terraform
One of the things I love about the internet is learning how different people can be, I perceive it as different than me but I assume everyone has their quirks.
In this case, this is one of the most extreme instances of people installing lots of dependencies. The moment I realized something was different in me was left pad, I already felt that couldn't be me.
The log4j incident hit me different, it COULD have easily been me. A security vulnerability is like death or a terminal illness in my eyes. Successful companies that scale do so without incidents, If you are running a company and you have a vuln you are out of the race. So I tightened up a lot after that.
I realize something similar with sex I just can't fathom putting my whole life on the line just to have sex with somebody and then have nothing to show for it, no relationship, nothing.
And today we see this, people are really risking their companies, their reputation, their pride to have pretty colors on their IDE.
I used to fight it, try to convince people, of course I still keep the pride of being different and weary, but in the end, you will likely be fine, and I only hold a statistical advantage, both are valid strategies of going about life I guess.
A theme is fine - Google has been pushing Material for a while now, after all, so if you come from Google land the colours are familiar and preferred to you, same with themes like Solarized and whatnot.
That said, I do agree that dependency management and reliance is a Problem these days. left-pad was the camel that broke the proverbial camel's back for many people, and it made people realise how ridiculous dependencies in at least NodeJS land has become. It was already silly in Java land since the 2000s, but more from the layers of abstraction and overhead that frameworks like Spring add (which is ironic because Spring was originally conceived to be a lightweight alternative to J2EE, but that's a thread on its own).
I know the general community atmosphere in the Go ecosystem is adverse to adding dependencies and frameworks; it has a good standard library which was complete enough and which isn't yet fully bogged down by design by committee like Java and JS were (to their credit things are moving again), and its users are like "you know, plain Go is good enough", so they are much less likely to add frameworks or DSLs like assertion libraries.
I'd like to know if the same thing is happening in the Rust ecosystem, I've never ventured there before.
The same thing is happening in Rust. Try to compile any random app and it pulls dozens if not hundreds of dependencies.
It had not occurred to me that a VS Code Theme was a full blown extension, since I've never installed one. I wonder if a lot of people have a mental model of a VS Code theme as a collection of CSS files, which should be relatively safe (even including those that install them).
> The log4j incident hit me different, it COULD have easily been me.
That couldn't be me, because I don't use Java, PHP, Windows APIs, or `xdg-open`. The closest I come to Java-esque "include ALL THE BATTERIES" is the occasional Python script, but I won't use `http.server`. (Incidentally, I don't get very much done.)
> (Incidentally, I don't get very much done.) Lol, that's definitely part of the tradeoff of security in life.
> I don't use Java I didn't use Java either, but whatever I was using at the moment (Python) could have been anything, if I stayed in my other job or gotten a different one I could very well been using Java and been the one that installed the thing.
>Python script, but I won't use `http.server`. (Incidentally, I don't get very much done.)
Interesting, I use http.server or the Tcp socket server thing, but I consider myself to be in the extreme, there's still people that use Flask (and I do partake ocasionally) or things like Django, Spring, Next,etc... Same with binaries like Apache, Nginx.
I mean you gotta use something, and if you go too far on the deep end, you get the risk of introducing the vulnerabilities yourself, (in addition to the risk of getting nothing done as you mentioned). I know my limits I wouldn't implement cryptography for example.
I consider it safe to use ASGI / Uvicorn or (if you're careful about which extensions you install) Django. Python has fewer, less-prominent built-in footguns than Java, so even though it's less secure in principle, it's easier to write / audit for security in practice.
Not getting very much done isn't because I practice secure software development. It's easy to write secure software that works. I don't get much done because I try to find new ways to write secure software: experimentation and tool-building takes up a lot of my time, when I should really be writing hacks, documenting them, and moving on.
Never roll your own crypto, unless you understand systems programming on that platform/arch very well: modern systems have all the side-channels, and take great pains to subvert your attempts to mitigate them.
If you do a bit of a repo dive, the repo was initially MIT licensed from its initial commit for at least a couple of years before that license was replaced by Apache 2.0, so there's an argument to be made that that license also applies.
The Apache or MIT license would permit you to continue using it for all versions up to the last commit which used that license. Any later commits under a different license would not be Apache licensed and you would need to follow the new terms if using those newer versions. The new license doesn't prevent you from sharing forks of the older version which was Apache/MIT licensed.
Kinda, it's complicated. When someone other than the owner of the repo contributes code, they own the copyright to that code. When the author changes this repo's license like this they're redistributing the external contributor's copyrighted code. The permission to do so is granted by the Apache 2.0 license and is subject to the conditions of it. Without the permission to distribute the contributed code, the author is engaged in a violation of copyright law. Note the Apache terms:
> "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.
This covers not just the users, but also the "author" here who exercises the permissions granted below:
> 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.
> 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:
> (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and
So let's interpret that. Regardless of the whatever intent to re-license the code exists in the mind of the author, in order to distribute the code which was contributed by others, the only legal means to distribute this code must comply with the requirements of the license. Technically they could remove all code contributions which were contributed by others (I've done this in the past, it's a pain to do right), or seek permission from the others to add additional grants that are not included in the Apache license here (I've seen various projects do the post-facto CLA thing for this). But that has not happened here.
So (in my opinion) the github repo of the author is a currently infringing the copyright of all the other contributors. Any one of whom could enforce it or raise a DMCA take down notification on the repo.
So given that we're talking about material that is in breach of copyright, it's likely that being able to enforce a license on that as a consumer is not really a thing which is possible as the conditions on what must be included bind the person distributing the material not the person receiving it.
I'm quite happy that nowadays most tools have competently made themes out of the box, so that if someone wants to minimize risks from something like this and keep the extensions/addons they install to a minimum, that's pretty viable.
Of course, it's also nice that it's possible to theme the software to such a degree and improve usability and accessibility in some cases, just that the feature requests about limiting permissions need to be addressed.
I find it curious that themes can be a security risk at all. Clearly, they consist of more than just the colour codes and don't definitions one might assume. Maybe the theming system needs to be tightened.
While I appreciate he put in a lot of work (thank you for the theme) - Material Design is someone else's work as well..
He also seemed to put a lot of work into the license he wrote and updated many times.
Theo of internet drama fame interjecting himself into the middle of it as always.
This whole thing makes him look like a vulture. Just let the theme die or let someone make a better one from scratch.
The reason he forked it in the first place is, as he said himself, because he's famous.
Aha, he's way ahead of you: https://www.youtube.com/watch?v=3wz7YF2as-c
If the size of your paycheck depends on drama and making a surprised look in a YouTube thumbnail you would possibly insert yourself into the middle of things also
Could you elaborate? I have no idea who “Theo of internet drama fame” is.
Essentially an internet personality. While they sometimes make interesting points, mostly on X, Twitch, and YouTube, he often seems to interject himself into a lot of things needlessly. Before this Material thing, it was that Wordpress incident.
Another creator gone off the deep end apparently?
> reading the review responses by the creator, I don't really trust it anymore. Being rude to others who are concerned over the recent move to closed-source (and without warning!) is pretty disheartening.
> So, uh, the guy who made the VS Code Material Theme is threatening everyone who uses it in their products. He seems to have forgotten it was originally licensed under the Apache License, 2.0.. He wiped the commit history to make it look like it was always his weird fake license.
Real messy. It’s always shocking to me how little people realize - or care - how their behavior - especially their treatment of others reflects on them.
The old commit history can still be accessed here:
https://github.com/material-theme/vsc-material-theme/activit...
This doesn't capture all of it though. There's also a bunch more that you can access by looking at commits in the Pull Requests.
It does, you just needs to find the last one before force push and click “browse repository at this point” and it will slow the pre force push history
Feel free to check for yourself, but the commits where the repo is licensed as MIT are not reachable from that UI - only the commits where the repo is licensed as Apache 2.0 (and the later self- created license). The earliest available activity entry is from 2023, which bottoms out at an initial commit from 2017. The code base is actually older than that having been started in 2015.
The commits which have the real unadulterated history of the theme are available by taking the same actions on the PRs (browse repo), as they point at commits in other repos where that history has not been erased not the main repo where it has.
I suspect this probably indicates that the GitHub repo was recreated in 2023 with a modified version of the source with the Apache license and a history that was rewritten to not contain the commits where the license was MIT. This aligns with what people are saying about the historical perspective on this.
https://github.com/material-theme/vsc-material-theme/commit/... is the initial MIT licensed commit
It seems utterly absurd to me that anybody should be able to issue a copyright claim on a collection of colors and fonts. Copyrights are issued to logos and slogans, not design systems.
It seems utterly absurd to me we litigate the ownership of ideas or their expressions, but here we are.
The founder of Bikram Yoga, tried to copyright a sequence of yoga poses, even though similar sequences have existed for for thousands of years. Monster, the energy drink maker, went after business for using the word "monster" in totally unrelated contexts. Disney trademarked "Hakuna Matata" (a Swahili phrase roughly equivalent to "no worries") after using it in The Lion King, prohibiting African businesses from using a common idiom in their own damn language. Don't get me started on Happy Fucking Birthday.
If you think that sucks, check out T Mobile trademarking magenta https://www.npr.org/2019/11/25/782723429/t-mobiles-parent-te...
Cadbury and purple...
These colours are their trademarks but I believe they don't own the colour in all domains.. probably just food? If you wanted to make a car company logo that colour you'd be ok?
No, trademarks are issued to logos and slogans.
Yes, but many logos are also copyrightable.
Question bouncing around in my mind reading this, especially with money involved, is why did this not cross the line into criminal fraud?
Because noone has stated an injury and made a complaint about it. It's likely that there's some copyright infringement going on with the current state of the repo (due to lack of the author's adherence to the requirements of the license). That could be subject to a DMCA notice if any of the previous contributors decided to make one.
Conspiracy would be more appropriate, no? Thing is, when you conspire to attack a corporation, you have FBI agents bending over backwards for you and your precious profits. When you conspire to attack a bunch or normal people, you're lucky if anyone does anything at all.
So many people who are otherwise functional in society, for whatever reason just can't play well with others when it comes to online communication. This can be true for both software maintainers and users. People can't just leave their emotions at the door and file a bug report or respond to a help request, without including a little personal jab or passive aggressive snipe. Looking at some of those replies to users, it looks like this guy just couldn't keep himself from including those unnecessary little put downs.
> So many people who are otherwise functional in society, for whatever reason just can't play well with others when it comes to online communication.
So I run a small game that has a couple thousand active users, and part of that is allowing users to chat via written text. The amount of vitriol some users spew just amazes me. If they acted like that in person, I expect they would get punched in the mouth quite often. I also have a suspicion that some of these people are literally mentally ill, and online is basically where they live.
> I also have a suspicion that some of these people are literally mentally ill, and online is basically where they live.
Some of it may be because of this. However, I also think that the absence of risk of being mouth-punched contributes a lot. I feel like lots of people are deeply hateful, distrusting and angry in real life, and the risk of social and legal repercussions is the only thing that's keeping a lid on their disregard for others. I think that if this danger of consequences was removed, they would do unspeakable things.
> I also have a suspicion that some of these people are literally mentally ill, and online is basically where they live.
It's certainly reasonable to expect that there are at least some mentally ill people in any decent-sized community, but the Greater Internet Fuckwad Theory[0] suggests -- and I agree -- that there are many people who just turn into complete assholes when they are anonymous or semi-anonymous, and can hide behind their computer, tens or hundreds or thousands of miles away from the people they interact with.
I don't know the demographics of your game, but this is especially true of teenagers. (But not exclusively true.)
[0] https://www.penny-arcade.com/comic/2004/03/19/green-blackboa...
> I don't know the demographics of your game, but this is especially true of teenagers. (But not exclusively true.)
It's just a card game, and I expect that the average age is actually quite a bit older. Which is one of the reasons why I am quite surprised at the rhetoric used, because I would have thought that "adults" wouldn't behave that way. I was very wrong.
There's a fun little MMO-lite that reminds me of Escape Velocity[0]. Its chat system seems to filter and translate on the fly using some tiny ML models, and I think the guy behind it wrote everything himself.
The interesting thing about his implementation is that seeing e.g. Chinese being replaced in-line as it's translated feels way more amazing than knowing a translation has occurred in the background. He's hidden the time difference between paying for a service or running it yourself behind an animation.
[0] https://store.steampowered.com/app/1717290/Subspace_Discover...
It’s off topic but I don’t believe most people are functional in society. I think they are hiding their shitty behavior to themselves and to others, and their true self comes out once in a while.
They hide it mostly to their family, but other human beings are treated like NPCs.
For example I live in the south of France and people are literally crazy on the road but they still avoid accidents by some kind of miracle. These are people from all sex, color, and age. The good middle-aged white father becomes a fucking moron when his car is turned on. The young new mom who pretends to love her children is speeding on the road like an idiot.
Society accepts that or turns its head the other way not to look at it, but it’s definitely around us and I see it every time I go to work.
Some years back, I was driving to the town of Apt, in a hilly area of Provence. I was on a secondary road and going roughly the speed limit, maybe a little more. I was passed on a curvy section of road like I was standing still by a woman who was simultaneously smoking, talking on her phone and examining her face in the mirror. It was an amazing display of needless risk and even though I was alone, I started laughing.
> The young new mom who pretends to love her children is speeding on the road like an idiot.
If everyone is crazy on the road, it's best to reduce the exposure to the road. Speeding decreases time spent on the road. Speeding on the road is genius, not stupid.
Well, no, because speeding increases the energy of potential collisions, and also encourages others to speed. If you have to drive more than once, "speeding" isn't necessarily a dominant strategy.
Would that change if cars could go fast enough, say mach 3?
When driving, you want to keep your velocity relative to other cars as low as possible, while retaining your ability to avoid obstacles / not murder cyclists and pedestrians.
If cars could go at mach 3, then you'd want to avoid roads entirely: it's not feasible to avoid obstacles at that speed, and you certainly don't want to get hit by shockwaves or – worse – actual cars travelling at such relative velocities. So no, you would have worse problems in this hypothetical.
Yes, or relativistic velocities. I figured that harm due to the energy of the collision is limited by death, while time spent on road tends to zero, but your mention of shockwaves brings to mind that a sufficiently high-energy collision would also be a danger to otherwise uninvolved road users, or residents of nearby towns, so my first assumption was incorrect. (I leave aside the problem of maintaining control of a mach 3 road vehicle as an implementation detail.)
People say that the most part of communication is nonverbal. If that's true, written communication would be heavily impaired by the lacking of all the visual cues that we use to interpret someone's words. I tend to agree with them, but that's just my personal experience.
Written text is perfectly capable of communicating all that, as evidenced by zillions of poems, novels, essays, screenplays, etc.
No, I counter that the real problem is that some people are either incredibly bad at communicating their real intent, or incredibly good at communicating their inner asshole nature.
> People can't just leave their emotions at the door and file a bug report or respond to a help request, without including a little personal jab or passive aggressive snipe. Looking at some of those replies to users, it looks like this guy just couldn't keep himself from including those unnecessary little put downs.
My consideration on this is:
A lot of software that at least I write privately is rather a manifestation of some deeper values/opinions that I have. So in some sense the software is just the tip of an iceberg, a manifestation of something deeper. The software might isolatedly be independently useful for other people, but this is not is essence. Its essence is the deeper values/opinions that made the software to be created.
In this sense, it is rather the rational thing to expect that most discussions of the software are strongly intertwined with the values/opinions of the programmer, because these form the bottom of the iceberg of the software.
P.S. Just to be clear: I am not the kind of person who does personal jabs or passive aggressive snipes.
If we stick by what you say, the maintainer may be uninitiated by copycat culture. Forking is a form of it, but so is shameless copying. If a person perceives theft, then they may respond in all kinds of abhorrent ways. Of course, we onlookers will yell out that it’s not that big of a deal in this case, but we can do nothing about the individuals perception.
Is this the person’s first time having an idea of theirs taken (appropriately or inappropriately)? Their sense of right and wrong may be just fine (speaking of value systems), but their reaction is intense.
There’s either more to the story or baby just experienced a little bit of life, and it hurts.
Edit:
From the maintainers:
Today we found Sublime Text authors just stole the WHOLE repository publishing the theme again, under their name, by replacing ANY reference of original authors with their names.
We opened a pull-request to restore the original theme made by us with all the credits. Let's see if they accept it, or they want to keep the stolen repository.
As I suspected Watson, the persons perceives theft.
https://web.archive.org/web/20250226020241/https://github.co...
This appears to be the original source code, before the change to the license and suspicious code:
https://github.com/Dramaga11/vsc-material-theme
Why would a theme contain code in the first place. Shouldn't it just be made of static value containing color codes?
Why would any add-on have more authority than it needs? Oh right - because no currently popular language supports implementing that kind of resource/rights monitoring and control:
https://medium.com/agoric/pola-would-have-prevented-the-even...
An absolute failure of contemporary programming language design.
Software firms need to think harder about what kind of guarantees the languages they use can give them - which part of a project's code can access which (and how many) resources - access to other project components, filesystems, the network, and the amount of process memory and CPU time they are allowed to consume. The current default answer is usually "any place has authority to access everything else, and a simple infinite loop will use up all the system's resources"
I found the malicious javascript (messages.js) file and put it in a Pastebin for anyone to analyze https://pastebin.com/yY1X0LiD
obviously its obfuscated by the guy originally
This code is harmless. We may need a copy of the actual, shipped extension from vscode.
https://pastebin.com/T998ZstM
Here's a copy of it to download directly from MS...
I've seen literally nothing malicious in it so far.
!!! WARNING CLAIMED MALICIOUS PACKAGE !!!
https://marketplace.visualstudio.com/_apis/public/gallery/pu...
Isn't it about release-notes.js? There are quite a few files in there that are obfuscated. So far I haven't found anything super bad, it looks like a sanity.io client of some sorts, but there could be some stuff hidden in there as it's seems like quite a big JS bundle.
Nobody is gonna pay for a VSCode theme.
That's untrue. I've created https://monokai.pro, to my knowledge the first commercial theme. It's been going strong for years now.
People are willing to pay for nice things. Especially if it takes longer to create it yourself.
A theme is more than a list of colors. Monokai Pro contains custom designed icons and color filters too, and some code logic to sync it all up. It needs continued updates, as editors keep evolving with new UX/UI elements.
I paid happily for monokai pro vscode since it was a one time payment. However I will not purchase a subscription for jetbrains intellij because per year it'll cost me the same amount as the intellij idea ultimate and that just doesn't seem like a fair price.
You get a perpetual licence after one year of payments.
Happy Monokai customer here! I want to make themes using my own palette but nothing supports OKLCH and I don't wanna convert to HEX.
I haven't noticed any difference after tailwind started using oklch, doubt there's any.
The question isn't whether you noticed a difference, but whether your aunt notices a difference on her 7 year old Chromebook
oklch should be an incredibly minor to unmeasurable performance hit, even on a 7 year old chromebook. Nor should it affect the displayed output. It's just a better color picker syntax.
7 year old chromebooks don't support olkch.
Not true, Chromebooks receive 8-10 years of updates. Meaning a 7 year old Chromebook runs the latest Chrome with oklch.
I meant making themes for apps like Sublime Text, Zed, &c.
I love spectrum been using it for maybe 7 years now
People pay for mere color schemes. https://draculatheme.com/
I paid for Dracula back when I could stare at dark mode for hours. Now I use Monokai Pro Light (paid for this too).
Free themes are a dime a dozen.
Paid themes means someone's incentivized to keep working on it and adding icons, &c.
No, paid themes are just passive income for their creators, since they get free advertising from IDE marketplaces and it costs them nothing to run. You can google free vscode theme and get hundreds of literally the same thing.
> and it costs them nothing to run
Assuming that the editor never removes/adds/changes anything then yeah, it's basically free. But since most editors are somewhat of a moving target, it does take a bit of maintenance to make sure everything continues to look right as things update.
The worst part with maintaining a theme/colorscheme is that you can't really rely on automated testing to catch most of the issues, unless you start doing snapshot testing comparing PNGs or similar, and is the biggest time-sink when a new editor version been released.
Over $390k in sales! https://draculatheme.com/open
[dead]
That seems like a special case since you’re buying into a consistent theme across different apps. If it was just vscode that would be a tough sell.
he's even selling a book lmao
And shirts, hoodies, hats, etc. Wild. :D
I am more curious as to why one would buy the theme and related merch.
People used to pay for ringtones. People pay for all sorts of things that might seem weird to you because people have different tastes.
Heck, iPhone users AFAIK still can't just put their own .wav as a ringtone and need to pay Apple to use songs/sounds as ringtone.
No you don't. You've always been able to take an M4A file (MP4 AAC), rename the extension to be M4R and copy it to your iTunes library.
You can even prepare ringtones on your phone with the iOS version of GarageBand.
https://support.apple.com/en-us/120692
I don’t remmener the exact steps, but it was fairly easy. You just need a mac (which you can borrow) and an audio editor. But that’s been a few years as I’ve been using the same one for a while now.
> You just need a mac (which you can borrow)
Yeah, so only-iPhone users are out of luck since the majority of people don't have a Mac. Last time I used Android you needed the file and the phone itself, you select the audio file and you're done.
You can do it on your phone with GarageBand. Take any audio file, clip it to the desired portion, export as ringtone.
https://support.apple.com/en-us/120692
Maybe you can use iTunes on Windows? I haven't use the latter in a long time, but IIRC, it was just adding the file and syncing it to the iPhone.
I could see the case for paying for a theme that provides its own icons and works across multiple tools and goes out of its way to support tools that I use. If anyone makes skins for Segger Ozone, I've never heard of them.
I'm comfortable working without any syntax highlighting at all. It's not that I go to the effort of turning it off, I just don't really care that it's there. I used to use Sam as my daily editor - got used to plain black text pretty quick. It's all a matter of preference.
I'd pay off the cuff money ($5) if it wasn't paywalled. "Donationware" if you will. I do this with other apps/resources/things including a nice pixel font I like using in images.
I suck at colors and want nice themes. I'm glad people better at this than me take time to make nice things.
But, I don't want to ever manage licenses for my theme. My dotfiles need to fetch it automatically or it's out.
Are these the same developers? https://plugins.jetbrains.com/plugin/8006-material-theme-ui
I am wondering this too!
EDIT: Did some research and looks like it is different code by different developers, so we should be good.
Thanks for digging in.
This HN submission now links to a 404 on github.
Is the original source code still uploaded somewhere?
I think the guy simply renamed and moved everything here? https://github.com/Fanny-Theme/fanny-theme-support
https://archive.is/SFH7m
The day {n,}vim take away my color schemes, I die. Convenience until it isn't, eh?
Yeah well, MSFT - the behemoth among evilish corporations, invests vast sums into developing a sophisticated tool with extensive features - more than their combined philanthropic initiatives - and offers it freely to just about anyone. This generosity doesn't seem questionable at all, eh?
I mean, when I use Vim and Emacs, the benefits clearly flow to users and the developer community. Back when I paid for the IntelliJ license - I knew exactly how their revenue model worked. Yet whenever I download and use VSCode, I don't really know what's Microsoft's grand plan here, does anyone else do?
Community goodwill is valuable. It's what gets someone to start to think, "this is pretty good, maybe I should try that Azure thing..."
Same reason Xcode is free.
Microsoft <3 Open Source /s
Maybe there should be pool fund. Say you contribute $20 a year to it, and it gets distributed to all extensions you have monthly
https://archive.is/SFH7m
Discussion has been deleted.
Edit: the whole repo has been put to private.
He rename it: https://github.com/Fanny-Theme/fanny-theme-support
from a quick deobfuscation of some of the code, i can't see anything wrong with it? i think this is just a case of obfuscated code being against the VS Code guidelines. the guy clearly wanted people to buy his pro version so maybe that's why he obfuscated all the code in the extension
I got a message today saying the theme has malicious content and it was removed from my VS Code.
In VS Code linux is very annoying the message that appears as a notification "We have uninstalled..." I try to remove the extension and after a few seconds it appears again and again. I think I have to use another IDE for today, fix this guys. PLS
It might be Settings Sync trying to restore it?
the "we took this down for security" is such a tempting _acceptable_ form of censorship.
My bank does this for my suspicious transactions, with a near %100 false positive rate.
You're saying your bank is censoring something you do when it flags a transaction? For me it's just flagging big purchases I don't normally make.
Seems common sense and usually remedied by a text to a bot.
Noo.. please bring it back.
it is very annoying the message that appears in VS Code linux, "We have uninstalled 'equinusocio..." please guys fix this. I have tried to uninstall the extension but magically it appears again, for today I have to use another IDE because of how annoying it is...
I did the following (it might help you too): 1. Close VS Code 2. Go to `C:\Users\USER\.vscode\extensions` 3. Delete the folder with that extension 4. Open extensions.json, find and delete the block related to that extension, then save the file 5. That’s it
Can confirm this works :)
how to remove that pop up which keeps coming?
original link here is now broken
“Can’t wait to see the Netflix documentary about this”
Looks like he's responded to it here. Delusional maniac? (Also, don't download and install that file he links)
https://github.com/material-theme/vsc-material-theme/discuss...
I downloaded it to take a look, all the js is obfuscated via https://github.com/javascript-obfuscator/javascript-obfuscat...
Is there any archive to that discussion? It's now deleted and couldn't find it on archive.is
anybody knows how to remove that pop up?
Rip.
[dead]
[dead]
@dang can you please update the link to the archive link
Usually it's better to put an archive link in the comments, not at the top, so the original domain isn't obscured. I've pinned the archive link to the top now (and detached this subthread from https://news.ycombinator.com/item?id=43181471).
(As throw16180339 said, please email hn@ycombinator.com with these things - that's the only way to be (mostly) sure I'll see it.)
HN doesn't have callouts. If you want dang to see your comment, email hn@ycombinator.com.
[dead]
[flagged]
git is a blockchain
No it’s not. A blockchain is a Merkle tree whose canonical “master branch” is agreed upon by everyone and difficult or impossible to change (e.g. due to PoW or a similar mechanism).
A git repository is just a Merkle tree.
A Git repository is a Merkle tree whose canonical “master branch” is agreed upon by everyone and difficult or impossible to change (because people want to collaborate on a project). If you try to rewrite history and people don’t agree with you, they would just fork the project and get on with their day.
a similar mechanism, like... a consensus mechanism? public key cryptography? some kind of content-based addressing? social convention and agreement on which fork to use?
is it easy for you to go edit historical commits in the linux repo?
Let me clarify: a global blockchain.
100s of people disrupted because Microsoft remotely changed the colours in their editor? Come on, people, you need to own your own tools.
What even is this comment? The extension has been deemed to have malicious code in it so it's been pulled. It's been remotely removed from users who have signed in to Code and I'm thankful for that. Should I be furious?
> 100s
Source?
> disrupted
Source?
Oh no... anyways. I use dark high contrast... guaranteed to work on any IDE (and) you don't get this.
It appears Microsoft released their 'detailed announcement' - it's just a one-sentence fragment in a Markdown file: https://github.com/microsoft/vsmarketplace/blob/main/Removed...
I'm increasingly suspecting there was nothing actually wrong with the extension, and Theo and others may have simply demolished an open-source developer's reputation primarily because they found him difficult to collaborate with.
This is nuts.