microsoft/vscode

Source code installation downloads and runs binary code without permission

helgihg opened this issue · 6 comments

I noticed that during the installation, "ffmpeg" and "electron" are downloaded in binary form during the source code installation process. The user should at least be made aware of this and given the option of backing out.

What do you mean by source code installation? There is no such thing.

Downloading ffmpeg and electron are part of the development process of Code. They are necessary components of VS Code.

See, this is why Microsoft's code cannot be trusted, even when it's open-source.

@joaomoreno I simply cannot believe that you are in any way confused over what I mean by "source code installation". I'm obviously talking about building the project from source. Were you honestly confused about this? Really?

The issue also does not regard whether these components are necessary or not. I'm sure they are important and implied nothing to the contrary.

I was pointing out that when a user like myself, who has chosen to use only open source software, builds your project, then your project downloads binary code, without notifying the user. That's the problem. Just notify the user, so that those of us who actually believe in open source software can use our computers the way we like, and those of you who don't really care can use it the way you like. Everyone wins.

There is no installation happening when you run ./scripts/code.sh. We download all dependencies which we don't inline in the repository; they are placed within the repository. There is no opting out. Code can't run without them.

We don't need to notify the user at this point in time. This is what third party notices, license files and miscellaneous legal paraphernalia are for. You'll find all of that in this repository.

You're not listening. The user should be warned, so that they can opt out of the process entirely. There should be a warning to the user that the code that he/she is about to run is not compiled from source but downloaded in binary form.

But whatever. You just stay doing your Microsoft thing and I'll just keep staying the heck away from it.

@helgihg I am listening and you're being rude.

If you are downloading our sources and attempting to compile and build VS Code, you are not a user; you're a developer, just like me. Go around a few other open source projects and try to get their sources and compile them; they will also download binaries in order to do so. They won't notify you of this, since it's part of the development process, not of any user flow. Google Chrome and Atom are good examples. Are Google and GitHub "doing the Microsoft thing"? Can't they be trusted, just like Microsoft, even when it's open-source?

No, you're not listening and no, I'm not being rude. I've been trying to explain to you something that you constantly brush to the side as if you don't understand, which is in fact rude, although painfully common in IT. It's perfectly okay to disagree, but you started this conversation by pretending to not understand what I meant by "open source installation" and you've been sidestepping the conversation ever since.

And given that the information you've provided on Chrome and Atom is correct, then no, obviously they cannot either be trusted by those of us who don't just blindly trust random binaries from wherever. The main reason that most serious open source software users use open source software in the first place is precisely that they don't trust random binaries downloaded from wherever.

All that's needed is to warn the user, tell them "Hey, I'm about to download some binaries to build this awesome thing. Cool? (y/n)".

But I can see that you simply don't care, and that's totally your right. Microsoft has no obligation toward me. I was actually trying to help make the software better for all of us by pointing out something that could easily be better, but seeing your reaction, I'll simply not consider running anything from Microsoft on my computer in the future. It's fine by me and clearly it's fine by you. Life goes on.

That said, I hope that this exchange won't negatively impact your day. Even though we clearly disagree on this point and it seems we'll continue to disagree and I'll continue to distrust Microsoft, you're probably doing lots of awesome things for lots of other people. Participation in open source development is fundamentally honorable whether you get paid for it or not. There was a time when essentially nothing from Microsoft was open source and you're helping to change that, and I deeply respect that, despite our disagreement. Have a good day and take care.