Comment by zokier

2 years ago

[flagged]

The language used to report the issue is very reasonable. Maybe it's cultural, but the fake version you're suggesting is something I'd find insulting, in addition to upsetting me because it's wasting my time. I prefer it if they get to the point.

> And people wonder why foss devs burn out.

These are full-time devs, working for an investor-backed company that plans to make money off the editor. The FOSS part allows them to profit off the work of volunteers.

Zed is OSS but not free. There's a company behind it, not volunteers. They are doing quite some marketing lately. I don't see anything wrong with calling the current issue "completely unacceptable". Forced opt-in is what happens if the language is not offensive.

I agree with you, it's a standalone package. It can be assumed to have some setup permissions. Also it's far better than packaging the remote code with the installer or binary.

The same people who will complain about this don't really understand how package managers work either. Take npm as an example: you manually install one package. You do not consent explicitly to have all of its dependencies added also.

This sounds like typical Reddit behaviour.

As you said, a better approach would have been to ask the maintainers to mention it in the readme. No drama required.

  • I don't use NPM, but that means NPM's behavior isn't that great and maybe shouldn't be an example for others to follow.

    Linux package managers with which I'm familiar will absolutely prompt you with the list of dependencies they'll install when you ask for some package and give you the possibility of bailing out.

    • From the report on Github it seems like Zed will also download LSP for other languages without prompting, so it is initially an issue with Zed, but enhanced by the fact that NPM is misused. It should be noted that other package managers can also run post install scripts.

      That being said, I also don't use NPM and actively discard any software that requires me to run an NPM command. It's somewhat funny to me that people are complaining that Python has a package management problem, while we at the same time have NPM, which basically took the ideas from Python and said "What if we made this worse?".

      The worst NPM misuse, from my perspective, is people viewing NPM as a platform-agnostic package manager. I can understand not wanting to build .deb, .rpm and Brew packages, but that doesn't mean that just plunking a pre-built binary into NPM is a good choice.

    • I don't think NPM is a model for anyone to follow to be honest, my gripe is just the hill to die on isn't Zed for this issue.

Maybe make a CVE out of it, since it is an obvious exploit path: running unchecked, automatically downloaded binaries without user interference.

  • I don't know if this is sarcastic but doesn't a CVE require an actual proof of attack and not just hypothetical?

    • It was sarcastic but on point, and many CVEs do not have PoC exploits, so at best it is murky.

> Instead they go on calling it "completely unacceptable" repeatedly, using language that implies that the devs have caused grave offense.

Downloading and executing untrusted code is a security vulnerability. If a library does so accidentally, avoiding such an accident should be the primary focus of the report. If a library does so intentionally due to an accidental error in design of a feature, then the report can focus on how to provide the same functionality without introducing a security vulnerability.

This is neither of those cases. This is a feature whose core functionality, automatic download and execution of arbitrary code, cannot be introduced without causing a security vulnerability. This trade-off, in which marginal functionality is introduced by sacrificing any and all security, was a decision made at some point.

> but would it have killed the person reporting it to have formulated it something like "I appreciate the convenience of automatic downloads but I'd prefer to be able to opt-out because of [...]".

This phrasing is not equivalent. Stating "I appreciate the convenience of automatic downloads" does not seem accurate at all. Nowhere does the convenience show up as something that the reporter appreciates. Stating "I'd prefer to be able to opt-out" implies that an opt-out is sufficient. Avoiding a security vulnerability based on a per-user opt-out is something that should only be done for a hotfix until a better solution can be implemented.

I could see the report being updated with a minimum list of design changes that would be necessary for the feature to be implemented in a safe manner: "While locating and recommending a package to be downloaded is convenient, the download must only be performed when the user explicitly approves it, with the user informed of the recommended package, its version and checksum, and the download URL prior to any download. Anything less than that is a security vulnerability." However, I don't fault the report for not doing so, as a reporter may not be familiar with a project's design roadmap. Describing an existing feature's design as "completely unacceptable" is sufficient.
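The design the comment above sketches (show the user the package, version, checksum and URL; download only on explicit approval; verify before anything runs) as an added example, not code from Zed or from the commenter. The package name, URL and payload are constructed placeholders; the approval and fetch callbacks stand in for a real prompt and HTTP client.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Recommendation:
    """What the user must see before any bytes are fetched."""
    name: str
    version: str
    url: str
    sha256: str  # hex digest published alongside the recommendation


class DownloadRefused(Exception):
    pass


class ChecksumMismatch(Exception):
    pass


def describe(rec: Recommendation) -> str:
    # Everything needed for an informed decision is shown up front.
    return (f"Recommended package: {rec.name} {rec.version}\n"
            f"  URL:    {rec.url}\n"
            f"  SHA256: {rec.sha256}")


def fetch_with_consent(rec: Recommendation,
                       approve: Callable[[str], bool],
                       fetch: Callable[[str], bytes]) -> bytes:
    """Download only after explicit approval; verify before returning bytes."""
    if not approve(describe(rec)):
        raise DownloadRefused(f"user declined {rec.name} {rec.version}")
    data = fetch(rec.url)
    actual = hashlib.sha256(data).hexdigest()
    if actual != rec.sha256:
        # Unverified bytes are never handed to the caller for execution.
        raise ChecksumMismatch(f"expected {rec.sha256}, got {actual}")
    return data


# Constructed sample: a fake "language server" payload and its genuine digest.
SAMPLE_PAYLOAD = b"#!/bin/sh\necho constructed-sample-language-server\n"
SAMPLE_REC = Recommendation(
    name="example-language-server",  # hypothetical package name
    version="1.2.3",
    url="https://example.invalid/example-language-server-1.2.3.tgz",  # placeholder
    sha256=hashlib.sha256(SAMPLE_PAYLOAD).hexdigest(),
)


def fake_fetch(url: str) -> bytes:
    return SAMPLE_PAYLOAD


def fake_fetch_tampered(url: str) -> bytes:
    # Simulates a modified artifact served from the same URL.
    return SAMPLE_PAYLOAD + b"echo tampered\n"
```

Without the approval step the checksum alone would still let a maliciously published version through, since the attacker controls both; the point of the prompt is that the user sees which package and version they are agreeing to before it exists on disk.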

And everything is now a "cyber security flaw" or exploit. I don't know why but it seems like there's been a recent crop of less technical people that know just enough to throw around cybersec buzzwords that are completely meaningless in context. Like I've seen people call this an exploit or a code execution vuln (on other platforms). Like what the hell.

I really wish these "torch and pitchfork" posts were declared off-topic. A discussion on what/when to auto-download and how would be useful, but comments on these kind of submissions are almost always just ranting/complaining about how bad $x is, what idiots people are, and things like this.

> And people wonder why foss devs burn out.

I have slowly become convinced that the open source community has been infiltrated by trolls from, eh, I don't know – something or someone that doesn't like open source. I have no direct evidence for this, but it does seem to align with observed facts.

A few days ago someone posted some hobby project they worked on, and of course one of the replies was some unhinged rant about how the chosen $language wasn't any good and how they would "rather kill myself" than use that language... Okay... I don't think any normal person can get that triggered by someone's hobby project, hence my conclusion: infiltration by trolls.