
Comment by theultdev

2 years ago

I don't really see the big deal here. Who wants to approve and configure all of their language servers?

If you open a file for that language, is there ever a time you would deny the download?

I just don't want a huge amount of popups like VSCode.

Also, the binaries are downloaded from their release on github. As long as that is secure I don't see a problem.

> I don't really see the big deal here

Here's an idea: someone sends a dev at some company, or even a freelancer, some code. The code references a module with a malicious npm package (say, with a postinstall script). The dev opens it in Zed.

Now my untrusted code is running on your machine, probably without your knowledge.

  • > someone sends a dev at some company, or even a freelancer, some code

    The code itself could be malicious and have backdoors. Really you shouldn't run anything untrusted outside a sandbox or some other form of isolation

  • Why the hell does npm support a postinstall script? There really shouldn't be a need to run arbitrary code provided by the package for something like this.

    • The package itself is arbitrary code. You're running arbitrary code either way, whether it's preinstall, install, postinstall, or when the package code gets run.

      It's common to need to set up toolchains for code that gets compiled (i.e. a node module that adds language bindings to a C library).

  • How is that any different from the VS Code extensions that have one star and are just copies of other extensions… waiting to get high stars and then switch-a-roo? Same goes for browser extensions.

    Unless you’re auditing everything while taking Trusting Trust into account, you’re drawing the line somewhere saying “ok I can’t be bothered past this point verifying”.

    … everyone has a line somewhere on the trust-but-verify spectrum

    • > … everyone has a line somewhere on the trust-but-verify spectrum

      Sure, and by making the automatic downloads optional, users are given the choice of where they want to draw that line.

> I don't really see the big deal here. Who wants to approve and configure all of their language servers?

everyone

> If you open a file for that language, is there ever a time you would deny the download?

every time

default should be offline imo. want to download something? do it manually and place it in a folder, etc.

  • > everyone

    Are you really so self-centered that you can't imagine anyone doesn't care?

    I'll raise my hand and say I personally am happy to trust Zed and am fine with auto-installing whatever binaries they propose.

    I do think it's reasonable to have an option for people with different security postures, but don't assume you speak for everyone.

  • Just migrated from Vim to NeoVim. Downloading and configuring all the various LSPs has genuinely been one of the most frustrating aspects.

    • Then you'd click "yes and never ask me again" if a prompt about whether you want to download a random binary showed up. But a lot of people wouldn't want to click that and would either click "no and never ask me again" or vet each case one by one.

    • With Vim + ALE this is dead easy: Install LSP servers via your OS package manager, and ALE will find them in $PATH and use them.

      If you want to use NeoVim, then LSP-zero + Mason was also a decent experience last I tried.

  • a classic HN comment! "everyone is just like me"

    absolutely incorrect, i loved that it does it for me and do not care even in the slightest and in fact this is 1000x preferable to vscode asking me.

    what on earth made you think this was a reasonable reply.

Yes, whenever I’m reading untrusted code, I don’t want to be using a language server - most of them execute arbitrary code, and I do not want that.

  • That’s a completely separate concern, it’s not like a new language server is downloaded for each file you open. I don’t know if Zed has a “safe mode” like some other editors, if it doesn’t you should ask for that instead. Unless of course you never open untrusted files in a language you’re familiar with, which would make you extremely peculiar.

  • Open it in something else then.

    If you use Zed you must have known the language server was running when you tried it, how did you think that was happening?

    • This kind of article or reddit post and discussion is how you know, at least for some people.

      Anyway, you asked who would care. Now the topic has moved to "what to do about it", which is hardly an issue. Of course people who think Zed has a problem will not use it. That does not make it a non-problem.


What if one language server adds a function to use your code for AI training? Are you okay with that as long as it came as a GitHub binary?

And these modern editors introduce another issue with their modularized design. For each supported language, VS Code installs tons of other crap besides the language server itself. And the language server alone has a quite long list of dependencies.

https://github.com/golang/vscode-go/blob/master/extension/go...

GitHub release builds provide no guarantee whatsoever of having been built by GitHub from the corresponding source, if I remember correctly.

I usually don't use language servers at all. AI auto complete does the same for me faster... So yes, I would like to not download any of them.

  • IntelliJ now comes by default with a local-only AI auto-completer. I noticed that almost always, it "knows" the autocompletion better than the older intellisense.

    However, sometimes (very often) you need to explore the API and just check every available method and check their docs to find which one is appropriate to use.

    So, even though I can see AI replacing a lot of auto-completions, it just can't replace it completely.

    • Guess it depends upon what you do.

      I mostly make CRUD endpoints, so I can remember most of what I need. And for the times when I can't, I prefer to view the API docs in a browser.

> Who wants to approve and configure all of their language servers?

I think you're asking the wrong question. The correct one would be: "who wants to be asked if they want to approve and configure all of their language servers?"

It's not what Zed does, it's that it's doing it behind your back!

It's okay for a browser to download and use anything from any site, maybe, with mature cross origin policies and billions in security work, but the fact it's done without saying anything is just a bug that can be fixed. Fixing clarity is the real win.

What's really funny is it was found because it was crashing and the user was running another libc. If they're really concerned about 14MB of download, they should add a firewall or something, but they saw it crashing. Finally, all these versions of everything sitting around, Node.js, glibc, etc., very UNIX, a recipe for small breakages. Though I guess that's just the problem we deal with.