Comment by as-cii
2 years ago
Hey, Antonio here. Co-founder at Zed.
Sorry that we haven't replied to that GitHub issue yet. We try our best to listen to the community (here, on GitHub, on Discord, ...), but we're a small team and, admittedly, it's tricky to keep up with everything.
I agree that we should ask users for consent before downloading language servers (and other executables).
For everybody who's come across the ticket here or on Reddit and hasn't worked with the Zed codebase yet, let me provide some context on how language support is implemented.
In Zed, we have three ways of supporting a language (and its language servers):
1. Extensions that users can install from the `zed-extensions` repository [0]
2. Pre-bundled extensions that ship with the Zed binary, but still need to be installed [1]
3. Built-in language support [2].
For (2) and (3), the code is owned by the Zed team and we make a conscious effort to review contributions from the community in that area.
That code can automatically download language servers, but we try to vet which exact scripts/binaries are downloaded from where. For example: we heavily use rust-analyzer ourselves and keep up to date with its releases, the Go language server `gopls` is downloaded from the Go team using the official `go` tooling, the ESLint language server comes from Microsoft, etc.
For the longest time, we only had built-in language support (3). A couple of months ago, we shipped extensions for Zed (point 1 and 2 above, parts of it described in [3]). The goal was for built-in language support (3) to gradually move to pre-bundled extensions (2) so that users had the ability to choose which ones to install. We did make some progress, but we haven't ported all languages yet.
We're a small team and can only do so many things at once. So after investing quite a bit of time into extensions, we chose to pause that work and invest into other areas for a while (porting Zed to Linux, for example). Once those areas are in a better state, we plan to come back to extensions, build them out some more, and port the remaining languages.
So, TL;DR: we hear you loud and clear. We try to vet things that are currently installed automatically. But we agree that we should ask users whether they want to install arbitrary binaries on their computer. We also plan to transition all language support to manually-installed extensions once we finish other projects.
[0]: https://github.com/zed-industries/extensions
[1]: https://github.com/zed-industries/zed/tree/main/extensions
[2]: https://github.com/zed-industries/zed/tree/main/crates/langu...
Thanks for this response. Zed is awesome, haven't been able to switch to it full-time due to [1] https://github.com/zed-industries/zed/issues/5065, but do appreciate what's being built.
It's a new product, which is clearly seeing quick changes every week, so hopeful you'll get to this one soon. The internet will always be extreme around any issue, and make it seem like the end of the world. To those folks: maybe try Zed again later? It's still a good editor to keep in mind.
Although one minor thing about this, getting users accustomed to this flow and then later asking for consent might also raise issues, like this one, just with a more "Zed now prompting for every little thing" in future. So might want to keep that in mind.
Loving Zed for Go development (especially with a decent suite of Vim bindings), just haven't been able to use things like Flutter, due to lack of debug support, which VSCode does quite well (albeit crashes a bunch).
I think some middle ground might be including an extension lock file that gets committed to the repo. For internal projects, users will get auto-configured by trusting the other internal users that set up the repo.
For external projects, users need to trust the project they're pulling down anyway since it's arbitrary code.
That would also help mitigate the risk of supply chain attacks (since versions are pinned and ideally verify package integrity).
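The lock-file idea from the comment above, sketched as an added example (not part of the thread and not Zed's code). The JSON layout, the `servers` key and the `example-ls` name are assumptions, and constructed byte strings stand in for downloaded language-server binaries.

```python
import hashlib
import hmac
import json

# Hypothetical lock-file format (not Zed's): one pinned entry per language server.
def make_lock(entries):
    """Build lock-file JSON from {name: (version, artifact_bytes)}."""
    return json.dumps({
        "servers": {
            name: {"version": ver, "sha256": hashlib.sha256(blob).hexdigest()}
            for name, (ver, blob) in entries.items()
        }
    }, indent=2, sort_keys=True)

def check_download(lock_text, name, version, blob):
    """Return (allowed, reason) for a downloaded artifact, before it is executed."""
    servers = json.loads(lock_text).get("servers", {})
    pin = servers.get(name)
    if pin is None:
        return False, "not-pinned"        # unknown tool: fall back to asking the user
    if pin["version"] != version:
        return False, "version-mismatch"  # upstream moved: lock must be updated in review
    digest = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(digest, pin["sha256"]):
        return False, "hash-mismatch"     # same version, different bytes: refuse to run
    return True, "ok"

# Constructed sample data: byte strings stand in for real server binaries.
GOOD = b"constructed-language-server-build-1.2.3"
LOCK = make_lock({"example-ls": ("1.2.3", GOOD)})

def demo():
    """Exercise the accepted case and each of the three refusal cases."""
    return [
        check_download(LOCK, "example-ls", "1.2.3", GOOD),
        check_download(LOCK, "example-ls", "1.2.3", GOOD + b"\x00tampered"),
        check_download(LOCK, "example-ls", "1.2.4", GOOD),
        check_download(LOCK, "other-ls", "0.1.0", b"anything"),
    ]

if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

Because the lock file is committed, a changed version or hash shows up as a reviewable diff in the repository rather than as a silent download.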
Hi Antonio, thanks for Zed, love it.
If I may offer a small piece of feedback based on your comment here:
Apart from its speed, the single thing I loved about Zed, and that made it stand out from the likes of vscode, was the built-in language support.
This made for a great first time experience where I didn't have to search and download anything and everything was working out of the box.
In fact, it was so good an experience that when I had to download another thing for terraform support, it struck me as much more annoying than usual.
Reading that your plan is to move in the exact opposite direction is disappointing and, I'm sorry to say, I hope it doesn't come to pass.
I've seen this guy on the Zed YouTube channel, and yeah, dude loves to talk for hours without saying anything useful.
This answer makes things even worse. "We are a small team so it's ok for us to expose your pc to risks".
If you don't have the bandwidth to do things securely, don't do them at all. You are asking the devs to wait until you have time to return to it to plug the holes you have opened because you needed a bullet point for your release.
And this is not just a lack of time, it's your attitude in regard to the devs; see also the opt-out telemetry for another example of total lack of respect for privacy.