Comment by echoangle

4 hours ago

https://code.visualstudio.com/docs/editing/workspaces/worksp...

It is very clear, the first sentence is that it may automatically execute code.

> Code provides features that may automatically execute files...

What features? What files? "may"? So will it actually happen or is it just "well it possibly could"?

I've used it to open folders that I personally made and which don't have any tasks or files that get automatically executed, and yet the message pops up anyway.

It's like having an antivirus program that unconditionally flags every file as "this file may contain a virus"

  • > What features? What files? "may"? So will it actually happen or is it just "well it possibly could"?

    How is code supposed to know? It probably depends on the plugins you installed.

    > It's like having an antivirus program that unconditionally flags every file as "this file may contain a virus"

    No, it’s like if your OS asks if you want to actually run the program you’re about to before running it the first time. And it gives you the alternative to run it in a sandbox (which is equivalent to what happens when you don’t trust the workspace, then it still opens but in restricted mode)

  • Yeah, because there are a lot of mechanisms by which a folder may start to execute code when you open it outside of restricted mode. A large fraction of addons have something which could be used for this, for example. There isn't a general check that it can apply ahead of time for this.

    (They could, with some breaking changes, maybe try to enforce a permissions system for the matrix of addons and folders, where it would ask for permission when an addon does actually try to run something, but this would result in a lot of permission requests for most repos)

Thing is, when you open a webpage it's clear that it may automatically execute code (Javascript, WebAssembly). What needs to be clear (and by default limited) is the authority of that code.