Comment by chris_money202

16 hours ago

Unfortunately, if it was from a compromised extension, this is going to be more justification for creating closed environments like what Google is doing with Android and Apple has already done with iPhone.

Why not simply have both? This does not have to be an either-or decision. Have a default repository with vetted extensions, but leave the option to install from other sources open.

  • Enterprise will always choose the less risky option, so if there is either-or, it's vetted extensions only.

    For consumer it's kind of already like this in a way, there are "verified" extension providers.

    Overall, I think this is just going to lead to a lot more scrutiny. I'm sure one of the first things asked when this was discovered was how can it be prevented, and I'm sure one of the first answers was get VS Code to lock down extensions. Enterprises love the easy answers.