• Štěpán@lemmy.cafe · 21 hours ago

    it makes sense to me. remove as much friction from the publishing process as possible, so you get a huge amount of packages. this incident just shows they removed a little too much.

    there are so many niche packages on the aur useful to so few people that nobody would go through the official process to properly package, test, and maintain them.

    for example: vscodium is a fork of vscode, but microsoft disables the marketplace for it. the vscodium-marketplace package from the aur adds it anyway. i don’t think any regular repos have these kinds of hacks and patches available.

    • punkfungus@sh.itjust.works · 7 hours ago

      I found it kinda funny that enabling the marketplace in VSCodium was your example here, given how much of a vector for malware that is itself. It’s malware all the way down.

      You can download .vsix extensions from the marketplace and import them into VSCodium manually just FYI. And it won’t auto update so it will save you next time a supply chain attack inevitably hits and starts infecting new versions. Assuming the downloaded version isn’t infected in the first place of course.
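
The manual .vsix route described in the comment above, as an added example (not the commenter's code): read the identity and SHA-256 of a downloaded .vsix before importing it, so the vetted file is on record, and switch extension auto-update off in settings.json so the import stays at the version you checked. The settings path `~/.config/VSCodium/User/settings.json` and the keys `extensions.autoUpdate` / `extensions.autoCheckUpdates` are VS Code settings assumed to apply to VSCodium unchanged; the sample .vsix is constructed.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespace of extension.vsixmanifest, the metadata file inside a .vsix zip.
VSIX_NS = "{http://schemas.microsoft.com/developer/vsx-schema/2011}"

def inspect_vsix(data: bytes) -> dict:
    """Return the publisher/name/version a .vsix claims plus its SHA-256, so the
    vetted file can be recorded and compared against any later re-download."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "extension.vsixmanifest" not in zf.namelist():
            raise ValueError("not a .vsix: extension.vsixmanifest is missing")
        root = ET.fromstring(zf.read("extension.vsixmanifest"))
    ident = root.find(f"{VSIX_NS}Metadata/{VSIX_NS}Identity")
    if ident is None:
        raise ValueError("manifest has no Metadata/Identity element")
    return {
        "publisher": ident.get("Publisher"),
        "name": ident.get("Id"),
        "version": ident.get("Version"),
        "sha256": hashlib.sha256(data).hexdigest(),
    }

def pin_extension_updates(settings: dict) -> dict:
    """Return a copy of the user settings.json contents (assumed path for
    VSCodium: ~/.config/VSCodium/User/settings.json) with extension auto-update
    and update checks switched off, so a manually imported .vsix stays put."""
    pinned = dict(settings)
    pinned["extensions.autoUpdate"] = False
    pinned["extensions.autoCheckUpdates"] = False
    return pinned

def build_sample_vsix() -> bytes:
    """Constructed minimal .vsix used for the demo; not a real extension."""
    manifest = (
        '<?xml version="1.0" encoding="utf-8"?>'
        '<PackageManifest Version="2.0.0" '
        'xmlns="http://schemas.microsoft.com/developer/vsx-schema/2011">'
        '<Metadata><Identity Language="en-US" Id="sample-ext" '
        'Version="1.2.3" Publisher="example-publisher"/></Metadata>'
        '</PackageManifest>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("extension.vsixmanifest", manifest)
    return buf.getvalue()
```

After recording the output of `inspect_vsix`, the file is imported with the VS Code CLI flag `codium --install-extension <file>.vsix` (assumed unchanged in VSCodium).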

    • agentTeiko@piefed.social · 19 hours ago

      It just seems odd to me: if there is no maintenance, why not just build a package yourself from the devs’ provided source code? Maybe I’m just an old man, but it seems that without the ongoing maintenance it would be about the same as, for example, using buildpackage and apt-build on Debian, but that is a local repo for just me. So if something goes wrong it only affects me, not the whole internet.

    • TheMightyCat@ani.social · 19 hours ago

      Not to discredit your point about the AUR, as I use it plenty myself, but for this specific case is there a reason to use VSCodium on Arch, since they ship code as an official package which has a marketplace?

      • curbstickle@anarchist.nexus · 17 hours ago

        IIRC, isn’t that just a build right out of the MS repo? So all the telemetry would still be there by default, which VSCodium removes. If I am remembering right, that would be the best reason IMO.

          • curbstickle@anarchist.nexus · 6 hours ago

            I don’t really use either (outside of work scenarios where it’s going to be regular VSCode on Windows anyway), just going off memory here, so I’d need to check too.

            Doing a bit of looking, per vscodium folks:

            They are very similar. Code-OSS is what you get when you build vscode from source. VSCodium is essentially just a build script that automatically builds from source when MS cuts a new release and then uploads the binaries here to GitHub. In that sense it is mainly to save time.

            Additionally, VSCodium turns off telemetry in the build process, and rewrites some of the deeply nested telemetry URLs to go nowhere in case something in the codebase tries to send info back to MS. So that is a small difference that a standard build of Code-OSS would not have unless it was done manually.

            I’m not sure how the packaging was done to get Code-OSS into Arch, so it’s possible there are other differences with the Arch version specifically.