Visual Studio Code is designed to fracture (2022)

– cpptools is kind of amazing but also pretty bad. It regularly malfunctions for me. It’s essentially undebuggable. I have less experience with the other extensions, but I don’t expect that they that much better.

– The VSCode security story is very, very weak. Extensions are not sandboxed. The client, accessing remote repos, is wildly insecure, by design.

And that second point is a big deal. Maybe when poking at your own company’s code, you aren’t that concerned about your repo attacking you. You probably should be concerned about malicious extensions, but we’re all far too used to trusting dev tooling. (Don’t forget that MS’s extensions are just this side of malicious.)

But, with AI, you should absolutely not trust your LLM. It is entirely unsafe to give an LLM that might try to exploit you the ability to write into your repo directly or to run JS code in the context of any portion of VSCode. And it’s really quite easy to convince LLMs to engage in all manner of shenanigans.

There’s an opportunity to make a better ecosystem. In a better ecosystem, the equivalent of cpptools would not have telemetry, because the equivalent of cpptools would not have Internet access. It would have the ability to read the workspace, to create cache files for its own data, and to operate its UI, and that’s all.

This is a big concern for our Infosec team. There is no middle ground between open access to every Extension on the marketplace or locked down and Extensions are installed via local files. The latter being a significant overhead in maintaining VSCode.

This is quite surprising to me if true. Microsoft has for years touted “Security is everything and the single most important thing right now”, yet something that basic is not taken care of for the most security minded audience, and for the audience with probably the biggest impact in case ssh-keys and alike gets stolen?

People randomly installing extensions (and Visual Studio Code suggesting random extensions by “language support”) starts to look a lot worse than I thought. Guess I’m lucky I never jumped aboard the Visual Studio Code train…

As far as I know, extensions are not sandboxed either on Emacs, (Neo)vim, Jetbrains IDEs.

Of course, in many cases that can make your entire setup brittle – i.e., what happens when the package author decides to change some functionality that you carefully and tightly integrated into your system? At the same time, there’s enormous, unmatched flexibility for making your own rules of the game – there’s nothing that comes even close. You can change a function to do things that it was never initially designed for. For example, if there’s a command that lets you perform GitHub search and open results in the browser, you can advise that command to change the behavior and instead of opening the results in the browser, send that data to an LLM and display it in a text buffer. You wouldn’t have to rewrite the entire command; you would only have to override a specific part of it. In Vim, you’d have to rewrite the entire function. In VSCode, you’d likely have to make a separate extension. In Emacs, you wouldn’t even have to save the damn thing into a file – you can write it in a scratch buffer and immediately try it out.

Sandboxing does not come for a free, as it creates more complex development APIs and a performance hits.

Would still be nice to have the option to opt into, for example, running as a WASM isolate – given the option of a robust sandbox, some plugins will find it desirable to migrate and gain the secure badge or however isolated plugins are marked for user identification.

But There are plugins where it’s going to be too much of an uphill battle to move to that model though. I still think on balance having sandboxed plugins, however they’re implemented, would be pretty nice.

For all that the Docker ecosystem is somewhat of a mess, it seems more than adequate for this use case.

Who’s the best kid in the block regarding third-party extensions security?

There’s really not much standing in front of a supply-chain attack for my editor of choice, emacs. Most people use a community extensions aggregator that also directly fetches from git repositories. The only slim advantage we have is that I’m sure a much higher % of emacs users would actually look into the source code of the extensions they pull.

as brewster says: ‘governments burn libraries’

there’s a reason that the first backup of the internet archive is at alexandria and that the first time brewster started the internet archive it was a for-profit company called ‘alexa’

  * main (free software)
  * non-fee
  * contrib (free software that depends on software outside of main, so usually non-free software)

While I am not fond of the “contrib” terminology, I think this categorization makes a lot of sense.

in a few tiny comments it demonstrates precisely the problem the larger ecosystem is facing and will almost certainly get much much worse sooner than we think.

Much F/OSS on Windows and virtually all F/OSS on macOS has proprietary build dependencies (e.g., MSVC on Windows, Xcode and various Apple frameworks and GUI toolkits on macOS), but is still itself F/OSS. It’s true that such software doesn’t promote or embody software freedom to the same extent as free software written for free platforms and built with free toolchains and dependencies.

But this case isn’t about that. Reread the comment of maintainer (presumably an MS employee) at the end:

> I’m sorry to let you know that our license also prohibits using our extension in alternate distributions of VS Code – only the official one produced by Microsoft may be used. So even if we did produce a RISC-V version, you wouldn’t be licensed to use it with Code Server.

That’s just proprietary, software plain and simple.

Recall freedom 0 of the free software definition:

> The freedom to run the program as you wish, for any purpose (freedom 0).

In the way that third-party distributions of VSCode do not come with the same rights to extend the software or use it in combination with compatible extensions as the first-party distribution does, VSCode also fails the test of freedom 3, regardless of the license of much of the code:

> The freedom to distribute copies of your modified versions to others (freedom 3). By doing this you can give the whole community a chance to benefit from your changes. Access to the source code is a precondition for this.

It’s not that your modified copies must give your users the same rights to inspect and modify the code as you had (that’s copyleft) but that you are unable to give them such rights. MS does this not entirely through the licensing of VSCode but also through the licensing of certain extensions, but the actual outcome is the same.

It’s not a different story for the term open-source. This:

> May we ask why you’d like to do this? If you’re planning to redistribute the language server binaries as your own custom offering, please note that our runtime license prohibits that.

means that the extension fails condition 1 (the redistribution criterion) of the open-source definition. And VSCode not allowing modified redistributions the same rights as the original fails condition 3 (the derived works criterion).

Neither VSCode nor this extension is open-source. They’re both just proprietary software with some open-source components.

Free Software Definition: https://www.gnu.org/philosophy/free-sw.html.en#four-freedoms

Open-Source Definition: https://opensource.org/osd

Note that these are not definitions in the ordinary lexographical sense. They are terms that were created with explicit social and technical purposes in mind, by and for organized movements. This isn’t an argument from the dictionary but a reminder of the purposes of these concepts.

Partly true, partly false. VS Code is FOSS (MIT license). The VS Code binary that Microsoft distributes is freeware (proprietary license).

> and neither is this extension

Correct.

> That’s just proprietary, software plain and simple.

Indeed, the Pylance extension is proprietary software.

> In the way that third-party distributions of VSCode do not come with the same rights to extend the software or use it in combination with compatible extensions

False. Third party distributions of VSCode can absolutely use compatible extensions. The license of certain proprietary extensions does not allow you to use them with third party distributions of VSCode.

> It’s not that your modified copies must give your users the same rights to inspect and modify the code as you had (that’s copyleft) but that you are unable to give them such rights. MS does this not entirely through the licensing of VSCode but also through the licensing of certain extensions

The VSCode license prevents you from reverse engineering, modifying it, and you agree to send some telemetry to Microsoft. You’re correct that the MS distribution is not FOSS. It’s the same with Chrome (the code base) and Chrome (the browser binaries that Google distributes).

> Neither VSCode nor this extension is open-source.

Again, to be clear: VSCode (the binary) is not OSS, but the source code used to build VSCode (the binary) *is* OSS.
Pylance (the extension) is straight up proprietary software.

> Note that these are not definitions in the ordinary lexographical sense. They are terms that were created with explicit social and technical purposes in mind, by and for organized movements. This isn’t an argument from the dictionary but a reminder of the purposes of these concepts.

The MIT license represents a different view on the social and technical goals of open source software. It’s much simpler than the GPLs and only has one obligation for the user/redistributors: display a copyright notice. It’s not as copyleft as the GPLs.

Edit: to be clear, I think Microsoft should offer VSCodium themselves and state clearly that they take that, bundle it with other stuff, and are calling that blob VSCode.

The instant they do that I’m moving to Theia or something else (zed?). MS is not to be trusted, as outlined by this article.

> The MIT license represents a different view on the social and technical goals of open source software. It’s much simpler than the GPLs and only has one obligation for the user/redistributors: display a copyright notice. It’s not as copyleft as the GPLs.

The MIT license is a tool used for a range of purposes, not an expression of values. It doesn’t ‘represent a view’ about how software should be developed or distributed in the same way that documents like, e.g., the FSF’s account of the four fundamental software freedoms, the OSI’s Open-Source Definition, or the Debian Free Software Guidelines do. It sits at a different layer. Moreover, all of those documents incontestably include MIT-licensed software among the licenses that embody their values– none of those organizations or movements they participate in exclude permissively licensed software.

That some source code is distributed under the terms of the MIT license only tells us a little bit about the way and extent to which it is or isn’t aligned with the values and touted benefits of either the free software movement or the open-source movement. There are individuals (and organizations, if you count the contributor bases of large, relatively organized software projects) who are interested in software freedom and/or open-source development but averse to copyleft, but permissive licenses don’t themselves exclusively support only one set of values and goals or constitute a statement of allegiance to other doctrines (and neither do copyleft licenses).

And that’s part of what makes statements of values and ideas that go beyond licenses per se, like the ones I cited but also books like Free Software, Free Society and The Cathedral and the Bazaar, and the many shorter online documents one can find at FSF.org, EFF.org, sfconservancy.org, or even the OSI’s policy advocacy work valuable: they transmit the things that copyright licenses cannot. They are reminders that adopting software and software development practices means making choices about entering into concrete relations of power, dependency, collaboration, and competition. The F/OSS licenses are instruments in service of meaningful choices about those things. And that’s exactly the way that my recourse to things like the Open-Source Definition and the FSF’s article What is Free Software was not to make a merely verbal dispute, arguing about what words mean, but a move to ground this discussion in the range of first-order values for which F/OSS licenses are instruments. That’s something equally relevant and equally worth doing whether the licenses in question are maximally permissive (like the technically-not-a-license of donating a codebase to the public domain), strong copyleft licenses like AGPLv3, or something else like LGPL or MPL.

The same front-end powers their Visual Studio IDE (not Code).

Also, AFAIK, there exist an alternative `clangd`-based C++ extension, which is fully open-source (but I could be wrong).

From what I can tell, Microsoft isn’t even sabotaging open alternatives, they’re just Not As Good. That sucks, but that’s just how it works when you’re using software made by a company that likes to pay its staff and still make a profit.

I welcome everyone who feels entitled to the source code of Microsoft’s very best software to see what true open source, maintained by an independent non-profit organisation looks like. You’ll get an IDE that’s functional, maybe even features a real debugger, but you’ll probably wish you could go back not long after.

People are taking software given to them free of charge for granted. It’s not that long ago that you had to buy IDEs for hundreds or thousands of dollars and you had to buy the upgrade if you wanted the next version a couple of years later.

This is not a quote from the article and isn’t what the article is saying. It’s effectively suggestig that devs are being duped and MS goals are closing essential parts down.

I think they are. VSIX extensions are supposed to be some sort of open standard, but some Microsoft extensions like Pylance actively refuse to work if they detect running in something other than Microsoft’s build of VS Code.

If they messed with VSCode to sabotage OpenPylance or whatever the situation would be different, but in this case people are just looking a gift horse in the mouth.

Pylance isn’t sabotaging Pyright, because it is built on top of it. You can find alternative extensions that are “just” Pyright. (They have a fraction of the users because the SLM-based magic of Pylance is a nicer experience if you can “afford” it (based on your principles).)

Pyright is maybe sabotaging competitive projects MyPy and Ruff by being “knighted” as a part of Pylance, but that’s not generally how open source competition is seen to exist. There also doesn’t currently seem to be competition for the proprietary bits of Pylance outside of the LLM space. That’s maybe catching up quickly, but Microsoft’s more dedicated SLM models might still be leaders in the space, and Microsoft wanting to keep models proprietary while they are competitive shouldn’t be a surprise.

It’ll work fine for “Visual Studio Code” but all these OSS forks (inc recent venture capital funding for AI ones) gets wrecked.

It turns into a game of having to iterate through the graph and trying to convince official SDKs to change their product direction.

Pushing shit up hill…

Then once feature parity is done, performance problems are next, if they ever get addressed and completed.

I love the idea for open source software, but the very best software in todays world is always something you have to pay for.

I do know the price I’m paying for using Emacs and Vim. Even though (in theory) they are completely free, in reality there’s a price there. Vim and Emacs require time, patience, and dedication, just like any other tools. I know who gains from my choice – myself, the community, and the industry.

I knew exactly how JetBrains profited from my choice of using IntelliJ in the past – I paid for the license and renewed it every year.

But what’s MSFT’s scheme here? They’re giving me this beautiful, nice tool completely for “free”? What price will I have to pay for that choice in the future?

I’m sorry, but I think every dev should remain at least a bit skeptical, do you truly believe that Microsoft, a colossal corporation with a market capitalization comparable to the GDP of Germany, spends an enormous amount of resources to build “a free” code editor, because… I dunno, they love you or something?

“Subterfuge Source” has a nice ring to it, and abbreviated “SS” really drives the point home as well.

This has to be a joke, right?

Microsoft’s software is absolute nightmare pile of trash.

> People are taking software given to them free of charge for granted.

Whooosh: this is the point made by the author of the article zooming over your head. The point is that closed-source software that pretends to be open-source will affect even those who don’t need or want to use it.

For example, I don’t want to use Azure DevOps (Github Actions) or w/e it’s called. It’s absolute garbage. Abysmal design, abysmal implementation. But, I’m forced into it because the org I work for has an obligation to put their projects in GitHub. And, against my will, my work and my knowledge is used by Microsoft to abuse their users.

My only consolation is that I do this as a paid job, and I, personally, will not use Github, and will advise everyone I can to do the same. But this is too little. I want to be a good person, and to do my job in such a way that it’s valuable to people who requested it. I feel really bad that, instead, I’m indirectly peddling the pile of garbage made by Microsoft to astronomically enrich the few people standing at the top of the company.

That was eclipse.

There are lots of great examples of well funded open source software projects. Companies have a history of killing them off, which hurts everyone.

Edit: OTOH reporting on this as if it’s a grand surprise is a bit funny. Like come on, this was obvious from the start. I just didn’t care, it didn’t feel like a fight worth fighting. And I care about BSD/MIT license devs being exploited about as much as MS’ business model potentially falling apart because I turn off telemetry: folks knew what they’re going into, and did it anyway because “sempai corpo will notice us.” Well, it did, congratulations.

As for me, I don’t care. I ain’t posting anything on anything lighter than AGPL, ever, but I’m a small bean and ultimately there’s stuff I care about way more than software.

i’m only interested in microsoft’s generous gift of blankets if they come without smallpox

mostly what i offer ‘in return’ is more free software, which is also how, for example, the vim and gcc teams support each other, for the most part

i’m surprised to see your comment because i thought you were old enough to know this already

And also to remember Public Domain and the various flavours of Shareware and Demos, which is what Open Core/Dual Licensing are nowadays, by another name.

i agree that open-core is little more than shareware. dual-licensing is a different model, one pioneered by peter deutsch in the early 90s

this is ground we explored extensively on the fsb mailing list in the late 90s. if you’re interested in my current thinking on the relationship between markets and open-source knowledge sharing, i’ve just written a somewhat longer note at https://news.ycombinator.com/item?id=41696527

I don’t know what solution you’re promoting because Free Software still works. The professional for-profit software industry is in the toilet right now – Open Source is destroying it in a certain for-profit purview.

A guitar doesn’t make the musician, and the hammer doesn’t make the carpenter.

There’s specific skill with being able to use tools well, but that’s not what makes a programmer, guitarist or carpenter valuable.

i still have some keybindings in emacs from when i used visual c++ last millennium, and i’m probably using emacs in significant part because i started using lugaru epsilon in about 01989. since then i’ve also used vi, vim, idea, eclipse, nedit, and the f83 editor, but i keep ending up back in emacs sort of by default. and i think my level of flexibility on this count is far above average

see https://news.ycombinator.com/item?id=41696512 for a more in-depth exploration of this

A good guitar player or a good carpenter sure as shit know a good tool from a bad tool. Good tools are force multipliers and can can make somebody much better than without the tool.

Plus bad tools can actively keep people away from learning new things. A shitty soldering iron can absolutely convince somebody they suck at soldering. Sure a pro can make use of a shitty soldering iron but they won’t do it willingly and their output will be subpar. Same with cooking and bad knives. Same with anything.

The argument that “tools don’t make somebody good” is pretty silly. They absolutely do.

I disagree, but only because I’d rephrase what you’re saying as “good tools are force multipliers for skilled people”. You can give a beginner musician the most expensive guitar rig, and they’ll still sound like a beginner.

I also never said what you’re arguing against. The GP was essentially complaining that using vscode would hamstring their career because their skill would be in something Microsoft could take away. What I was trying to say is the reason programmers get paid isn’t because they’re good at using their IDE, it’s because they’re good at programming. I believe the GP’s concern is misplaced.

Consider: Do you go to a restaurant because their chef uses expensive high-end knives, or because they have good food?

Is that why famous guitarists play only on specific expensive brands and professional carpenters have favorite instruments?

Here is Satriani playing on a terribly setup guitar (1) His only comment at the end? Oh, that was a little painful.

(1) https://www.youtube.com/watch?v=_KZjVZLsU6s&t=20s

IDEs are usually far more complex due to their vast feature sets and constant evolution. If guitars evolved and increased in complexity at the same rate as IDEs, we would’ve seen something absurd like James Hetfield wielding a 150-string monster guitar.

IDEs have become incredibly complex tools with features that go far beyond the original concept of text editing, while guitars have remained relatively consistent in their core design and function over decades.

We don’t have to keep practicing typing “the quick brown fox jumped over the lazy dog” over and over again to master an IDE, while you have to play same tunes again and again to become a virtuoso. Experienced musicians often have a broader, more adaptable skill set and can change instruments, while IDE users might be more “locked in” to their preferred environment for various reasons.

I agree with your sentiment though – good programmers are good not because they’ve mastered their tools – they chose to master their tools because they are good programmers.

almost all pianos have more strings than that; the bottom octave or so have two strings each and the rest of the keys have three strings each, for a total of somewhere around 250 strings. pipe organs are routinely significantly more complex than that. but a lot of the elaboration in musical instruments doesn’t take the form of increasing the number of parts; instead we have things like special varnishes, holes cut in particular shapes, special alloys for strings, tweaked electronic circuit designs, tweaked magnetic pickup designs, etc. i’m not sure it would be easier for a random person to learn how to make a stratocaster-competitive electric guitar than it would be for them to learn how to write an emacs-competitive ide

as for lazy dogs, i think it’s common for both programmers and musicians to practice etudes, not just for instrument mastery (which is only a small part of the problem both in programming and in music). a typing class in eighth grade was enormously helpful to me in programming even though, as everyone knows, typing is only rarely the bottleneck in programming. and i think it’s pretty common for programmers to spend time on practicing the effective use of one ide feature or another, watch screencasts of other programmers using them, buy books about particular ides, etc. check out https://www.vimgolf.com/challenges/9v0062d0773d000000000225 http://vimcasts.org/ https://www.youtube.com/watch?v=wDIQ17T3sRk https://www.youtube.com/watch?v=uGrBHohIgQY https://www.youtube.com/watch?v=p09i_hoFdd0 etc.

But that isn’t true. Lots of famous guitarists play, and love, the cheap guitar they had before they made it big. Yeah they own lots of expensive guitars (because they like collecting guitars and are rich enough to do it). But they don’t only play those.

Internet personalities: the closest thing I might compare this to is the deliberate proliferation of smallpox and the resulting deaths of hundreds of thousands of native americans. (a story which, ironically, turns out to be almost entirely fabricated to spread FUD about the us government… https://allthatsinteresting.com/smallpox-blankets)

Couldn’t put it better. FOSS advocates want everything for free and source code released every time, all the time. Who’s paying the bills? The rent? The mortgage?

To be precise, the system sucks, but we have to work within it, and that means profit-driven companies which pay employees liveable salaries so said employees can buy the food and shelter they need to experience a decent life.

I’ll bet that 95% of FOSS developers either contribute as part their full-time job, or already have full-time jobs with the salary and flexibility that allows them to also contribute to FOSS projects in their free time. Not everyone has this luxury.

Who’s doing this? VS Code is free; Pylance is free, cppdbg is free, the C# suite is free. However the licences are clear; these extensions are closed source.

VS Code’s core editor functionality (Monaco, LSP, DAP, etc) is fully open, and has been regularly repurposed and re-branded by several other companies. I sincerely don’t see the problem. If someone else wants to write their own extensions, they are free to; these extensions are Microsoft’s IP and hence Microsoft is free to do what it wants with its IP.

https://github.com/microsoft/vscode-cpptools?tab=License-1-o…

In reality, it’s a MIT-licensed wrapper. The real license is also included in the repository, just not the top level github license.

https://github.com/microsoft/vscode-cpptools/blob/main/Runti…

The disingenuity is what you are condoning. The repo is superficially organized to appear open-source but is actually a minefield.

Github will sometimes say “found other licenses”; the best Github can do is to “report” on the state of a repository; it’s up to the community to decide on stricter tolerances for declaring something to be open-source, because as we see here, even a major corporation is willing to engage in subterfuge/exploitation.

Saying something is “open source” provides material benefit: it creates attention, it attracts users, it creates community. Shouldn’t a project be fully in-the-spirit of open source to benefit?

There’s plenty of case law around the word “free”; it’s just too early for the phrase “open source” to have settled case law.

Has it? If there’s one good thing about Microsoft, it’s that basically anything, even from the stone age, is still supported. You can fire up some executable from the 1990s on Windows and it works and you can probably just be a .net dev for the next 50 years if you want to. If there’s one company in this industry that takes long term support and backwards compatibility seriously it’s Microsoft

Silverlight, Internet Explorer, Windows Phone, Microsoft Edge (Legacy), Windows Media Center, Microsoft Expression, Hotmail, MSN Messenger, Zune, Kinect, Cortana (on mobile devices), Groove Music, Windows Mobile, FrontPage, ActiveX, Visual Basic 6, Windows XP, Windows 7, Skype for Business (being replaced by Teams), Office Picture Manager, DCOM, Winforms (considered legacy), .NET Remoting (superseded by WCF), WCF itself now considered largely obsolete, Classic ASP.NET (Web Forms), etc.

While Microsoft does offer LTS for core products, they also regularly obsolete technologies, often driven by market changes or strategic shifts. Their rate of obsolescence is comparable to other major tech companies.

Last time I checked one can still choose optional MFC component of desktop development in vs installer and it will let you build old code with latest toolchain and do maintenance. Not that it makes any sense in 2024 but its still there.

ps. I’ve been hitting F5 every working day in vs for entire career and have no plans to switch to anything else =)

As a developer you should already be used to having to switch stuff to something else. Going from DX12 to Vulcan, from x86 to RISC-V, from Linux to FreeBSD, from XCode to EMACS, from Perl to Python, from Angular to Flask, whatever.

however, see https://news.ycombinator.com/item?id=41695702

inevitably some of your learning efforts are sunk into the tools, apis, and platforms you use. those can compound over time, making you more effective for the rest of your life, or simply be a pleasant memory. spending time on tools, apis, and platforms that are not dependent on some company’s goodwill is helpful here; none of vulkan, x86, risc-v, linux, freebsd, emacs, perl, python, angular, or flask is dependent on any single company

(x86? yes, without amd, x86 would have died around 02000 like most other 80s architectures did, killed by intel’s itanic blunder.)

in the 90s i invested time learning a lot of different tools and platforms. most of them are no longer useful to me because they were dependent on some company or other: vax, vax/vms, informix, netapp, mfc, sunos 4, purify, clearcase, pv-wave idl, erdas imagine, khoros cantata, irix, windows nt 3.51, cde. but, for the most part, those that were open standards (or, better still, free software) remain useful to me to this day: diff and patch, shellutils (now coreutils), tcp/ip, perl, netbsd, emacs, python, html, css, the i386 architecture, bash, vim, c, c++, sql, gcc, gdb, samba, ssh, postscript, tcl, tk, etc.

admittedly x.25, smtp, ftp, perl, tcl, twm, and fvwm are not as useful these days, and visual c++ and win32 are still somewhat useful. so it’s not 100% black and white. but the longevity difference is extremely striking

Or more likely, “the free version will now contain ads and mandatory telemetry, pay to upgrade to premium for a more streamlined experience”. Just like the Mafia, create the problem then sell your their solution.

It sounds like MS is making a better cpptools/C++ extension mouse trap and it’s impossible to build a fully OSS version because many of the MS components are closed? And when a user discovers he/she can’t use their native extensions from any web interface, this is a problem for the web interface guys? I have to ask — if people want to use this freeware instead of OSS software, it might be disappointing, but is that really a problem?

If there is an answer, it would seem to be more information about who is to blame. Perhaps open source vendors should be more clear that their offerings are also open source and open ecosystem? Perhaps that would tip off devs that not every extension is, that is — the MS alternative extension is not.

One could even be more forceful:

    "Certain alternatives, like vscode-cpptools, are NOT licensed under an OSI approved license.  vscode-cpptools contains many unexamined binary blob components.  Developers of blah blah blah C++ extension strongly believe in an open ecosystem for VSCode extensions, but MS has also refused to allow redistribution of vscode-cpptools, if used by native open source builds or by those offering VSCode via web services.  Developers of blah blah blah believe, whether the code is closed or open source, ALL VSCode extensions should be freely redistributable for the good of the broader VSCode extension ecosystem."

If major extension projects are aligned, they could simply add a notice like above to their description on their marketplace page? Trust me, legally, culturally, MS really, really doesn’t want to deny access to its marketplace, because a few OSS projects wanted to offer a comparison of their license terms to those of MS.

Apple is currently dealing with a marketplace lawsuit. MS doesn’t want a marketplace or another antitrust suit.

You then create another API with one public function. This function is an extern call into the library binary.

You publish the second API into Github with an MIT license and proclaim your API is open-source.

The broad theme is: if 100% of the functionality of the software is inside a closed-source compiled binary, should it be false advertisement to say it is “open source.” Or in other words, who draws the line when someone oversteps the intent of “open-source” for exploitative reasons.

I don’t know if cpptools’ functionality is 100% closed; in reality there are three other licenses you must agree-to within a repository that is supposedly MIT licensed.

I get it. I disagree that it’s false advertising, though I do agree it could be scummy. For instance, if MS created a combination package, licensed that package as MIT, whereas the important bits were proprietary.

Maybe any conflation of licenses have since been scrubbed from the marketplace, but from what I see on their license pages right now, I’m not sure MS’s behavior rises to scummy. The Python package makes pretty clear it includes pylance, and pylance makes clear it’s not MIT licensed.

> I don’t know if cpptools’ functionality is 100% closed; in reality there are three other licenses you must agree-to within a repository that is supposedly MIT licensed.

It should be well known by now vscode-cpptools and vscode-python are partially closed, which is good enough as closed, which is good enough as BSL, etc. If it’s not clear, then that’s a failure of the open source community and alternatives to make it clear. The license links seem pretty clear to me. Perhaps it would be better if the situation were made even clearer, like a badge for OSI licensed packages, but it’s not yours or my store.

My God’s honest feeling is transparency and building better stuff is really the only remedy. You either believe in the FOSS development model or you don’t. You either have a strong open source language community or you don’t. If the C++ or Python OSS people can’t muster an alternative, it’s not MS’s fault for building a better mouse trap which only works with MS products.

There is this overwhelming desire in FOSS communities to works the refs, or even FUD wrong-thinking projects, instead of saying: “They have a development model and so do we. We believe ours is better.” Python, in particular, has so much interesting language server stuff going on in Rust (see Ruff and pylyzer). Re: C++, clangd is apparently very good too. It stinks for the ecosystem that MS has acted this way, but I think one just needs to very clear about whose fault it is when something breaks, or when someone can’t use an MS extension, because it’s obviously MS’s fault.

VS Code is an IDE you can download and use for free from Microsoft. It’s not some magical open-source platform/ecosystem thing that anyone can use for anything, which Microsoft has no control over. It’s a product.

It seems like everyone wants to make “universal” developer _services_, but no one wants to build or fund an IDE, or it’s just too hard or something. That’s not Microsoft’s fault.

Also Monaco is the best editor by a thousand miles, front-ends are just using this editor because it’s the best. We used to install CodeMirror or Ace when they were the best options.

I’m not sure there was a massive master plan behind the creation of Monaco, on the contrary, they saw an opportunity to make it a standalone project that unlocked countless of web UI.

VS code is decent, all rounder, free, open enough to be forked.

And people forget that it’s marvel of engineering. Go look through code. That doesn’t get produced for free.

Microsoft or any company owes nothing for free to anyone whatsoever. This entitlement syndrome needs to be in check.

That’s worth money.

Like I always say about open source. I’m skeptical about adapting frameworks without big money behind them… Because relying on the whims of random internet amazing engineer is a risk.

MS will make money on vscode. Just like Google makes money on Chrome. Just not directly.

The problem is when the free offering is actually designed to ensnare you in a tarpit of legal liability and uncapped financial liability. Especially with a service like VSCode where it’s not a single purchase and you rely on Microsoft indefinitely (through extensions and updates). But it’s designed that way. There’s no other option. They chose to not make it simple to avoid a single clean payment, and extract longer term money of ambiguous amount based on user resistance.

It’s was a very easy switch for me from VScode at least, and while I called it “slow” that is because nvim is ridiculously fast. DoomEmacs performance is still great, for the most part.

There’s actually a lot in that core, especially when you compare it to other open core products (ex. Gitlab). Enough that you can fork it and have a viable MVP for your own IDE (as Cursor, Gitpod, and many others have done)

But you shouldn’t ever be under the impression that you fork will be identical to VS Code.

Frankly I think developers have benefited a lot from this. There’s actually a strong foundation for others to innovate on their own IDEs without sinking years into basic R&D, and it’s much better than the alternative era when ~all the user-friendly IDEs were proprietary.

   If you are not the author, we suggest you first reach out to the author with an issue in their GitHub repo to request that they publish their extension to open-vsx.org. We've drafted a template with suggested content for the issue.

https://github.com/eclipse/openvsx/wiki/Publishing-Extension…

Such “3rd party extensions” don’t get the “verified publisher” icon (or at least should not get it ;).

Zed exists, it’s new but it’s already a very good IDE. I tested it with Unity and the C# support is fantastic.

20 years ago the notion Microsoft would develop dev tools for Mac and desktop Linux would be absurd. Now you’re mad you can’t just fork VS Code, sprinkle some tweaks on it and create a business around that ?

An IDE needs at least a working Debugger (or, to be more precise, a graphical interface to debugger(s)).

And Zed has exactly the same problems VS Code has, minus actually contributing LSP and DAP (Debug Adapter Protocol) to “the editor community”. So, Zed is actually worse in that regard.

For me that should read at _last_ (or not at all).

While almost any IDE I ever used had a debugger (starting woth Borland Turbo C++) the number of times I used one I can count on both hands. And even then, a CLI to the debugger is just fine.

Like with any feature an IDE may offer, there are people for which that very one is essential.

Fair enough; but don’t assume your non-negotiable X is the same for every other user of an IDE. It is not.

Btw. I’m not saying that having an integrated debugger is a sufficient condition for an editor to be an IDE (VS Code isn’t, Sublime Text isn’t, other editors with DAP support aren’t).

> but don’t assume your non-negotiable X is the same for every other user of an IDE. It is not.

But _you_ not needing a debugger in an IDE is a reason something is an IDE without one, I see. Btw. I’m (normally) not using IDEs.

With that definition any usable editor and vim-likes 😉 is an IDE. I can live with that (that Zed is an editor comparable to them) too.

Also Microsoft’s remote and container development tools only work on the official VS Code.

I’ve tried other editors, including VS Code, because it was free. I always come back to Intellij.

This applies equally if their own license is MIT or if it’s GPL/copyleft.

(From that point of view, Microsoft would be able to release VSCode as GPL while also shipping binaries under a proprietary license, if they wanted to.)

Things get more complicated when they aren’t really the authors because they have merged contributions from other authors, e.g. pull requests. Then what happens depends on the license used by the other authors for their contributions. Sometimes the contribution’s license is implied, or legally unclear. To avoid problems, some diligent organisations require contributors to sign or confirm something to make it clearer, before they accept contributions to be merged.

> To avoid problems, some diligent organisations require contributors to sign or confirm something to make it clearer, before they accept contributions to be merged.

That’s a very generous way of saying they’re having people sign away their rights under a copy-left license.

This is such a huge problem and something that I have regularly commented on on Hacker News itself how the open source term is being applied so loosely especially by a bunch of VC funded companies who are further perpetrating this horrible horrible change in language and meaning and the ethos behind the open source movement.

YC itself is funding a bunch of these companies who claim to be open source but do not follow the ethos at all.

What matters is that software licenses are legal text documents. The only place where the interpretation of those texts matters is in a court room. I don’t think there are a lot of court cases involving VS Code. MS tends to have their house in order on that front.

So, VS Code seems safe enough in the legal sense. Yes, it has some extensions that are not licensed as OSS or that are simply closed source. So what? If that bothers you, don’t use those. Or better, fix it by creating some open source. Open source is not a right, it’s a privilege that is granted to you at the discretion of the creators of that software. Not something that you can demand from them.

VS Code is a closed source product that includes lots of OSS components. So much that there’s VS Codium a well, which is fully OSS. A lot of those OSS components are used in other products as well. And some of those things are fully open source. The value of the VS code ecosystem is that it enables this ecosystem of components and products to thrive.

But the word “fracture” is very much meant in a different context here, in that Microsoft does not allow its proprietary extensions to VS Code to be used legally by any third-party fork, and thus can leverage the unique and unstandardized behavior of e.g. its closed-source Pylance Python language server to ensure that no fork can replicate the experience (glitches-as-features and all) that practically all users of VS Code will expect, thus giving forks a Sisyphean challenge to overcome.

https://visualstudiomagazine.com/articles/2021/11/05/vscode-… is linked in the OP and discusses the surprise the community felt when VS Code transitioned to Pylance. I’d venture to say that most users of VS Code have no idea how much of their Python editing experience is run by closed-source logic.

On one hand, it’s a bit frustrating that many people, myself included, switched to VS Code from other IDEs because “if the community sees a problem, the community has the tools to fix it and will do so.” But that ceases to be true when the bulk of the IDE’s power comes from closed-source language servers that Microsoft could feature-freeze (or deallocate resources from them) at any time, and still have ~years before any community language server could begin to replicate all the edge-case behaviors of their closed-source extensions and gain notoriety as a better alternative to Microsoft’s defaults.

Is this a bad status quo, though? Microsoft’s invested incredible resources in a stellar user experience to date, and might not have done so if it didn’t have this strategy in play – a strategy that ensures that no fork will ever be able to capture developer mindshare, and that ensures that the larger Microsoft ecosystem of services will never be disadvantaged or de-promoted by such a fork. As long as leadership desires to continue making this advantage larger and larger, and have Microsoft developers dogfood their own IDE, and thus continue to invest in their language servers, most users will benefit. And sure, some of us will need to keep typing “# type: ignore” into our codebases to work around a Pylance bug that nobody can see the code to submit a PR to fix… but we gain so much in return for that inflexibility. I’m more interested in how my IDE helps me to make my own visions into reality, than in the purity of whether it can truly be called “open source.”

Not sure that’s so very true for most langs / stacks other than Python. Go LSP & vscode extension is Go-owned, C++ you have clang LSP+ext and can really skip MS’ offering(s) there. TypeScript LSP+ext is most likely OSS (dunno) or else MS-owned anyway; dotnet same. Niche langs own their LSP+exts anyway. The builtin HTML / CSS stuff is bare-bones IIRC, if there aren’t richer OSS alternatives out there yet there sooner-or-later will be. Python, I wouldn’t know, but let’s face it, if a lang is a big FOSS project it can and will mobilize their own owned and ever-more-excellent LSP + ext if and when necessary / desirable — and if it’s niche and small-scale, MS won’t anyway, proprietary or not.

I don’t use VSCode and never will. It’s just an awful editor, regardless of who’s peddling it. None of the things that are important to me are controlled or somehow touched by Microsoft.

But, I’m undecided about what’s the right thing to do here: if I dislike both Microsoft and VSCode being, essentially, a closed-source product sprinkled with open-source, do I side with people who want this piece of junk and fight to make it truly open-source or wait to see it inevitably die a fiery death?

The article makes valid points, if you are an OSS enthusiast. But at the end of the day, you always have the source code and you can always run your marketplace. This costs time and money, but if you believe in the idea you have to invest something and not depend on a mega corporation. If there are proprietary extensions that you can’t have that sucks, but again someone can build an OSS one.

But overall I agree with the article, I just have no illusions they are doing anything out of belief in open source, and I’m fine with it because worst case I have other options.

There’s so much focus on how Microsoft has this huge advantage with VSCode and GitHub Codespaces as a cohesive product.

But I think that this entire cloud coding workstation space is rather niche in itself.

I think the average user of VSCode, VSCodium, or whatever other fork has full flexibility to not use Microsoft’s preferred extensions and solutions and customize their environment.

All this stuff about fracturing an ecosystem basically amounts to picking default extensions and I just don’t know if this is one of those “abuse of market power” things yet.

I mean, sure, it can be said that it’s bad how Microsoft is so large that it can single-handedly steer the course of a lot of development trends.

At the same time, I don’t think VSCode being such a good product was something that came out of Microsoft’s dominance. They had a lot of luck with that one, they had the right idea, people, and management at the right time. Microsoft makes plenty of software where their big company big dollar investment hasn’t made them a market leader and they have a laundry list of failures and technologies that are trending downward to show for it.

I would agree with another comment on this thread: it really does seem like a bunch of complaining from some cloud workspace competitors who want to get a free IDE for themselves that works perfectly.

That means companies will be, regardless of the desire otherwise, forced into proprietary models, and proprietary development will continue to be the most effective way to put food on the table.

Open source will forever be a niche volunteer thing plus some predatory abuse by monopolies because the OSI is not interested in open source being the default way to make software.

The OSI’s definition of open source was worked out in the 1990s and has changed almost not at all. That stability in the meaning of “open source” (or “OSI-approved”, if you want to be precise) is a good thing. If you want to experiment with software licenses that (like open source) don’t lock the user in or that (like open source) allow forking, but that are better than open source at allowing the maintainer to earn money, then please do — just don’t call your experiment open source. Coin another term.

It is not some awful tragedy that those who want to experiment with software licenses cannot use the reputation of the “open source” label to market their offerings.

Parenthetically, “nice volunteer thing” is not an accurate description of AOSP, Chromium, Firefox and most Linux desktop software.

All exploitative projects entirely funded and mostly operated by a monopoly found violating the law or awaiting judgment for such in almost every single first world jurisdiction.

Also neither AOSP nor Chromium are used in the real world in practice, over 99.99% of users use proprietary forks.

In other words, thank you for supporting my statement entirely.

> Linux desktop software

Yeah, definitely “not niche”.

I didn’t think it needed spelling out, but OK: GrapheneOS would not exist if AOSP didn’t have an open-source license. Electron, Microsoft Edge and Brave browser wouldn’t exist if Chromium hadn’t been released on open-source terms.

Surely it is not your claim that because Google has done bad things, nothing that Google has ever done has ever been positive?

Going back to your previous comment, where you write, “the OSI is not interested in open source being the default way to make software.”

Do you actually believe that if the OSI had been smarter or more ethical or had listened to your advice (sent back in time perhaps) then open source might have become the default way to make software?

I consider it obvious that that was never a possibility.

> GrapheneOS would not exist if AOSP didn’t have an open-source license

First, Graphene OS is used by… less than 0.01% of Android users, so again, thank you for confirming my point. Furthermore, GrapheneOS is harmful for the ecosystem. Similar to VSCode, proprietary services are essentially gated out from alternatives to the default proprietary Android. And the big problem with Graphene and other AOSP forks, is they waste developer effort while protecting monopolies. Every developer-hour wasted on Graphene is a developer-hour not spent on a truly open mobile OS, and that’s sad.

> Electron

We could live without it. Nobody needs a whole browser to ship a single page app. But also…

> Microsoft Edge and Brave browser wouldn’t exist

So remember that whole part where I said 99.99% of use is the proprietary forks? Edge is, of course, completely proprietary. (Brave is just a cryptocurrency grift, will focus on Edge here.) Microsoft is a monopoly in several respects still, and Edge adds several anti-features like ads on the start page and shopping “features” which collect your shopping behavior. Furthermore, the switch to Chromium for Edge makes the Internet ecosystem worse. Because one of the largest independent web rendering engines disappeared overnight… further contributing to Google’s monopoly stranglehold over the web ecosystem, and it’s ability to essentially force standards bodies to comply with it’s choices or become irrelevant.

> if the OSI had been smarter or more ethical

I think time travel conjecture is sort of pointless, obviously there are dozens of conditions on when good licenses got approved, what projects adopted them, etc. But if SSPL was approved, as the viral copyleft license it is, less open alternatives would evaporate overnight. Without the risk Amazon would lift your product, wrap it in a proprietary platform, and simultaneously undercut you on cost, I think at least for SaaS, there’d be very little reason for a business to launch without providing their code on fair terms.

All that being said, the discourse around the OSI and open source is toxic enough and compromised enough, I think shifting to new terms is ideal anyways. I saw https://fair.io/ “fair source” recently, which seems quite reasonable, though I’d love to also see an expression of it more focused around labor and sustainability in addition to just business case. Developers deserve to get paid for their work, and I feel the primary goal of open source at this point is to cultivate free labor for the tech monopolies backing the OSI.

i think you’re missing not only the point but actually reality as a whole

It’s common / popular in certain enterprise circles, for “security” and audit reasons. No admin or most permissions on your computer. You get a specific VM with “controls”. Anything required might be installed on request.

A locked down cloud hosted IDE might just be 1000% easier.

People when Microsoft pulls this trick (core repo OSS, most useful things around it are full of DRM and legal traps): silence

The hypocrisy is really astounding and in a way, MS has managed to pacify even the strongest FOSS advocates by offering something which looks like OSS but it actually isn’t. This is on par with claiming that a repo is GPL but the build API keys are not. (Yes, this also happened elsewhere, and not even in a corporate project at all!)

The Open Source Definition is hilariously unfit for purpose in 2024 because it allows shenanigans like this.

If you enjoy a rabbithole, look at how much DRM there is in Pylance (another extension that MS has locked down): https://github.com/VSCodium/vscodium/discussions/1641

The short summary is that MS uses multiple, constantly changing methods of DRM to make it impossible for people to patch out the “only official VSCode” check from the Pylance extension.
This is very clearly malicious.

Open core absolutely is open source. There’s a clear and valuable open source core that others can build on to build their own products.

This isn’t just hypothetical. As far as I know, no source-available license allows you to actually use it to build your own product. While VS Code has many other products built on the core (including products that lawyers have reviewed closely for compliance).

Depending on where the line is drawn. How functional the “core” in a real life scenario is. Often companies use some “enterprise security” features as closed thing, like saml/oauth/… where one could argue those should be default state of things these days.

For example, if the copyright holder applies a security fix to an old version that had “expired” and is now open source, will that cause old version to revert to source-available? Does any security fix, even the simplest one, require clean room reverse engineering on part of the community? Unless these questions are answered clearly by the copyright holder, BUSL/FSL are not really usable as open source even after the expiration date.

I don’t mean this as a negative thing as such. It’s just Microsoft being better at selling products to enterprise organisations than anyone else. One of the reasons Azure has grown from around 10% to 25% of the global market share during the previous past 5-10 years while AWS has actually lost its position is simply sales. When AWS first entered Europe they were a lot like Google Cloud, in that even if you were a municipality you would end up in an automated support loop. Then Azure came along and sold the same Microsoft support as they’ve always done, which is basically the best IT business partner you can have as an enterprise organisation, and naturally they won. It’s not like Amazon didn’t notice, a few months after Azure really rolled out we suddenly had an AWS account manager and direct phone support. But by then the ship had sort of sailed because of how Microsoft simply offers great value. Teams is another good example, it was a worse communications platform than what we had at the time, but it was “free” because it was attached to every user license we had, including the cheap educational ones. Almost nobody in non-tech enterprise will spend money on something they get for free, even if the free product takes years to become as good.

VSCode is the same. We pay for co-pilot and we pay for a lot of the Azure integrations, because why wouldn’t we? In the giant IT budget heading to Microsoft they are tiny costs which are in the “services” category in the excel sheet that heads for the budget. It is tiny, but when you consider just how many EU enterprise organisations buy these services it’ll amount to millions and for some services billions of revenue for Microsoft.

A good way to think of the “new” Microsoft strategy is similar to how cartoons are used to sell toys. You can watch Lego Dreamzzz for free on YouTube because Lego knows it means a lot of people are going to buy their Dreamzzz sets. It’s the same thing with VSCode. On top of that, they’re winning the familiarity game. When you hire a new developer, they’ll want to use what they know, which for many people is VSCode.

> VSCode is build to sell Azure and other Microsoft services, which they won’t if you use VSCodium

If corporate has bought into MS, they will use Azure services anyway. So for MS it would not matter if vscodium also integrates well with Azure or has a good .net core debugger, their customers will still bring the whole IT budget to them.

Because you are spot on. Corporate buys the whole MS store, only walk the road that MS marketing has blessed and it happily walks into the Azure trap. They outsource IT strategy and planning to MS anyway, and MS names it “Azure”.

Money. Which is OK. Developers need salaries. They need to justify the department budget to bean counters and sales internally. The company you work for is most likely not a charity too.

If you want to strictly use free software (as I do), VsCodium is great for everything I need.

The idea is people start a project in VS Code, need to scale up to a reproducible dev environment for multiple users, and follow ads in VSCode to GitHub Codespaces, which charges by the hour for VMs. Now you’re locked into that, you’re locked into GitHub as well, and they can cross sell you GitHub Actions, GitHub Advanced Security &etc.

Therefore, Pyright is almost the minimum needed to add type checking to your CI process.

Edit: to clarify, not only is Codespaces advertised in VS Code, it also uses private APIs so no competitor can publish an extension which replicates this functionality on the VSCode marketplace.

I don´t think MS is after solo hobby devs. For startups they have other incentives to lure them into their ecosystem, like free Azure credits.

And that is why open source projects on github are free too. Because the paying organizations depend on the free software ecosystem, build by volunteers in their free time. MS wants control (1) about that nonetheless, because not having that is a risk to their baseline

____

0. https://news.ycombinator.com/item?id=41695356

1. That is not necessarily harming libre software per se, but keep in mind that MS is only interested into OSS as long as their commercial customers depend on it.

And also the fact that Pyright, the underlying library that powers Pylance, is open source. Microsoft even has a mostly workable demo extension built from it, which is fully open source, published in their marketplace, and receives regular updates.

Source Available is fine by me so long as it isn’t being misrepresented as Open Source in an attempt to sponge off of the goodwill generated by Open Source communities. So I’m not feeling the “outrage”.

And I spent a good portion of my open source advocacy activities on license compliance at the ASF, helping projects to ensure that even with all the bundled dependencies the aggregate licensing of the distributed artifacts complied with the terms of the Apache License Version 2.0. So I’m not feeling that “silence” either.

What I’m feeling is “hypocrisy” being projected onto a straw man by someone who’s got an axe to grind with OSI and the Open Source Definition.

The sentiment that “VSCode is OSI-compliant so it’s morally okay to support it” is very common, and it’s substantially derived from the OSI definition. I do not think that it’s an irrelevant issue or that it would be misrepresenting the definition.

Is it really free (as in freedom) software when it contains DRM? Is it really open source when critical extensions are unusable if you build the software for yourself? It might meet the definition strictly by the words but in my view, this is not much better than TiVo-isation (when the license is adhered to but the user can’t effectively use a modified version) or other shady practices.

Oh, I definitely agree. While I don’t use the editor (mainly because I prefer full IDEs and not glorified text editors personally) I agree that holistically, the existence of VSC is a net positive to the programming community. My argument comes from a moral perspective – even though the good outweighs the bad, the bad parts are really scummy and need more awareness.

Like, my perspective is not utilitarian, it comes from a deontological point of view. I see people and companies get regularly flamed (or even harassed/intimidated) for much smaller things such as the crime of creating their non-OSI-compliant licenses and various related things. In contrast to that, the VS Code ecosystem is much more proprietary, grants much less practical freedoms and operates from a way less clean moral background than any of these projects. Yet, many people are willing to excuse this because Microsoft has figured out a way to implement vendor lock-in without breaching any of the four freedoms in techicality. To me, this is way worse than someone saying “no we won’t let you use our software for anything“…

I am also not a fan of the LSP (good arguments can be found in https://www.michaelpj.com/blog/2024/09/03/lsp-good-bad-ugly….) but that’s another topic 🙂

Just don’t call it “Open Source” and you won’t get nearly as many complaints.

The big problem arises when somebody tries to leech off of the goodwill built up by Open Source communities and give their Source Available proprietary offering some FOSS-juice. (Most often VC-backed companies who have failed to understand that “Open Source is not a business model”).

This argument would make sense from a strictly logical perspective if these were all the facts but the problem is that the expression “open source” wayyyy predates the OSI. It’s been used in the 80s and the 90s on Usenet and in various places, and it simply meant software which was distributed in source code form. (as opposed to binary form) These pieces of software didn’t even have a license file attached to them which was implicitly understood as public domain, or “do whatever the fuck you want to do with it”.

The OSI simply appropriated the term to a narrower, stricter meaning which grants certain freedoms to the user and takes certain freedoms away from the creator. (Such as the freedom to change your mind in licensing! You can’t practically change your mind since these are all non-revocable grants)

Furthermore, I don’t really agree with the “leeching off the goodwill of OSS” framing. From a practical perspective as a user, having the source code available is way closer to OSI-licensed software than proprietary, closed-source software. You can view the code of the program, you can usually share your modifications with others (which is technically disallowed but the developers are very unlikely to care as long as you don’t resell it), you can fix bugs in it, you can change functionality you don’t like.
A less-commonly talked about side effect is that if the source is available, the developers are less incentivised to provide user-hostile features, simply because they know that the users can patch it out relatively easily. There’s many cases of rugpulls and forced functionality changes in software nowadays and almost all of it is possible because the user can’t simply change the code to change the unwanted behaviour but must put up with it instead.

Naturally, this is a huge advantage compared to closed-source software. And if a company is willing to share its source code with its users, this should be lauded and encouraged! Obviously, the developers want some benefit from sharing the code, and one of the huge benefits is goodwill by customers. If the developers are not incentivised – but more commonly, harassed and mocked – to share their source but disallow competitors to steal it, in most cases, they will simply not share the code at all, leaving you, as a user, with way less freedom in practical terms.

Both you and the company can’t really do anything with paper freedoms – you can’t really use paper freedoms and the company can’t survive if their licensing permits others to profit off their work while discouraging them of doing so. In this view, having more practical freedoms should be encouraged because it helps both the user in having more usable and more modifiable software, and helps the developers not to go bankrupt when Amazon decides to commoditise their offering or something.

EDIT: I conflated “developer” with “company” when writing this post. My apologies. Of course, everything above also applies to natural people who develop software too, not just corporations. I made this mistake because of the subject matter (Microsoft), sorry.

On the other hand, people were using licenses that are now called “open source” licenses well before that, so the practice certainly precedes the term. Also, the OSI definitions were derived from the Debian Free Software guidelines.

(1) https://web.archive.org/web/20021001164015/http://www.openso…

This applies to the situation where the users are programmers. And I am a programmer. But I have never and probably never will modify any open-source applications I may be using. Too much work. Some library-code perhaps but not a full application (like VSCode).

Too easy to cause more errors rather than fixing them, creating a dependency to my own modifications. When it becomes time to upgrade to the next version of such OS software I will need to merge my modifications to the official app or library, and there is no guarantee that my modification would be compatible with the latest version of the said software. If it is not compatible that means either more work for me, or that I can’t upgrade.

“I don’t have the resources to exercise my freedoms” might be a problem for you, but it’s not a problem caused by the freedom or the mechanic granting it.

And even for programmers like me it is not very valuable, especially if we’re talking about sw-applications like VSC as opposed to library code.

I get that nice things that you want are sometimes expensive, but that’s just life, isn’t it? The world doesn’t owe you a cheap-and-easy-to-hack-on piece of software.

But I think your portrayal of FOSS advocates at large as unconcerned about the spirit vs. letter of open source compliance is wildly inaccurate. If anything FOSS communities discuss such topics obsessively. (How many bits have been spilled onto the internet about TiVo-isation?)

Also, see pxc’s excellent analysis elsethread for an illustration of the utility of the OSD: https://news.ycombinator.com/item?id=41693457

>If anything FOSS communities discuss such topics obsessively.

I don’t see this the same way. Whenever topics like these come up, “quoting the OSI definition word-by-word” is a fairly a common moral argument. (See every Mongo/SSPL or ElasticSearch thread on this site and you’ll see)

While there is definitely discussion of this, you are entirely right, there’s a substantial proportion of people (I’m not claiming that it’s necessarily the majority or anything – but influential enough to derail or block things) who do not take the spirit of the Free Software movement into account at all. At a glance, many arguments against these licenses don’t come from a viewpoint that these licenses violate the spirit of Free Software – they just mechanically quote the OSI freedoms without any critical evaluation or moral reasoning.

pxc’s analysis is great and morally I definitely agree with it. I don’t think that most people agree with it though – which legitimises the VSCode “open-source” approach.

I’m not sure that’s the case. I think the strongest FOSS advocates gave up on Microsoft decades ago, and just don’t engage with anything they put out. If MS release source-available stuff, strong FOSS advocates don’t peep because they’ve not even looked at it. Why bother – it’s Microsoft. If someone else does it, well, the FOSS advocates still had some hope that what they didn’t wouldn’t be terrible, so there’s space for those hopes to be dashed.

hey, we welcome microsoft to countribute to FOSS, but expecting to behave like another is laughable given the alternative

Like many OSS enthusiasts, I did some initial research on VSCode/VSCodium and decided to install the latter (similar to Chrome/Chromium).
As I kept using it I discovered that some MS extensions would refuse to run on VSCodium without workarounds.
At that point I was fully aware of the license situation and still decided to switch to VSCode for convenience.

My point is that most software developers are capable of understanding how VSCode and its “useful extensions” are licensed; it’s not a new concept. And from there, each individual can choose what tools they use according to their preferences.

On the vscode landing page they say. “built on open source” with a link to where you can clearly read the license. The ONLY thing that is important is the licence. This clarifies that parts of the product are not open source. At this point you can either use the product or not use the product. But as YOU didn’t build it or pay for it you have no place to complain. This is the same sense of entitlement that causes people to harass open source maintainers to fix a bug or implement some feature. People want everything for free and are outraged when they find that the world is not so. Yes it is convenient to go to the package manager and find just what you were looking for without having to do any work or commit any contribution but this is a privilege and not a right. It’s amazing that any open source exists at all and where it exists we should say thankyou and where it doesn’t either button up and pay or build it yourself.

> But as YOU didn’t build it or pay for it you have no place to complain.

I disagree with this point. You’re conflating legitimate criticism or discussion about the model (which many have differing opinions on) with the harassment of open-source maintainers – something I strongly oppose as well. Could it be that past negative experiences have made you overly defensive? If so, I understand, but I believe it’s a bit misplaced in this context.

You make it sound like poor and good hearted Microsoft is being abused by evil ungrateful kids.
It’s time this crappy company gives something back for decades of evil that they’ve brought on OSS community.

As OSS old-timer, I gave VS Code a try, but it was too noisy and distracting, slow, and didn’t allow enough control over what was being installed and when. To each their own of course, but I didn’t see any particular reason why VS Code is much better or deserves to be more popular than other editors, and if any functionality is missing from other editors – especially those that are incorporating tree-sitter – then maybe we can just improve those alternatives?

Talking about modern editors, I like where Zed is headed, but that project also has some non-OSS components or aspirations if I remember right.

The blog read like the author is crying that Microsoft is not giving away extension for Gitpod to make money

Microsoft is embracing open source, gaining market share with proprietary extensions, and then those to extinguish any truly OSS forks.

Embrace, extend, extinguish. Once again.

Of course it’s a post relating to MS so there will be at least one such comment

The standard isn’t detailed enough to create your own Office implementation. Not even Microsoft Office implements it correctly. Microsoft only created the standard so they could claim they were as open as OpenOffice, to prevent OpenOffice from becoming the standard, to make sure third parties would continue building upon Microsoft Office, and to ensure third party implementations would always be slightly worse.

As leaked emails later showed, even Microsoft employees used the Embrace Extend Extinguish term to describe this project.

I’m not sure why you think the VSCode situation is so different.

I’m not sure how they’re related? How is something MS allegedly did with Office over 20 years ago related at all?

It’s not like they can make plaintext source files incompatible with other IDEs

I wonder to what extent this halfheartedness should be ascribed to the MS org chart or to reasoning like “we should prevent a competent competitor to run away with our tools”.

In the mean time, there is a capable replacement named Theia (0) with none of the strings attached. We as a whole would do best to move to that one. (1)

___

0. https://theia-ide.org/#theiaide

1. That is to say: for vscode kind of experience. Native IDE’s are unbeatable imho.

Huh? If anything, MS prevents people from shooting themselves in the foot and illegally installing a piece of software against the license terms.

You can use vscodium for free, it’s great, you literally don’t have access to a few MS extensions (with open alternatives, which you can support financially if you care).

> INSTALLATION AND USE RIGHTS. a) General. You may install and use any number of copies of the software only with Microsoft Visual Studio, Visual Studio for Mac, Visual Studio Code, Azure DevOps, Team Foundation Server, and successor Microsoft products and services (collectively, the “Visual Studio Products and Services”) to develop and test your applications. b) Third Party Components. The software may include third party components with separate legal notices or governed by other agreements, as may be described in the ThirdPartyNotices file(s) accompanying the software.

One thing I don’t understand is how forks (I’m actually talking about Cursor which is one I’m actually evaluatinng) are getting away with scrapping all extensions from the VSCode marketplace… I even e-mailed them but had no official position on that. Maybe they have some separate contract with Microsoft — they do have OpenAI backing, so, maybe they have some bridge there, does anyone know? Or maybe Microsoft is just waiting to see how they themselves can profit for it and so is taking no legal action at this point?

— disclaimer: I’m on the author of PyDev and I do have my own Python extension that I publish to VSCode and OpenVSX (https://marketplace.visualstudio.com/items?itemName=fabioz.v…)… it’s completely Open Source in Eclipse, but for VSCode it’s currently commercial. I discovered that’s a nice way to have less people requesting support, even though 99% of it is still Open Source 😉

I hate the way they don’t open source the useful ones like the ssh debugging though

Isn’t it worse than that? They’re not just unsupported, I thought it was against their EULA to use the MS extensions with anything but the official VSCode.

It doesn’t matter to the average person using it for personal projects but it’s a liability to businesses. It wouldn’t matter most of the time but this is Microsoft we’re talking about.

And for business, they will use the official VS Code anyway. My own employer is up to their armpits in Satya’s ass. Over the last 8 years the MS sales goons have managed to get us to throw out every third party solution they had an option for. We even have to use Edge now.

“most useful things around it are full of DRM and legal traps” is a HUGE overstatement. Vscodium is great and have everything anyone can want (except, maybe, devcontainers)

Huh? There’s been lots of outrage about this. Repeatedly.

However, the problem is that nobody with any resource is willing to step up and replace the Microsoft closed source plugins. And developers aren’t willing to put themselves out to use non-encumbered extensions.

It’s basically a big “Put Up or Shut Up” from Microsoft, and nobody is willing to “put up” so we wind up with “shut up”.

There’s no longer outrage, since this has become the norm. Biggest most obvious example: Chrome.

Thanks for correcting me!

>Specifically, this is discriminatory against users of the software that use proprietary software within their stack,

(From wikipedia) That’s… the point.

This is a field of use restriction, and it is indeed the point of the SSPL! But field of use restrictions are disallowed under OSI’s Open Source Definition — because it’s critically important that Open Source software must be usable for any purpose to avoid uncertainty and exclusion, as explained elsethread (1).

(1) https://news.ycombinator.com/item?id=41691577#41694133

Any business which isn’t exploiting open source in order to benefit proprietary source won’t even be phased by this. It’s simply a requirement to open source your stuff, which the OSI would support if supporting open source was actually their mission.

I had to fight my way through your aspersions about the motivations of the people who take part in OSI license discussions, some of whom I am personally acquainted with. I consider the notion that they are driven by allegiance to Amazon and the like risible, although you don’t have to take my word for it (and shouldn’t, it’s an argument from (negligible) authority).

The idea is that a “field-of-use restriction” should deny a license grant based on field-of-use, as opposed to granting a right to users to obtain source code based on field-of-use. This seems like a technicality when the obvious effect is to cripple commercial competition which some see as illegitimate and advantage certain other parties — something completely at odds with the idea that Open Source software needs to be available for any use, deeply cherished by myself and many other FOSS advocates.

If we aren’t able to say “hey, this is for open source use only”, companies unburdened by ethics will always have a market advantage over ethical open source companies, and that in the long term will ensure open source doesn’t win.

Stopping hyperscalers is restricting usage in a field.

The primary reason that field-of-use restrictions are part of the OSD is to avoid excluding anyone from the community, and also to avoid fights about whether anyone belongs. Historically, military uses were often excluded in certain licenses — but just what constituted military use could be very hard to determine and potentially could result in endless litigation. Dual-use technology, anyone?

The same reasoning applies to hyperscaling. If you allow any restrictions on field of use in “Open Source”, then a fundamental guarantee that countless users of OSS have been counting on goes up in smoke. Before, it was software that anyone could use for any purpose. But now, everyone has to wonder, “am I actually allowed to use this Open Source Software”?

I firmly agree with these arguments, and I’m glad that the OSI continues to be intellectually and morally consistent in applying them — despite your asserting that they must be corrupt to do so.

the same goes for anything LGPL licensed, but I’d be surprised if you count that as GPL 😉

I’d rather get paid than build towards an ideal bunny world of free as in free beer software.

developers developers developers

Plus, for the former you can still get paid. You don’t need proprietary software for that.

Now for developers, they are recruited to build software under the guise of freedom, while their users care not about the men who die for the cause, and only appreciate the free stuff.

The argument that you can still get paid developing free software is obtuse. Source code is a very valuable tool to protect intellectual property (which is a recognized legal asset despite what stallman would like to be the case). If you sacrificie your source code advantage by making it public (which is a requisite for free software, put down your “Free software isn’t open source” paragraph gun), then you give away most of your capacity to make money out of your skill. Furthermore, open source development and closed source development are two very different skillsets, so you kind of get locked in to a worse paid form of software (with the exception of the top 0.01% of developers who might net evangelizing positions at actual proprietary companies like Guido Van)

Also what do you have to say to the open-source projects that take a “dual licensing” approach, like how Google profits from creating their own proprietary browser Chrome that has more features than the open-source Chromium? Isn’t it practical for companies to freely provide an open-source version with fewer features and sell a better, proprietary version? I havnen’t done any of this, but to me it sounds like there’s plenty of ways to make money developing open-source software.

The issue is that you give away your source code to your clients and competitors, who can then save money by not paying you.

If you don’t give them source code, whether by distributing binaries or access to a server which holds the code, you can recoup the investment by ensuring clients only get the benefit of your software when they pay.

It’s a similar dilemma in the pharma industry, yes you can free the patents and publish the synthesis method, but who is gonna pay the researchers?

Finally Chrome is more of a byproduct of google’s efforts to scrape the internet, turns out that in order to figure out what a website is showing a user you need to pretty much develop a full fledged browser. The goal of google was never to develop a browser.

Critically, Google doesn’t sell or charge for Chrome access.

Their monetization model is making software free (as in beer) in exchange for advertising. Again, that funky word free.

Regarding imitating that model, you and me are not google, and will more likely fail than not if we were to pursue that model.

Isn’t it just that all companies want to extend/embrace/control.
This has happened with a lot of Open Source products recently.
Didn’t this just happen with Redis this year.?

“The mission of the Microsoft Developer Division is to earn the trust and love of developers across all languages and platforms and make them successful as they build the applications of the future.”

Maybe the simpler explanation is that they want to make a good product? Which will mean it spreads out, and they do need some amount of control, thus the ‘official’ build.

Of course, they are also shady. I lived through the Explorer lawsuit days. But even then, I think they stumbled into it, they didn’t have much of a plan beyond control.

All companies want to extend and control.

OSS was supposed to be a counter to this.

But seems like without some kind of ‘pay’ model where developers can actually ‘live’ and contribute, it eventually falls apart. There are just not as many people willing to spend nights and weekends developing and especially SUPPORTING OSS for free. So any OSS tools that are good and widespread, and don’t have some support like research funding, get co-opted.

Maybe a non-profit company is the best way. But we’ve seen how that turns out if it actually takes off, like OpenAI.

Also people who in some contexts could be infinitely more productive with their favorite editor by not being forced to work with an IDE. One thing is developing for the desktop where having a form editor becomes handy, therefore KDevelop or Lazarus make sense, but why in the world should one be forced to use that behemoth for a small set of .c or any other language files where a well thought makefile can rule them all? Do I have to install and configure vscode for a short source that would run on a microcontroller? Really?
I see more and more projects requiring vscode, and that is not good if they don’t actually need it (YMMV of course): turning a set of sources and their makefile in a IDE project isn’t hard, doing the opposite is often a nightmare.

As an editor it’s a pain in the ass, as an ecosystem it feels like a fucken freemium mobile game for how polluted and nickel-and-dimey extensions are, and worst of all it’s owned by microsoft so while this article is informative on the specifics, I knew from the jump there was some legal fuckery involved because there literally always is

I can’t be a total purist and never use a tool that’s connected to a large tech company’s ecosystem, but where at all possible one should, and this is only becoming more true

I have. There were an awful lot of electric tools doing things that used to require manual work. And they were used even the old guys who were fighting against their broken bodies to work for long enough be able to retire.

I would consider bothering with some static analysis tool, but definitely not with php or other runtime heavy languages.

But I dream about a simpler world where I could just open nano on a dusted terminal in a basement, grab my printed copy of a OS manual, and code away.

This approach extends to the application environment as well, download nothing, use Operating System tools, code the rest.

Download nothing. Upload only.