
VSCodium – An Open Source Visual Studio Code Without Trackers - arthurz
https://www.fossmint.com/vscodium-clone-of-visual-studio-code-for-linux/
======
userbinator
There's already a comment here, and I've also personally experienced just from
talking with others offline, that a lot of people _don't even know_ VSCode
had telemetry, despite it being mentioned several times in the product itself and
its documentation. They (and remember, these people are supposedly
_developers_) either ignored it, or just didn't read the docs.

I guess a big WARNING banner might scare users away, but it's still a bit
disturbing to see such a lax attitude towards tools which developers use to
work with a software company's most valuable assets. A lot of people,
developers included, don't really read EULAs, and it's the same reason
(traditional) spyware could thrive: no doubt they all specify in their license
agreements the fact that they all collect information, but approximately no
one reads those.

Put it another way, would you want your compiler or other parts of your
toolchain sending information about all the source files it processed? I
wouldn't consider myself particularly paranoid when it comes to security,
maybe even looser than the average on HN, and even then I wouldn't use such
tools. I wonder how many companies have already banned their use...

~~~
alkonaut
Telemetry is all about how it’s presented to the user. It should simply be
presented at install/first start and users should be _shown_ the checkbox (it
shouldn’t be hidden away in settings) and asked nicely to leave it on in order
to improve the product. Checked by default is a hot topic but I think it is OK
so long as it’s presented clearly to the user.

I mean obviously I wouldn’t like any of the information I handle to be sent
somewhere, but I also don’t mind _statistics_ about that info (number of
files, file sizes, feature use count) to be sent to Microsoft. If I found out
that file contents was transmitted then obviously I’d be outraged - but I’m
rational and assume Microsoft is too.

~~~
johnwyles
Precisely! Albeit I am a bit surprised our infosec team seemingly haven't
cracked down or made a stance just yet on Kite and other telemetry software
for developers. That day will come soon I am sure :)

~~~
cassianoleal
Kite runs locally, why would infosec crack down on it?

~~~
johnwyles
Maybe this is old information but I thought it sent information back to Kite?
This article is old but for what it's worth:
[https://qz.com/1043614/this-startup-learned-the-hard-way-tha...](https://qz.com/1043614/this-startup-learned-the-hard-way-that-you-do-not-piss-off-open-source-programmers/)

------
timdorr
Is this needed? You can disable telemetry from the settings:
[https://code.visualstudio.com/docs/supporting/FAQ#_how-to-di...](https://code.visualstudio.com/docs/supporting/FAQ#_how-to-disable-telemetry-reporting)
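
The opt-out mentioned in the comment above can be checked mechanically across developer machines. The following is an added example, not part of the original thread and not VS Code's own code: it parses a `settings.json` (JSON with comments and trailing commas) and reports telemetry keys that are not explicitly off. The key names are the ones VS Code has used for this setting, while the sample file and the audit policy are assumptions of this example.

```python
import json
import sys

# Keys VS Code has used for its telemetry opt-out: two older boolean switches
# and the newer single level setting (the value "off" disables telemetry).
LEGACY_KEYS = ("telemetry.enableTelemetry", "telemetry.enableCrashReporter")
LEVEL_KEY = "telemetry.telemetryLevel"

# Constructed sample: settings.json is JSON with comments and trailing commas.
SAMPLE_SETTINGS = """{
    // editor preferences
    "editor.fontSize": 14,
    "files.exclude": { "**/.git": true, },
    "http.proxy": "http://proxy.example.invalid:8080/", /* '//' in a string */
    "telemetry.enableTelemetry": false,
}"""


def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas; leave strings intact."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:  # copy the escaped character as-is
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):
            while i < n and text[i] != "\n":
                i += 1
            continue
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        else:
            if c in "}]":  # remove a trailing comma before the closer
                j = len(out) - 1
                while j >= 0 and out[j].isspace():
                    j -= 1
                if j >= 0 and out[j] == ",":
                    del out[j]
            out.append(c)
        i += 1
    return "".join(out)


def telemetry_findings(settings_text):
    """Return the telemetry keys that are not explicitly switched off.

    Policy of this example (an assumption, not VS Code's precedence rules):
    the level key decides if present; otherwise both legacy keys must be false.
    """
    settings = json.loads(strip_jsonc(settings_text).strip() or "{}")
    if LEVEL_KEY in settings:
        return [] if settings[LEVEL_KEY] == "off" else [LEVEL_KEY]
    return [k for k in LEGACY_KEYS if settings.get(k) is not False]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SETTINGS
    for key in telemetry_findings(text):
        print("telemetry not disabled:", key)
```

An unset key is reported because the thread describes telemetry as opt-out, so absence of the setting leaves it on.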

~~~
false-mirror
1. One less setting to configure, lest the Default monsters get you

2. VSCodium is just a FLOSS VSCode binary. You could build it yourself from
the available VSCode source. However, the VSCode binary is not FLOSS so you
cannot be sure what it is running.

It's not like VS code is the next PRISM-- I'm sure MS has better ways to spy
on users ;). The real pull is whether you prefer FLOSS by default.

~~~
wongarsu
> However, the VSCode binary is not FLOSS so you cannot be sure what it is
> running.

That's equally true of the VSCodium binary. It's not a reproducible build, I
have no way of knowing from which source code the binary was generated.

Of course I could build from source, but VSCodium is just VSCode built from
source with a build flag set. So in this regard it's not contributing anything
notable (and doesn't claim so either).

~~~
xyproto
Why is it not possible to build VSCodium in a reproducible way? Does it
download packages while building?

~~~
O_H_E
I think this kind of reproducible:

* [https://reproducible-builds.org](https://reproducible-builds.org)

* [https://en.wikipedia.org/wiki/Reproducible_builds](https://en.wikipedia.org/wiki/Reproducible_builds)

Sorry, but I don't think I am qualified to explain clearly

------
jameskraus
I suspect the tracking in VSCode is mainly used to improve the product. It's
probably in my best interest, and the interest of the community as a whole to
leave tracking on. I mean, I get it, HN is usually a more skeptical and
security-focused crowd. At the same time, it's likely MS will just take that
information and tailor their bugfixes and features to the things I need most,
so by all means I want them to have it.

~~~
z3t4
It maybe starts with simple statistics. But then you want to know what
features the users use, then you want to know what other programs they have
installed. Then you want to know what the users search for on the web. etc.
It's a slippery slope.

~~~
naikrovek
Every time I hear the phrase "it's a slippery slope" uttered by someone
arguing against something, I am immediately suspicious of the argument that
person is making.

There really isn't such a thing, in the way you've used that phrase.

Capturing telemetry on how I use a tool from within that tool is perfectly
fine, to me. Collecting telemetry on my search history in the browser by that
same tool isn't. THERE ARE NO INTERIM STEPS that make the second of those ok.
There is no slope. If there is, it isn't slippery. There is a series of
discrete decisions and at some point (which is different for everyone) a line
is crossed. There was no slope or slip that brought you there, only a series
of mostly unrelated decisions.

To think that Microsoft's long-term goal is to install a keystroke logger via
a multi-decade and multi-phase plan that begins with application usage
telemetry in a free developer tool thanks to "a slippery slope" is just simply
not realistic.

~~~
wolco
When you walk in the wrong direction the final step off the cliff is the last
one. Better to get off of the slope because choices get fuzzier the closer you
get to the sun.

------
jakear
The process for making this yourself is basically as simple as:

git clone

gulp build

Consider doing that before running binaries from more or less unknown sources.

I don’t remember the exact gulp command off hand, but if you check the
gulpfile there are myriad build configs for full minified packaged builds.

------
azhenley
Discussion from 3 days ago:
[https://news.ycombinator.com/item?id=19619956](https://news.ycombinator.com/item?id=19619956)

------
telaelit
This is great.

I think I would be okay with companies like Microsoft collecting data on me if
they make it more clear what data they are collecting, what they’re using the
data for, having the ability to disable data collection (defaulted to disable
preferably), and being able to download and have a guide to understand my own
data.

As a dev myself I know all of that is difficult and sounds ridiculous, but I
really do think we have a right to the data collected on us and on our
behavior. Transparency, ownership, and access, that’s all I ask.

------
formalsystem
I had no idea VS Code even had tracking..

Does anyone know what exactly is being tracked?

~~~
aaronbrethorst
Chris Dias offers up a suggestion for how to investigate further here:
[https://github.com/Microsoft/vscode/issues/60#issuecomment-1...](https://github.com/Microsoft/vscode/issues/60#issuecomment-162411071)

But, speaking as a developer of an open source software product that includes
telemetry[1], I expect they're tracking really basic stuff, like: DAU, MAU,
edited file types, project size, crash reports, etc. Basically, information
that helps to internally justify the continued existence of the project, and
data that lets them better prioritize resources on the project.

[1] [https://github.com/onebusaway/onebusaway-iphone](https://github.com/onebusaway/onebusaway-iphone)

~~~
taneq
> I expect they're tracking really basic stuff [...] information that helps to
> internally justify the continued existence of the project, and data that
> lets them better prioritize resources on the project.

This is my big issue with almost all analytics setups. Sure, you _expect_ that
they're _probably_ tracking stuff like that, which is perfectly reasonable and
benefits everyone. But when you look at the privacy policy inevitably you find
that the data they "may" collect is incredibly vaguely defined, wide-ranging,
and generally not actually limited (they use phrases like "we collect data
such as..." and "some examples of data we collect are...").

And then what they _do_ with the data is also left unrestricted by phrases
like "ways we use the data include..."

And then when you point this out, everyone tells you that you're being
paranoid and they're just covering themselves and don't be silly.

And then when they do precisely what their policy legally enables them to do
(_cough_ Facebook _cough_ Cambridge Analytica _cough_) everyone is aghast.

~~~
alkonaut
I wouldn’t (unfortunately) ever bother with what terms say. They are written
by a legal person who worries about future legal issues.

This is basically down to the reputation of the vendor and what information I
can _guess_ they gather based on what sort of outrage they would face if they
cross a line.

There are two messages here:

1. Legal. Basically a catch all that says they might sample your blood in the
future

2. Non-legal, e.g. developers. Says they gather harmless statistics.

Obviously #1 smells. But that’s how US corporate legal culture works. The
judgement I have to do is whether the vendor can be trusted to do only what
they say in message #2. I wouldn’t trust all companies in this respect,
especially not those that trade in information like Facebook, but I do give
Microsoft the benefit of the doubt.

------
writepub
I derive immense value from MSFT's VSCode. I don't think the telemetry in
VSCode is similar to cookie tracking by Facebook et al. Frankly, I do not
understand the fiscal benefit to Microsoft from VSCode, but I'd like to
continue supporting Microsoft's version, as the telemetry from an IDE doesn't
seem to be all encompassing privacy wise, like web tracking

------
m0zg
Meh. I just set the environment variable in my dotfiles which opts me out of
telemetry. I can't recall a case where MS would outright lie about stuff like
this. I.e. with Win 10 they flat out tell you you can't disable all telemetry,
and in the case of VSCode they're targeting a real hard-ass demographic, so I
trust them to not track me when I told them not to. I also don't use VSCode
very often, though.

------
Vanit
Would've been good if it detailed what it's tracking. I assume it's update
notifications and usage telemetry, which is fine by me.

------
bartread
This is nice and all but, from my perspective, the biggest issue with VSCode
isn't the telemetry but the battery drain. Even though I prefer VSCode to
Sublime the negative effect on battery life, particularly for sizeable
projects, forced me back to Sublime for most use cases.

~~~
_bear
It uses Electron.. which is packaged Chromium. That's the hog.

------
jlgaddis
If you are concerned with privacy and use _any_ Microsoft products (you're
already making a mistake by doing so in the first place but) I would
recommend, by default, blocking all Internet access to/from the host (edit:
_by default_ ; make exceptions as needed, obviously).

I've got one Windows machine here, just so I can run one specific client that
I have to use for an internally-hosted application. That machine doesn't have
a default route, just a single static route that lets it communicate with the
(internal) things it needs to and, just for good measure, there are firewall
rules (on the router connected to my upstream) that block any traffic to/from
this machine and the Internet. (Sadly, I would not be surprised to learn that
it can "fallback" to using DNS queries or some such to report back to the
mothership.)

I think we'll eventually get to the point where, in general, devices _won't_
have a default route. It might take a while, though -- currently, way too many
people are still completely okay with every device and application they use
spying on them and reporting back on what they do.

So-called "default deny" firewall policies for incoming traffic are pretty
common nowadays. I can't wait for "default deny" policies for outbound traffic
to become standard as well.

------
rl3
Is there any difference between this and the version in Arch's community
repo?[0] Obviously VSCodium appears to target more distros.

From my experience _code_ (Arch) is entirely debranded, so I can't imagine
telemetry was left in.

[0]
[https://www.archlinux.org/packages/community/x86_64/code/](https://www.archlinux.org/packages/community/x86_64/code/)

~~~
quzyp
Is it? I honestly never had a closer look, but the upstream url just points to
the regular MS github repo.

~~~
rl3
To answer my own question: no difference in terms of telemetry.

Both pull from MS source and are prebuilt, so there should be no telemetry in
either. This explains it well:

[https://github.com/VSCodium/vscodium#why](https://github.com/VSCodium/vscodium#why)

In case anyone wants to compare the minutiae:

[https://github.com/VSCodium/vscodium/blob/master/build.sh](https://github.com/VSCodium/vscodium/blob/master/build.sh)

[https://git.archlinux.org/svntogit/community.git/tree/trunk/...](https://git.archlinux.org/svntogit/community.git/tree/trunk/PKGBUILD?h=packages/code)

------
roryokane
Everyone is focusing on telemetry being turned off by default, but I think the
real benefit of VSCodium is that it doesn’t force you to agree to the non-free
license
[https://code.visualstudio.com/License/](https://code.visualstudio.com/License/)
that comes with standard VS Code (which is different from the MIT license in
the repo,
[https://github.com/Microsoft/vscode/blob/master/LICENSE.txt](https://github.com/Microsoft/vscode/blob/master/LICENSE.txt)).
See the issue
[https://github.com/Microsoft/vscode/issues/17996](https://github.com/Microsoft/vscode/issues/17996)
for discussion of the problems with that license.

------
f055
Some developers are a funny bunch, always chasing after the next cool thing:
either a language, an editor, a stack or a methodology. I’ve watched the RoR
hype, the Agile frenzy, the Sublime Text popularity, the Angular and React
mania... The truth of the matter is that while a developer needs to keep up
with new tech, often “new” doesn’t mean better, just different. Choosing the
right tools for the job at hand from all the available ones, not just the
“cool” ones, is an often missed quality of a good developer.

------
mncharity
VSCode seems rather monolithic. Skimming it briefly, there seems code which
might be usefully repackaged as npm packages for service elsewhere. (I didn't
check whether npm packages exist providing similar functionality.)

This can certainly be the right call for a project. But maybe it's an untapped
opportunity for the broader community?

Has anyone looked at running a tracking fork, say mechanically massaging
vscode into a monorepo?

As I explore opportunities for coding inside VR, having a more integrated
ecosystem for creating IDEs would be nice.

~~~
pavanagrawal123
Check out theia

~~~
mncharity
Thanks... [https://github.com/theia-ide/theia](https://github.com/theia-ide/theia)

------
eibrahim
Hmmm. Do I trust Microsoft or some unknown person on the internet?

~~~
asjo
Who has the better track record?

~~~
eibrahim
Who has more to lose and who has more scrutiny?

------
chappi42
The fossmint.com website is full of advertisements, social links and an
annoying popup. Somehow funny to visit there to avoid trackers...

------
Yuioup
Are you allowed to use .NET Core debugging with VSCodium?

[https://github.com/dotnet/core/issues/505](https://github.com/dotnet/core/issues/505)

------
ShiroiAkuma
I shall still prefer to go with the usual editors like sublime, vim. At the
very least I can be certain that vim is not reading the files I am editing.

------
madprops
Isn't the use of the vscode store extensions proprietary?

~~~
jakear
It is, but people try to get away with it by using a mistakenly committed
config file from a few years back to argue that the URL’s are now MIT’d.

The commit was quickly reverted, but they didn’t rewrite history to totally
remove it, and now here we are.

~~~
wongarsu
That sounds like they legally released it under MIT. They legally can't just
revoke a license grant, even completely unpublishing it by rewriting git
history wouldn't solve that.

~~~
madprops
I want Microsoft to share the vscode extensions, but that reasoning seems
weird to me. MS is hosting the extensions, they could decide what applications
get access to them. But also saying anything published by mistake immediately
makes it part of the current state of an open source project seems too
violent. Software authors should decide the terms of their software, maybe
past versions maintain the license included in them, but they are not eternal,
should the author decide so.

If at some point I want to turn my application more commercial friendly by
amending the license or changing it completely, and people tell me "No haha
sorry you released as MIT at some point so it's now free forever mate" I would
get pissed off and stray away from open source altogether. At least this is
how the "you can't revoke a license" argument feels to me. But like I said,
past versions that include a specific license should still be governed by that
license.

~~~
wongarsu
> MS is hosting the extensions, they could decide what applications get access
> to them.

A better way to do that would be to add some trivial access protection (like a
password they didn't accidentally publish). No matter how weak, any attempt
to circumvent it would violate anti-hacking laws in most jurisdictions.

> "No haha sorry you released as MIT at some point so it's now free forever
> mate"

For your existing code that's exactly how it works. Otherwise the concept of
licensing something becomes close to meaningless. Imagine Google releases
Kubernetes as open source, you build your business on it, and suddenly Google
turns around and says "just kidding, everyone who wants to use Kubernetes
after next monday has to pay us absurd licensing fees". Using anything open
source would be an insane risk if that was possible.

Instead what people usually do is to say "everything I do from now on is
closed source. You can maintain a fork of the old version, but good luck
keeping up with my version". Or alternatively "everything I do from now on is
under [GPL/AGPL/similar restrictive license], if you want to use it beyond
that contact me for a more permissive license deal". You can give people more
permissions on things you own, or attach fewer permission to new things than
you did in the past, but you can't take permissions you already gave away.

~~~
madprops
> Instead what people usually do is to say "everything I do from now on is
> closed source. You can maintain a fork of the old version, but good luck
> keeping up with my version". Or alternatively "everything I do from now on is
> under [GPL/AGPL/similar restrictive license], if you want to use it beyond
> that contact me for a more permissive license deal".

Yes this is what I was describing as reasonable. "Everything after this is
governed by X terms" is reasonable. But the whole thing can sound like even if
you change terms, previous licenses would still apply, which would be wrong.

~~~
wongarsu
To circle back to the specific case of the VSCode extension URLs, at the time
they were "new stuff" they were published in a repository with an MIT license
notice, effectively publishing them under MIT. For that version that license
applies forever. If they change the URLs and keep the change proprietary
that's fine, they just can't take back the past.

Though it should be added that I'm just expressing the common understanding,
barely anything surrounding open source licenses was ever actually tested in
court. There are also some obvious legal positions that would completely
change this: does every change need to state the license, are open source
licenses actually legally binding etc. However nobody would ever argue those
positions because they are detrimental for everyone (ok, the latter one was
once argued in a GPL trial, but the court decided not to decide on that)

------
slim
this is great. we could make it a proper fork and get rid of the constant
nagging of notifications wanting to manage your git repo, install plugins,
etc...

------
sonnyblarney
I do not trust Facebook with my personal data on their site, but I would
absolutely trust them to turn off arbitrary telemetry data if in fact it said
it was 'off'.

I just don't think there's a big evil conflict of interest or whatever for
this stuff to get slippery.

Not yet anyhow.

~~~
ru999gol
> Facebook [...] I would absolutely trust them

there is no hope for you then I suppose

------
fxfan
Are we still on with the FUD about telemetry?

It doesn't help anybody except probably the one guy who 'Showed Microsoft'.

Telemetry helps improve products and opt-out means the product company will
miss out on the behavior of power users thereby not being able to optimize
their software for their usage.

~~~
paavoova
> Telemetry helps improve products and opt-out

Did you mean to write "opt-in", or are you suggesting it's OK for software to
refuse the choice to opt out of data tracking? "Power users" simply do not use
such software or block connections via firewall.

~~~
fxfan
Please don't spread FUD. Tracking makes it sound like I'm being followed. This
is collecting usage-data.

~~~
paavoova
GPS-related telemetry, say in modern cars or smartphones, is akin to being
followed. The latter isn't even anonymized, e.g. recently police identified
suspects by issuing a warrant to Google for devices in the vicinity, or Tesla
having all the car data in case of an accident. Web tracking such as analytics
or canvas, things like "advertising tags" being assigned to your profile, is
you being digitally followed across various sites you visit. "Usage-data"
decided by developers, malicious or otherwise, may not be just usage data from
the user's perspective.

You can hardly dismiss all telemetry concerns as invalid when "telemetry" is a
catchall term for most any data collection. And the other side of it is the
user and being in control of the software they run, which entails opt-in or at
the minimum leaving the option to opt-out.

------
ramon
This is awesome, it's a lot faster than VSCode. I can now use a low end
machine to code finally haha. No need for 12GB Ram notebooks anymore.

~~~
Someone1234
Likely placebo. They've made no changes that would make it faster.

~~~
raidicy
In the main version of Vscode it will give me micro stutters when I use WSR+
vocola. _So far_ there's been none of that with vscodium, however this could
be because as with this fresh install there's no plugins.

~~~
ramon
Same here! I cannot understand why it's a lot faster than VSCode, it's weird.
I now have to try the plugins to see.

~~~
sbjustin
Is it possible the "slowness" was DNS lookups possibly for the reporting?

