You Think the Visual Studio Code Binary You Use Is Open Source? Think Again (carlchenet.com)
113 points by pabs3 on Sept 18, 2018 | hide | past | favorite | 30 comments

This has been known for nearly two years now[1], and was talked about here a few months ago[2].

VSCode also downloads code from Microsoft servers during the build process and won't build without an Internet connection. I'm pretty sure someone had forked VSCode like ungoogled-chromium but I can't find the repository.

[1] https://github.com/Microsoft/vscode/issues/17996
[2] https://news.ycombinator.com/item?id=17346492

Are you thinking of https://github.com/VSCodium/vscodium ?

Covered here just a few weeks ago: https://news.ycombinator.com/item?id=17850960

This article is similarly alarmist, with a stupid clickbait title suggesting that you are too stupid to read the documentation that comes with VS Code, which points all of this out, but somehow smart enough to read the genius bit of journalism that uncovered this terrible truth.

Just check out what VSCodium actually modifies. There are a few small diffs to disable telemetry and take out branding, and a few other things.

But this is hardly some secret plot by MS to do something evil. It's a nice product provided to you for free by MS that is almost entirely open source. Yes, it has a bit of branding and a bit of telemetry, which is presumably there to help them improve the product.

If the handful of stuff in there that isn't OSS bothers you for whatever reason, you can indeed build from source and take these things out, like VSCodium seems to be doing. You'd be well within your rights to do that. And it's very relevant for e.g. Linux distributions like Debian, or OSS purists.

Yeah that's it.

Flathub has the free version https://flathub.org/apps/details/com.visualstudio.code.oss and the non-free one https://flathub.org/apps/details/com.visualstudio.code

Tangentially, this is one of my gripes with stuff like flathub/snapstore since they are hybrid stores of both free and non-free software. In the traditional model, you can trust your debian/fedora maintainers to have strict standards for anything that gets to the base system. Now, with more and more distros enabling snap/flatpak by default, it dilutes that guarantee. Perhaps snap/flatpak ought to adopt a granular free/non-free distinction like repos.

Is there any technical evidence that Microsoft is doing something suspicious with the binaries? Differing hashes? Weird network traffic? Binary decompilation? It's not hard to find evidence if you've got a hunch, instead of publishing a fear piece like this.

The license forbids you to reverse-engineer, so how would you find out without breaking the license?

Come on, nobody is preventing anyone from running the binary with strace or with wireshark open and comparing it to a version compiled from their sources. It's absolutely something which would've been relevant in a post like this one.
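As an added check, not from the article, this thread, or the VS Code project: two POSIX shell helpers that do what the comment above describes. `compare_trees` builds sha256 manifests of two unpacked trees (say, the extracted vendor .deb against a build from source) and reports files that exist on only one side or differ; `strace_connects` pulls the unique ip:port endpoints out of an `strace -f -e trace=connect` log, dropping AF_UNIX sockets. The strace lines in `sample_strace_log` and the trees created by `make_sample_trees` are constructed for the demo, and the paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example: checks to run on a vendor binary before trusting it.
#   compare_trees A B   sha256 manifest diff of two unpacked trees
#   strace_connects     endpoints seen in an `strace -f -e trace=connect` log
set -u

hash_file() {
  # sha256sum is coreutils; fall back to shasum on macOS/BSD
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# Print "sha256<TAB>relative-path" for every regular file under $1.
tree_manifest() {
  dir=$1
  ( cd "$dir" && find . -type f ) | LC_ALL=C sort | while IFS= read -r f; do
    printf '%s\t%s\n' "$(hash_file "$dir/$f")" "${f#./}"
  done
}

# Compare trees A and B. Prints one line per difference,
#   only-in-a <path> | only-in-b <path> | differ <path>
# and returns 0 only when the two trees are byte-for-byte identical.
compare_trees() {
  ma=$(mktemp) && mb=$(mktemp) || return 2
  tree_manifest "$1" > "$ma"
  tree_manifest "$2" > "$mb"
  out=$(awk -F'\t' '
    FILENAME == ARGV[1] { ha[$2] = $1; next }       # manifest of A
    !($2 in ha)         { print "only-in-b\t" $2; next }
    ha[$2] != $1        { print "differ\t" $2 }      # same path, other hash
                        { delete ha[$2] }            # present in both
    END { for (p in ha) print "only-in-a\t" p }      # left over from A
  ' "$ma" "$mb" | LC_ALL=C sort)
  rm -f "$ma" "$mb"
  [ -z "$out" ] && return 0
  printf '%s\n' "$out"
  return 1
}

# Read an strace log (file argument, or stdin) and print the unique ip:port
# pairs passed to connect(2). AF_UNIX sockets are dropped. Both the
# inet_aton() and inet_addr() spellings used by different strace versions
# are handled; IPv6 targets are printed as [addr]:port.
strace_connects() {
  cat "${1:--}" |
  grep 'connect(' |
  sed -n \
    -e 's/.*sin_port=htons(\([0-9]*\)).*sin_addr=inet_a[a-z]*("\([^"]*\)").*/\2:\1/p' \
    -e 's/.*sin6_port=htons(\([0-9]*\)).*inet_pton(AF_INET6, "\([^"]*\)".*/[\2]:\1/p' |
  LC_ALL=C sort -u
}

# Constructed sample log (not captured from VS Code), in the shape
# `strace -f -e trace=connect` produces.
sample_strace_log() {
  cat <<'EOF'
[pid  4242] connect(21, {sa_family=AF_UNIX, sun_path="/run/user/1000/bus"}, 110) = 0
[pid  4242] connect(22, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_aton("203.0.113.10")}, 16) = -1 EINPROGRESS (Operation now in progress)
[pid  4243] connect(23, {sa_family=AF_INET, sin_port=htons(443), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
[pid  4243] connect(24, {sa_family=AF_INET6, sin6_port=htons(443), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "2001:db8::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
[pid  4244] connect(25, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("127.0.0.53")}, 16) = 0
EOF
}

# Constructed sample trees: one identical file, one that differs, and one
# file unique to each side. Prints the two directory paths.
make_sample_trees() {
  ta=$(mktemp -d) && tb=$(mktemp -d) || return 2
  mkdir -p "$ta/bin" "$tb/bin" "$ta/resources" "$tb/resources"
  printf 'same\n' > "$ta/bin/code";            printf 'same\n' > "$tb/bin/code"
  printf 'v1\n' > "$ta/resources/product.json"; printf 'v2\n' > "$tb/resources/product.json"
  printf 'x\n' > "$ta/only-a.txt"
  printf 'y\n' > "$tb/only-b.txt"
  printf '%s %s\n' "$ta" "$tb"
}

# Usage on real input (paths are placeholders):
#   dpkg-deb -x code.deb /tmp/vendor
#   compare_trees /tmp/vendor /tmp/from-source || echo "trees differ"
#   strace -f -e trace=connect -o /tmp/code.strace /tmp/vendor/usr/share/code/code
#   strace_connects /tmp/code.strace
```

Expect `differ` lines even for an honest vendor build unless the build is reproducible; the signal worth reading is the set of paths that a from-source build does not produce at all, and the endpoints the vendor binary contacts that the self-built one does not.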

None of that would fall under ‘reverse engineering’ in this context since those techniques are basic due diligence that would be required before running software from a disreputable source like Microsoft.

Simple: you don't accept a license. If you want to reverse engineer it, just do it. You don't need their permission.

You can download the .deb/.rpm without accepting the license.

I strongly agree. As I said in the article, by using VSC you renounce, under its license, your right to reverse-engineer VSC. So you take a legal risk doing it and blogging/talking/podcasting about it on the Internet, and can face legal action.

I’m certain the community would be very surprised if Nadella’s “OSS is good” Microsoft tried to go after an independent research post citing that clause. It’s there so they have some legally valid substance to roll with if they want to go after a significant case. Say, Jetbrains implementing something that blatantly seems to have been inspired by reverse engineering a proprietary part of VSCode. Not a good example and VSCode’s proprietary bits are so minor it probably isn’t worth pursuing but it should highlight the difference. Keep in mind too it could gain more proprietary features in future, added without needing to update the EULA and bothering users with Yet Another Policy Update they have to agree to.

Reverse engineering might be forbidden in the United States. In many other countries, however, it isn't, especially in those cases where you aren't trying to steal a product but to learn/research something about it.

It is a fear piece, but the premise that the binary is not MIT-licensed is true. This is the same for the .NET Core binaries; they don't have the same license as the source either. Now that I think of it, this probably applies to most open-source libraries, including ASP.NET MVC. Perhaps because they use hardware-based signing of the binary?

>It is a fear piece,

Why, you are even forbidden to reverse engineer or hack the binary so it is the total opposite of free software.

Any idea why they would put these limitations on the binaries? What does MS gain from this?

What it gains is the ability to include some proprietary bits, including their branding, the extension system, and the option to send telemetry back.

Just the same reason that the Chrome binary isn't open source. Though MS doesn't make its money on personal information, so the telemetry part is much more restricted.

>telemetry part is much more restricted

Are you saying that Microsoft is collecting less information than Google would in the same situation? I find that very hard to believe looking at Microsoft's history. Do you have anything to back it up? The only comparison I can come up with is Windows 10 versus ChromeOS.

Here's Google's quarterly 10-Q statement.[1]

"We generate revenues primarily by delivering relevant, cost-effective online advertising." For the quarter ending June 2018, Google advertising revenues were $28,087 million, out of $32,657 million total. That's 86% of their total revenue, for those keeping score at home.

Here's the relevant section of Microsoft's financial statement for the same time period.[2] Advertising revenue is $6,100 million, out of $36,400 million. That's 17%. Microsoft doesn't even include the figure as a sub-line item, because their money makers are Azure and Office 365.

I understand that MS has a history of being the great opponent to software freedom. I understand that they've made moves that are anti-developer, and anti-customer in some ways. But their business model has never been based on collecting information. It was based on selling licenses, and now it's based on paid PaaS and SaaS.

With that in mind: it's hard to compare giant, decades-old corporations like this. We will inevitably come up with an incomplete list of anti-privacy things that both have done. But the profit motive lines up pretty clearly here.

But because I can't resist... Google privacy issues have a Wikipedia page: https://en.wikipedia.org/wiki/Privacy_concerns_regarding_Goo... . There is no analogous page about Microsoft privacy issues.

[1] https://www.sec.gov/Archives/edgar/data/1652044/000165204418...

[2] https://www.microsoft.com/en-us/Investor/earnings/FY-2018-Q4...

Telemetry is added in the Microsoft code for sure, plus some suggestions to Microsoft extensions.

If people don't trust Microsoft to do the right thing then it is prudent to not trust any of the code until someone has had chance to audit the entire codebase. Even compiling from sources does not imply that it is safe.

Wrong title. Article says "free software" which makes much more sense than "open source" in title. On HN you should know the difference.

They're pretty much interchangeable in this title. Saying "open source" instead of "free software" preserves the meaning but makes it less ambiguous. The difference matters when you're talking about ideology, but it's not so important when you're talking about the legal status of a piece of software.

The Open Source Definition was adapted from the Debian Free Software Guidelines, which the FSF approves of.

According to gnu.org: "The two terms describe almost the same category of software" (https://www.gnu.org/philosophy/open-source-misses-the-point....).

The software is "open source" not just "free software". The binary itself is not "open source".

"MIT allows this" is a red herring.

Even if the source was GPL, if Microsoft owns[1] it, they can do whatever the hell they like with it.

[1] own or own enough rights. Before any PRs are accepted, you need to sign the CLA https://github.com/Microsoft/vscode/wiki/Contributor-License...

This is not a secret. And it's really easy to compile it by yourself. So I'm not really sure why this article is making such a big deal out of it.

I still don't get the love (real or manufactured) for VS Code. There are far better tools to use on Linux. On Windows, you should use Visual Studio. VS Code doesn't make much sense unless you want to install additional spyware.

It's funny to see people say how "light" VSCode is when they use it as a glorified notepad for a few days. Then they install more and more extensions and then slowly VS Code evolves into Visual Studio.

I like it because it is lightweight and runs similarly on windows and mac. And it’s free so a good compromise for people I work with who are deep in the IDE wars. I haven’t used it on Linux so can’t speak of that environment.

I don’t code all day, so it’s a good drop in editor that doesn’t require paying a license, but has more functionality than vim.

So what’s so bad in the end? If vscode is good and closed source, I’d still use it.

The difference, according to the article, is in the way Microsoft apparently misleads users into thinking that the binary is the straight product from open source code compilation, which it seems it is not (see https://news.ycombinator.com/item?id=18012688)

This can drive privacy concerned people to use the product because they (wrongly) think it's open source and fully community reviewed.
