dreamcatcher-tech / dev.to


VSCode vs VSCodium #1

Closed origamidove closed 3 years ago

origamidove commented 3 years ago

The threat modeling blog post suggests using VSCode.

Note that the Microsoft binary includes additional proprietary code in addition to that in the VSCode OSS repo. Specifically, it includes un-auditable telemetry code that phones home to Microsoft.

Consider using VSCodium instead. The VSCodium project offers binaries of VSCode which are compiled directly from the OSS repo.

References

  1. https://vscodium.com/?target=_blank#intro
  2. https://github.com/vscodium/vscodium/releases
  3. https://github.com/Microsoft/vscode

inverted-capital commented 3 years ago

This conflict, where Microsoft insists on keeping the remote SSH code closed source, prevents use of VSCodium in the described architecture.

I personally could not handle the productivity degradation of other options for anonymously using vscode, so chose to accept the risk. Once someone gets around to making a visual threat model using threatdragon or similar, we should highlight the vscode element with the Information Disclosure and Elevation of Privilege vulnerabilities.

I don't know how to model the scenarios and incentives under which Microsoft would care enough to disclose their telemetry gathering to anyone, and even more specifically on us, so I need some help describing that too. It's some kind of incentive threat modelling.

A better architecture that has been set up and used productively would be very welcome. I think it is stupid that it is so hard to contribute code anonymously right now, but here we are nonetheless, still operating on the internet from the 90's.

There must be a way to make an extension for VSCodium that can do development work on a mix of remote and locally run interblock blockchains somehow.... then provided you trust the VSCodium build, you could get anonymity, distribution, sharing, burstable CPU for CI, and realtime collaboration - without having to jump through all the hoops we have to right now.