In order to facilitate the analysis of the source code associated with an extension version,
it is essential to have proper coordinates for the corresponding source code.
Today, the extension metadata is polluted: some extensions list invalid URLs, or URLs requiring credentials; see some examples at [2] below.
Even when the URL is valid, it is not possible to find the release corresponding to the version.
Adopting a well-known standard to associate a VSX version with well-defined coordinates will make vetting of extensions feasible.
This issue proposes to adopt the Package URL specification (see [1]).
This would make it possible to resolve a VSX version's source code
and therefore facilitate vetting and analysis of it.
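As an added example (not part of this issue or of the open-vsx code base), the following Python shows what a vetting pipeline gains from the proposal: it parses a PURL into its components in the order the spec prescribes, resolves a `github`-type PURL to the source tree of the tagged version, and flags the two repository-URL problems named above (URLs that are not valid absolute https URLs, and URLs that embed credentials). The assumption that the PURL version equals the git tag name is a convention chosen for this example, and the extension ids and URLs in `SAMPLE_EXTENSIONS` are constructed.

```python
"""Package URL (PURL) coordinates for extension versions.

Added example, not open-vsx project code. Parses a PURL following the
spec's splitting order (subpath, qualifiers, version from the right;
then type, namespace, name), resolves github-type PURLs to a source
tree URL, and checks plain repository URLs for the issue's problems.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class Purl:
    type: str
    name: str
    namespace: str | None = None
    version: str | None = None
    qualifiers: dict = field(default_factory=dict)
    subpath: str | None = None


def _split_right(text: str, sep: str) -> tuple[str, str]:
    """Split once from the right; return (text, '') when sep is absent."""
    head, found, tail = text.rpartition(sep)
    return (head, tail) if found else (text, "")


def parse_purl(text: str) -> Purl:
    """Parse 'pkg:type/namespace/name@version?qualifiers#subpath'."""
    if not text.startswith("pkg:"):
        raise ValueError("PURL must start with the 'pkg:' scheme")
    rest = text[len("pkg:"):].lstrip("/")
    rest, subpath = _split_right(rest, "#")
    rest, qualifier_text = _split_right(rest, "?")
    rest, version = _split_right(rest, "@")
    ptype, found, path = rest.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    if not found or not segments:
        raise ValueError("PURL needs both a type and a name")
    qualifiers = {}
    for pair in filter(None, qualifier_text.split("&")):
        key, _, value = pair.partition("=")
        qualifiers[key.lower()] = unquote(value)  # keys are case-insensitive
    return Purl(
        type=ptype.lower(),
        name=segments[-1],
        namespace="/".join(segments[:-1]) or None,
        version=unquote(version) or None,
        qualifiers=qualifiers,
        subpath=unquote(subpath.strip("/")) or None,
    )


def source_tree_url(purl: Purl) -> str:
    """Resolve a github-type PURL to the tree of the tagged version.
    Assumed convention for this example: the PURL version is the git tag."""
    if purl.type != "github" or not purl.namespace or not purl.version:
        raise ValueError("only versioned github PURLs are resolved here")
    return f"https://github.com/{purl.namespace}/{purl.name}/tree/{purl.version}"


def repository_url_problems(url: str) -> list[str]:
    """Return the reasons a vetting step would reject a repository URL."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme != "https" or not parts.hostname:
        problems.append("not an absolute https URL")
    if parts.username or parts.password:
        problems.append("embeds credentials")
    return problems


# Constructed sample metadata, not real open-vsx records.
SAMPLE_EXTENSIONS = [
    {"id": "example-org.good-ext", "purl": "pkg:github/example-org/good-ext@1.2.0"},
    {"id": "example-org.bad-url", "repository": "git@example.invalid:example-org/bad-url.git"},
    {"id": "example-org.leaky", "repository": "https://user:token@example.invalid/example-org/leaky"},
]


def audit(extensions: list[dict]) -> dict[str, str | list[str]]:
    """Map each extension id to a resolved source URL or to its URL problems."""
    result: dict[str, str | list[str]] = {}
    for ext in extensions:
        if "purl" in ext:
            result[ext["id"]] = source_tree_url(parse_purl(ext["purl"]))
        else:
            result[ext["id"]] = repository_url_problems(ext.get("repository", ""))
    return result


if __name__ == "__main__":
    for ext_id, outcome in audit(SAMPLE_EXTENSIONS).items():
        print(ext_id, "->", outcome)
```

Running the module audits the constructed list: the PURL-bearing entry resolves to a concrete tree URL, while the two entries that only carry a repository URL come back with the reason vetting cannot use them.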
References:
[1] PURL spec
[2] Example of invalid URLs for open-vsx published VSXs: