dfajgljsldkjag 12 hours ago

It is scary that a text editor can run hidden code just by opening a folder. We traded our safety for convenience and now we are paying the price. Users will always click the button to trust a file if they think it helps them work faster. We cannot blame them when the software design makes it so easy to make a mistake.

mmh0000 11 hours ago | parent | next [-]

Tooooo be fair

Vim had also had its share of execution vulnerabilities over the years.

https://github.com/numirias/security/blob/master/doc/2019-06...

scrapheap 6 hours ago | parent | next [-]

Yep, it's a shame that we keep making the same mistakes when it comes to basic security practices.

trelane 2 hours ago | parent | prev [-]

Was going to say the same thing about emacs: https://news.ycombinator.com/item?id=42256409

direwolf20 2 hours ago | parent [-]

What is share dot google? Here's the real link: https://news.ycombinator.com/item?id=42256409

trelane 2 hours ago | parent [-]

Bah. It's what Chrome on Android is doing now when I ask it to give me the link. Fixed it. Thanks!

I had searched for it in the search bar at the bottom of the home screen, which opened it in a Chrome window. If you tap the share icon on the top right, you get the share.google link. If you tap the three dots and then something like "copy link" you get the actual link.

EE84M3i 12 hours ago | parent | prev | next [-]

Doesn't it ask you if you trust a folder when you open it?

dfajgljsldkjag 12 hours ago | parent | next [-]

You are right that the computer asks you. But people click yes because they are used to ignoring warning signs. The software relies on people making perfect choices every time and that never happens.

whs 11 hours ago | parent [-]

It should tell me what I should look for before I trust it. Not trusting the workspace means I might as well use Notepad to open it. I wouldn't think that tasks.json includes autorun tasks in addition to build actions.
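Added example, not part of the thread and not VS Code's own code: a pre-trust check that reads a folder's `.vscode/tasks.json` text and lists tasks set to run on folder open. It assumes the documented `runOptions.runOn` value `folderOpen`; the function names and the sample are constructed for illustration.

```python
import json
import re

def strip_jsonc(text):
    """Drop // and /* */ comments outside strings, then trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char, e.g. \"
                i += 1
                out.append(text[i])
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):       # line comment: skip to newline
            while i < n and text[i] != "\n":
                i += 1
            continue
        elif text.startswith("/*", i):       # block comment
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
            continue
        else:
            out.append(c)
        i += 1
    # Simplification: this regex would also touch ",}" inside a string value.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def find_autorun_tasks(tasks_json_text):
    """Return label/command of every task set to run when the folder opens."""
    doc = json.loads(strip_jsonc(tasks_json_text))
    hits = []
    for task in doc.get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            hits.append({"label": task.get("label"), "command": task.get("command")})
    return hits

# Constructed sample, not taken from any real project.
SAMPLE = """{
  "version": "2.0.0", /* JSONC: comments and trailing commas are allowed */
  "tasks": [
    { "label": "docs", "command": "echo https://example.invalid/docs" },
    { "label": "setup", "command": "npm install", // fires on open
      "runOptions": { "runOn": "folderOpen" }, },
  ]
}"""
```

An empty result only covers this one file; extensions and other workspace settings are outside what this check reads.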

nottorp 4 hours ago | parent | prev | next [-]

I always wondered why. Now I finally know that it auto runs code in that folder.

Who thought this is a good idea and why wasn't it specified in ALL CAPS in that dialog?

Is it even documented anywhere?

Very infrequent vscode user here, beginning to think it's some kind of Eclipse.

Levitz 2 hours ago | parent [-]

I mean it's not in caps, but it's literally the first line in the dialog after the header:

https://code.visualstudio.com/docs/editing/workspaces/worksp...

I'm big on user first, if that dialog had sirens blaring, a gif and ten arrows pointing that "THIS MAY EXECUTE CODE" and people still didn't get the idea, I'd say it needs fixing. It can't be said that they didn't try or that they hid it though.

esseph 9 hours ago | parent | prev | next [-]

Who remembers autorun.exe

IshKebab 6 hours ago | parent | prev [-]

Yeah but it's one of those useless permission requests along the lines of "Do you want this program to work or not?"

They're pawning off responsibility without giving people a real choice.

It's like the old permission dialog for Android that was pretty much "do you want to use this app?". Obviously most people just say yes.

There's a reason Google changed that.

To be fair I'm sure Microsoft would switch to a saner permission model if they could but it's kind of too late.

azornathogron 3 hours ago | parent [-]

It's not a false choice - "Trust" and "don't trust" are both perfectly viable options. The editor works fine in restricted mode, you just won't have all your extensions enabled.

croes 11 hours ago | parent | prev [-]

> We traded our safety for convenience

Not the first time. Same with LLMs.