| ▲ | echoangle 4 hours ago |
| The message displayed when asking if you want to trust the directory is pretty clear about it. https://code.visualstudio.com/docs/editing/workspaces/worksp... |
|
| ▲ | CjHuber 3 hours ago | parent | next [-] |
| I don't like the way it is handled. Imagine Excel actively prompting you with a pop up every time you open a sheet: "Do you trust the authors of this file? If not you will lose out on cool features and the sheet runs in restricted mode". No, it doesn't, because restricted mode without Macros is the default and not framed like something bad or losing out on all of those nice features. |
| |
|
| ▲ | Nathanba an hour ago | parent | prev | next [-] |
| It's worded really badly, so vscode is the thing that provides the dangerous features? No problem, I know and trust vscode. What the message should be warning about is that the folder may contain dangerous code or configuration values that can execute upon opening due to vscode features that are enabled by default. That sounds worse for them but that would be honest. |
| |
| ▲ | Cthulhu_ an hour ago | parent [-] |
| But you, as a security-conscious software developer, know that the phrase "may automatically execute files" can also be "with malicious intent" - the tradeoff that whoever made the text (and since it's open source it's likely been a committee talking about it for ages) had to make is conciseness vs clarity. Give people too much text and they zone out, especially if their objective is "do this take home exercise to get a job" instead of "open this project carefully to see if there's any security issues in it". |
| This problem goes back to uh... Windows Vista. Its predecessors made all users an admin, Vista added a security layer so that any more dangerous tasks required you to confirm. But they went overboard and did it for anything like changing your desktop background image, and very quickly people got numb to the notice and just hit 'ok' on everything. |
| Anyway. In this particular case, VS Code can be more granular and only show a popup when the user tries to run a task saying something like "By permitting this script to run you agree that it can do anything, this can be dangerous, before continuing I'm going to open this file so you can review what it's about to do" or whatever. |
|
|
| ▲ | OoooooooO 3 hours ago | parent | prev [-] |
| The message, at least for me, does not convey that merely opening may lead to code execution. |
| |
| ▲ | hn-acct an hour ago | parent | next [-] |
| Other IDEs do this too btw |
|
| ▲ | rcxdude 3 hours ago | parent | prev [-] |
| Really? "May automatically execute files" suggests to me that at least code could execute without me taking any further explicit action. |
|