VSCode is an IDE designed to suffocate the open source alternatives, so that they retain full strategic control. Oh, and it also promotes their tech (Copilot, Github, C#, TypeScript). It's a long list of issues.
It works well though, particularly over SSH and devcontainers, although it has severe bugs that they refuse to fix, and it isn't open source so you can't fix it yourself.
I wish software was secure by design, like browsers are.
But it just isn't a business priority, because consumers have so little to lose.
And enterprise customers have strict environments, separate staging/production environments that reduce blast radius, and so on, so the insecurity is tolerable. Besides, employees can't be trusted anyway, so what's the point of having a very secure IDE if they immediately run curl|sudo bash.
Are there any good web-based alternatives? (like Runpod's openvscode-server)
> It works well though, particularly over SSH and devcontainers, although it has severe bugs that they refuse to fix, and it isn't open source so you can't fix it yourself.
VS Code dev here. Would you like to share that list of severe bugs? Also, can you clarify what exactly isn't open-source in the entire VS Code with SSH and devcontainers flow? It's disheartening to read this, knowing that this simply isn't true.
The remote development extensions don't appear to be open-source. The marketplace page for the "Remote - SSH" extension will point you to a license that says, among other things, "You may not: work around any technical limitations in the software;".
The same page brings you to a github repo for the extension that contains no source code; it claims to be for gathering feedback only.
I don't know how you can imply everything about this is open source, maybe I'm not looking in the right place?
Not OP, but I've been trying to get remote development working for years but to no avail. The official response on the GitHub issue [0] in 2019 was:
> The "remote" functionality (SSH/WSL/Docker) is currently only available for VS Code proper, not 3rd party builds.
> [...] /cc @joaomoreno
Last time I checked, Arch Linux users who have the Arch Linux build of VS Code installed still cannot use remote SSH development nor dev containers. I definitely can't get it working on my own development machines.
Where is the Remote SSH extension code? I always thought that was closed source?
Edit: The reason I think it is closed source is because a StackOverflow answer says so[1]. I’d be very interested in seeing the code if you could link to its repo!
This is what posting sleep deprived gets you. I was referring to the cli[0] and server[1] components, which have most of the meat. Sorry for the misunderstanding. That being said, I'd love to know which severe bugs disrupt your usage.
Embrace, extend and extinguish.
Tell everyone that it is ok to use this crap because it is open source, despite it being impossible to have the exact same fully featured vscode built from source.
Speaking of "disheartening": your fellow devs who wrote the Pylance extension decided to mount a ReDoS attack against anyone who opens it in a debugger. I merely tried to investigate an issue that I had. [0] [1]
Being on the receiving end of a deliberate ReDOS attack feels more than disheartening. This is not shedding a good light on the VS Code development team as a whole. This is a despicable act.
No idea. All I know is whenever I try to execute the module in e.g. VS Code's debugger, it somehow triggers the attack and enters a de-facto-endless 100%-CPU-load loop.
> VSCode is an IDE designed to suffocate the open source alternatives, so that they retain full strategic control
What open source alternatives? Atom was a mess that kept breaking. LSP plugins are now used in almost every featureful editor and have really made editing a lot better. You spent more time configuring Vim and Emacs than they saved you. Microsoft made a really good code editor that set a standard and likely took market share from their own (mostly Windows) Visual Studio.
I do not use it anymore because of the creep of closed source plugins (+ they keep breaking my workflow) but I still think it is a great improvement.
> I wish software was secure by design, like browsers are.
Someone does not remember (or was not around) for the ActiveX or Flash days.
> You spent more time configuring Vim and Emacs than they saved you
I trade whatever default workflow that VSCode and other IDEs are imposing for a better editing experience. And even the initial time investment is short these days due to the trove of config and tutorials online.
After learning Vim, I ditched the files explorer and embraced the buffer workflow instead. Opening many windows at the same time to peek at multiple files, then switching to a new tab only if I don’t want to lose the current windows configuration. Then fuzzy searching for navigation, and using the quickfix list for search and errors. No friction from thought to action.
Another plus for me. I have an emacs session opened for weeks now inside a VM on my desktop to work on a side project. Whatever the computer (laptops or said desktop), it’s a quick ssh, then resuming the dtach session and my workspace is ready. Multiple files opened (almost all of them), a postgresql REPL, Tasks runners, and a lot of packages (magit, project.el, consult,…) working together to streamline working on code.
> I trade whatever default workflow that VSCode and other IDEs are imposing for a better editing experience. And even the initial time investment is short these days due to the trove of config and tutorials online.
You can configure VSCode with plugins. They aren't imposing any more defaults than vim or emacs do.
As VSCode is good enough, there is no oxygen for an open source effort to reinvent that wheel. At some point it will stale long enough that some bigger communities will want to tackle the challenge, but that won't be tomorrow.
I see VSCode as a net positive, but I think it's healthy to keep in mind the embrace->extend bigger picture.
What are we actually talking about here?
VS Code is open source, the existence of a de-microsofted alternative, that's actually just as capable (VS Codium) is just confirming this.
> there is no oxygen for an open source effort to reinvent that wheel.
Also, VS Code is just a great product. I mean, why is it a bad thing? It's not like Microsoft is exerting as much negative control if at all on the whole ecosystem like Google did with Chrome. What I can see is that the devs are keeping a good and healthy relationship to the users. While I see that this can change arbitrarily, given that it's Microsoft, right now you have to (or at least I do) give them the benefit of the doubt.
Many important plugins are only in the official marketplace, and it's not allowed to use this marketplace from open source builds.
The practical effect is that open builds like VSCodium don't have access to things like the C# plugin, making them not useless, but much less viable than actual VS Code.
C# has a fork of the official plugin which uses NetCodeDbg by Samsung. And the language server itself is a part of the SDK anyway. It works in VSCodium without any additional effort required.
I didn't know that it isn't allowed?
VS Codium even endorses downloading the files from there and installing them in Codium. Is this against their TOS or something?
> I see VSCode as a net positive, but I think it's healthy to keep in mind the embrace->extend bigger picture.
It is a terrible point. Emacs and vim have been around for 'how' long and they are still niche and difficult to use.
VSCode made it better, especially with LSPs. Make all the terrible arguments you want. Still does not change that before more people used the Windows only VS Studio and now they can use the (mostly free) VSCode on Linux. Whatever attempt Microsoft is making to embrace Linux to prevent a possible dev shift they are still cannibalizing their VS Studio sales to do so and Vim/Emacs still does not offer a good response to Code.
It’s not. Its core is open source, but the actual build that is branded VS Code and that people download is not. I’m not even referring to many of the key extensions that many people use, such as the SSH remote and Pylance, which themselves are proprietary.
If you want to use only open source code, you need a rebuild like VSCodium.
Thirty years, two CEOs, and at least two industry redefining tidal waves ago. The people who trot out Microsoft's HTML 2.0 strategy as a reason their work 30 years later is a trap, are deep in tin foil hat land and jumping at shadows.
Look at their wall street filings for the last decade. If Microsoft is running an elaborate EEE with their open source work, that first "embrace, extend" phase is now 10+ years in and responsible for an enormous portion of their bottom line with the fastest growth rates anywhere in the company. "Extinguish" would be suicidal.
One has to wonder if these same people also think Apple still secretly doubts the "think different" vision that Steve Jobs introduced in the same time frame, and could revert to beige boxes at any time. Or that IBM is really a hardware company and will drop services any moment.
VSCode is part of their Embrace Extend Extinguish strategy.
It embraced open standards.
Then extended them with proprietary plugins.
And then extinguished alternatives by making their plugins incompatible.
Why did they buy GitHub?
Well, it turns out to be massively relevant for AI.
VSCode is well integrated with not just GitHub, but also Copilot, and Devcontainers, all of which strengthen their proprietary grip.
But GitHub provides free hosting? And offers freemium GitHub Actions.
Open source software uses these free solutions, but in doing so make their technology mainstream, to an extent where even suggesting alternative is thought ridiculous, "just use github actions bro".
Speaking of tin foil hats, the CICD pipelines could make it possible to selectively infect binaries at the distribution level, which is virtually impossible to detect, especially if the signing keys are part of the pipeline, which I assume is almost everyone. This is critical militarily.
Cloudflare is another example of a militarily interesting freemium strategy, where a vast number of businesses have allowed a man-in-the-middle, which practically defeats TLS encryption, allowing surveillance. And, selectively and virtually impossible to prove, could hijack your cookies, and gain access to all kinds of things. And infect the binaries you download.
Which is to say that EEE strategy is extremely powerful and effective. Otherwise, why would companies surrender the security of their users so readily?
However, "hard to connect" with Microsoft, is not the case. When it came from their own notes. It's also not hard to connect IBM with the Fuhrer, but that's also in the past. Doesn't mean it never happened, though.
"Extinguish" is about their competition, not the extended product/field. They will always invest to embrace and extend, that's the condition to outpace and cut off the competitors.
Another happy doom user (and formerly unhappy vim configure-er).
Although the objection I see is more like "Why bother learning to use emacs/vim when VSCode is free and does everything I care about and my friends use it?" Which, to be fair, the emacs/vim learning curve isn't for everyone. I sometimes wish they had less "leet programmer" cred, though, since what is cred to the leet programmer is (in this case at least) stigma to the majority.
I want to like/use Doom (also to be able to recommend it to newcomers), and it neatly solves many "beginner issues", but I can never get it to do code-folding like in my own emacs-config.
Specifically, I'd want these 3 types of folding in the same buffer:
- "Chapter & Block-based", like in `org-mode`
- "Arbitrary lines folded", like in `vimish-fold`
- "Semantic folding, any level", like in `hideshow`
(Un-)folding should always be done with TAB, only for folding vimish-style, initial visual selection is needed.
When doing that in DOOM, I always end up with visual corruption, when some of fancier default eye-candy is switched on and then I use several types of fold in the same document.
I think, I saw code-comments, that there is an all-encompassing folding function in the works, but not yet finalized/activated. Hmm, maybe I should give it another spin, last time was 5ish months ago.
That is "does not work" for most people, including on HN. Nobody should be expected to spend half an hour installing Visual Studio and building a project before they can start to use an IDE.
So why not fix that? You can absolutely build a binary and release it and save thousands of people that effort.
Comments like this remind me of people who complain about an error they saw on Wikipedia: "So, you're going to fix that, right?"
If you have a pain point in OSS that you care about, you can fix that. Yes, you the person reading these words right now. That's the entire point of OSS.
I could, but nobody is going to trust my binary. And they shouldn't.
The build should come from the official maintainer. Period.
And participating in open source? Oh, I can assure you I am a seasoned open source contributor, but I am not going to just contribute to a random project. Wasted too much time on issues and pull requests that nobody looked at.
Easy to criticize other people, right? What have you done?
So help the official maintainer. Become the official maintainer of the Windows build.
If you don't want to, or can't be bothered with the time commitment, that's fine, but realise that every time you complain about an OSS project's failings, you're really complaining about your own inability to contribute, not theirs.
You're taking offence where none was intended. I was not referring to competence, as I have no means to judge, your inability was a reference to your decision not to contribute for whatever reason you have chosen.
You've made clear that you are not going to do this. Fine. My point is that this failing you perceive then, is about your decision/inability/choice/forced situation/whatever you want to call it, to not fix it, not theirs.
If you're anywhere near as experienced as you state you are at maintaining OSS projects, you'll know the issue I'm referring to here: entitled armchair quarterbacks telling maintainers what they "should" be doing, but not doing anything to contribute themselves.
Your original remark was that kind of entitled snide, back-handed, snarky comment that deflates OSS maintainers every day.
Engage with it, or accept that's where it is. Don't race around pointing out all the things it doesn't do that you want, that you're not prepared to make happen. You could offer time, you could offer actual hard cash, you could just move on and decide not to care.
That's my point. If you have maintained OSS, you know that's the point, I even contextualised it with an easy to understand metaphor in the form of "broken things" on Wikipedia that literally take seconds to fix.
If you didn't get that on the first or second pass, perhaps you're not quite the experienced maintainer you claim to be, in which case, just hold off criticising for a beat next time, and think about what you could actually do, and if it's nothing that's fine. Move on.
If Zed wants to treat Windows as a second class citizen, I don't want to change their mind. I am sure plenty of people other than me are willing to help and have the ability to contribute. The fact that there is no official build for Windows for so long says plenty about the project. The writing is on the wall.
I am not an idiot. Recent developments in the open source world should already give everybody a better idea of where they should spend their time and energy.
And on Mac, it just does the wrong thing for most shortcuts (the basic moving ones, like Option-Left/Right, which work on any Mac app, including browsers, but not on Kate), which is a huge shame because otherwise it's a very good editor.
> Someone does not remember (or was not around) for the ActiveX or Flash days.
"Hey wouldn't it be handy if every webpage can download binary code and run it? Oh and let it talk to every DLL in the system as well. Super handy! What could go wrong?" - Microsoft in 1998 :)
I mean sure we were all a bit naive in the 90s and 00s but did they really not see that coming?
Doom kept breaking, spacemacs is just kinda annoying, and I don’t wanna go through doing my own from scratch again. I basically only use emacs for my couple literate configs because I haven’t found an equal alternative
That’s why I’ve been checking out zed/helix/kakoune lately. Zed to replace VSCode which feels bloated and the other two to replace vim. The keybindings are more intuitive to me and having auto complete of commands out of the box with a full menu showing shortcuts saved me a lot of frustration from day 0
> You spent more time configuring Vim and Emacs than they saved you.
Uh? I've always used vim out of the box, and Emacs I got it just like I like by searching the .emacs file of a youtuber who has a configuration I like. Exactly 1 minute.
> I wish software was secure by design, like browsers are.
I don't. Browsers are already close to "security or utility, pick one"[0] if you try to go beyond the TV + form filling appliance experience. I don't want this kind of thinking to leak out to all software I use. Like, I'm happy to be able to write:
find . -type f [stuff] -exec rg 'foobar' {} +
without worrying about rg (or anything) refusing to run because its vendor didn't set up Access-Control-Allow-Origin header correctly, or similar such bullshit that's just commonplace whenever you try to operate (instead of consuming) or integrate anything on the web. And no, I don't want to have to buy a domain and publicly spell out my computers and get them legit certificates just so they're allowed to talk with each other when physically next to each other and on the same LAN.
I don't want my OS to start looking like Android either, where everything is hidden and nothing is allowed to talk to anything else - i.e. literally the opposite of the promise Android started with.
--
[0] - Security and usefulness are fundamentally opposing forces. In the limit, the most secure computer system is a dead rock.
Android has very good reason to have such strict process isolation. For example, that third party calculator app I downloaded shouldn't be able to interface with my bank app. That said, I do feel it (Google) has used security as an excuse to build a walled garden.
First time I see someone criticize Access-Control-Allow-Origin. You do realize it prevented countless script injection attacks from affecting users? Most of whom are not people who are on the web for the purposes of hacking random integrations.
Also seems like your idea of integration is using someone else's server without permission.
> First time I see someone criticize Access-Control-Allow-Origin.
From the POV of API integrations it's basically annoyance. It doesn't prevent or discourage using an endpoint from scripts and applications except browsers, which voluntarily handle it and also don't give the end-user any control over it.
> You do realize it prevented countless script injection attacks from affecting users?
I do. We're talking about making software as secure as web browsers. I can begrudgingly accept that the World Wide Web is what it is because it is World Wide, but I don't want any of this bullshit to spill over to general-purpose personal computers. It's bad enough that we increasingly do most of our computing in the browsers.
> Also seems like your idea of integration is using someone else's server without permission.
Not server but software, and the very phrasing of it is... I don't know where to even begin addressing it.
I am not and am never gonna ask permission to use software for whatever purpose I want. That's, like, the basic philosophy of computing. Integrations - voluntary or not - are basically an extension of that. Adversarial interoperability is a sad necessity today, but we're not even talking about that - we're talking transplanting "browser security" like CORS to places and use cases where it would be mostly annoying, leaving users at the mercy of the software provider to kindly relax the security flag a bit.
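The exchange above turns on where CORS is enforced. As an added example that is not part of the thread (the endpoint, origin and response body are constructed), this runs a local server that sends no Access-Control-Allow-Origin header, fetches it with a non-browser client, and applies a simplified version of the check a browser would make before exposing the response to a page's script:

```python
"""Added illustration: CORS is enforced by the browser, not by the server."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HITS = []  # Origin header of every request the server actually processed


class NoCorsHandler(BaseHTTPRequestHandler):
    """Constructed API endpoint that sends no Access-Control-Allow-Origin."""

    def do_GET(self):
        HITS.append(self.headers.get("Origin"))  # server-side work happens anyway
        body = b'{"secret": "constructed-sample"}'
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def browser_would_expose(request_origin, response_headers):
    """Simplified browser-side CORS check (no credentials, no preflight):
    a page's script may read the response only if the header is '*' or
    exactly equals the requesting origin."""
    allowed = response_headers.get("Access-Control-Allow-Origin")
    return allowed == "*" or allowed == request_origin


def demo():
    server = HTTPServer(("127.0.0.1", 0), NoCorsHandler)  # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    # Ignore any proxy settings so the request stays on loopback.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        url = "http://127.0.0.1:%d/api" % server.server_port
        origin = "https://other-site.example"  # constructed cross-origin caller
        req = urllib.request.Request(url, headers={"Origin": origin})
        with opener.open(req, timeout=5) as resp:
            body = resp.read()
            headers = resp.headers
        return {
            "non_browser_client_read_body": body,
            "server_processed_request": HITS[-1] == origin,
            "browser_script_could_read": browser_would_expose(origin, headers),
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())
```

The server handles the request and the non-browser client reads the body in full; only the browser-side check returns False, which is why the header protects browser users and is not a substitute for server-side authentication or authorization.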
> I wish software was secure by design, like browsers are.
I feel this is one of those "repeat it until it is true" marketing things, like "apple believes privacy is a fundamental right"
But really, I think vscode, browsers and apple products are only tangentially secure because business goals, features and convenience trump these kinds of broad statements.
I so wish it was otherwise. There are so few islands of common sense in our world and the water level keeps rising.
I think it's more a case that browsers take security into account at the feature design phase, whereas other applications don't. That's actually a huge step in the right direction. Same thing with mobile OSes, which have a very preferable decision to sandbox individual applications, instead of running them with full user permissions & full user data access, like desktop OSes do.
Now, whether the browsers or mobile OSes actually are secure because of that, is a separate thing, but those are good steps to take.
> which have a very preferable decision to sandbox individual applications, instead of running them with full user permissions
It's great that they took security into account during the design phase. I wish they had also taken into account user empowerment. They sandboxed all the apps and in so doing made interoperation, plugins, patches, mods, etc basically impossible. Now the most widely-used form of personal computer is more like a portal to digital services than it is a computing platform. It's sad to see, and I refuse to believe that it's one-or-the-other when it comes to security vs power.
Browsers weren't really secure by design until IE first introduced a browser sandbox sometime in the IE8 days and then Chromium came along and set the standard for sandboxing.
> what's the point of having a very secure IDE if they immediately run curl|sudo bash
Docker is a technology that downloads random unsigned tarballs from the Internet and runs them as root. Also it turns off your system firewall in the process, to make all this more "convenient".
Really we have much more low-hanging fruit to pick.
It’s a bummer that those aren’t the defaults, but it would directly make things less convenient and therefore make people less likely to use it (same reason why installing various software is still offered as a Bash script that you curl and pipe to your terminal, e.g. Ollama; at least it’s not offered as the only way usually), what a world.
and everything just worked, though the directions on that page look complicated, so it might be the wrong project. It was in the store that ships with the open source build and was definitely open source.
Eclipse theia. It is an almost pixel-perfect ripoff of VS Code that integrates the open source components such as Monaco. It is what you are using if you've ever started a Google Cloud Shell Editor.
After decades of using IDE's from Think Pascal/C, MCL, Borland C++/JBuilder and lots of Visual Studio and mostly PyCharm these days, I was forced to use an Eclipse IDE for a model driven dev project a few years ago.
Worst IDE experience ever and this tainted the 'Eclipse' brand for me forever.
Amazing that most commenters seem to even be unaware of Eclipse Theia which is basically THE open-source VSCode. They need better marketing (well, being open-source, they'll never have great marketing like MSFT, of course).
I would add: ...and being Eclipse they will have no marketing at all. Eclipse offers tons of interesting IDE's, languages ranging from C, Java, PHP, there used to be Haskell support as well. Granted, not every language has the same depth of features, and some plugins are practically abandoned. There are tools for the automotive industry, tools for building Dsl's and IDEs, hardware programming, the list goes on.
Eclipse is built as an IDE, but also as a platform to build your own IDE. I think that DBeaver is also based on Eclipse-the-platform.
But eclipse also reinforces memes, look at eclipse.org
- Software from the US: Great marketing, invasive, beginner friendly, attention to UX, great design, steals your data by default.
- Software from the EU: Deeply buried on a 2007 website, great feature depth, interface tailored to power users, designers have been killed, community equals you + 20 experts on some mailing list, no data sharing or only as opt-in
That's a lot of accusations without evidence. VSCode does questionable things, but nowhere near the levels you are describing.
And is there any evidence that VSCode is not secure, by Node.js standard? Has there been significant security incidents that were not handled properly? Has VSCode been neglecting security issues?
No to all those questions, based on my experience. Node.js inherently is loose on permissions -- by default you can do IO/connect to Internet however you want -- but that's not VSCode's fault. Otherwise, VSCode team has been very responsive at handling security issues.
(Saying this as an experienced VSCode user and extension developer.)
Cool theory but no one uses typescript, github or C# because of VSCode. It's a nonsensical narrative if you just spend more than a few seconds thinking about it. All those things dominated their niche before VSCode came into the picture.
Any better product can be accused of "trying to suffocate the OSS alternatives". Do Microsoft somehow have the power to make other OSS projects suck?
Other companies don't say EEE (MS also doesn't anymore, as far as I know), but that doesn't mean they are any better. In fact, I would say that Apple is far more guilty of doing this than MS is these days. But even so, what is the alternative? If MS creates any good product, people will accuse them of being at some phase in EEE, which is unfalsifiable.
I guess the alternative would be for MS to make this great product fully FOSS, so that there wouldn’t be a problem in the first place. But ofc that isn’t realistic for a plethora of reasons.
Also not saying that MS is somehow unique or worse than Apple, or Google or whatever, they each have their good and bad bits.
It's Microsoft's actions which lose them trust, regardless of what they might state in official communications.
Actions like the C# dev kit license footgun/rug pull, the closed source remote development extensions, and training copilot on GPL while pretending that you own any code it generates.
You don't even need a rant on the Windows team, it would be beating a dead horse.
C# dev kit is completely optional. The debugger, language server integration and all the other features that you'd expect ship with the base C# extension.
The first two are forks that fundamentally did not change all that much, the latter aims to create a "true" opensource alternative of VSCode (including the ecosystem, where VSCodium falls flat) to serve as a common base for (and by) a few industry giants to build their next-gen of IDEs on top of (an "IDE framework", per their description).
As for the first two, last I checked openvscode-server was just enough to host VSCode for the browser, code-server had a few extras, like hosting at a subpath.
I hate to break it to you but that's a large percentage of open source projects. The high majority of code is by a low minority of people
I think this is because the barrier to meaningfully contribute is too high simply because large code bases are almost always complicated and hard to understand.
There's a few extraordinary exceptions (NetBSD source comes to mind) but they're extreme outliers