info on the github breach appears to only be available on xitter 🙄 , I fished it out for you.
I’ve thought about this for a while and I think the difference is the marketplace. I use a bunch of vim extensions but vim and emacs don’t have a built-in thing that advertises extensions to me. There’s no ‘click here to install…’ button with flashy marketing. There’s no built-in concept of ‘recommended extensions’.
When I install an extension in vim, it’s almost always because someone looks over my shoulder and says ‘wow, I forgot how bad vim was without [my favourite extension]’ and I try it and decide it actually does make life nicer. When people install extensions in VS Code it’s because they’ve been trained that there’s always an extension in the store and it’s the top result for their search. And that gives people a big incentive to put malicious extensions in the store.
@phil @0xabad1dea @david_chisnall No no, Emacs has a *far* more sophisticated security model than VSCode.
Malware authors sit down to learn Emacs, so they can write Elisp malware ...
... and ten years later they're still customising their editor, and haven't written a single line of malicious code.
(Posted with love as an
user for several decades ...)
@david_chisnall @0xabad1dea I could not ever have thought that to be a problem! Who has ever heard of it being problematic to download random code from the Internet and run it with full privileges on your computer? This realization is a breakthrough in infosec. Someone deserves a Nobel prize for this. And a Turing award.
(#sarcasm just in case)