Tech Echo

A tech-news platform built on Next.js, providing global tech news and discussion content.
© 2025 Tech Echo. All rights reserved.

Zed Editor automatically downloads binaries and NPM packages without consent

239 points, by gantengx, 10 months ago

20 comments

daghamm, 10 months ago
This is what I hate about vscode, and they at least ask for consent. Some of the stuff vscode needs for golang are (to me) developed by Random Joe on github. It's just a matter of time before it is abused for supply chain attacks.
alberth, 10 months ago
While I share similar concerns, I also want to point out that:

    - Zed is (currently) free
    - still pre 1.0 release
    - being developed quickly by a small group of developers

For those of us who enjoy Zed, we should give appreciation for what they have created.

As someone who maintains OSS myself, the onslaught of people who can swarm in fast to piss on your hard/long efforts can demoralize you.

So let's be kind in our words (and tone) to these folks.
theultdev, 10 months ago
I don't really see the big deal here. Who wants to approve and configure all of their language servers?

If you open a file for that language, is there ever a time you would deny the download?

I just don't want a huge amount of popups like VSCode.

Also, the binaries are downloaded from their release on github. As long as that is secure I don't see a problem.
DanielVZ, 10 months ago
This broke Zed for me and I had to go back to Neovim at my workspace. The corporate AV software was going crazy with all these automated downloads and installations. It wasn't blocking them, but just vetting them was taking so long that I just didn't find it worth using.
xpe, 10 months ago
Zed is my favorite editor, but I'm not going to minimize concerns that people raise simply because I think the editor is stupefyingly awesome overall.

Questions: What control does a user have right now over what gets installed automatically? What are the levers we can pull to get more control? (These levers include configuration options, pushing back on the project, and so on.)

P.S. Not that this is an excuse, but VS Code's security posture (sandboxing, prompting users, etc.) probably didn't happen overnight without user pressure. Who knows the history?
haddr, 10 months ago
Zed is supposed to be a lightweight and fast text editor. That was my hope when trying it. This is not the case. When I was editing some JS or HTML file I noticed that my laptop was quite warm. I checked all processes and there was some node process taking up 100% of one of the CPUs. It was some language server running in the background in some non-efficient way. The problem with Zed is that its mission is to be "engineered for performance", while in the background they cut corners and run some heavy unoptimized stuff. I think this is not the right strategy, even considering it is still in beta.
WuxiFingerHold, 10 months ago
They could ask during install whether silent installation of LSPs should be done or whether Zed should ask explicitly for every LSP.

With Zed, I have another issue. I don't understand which niche it is trying to fill. The advertising story doesn't convince me. The performance bottlenecks are typically the LSPs after all, not whether text is rendered in 10 or 20 ms. Startup time is secondary. Yes, memory usage is a concern. I get that and that's where Zed is miles ahead of VS Code and Jetbrains IDEs. But overall I think:

- If you want easy and free, go VS Code.

- If you want ultimate IDE features and mouse and GUI, go Jetbrains.

- If you want ultimate productivity, follow this beautiful guide: https://lazyvim-ambitious-devs.phillips.codes/
coolgoose, 10 months ago
I don't get why having a modal for each tool asking for consent is too hard.
notorandit, 10 months ago
Whether it's a binary or not, it doesn't make any difference.

It's the "modern times" craze about plugins pulled from different unauditable, unknown sources. The fact that it is on GitHub or any other "publicly available" source is irrelevant.

I keep using vim and Kate and manually install anything I need from my distro (Arch Linux) repos. If it is not there, then, sorry, I cannot use it.
mapcars, 10 months ago
Zed is version 0.1-something; you can't realistically expect them to have their own maintained packages at this stage. And these things do happen when you use software at the early stages. Just wait for 1.0 and see what happens then.
legobeet, 10 months ago
The security side of free editors and IDEs is not great anywhere today for JS development. Once you start wanting more features and integrations, you start facing an apparent choose-any-2 of security, convenience, and productivity.

I don't think it has to be this way. I think we can have both better compartmentalization and tighter workflow integration without it becoming a part-time job.

Here is my ongoing attempt at addressing the issue, currently scoped for neovim[0]:

https://github.com/legobeat/l7-devenv

(I did share this to crickets as a Show HN the other day; hope it's on-topic enough to be OK to reshare here.)

[0]: The same framework should, at least in theory, be extensible to do something similar with Code/VSCodium. While working on this I realized there is some overlap with their Dev Containers, and I am yet to look into if and how one would run those in a similar fashion and if they could be leveraged to the same end.
throwaway202407, 10 months ago
This was also documented here, nearly a year ago:

https://github.com/zed-industries/zed/discussions/6659

where there is a VSCode theme importer for Zed.

And what it does is silently install a Homebrew package and attempt to execute it on your machine.
biosboiii, 10 months ago
Not asking the user for consent for software updates is quite common.

My corpo rejects a lot of software because they do exactly that.
perryizgr8, 10 months ago
There is a balance between asking too many confirmations and not asking at all. VS Code had this feature called "Workspace Trust" or something like that. It was so incredibly annoying. Always asking me, for my own repos or repos which are in my org, if I trust the authors. I ended up disabling it completely and it will remain that way. I hope Zed finds a way to strike the balance in a better way than bombarding the user with confirmations; otherwise I'll be completely disabling that too, probably to the detriment of the security of my computer.
idk1, 10 months ago
This might be a very very silly question, so bear with me: why would it need to download these binaries? I'm on Sublime Text atm, and I can't think of a reason why it would download anything other than the app itself or an update to the app when I'm asked. I know that might sound very stupid and I'm sorry.
jarule, 10 months ago
This is why you never want to sell to developers.
as-cii, 10 months ago
Hey, Antonio here. Co-founder at Zed.

Sorry that we haven't replied to that GitHub issue yet. We try our best to listen to the community (here, on GitHub, on Discord, ...), but we're a small team and, admittedly, it's tricky to keep up with everything.

I agree that we should ask users for consent before downloading language servers (and other executables).

For everybody who's come across the ticket here or on Reddit and hasn't worked with the Zed codebase yet, let me provide some context on how language support is implemented.

In Zed, we have three ways of supporting a language (and its language servers):

1. Extensions that users can install from the `zed-extensions` repository [0]

2. Pre-bundled extensions that ship with the Zed binary, but still need to be installed [1]

3. Built-in language support [2].

For (2) and (3), the code is owned by the Zed team and we make a conscious effort to review contributions from the community in that area.

That code can automatically download language servers, but we try to vet which exact scripts/binaries are downloaded from where. For example: we heavily use rust-analyzer ourselves and keep up to date with its releases, the Go language server `gopls` is downloaded from the Go team using the official `go` tooling, the ESLint language server comes from Microsoft, etc.

For the longest time, we only had built-in language support (3). A couple of months ago, we shipped extensions for Zed (points 1 and 2 above, parts of it described in [3]). The goal was for built-in language support (3) to gradually move to pre-bundled extensions (2) so that users had the ability to choose which ones to install. We did make some progress, but we haven't ported all languages yet.

We're a small team and can only do so many things at once. So after investing quite a bit of time into extensions, we chose to pause that work and invest into other areas for a while (porting Zed to Linux, for example). Once those areas are in a better state, we plan to come back to extensions, build them out some more, and port the remaining languages.

So, TL;DR: we hear you loud and clear. We try to vet things that are currently installed automatically. But we agree that we should ask users whether they want to install arbitrary binaries on their computer. We also plan to transition all language support to manually-installed extensions once we finish other projects.

[0]: https://github.com/zed-industries/extensions

[1]: https://github.com/zed-industries/zed/tree/main/extensions

[2]: https://github.com/zed-industries/zed/tree/main/crates/languages/src

[3]: https://zed.dev/blog/language-extensions-part-1
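Antonio's comment above describes two controls for automatically fetched language servers: vetting which exact binaries come from where, and asking the user before installing. As an added example (not Zed's code, not from any commenter), here is a small install gate in Python that pins each tool to an HTTPS origin and a SHA-256 digest, requires per-tool consent, and refuses anything that fails a check. The tool name, release URL and artifact bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample artifact standing in for a language-server release
# binary; in practice the pinned digest is recorded when the release is vetted.
SAMPLE_BINARY = b"#!/bin/sh\necho example-ls 1.2.3\n"

# Allowlist (constructed): each tool the editor may fetch is pinned to an
# exact origin (HTTPS, host, release path prefix) and an expected digest.
PINNED = {
    "example-ls": {
        "host": "github.com",
        "path_prefix": "/example-org/example-ls/releases/download/v1.2.3/",
        "sha256": hashlib.sha256(SAMPLE_BINARY).hexdigest(),
    },
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def source_is_pinned(tool: str, url: str) -> bool:
    """Origin gate: HTTPS only, exact host match, path under the pinned prefix."""
    entry = PINNED.get(tool)
    if entry is None:
        return False
    u = urlparse(url)
    return (u.scheme == "https" and u.hostname == entry["host"]
            and u.path.startswith(entry["path_prefix"]))


def verify_artifact(tool: str, data: bytes) -> bool:
    """Integrity gate: digest of the fetched bytes must equal the pinned digest."""
    entry = PINNED.get(tool)
    return entry is not None and hashlib.sha256(data).hexdigest() == entry["sha256"]


def gate_install(tool: str, url: str, consent_granted: bool, data: bytes) -> Decision:
    """Apply the three gates in order: origin, user consent, integrity.
    Consent is recorded per tool, not per file, to limit prompt fatigue."""
    if not source_is_pinned(tool, url):
        return Decision(False, "origin not on the allowlist")
    if not consent_granted:
        return Decision(False, "user has not consented to installing this tool")
    if not verify_artifact(tool, data):
        return Decision(False, "digest mismatch: artifact differs from the vetted release")
    return Decision(True, "ok")
```

Both the origin pin and the digest pin are needed: the origin check alone would still accept a tampered asset served from the right repository, and the digest alone would not stop a download from an unvetted host.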
AlexDragusin, 10 months ago
> We created the hackable text editor, Atom, and the pioneering software platform that launched an entirely new generation of desktop apps, Electron.
rs_rs_rs_rs_rs, 10 months ago
At this point I really believe we need a consent popup after every letter typed; god forbid you typed a wrong letter.