-
-
Notifications
You must be signed in to change notification settings - Fork 45
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[proposal] Set up a central list of deprecated, malicious and pre-release extensions #1121
Comments
From gitpod-io/gitpod#10847 (comment):
I like this solution. I was briefly thinking about whether upstream support should be added, but I don't think so. Is there a JSON schema for the |
In the future, I can see us being able to serve a "merged output" of one origin and one upstream file, but do not think we should be considering that in the first iteration of this.
There's no official JSON schema AFAIK, but there are TS Types, from which I made a JSON schema for us to use. I agree something that could validate PRs would be great there 💯! |
Some other questions popped up as I thought about this a little more: How is it determined that an extension is malicious, deprecated, etc.? Should the openvsx server also perform actions?
|
Unsure about malicious extensions, but it is mostly about extension that do malicious like steal some user data, implement some back door or behave as any other malware. These are then removed from the Marketplace, but this doesn't remove the extensions from the users who have downloaded it. The For deprecated extensions, I only have some assumptions about the steps Microsoft took:
Thanks for bringing this up, @amvanbaren, I'll add that to the RFC.
For the actions taken by the ovsx server, I really like all 3 of your examples, although I think that this is indeed not in scope of this initial RFC, since it's just for kicking things off, but awesome ideas for the next iteration(s)! |
Another related issue:#1412 |
Summarizing a call today with @filiptronicek and @waynebeaton:
@amvanbaren FYI |
There is follow on work needed to visualize the list both on open-vsx.org and in Theia. |
@filiptronicek Any news on this? |
I am happy to report back, having applied the latest updates from upstream, that the extension control file is now maintained in the https://github.com/open-vsx/publish-extensions/blob/master/extension-control/extensions.json |
@filiptronicek Thanks and sorry for the delay in responding. IIRC, we currently don't reflect the status of these deprecated extensions in the UI, right? |
Yes, we have not made any mentions of the list in the openvsx codebase. |
@filiptronicek @mbarbero @amvanbaren What do you think we should do, understanding that development would likely be required that we'd have to prioritize? It seems to me that anything that shows up in the The |
This process should be that we first remove the extension from the registry, then update the list, meaining that the malicious list entries won't be of any use to the website. The field is there primarily for VS Code clients which may have the extension installed and would act accordingly.
💯 |
I 👍 everything that can help openvsx offering more security to end users.
This sounds like a very good first step. |
So the process would be similar to a namespace change or extension removal?
|
Should deprecated extensions be discounted or excluded in search results? |
I'm aligned on steps 1-3, but because because the list is rather a file hosted in a separate repo, the best approach IMO would be to raise an automatic PR against the file contributing the new malicious entry. |
Ok, will Open VSX be the only one raising PRs or should Open VSX periodically pull the file and check for changes? |
@amvanbaren we expect the community to be raising PRs about deprecated extensions and there may be some entries under |
@filiptronicek In that case I think it's easier to have the Open VSX can check for changes or a bot account can push the changes to Open VSX when the file is updated. |
@amvanbaren sounds good and less complicated 👍 |
@filiptronicek @amvanbaren @mbarbero Summarizing:
Questions:
|
We should. I think it's fair to have it run on a weekly schedule and raise PRs which we can easily review and merge. |
These steps are no longer relevant. Under the new process Open VSX pulls in the list (or gets notified of changes). No Open VSX admin action required. |
Hey folks, I am happy to say that Gitpod has now been using the official extension control manifest in its VS Code Browser implementation for quite some time without any issues. There also is now a dedicated JSON schema we've made to support the adoption of the file and updates are conducted regularly to reflect the state of the upstream (so far, we've received no requests to add anything exclusive to https://open-vsx.org). I am also happy to support testing for any features that may land on the https://github.com/eclipse/openvsx/ repo, so that we can make the file even more useful and convince even more VS Code forks to adopt it. |
@filiptronicek Nice work! I see a |
@kineticsquid the search section we can get a bit creative with the surface extensions to users they probably want to install depending on some keyword. Microsoft for instance uses it to push some of its extensions as preferred results in VS Code, for example if you search for "ai", the GitHub Copilot extension will be at the top, even though it does not best fit the search (by title, description, downloads, ratings, etc.). There is no need for us to add any extensions, but it's good to keep it in mind as a tool in our tool belt (for instance for promoting open-source alternatives to extension exclusive to Microsoft's Marketplace). |
@filiptronicek Understood, makes sense. @amvanbaren The UI treatment looks good. A couple of questions. I see in extension-control/extensions.json different types of entries. E.g., Also:
and:
How do the UI treatments differ? Also, before we make this live, we'll need to prepare some documentation on what folks need to do to deprecate and I think we'll want to include a new banner message, #2750. |
When it's just a boolean ( |
Understood, thanks. |
Related question to updating the UI. Should the |
I think we shouldn't expose that info through the API just yet and just let users query the control manifest directly if they want that information. Microsoft leaves these two components (the web marketplace and control manifest file) decoupled and does not integrate their list into the API or the interface. |
@kineticsquid The webui uses the API to get the extension data. |
Before we go live with this, we'll need to provide documentation on how to deprecate an extension. |
Since VS Code 1.68, Microsoft maintains a list of deprecated and malicious extensions for their Marketplace. This list is very helpful for keeping users off of unsafe extensions, while ensuring a good experience with suggestions on extensions they should migrate their deprecated ones to.
At Gitpod, we discussed the idea and settled on not maintaining our own list, but rather introducing one that would be owned by Eclipse while at the same time being maintained by the community along with maintainers of projects like VS Codium, Gitpod, Theia or Code-server. I would love an approach similar to the one employed by https://github.com/open-vsx/publish-extensions, where the community engages itself in a lot issues and PRs.
Implementing such a list would require every fork of VS Code adopting it to change the
product.json
file for the newextensionsGallery.controlUrl
property. This means it's independent from the Marketplace and can be any URL.We have implemented a repository which we will be using in Gitpod after gitpod-io/openvscode-server#380. It is located in https://github.com/gitpod-io/gitpod/blob/main/components/ide-proxy/static/code/marketplace.json.
Further details can be found in the links below.
The text was updated successfully, but these errors were encountered: