Mark extensions built directly from a public repo to increase trust #1175

Open
Tomer-Eliahu opened this issue Feb 10, 2025 · 3 comments
@Tomer-Eliahu

Currently, some developers might be hesitant to download extensions from individuals (over major companies), especially new extension authors.

My understanding is that while you could use the VS Code marketplace website to download an extension and manually inspect its contents, it places a "burden" on the person wanting to install the extension as opposed to the extension author. This (as far as I understand) is the only way to make sure a published extension matches some public repository.

I think an indicator in VS Code that a particular extension release was built and published directly from a public repository would help to increase developer trust in choosing to download said extension. In this system the extension author can choose, for every extension version they want to publish, whether:

  • To use the current system, publish it manually but not have some indicator of additional trust.

  • To use CI/CD to publish an extension, getting an indicator of trust in VS Code for that extension release version. This indicator would communicate that "what you see in the code on repo X is what you are getting here". This makes sense, as effectively the host of the repository (for example GitHub) is "co-signing" that X code (a snapshot of the repo at a point in time) was used without interference to make this extension release.

I think if such a "co-signing" mechanism (between the VS Code Marketplace and some repository host) could be built (and is not too big of an undertaking), it would be a useful quality of life feature that further increases transparency. I think it is preferable to the alternative of first downloading and manually inspecting extensions from the VS Code Marketplace.
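The "co-signing" check proposed above, modelled as an added example (this is not code from the issue, from VS Code or from the Marketplace); the provenance statement format, the HMAC stand-in for the host's signature, and every sample value are constructed assumptions:

```python
"""Model of a client-side check that a downloaded extension package matches a
co-signed repository snapshot (repo + commit + artifact digest)."""
import hashlib
import hmac
import json

# Constructed stand-in for the repository host's signing key. A real scheme would
# use an asymmetric signature verified with the host's public key; HMAC is used
# here only so the example runs with the standard library.
HOST_KEY = b"constructed-host-key-not-real"


def artifact_digest(vsix_bytes: bytes) -> str:
    """SHA-256 of the package bytes exactly as downloaded."""
    return hashlib.sha256(vsix_bytes).hexdigest()


def host_sign(statement: dict) -> str:
    """What the host's CI would attach: a signature over the canonical statement."""
    payload = json.dumps(statement, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(HOST_KEY, payload, hashlib.sha256).hexdigest()


def verify_provenance(vsix_bytes: bytes, statement: dict, signature: str,
                      expected_repo: str) -> tuple[bool, str]:
    """Return (ok, reason). All three checks are needed to bind the artifact to
    the snapshot: signature (host co-signed it), repo (it is the repo the
    extension claims), digest (the bytes installed are the bytes CI built)."""
    if not hmac.compare_digest(host_sign(statement), signature):
        return False, "statement is not signed by the trusted host key"
    if statement["repo"] != expected_repo:
        return False, "statement names a different repository than the extension declares"
    if statement["artifact_sha256"] != artifact_digest(vsix_bytes):
        return False, "downloaded package does not match the co-signed digest"
    return True, f"built from {statement['repo']}@{statement['commit']}"


# Constructed sample: package bytes and the statement CI would have emitted for them.
SAMPLE_VSIX = b"PK\x03\x04 constructed extension package bytes"
SAMPLE_STATEMENT = {
    "repo": "github.com/example-org/example-extension",  # placeholder repo
    "commit": "0123abc",  # placeholder commit id
    "version": "1.2.3",
    "artifact_sha256": artifact_digest(SAMPLE_VSIX),
}
SAMPLE_SIGNATURE = host_sign(SAMPLE_STATEMENT)

if __name__ == "__main__":
    print(verify_provenance(SAMPLE_VSIX, SAMPLE_STATEMENT, SAMPLE_SIGNATURE,
                            SAMPLE_STATEMENT["repo"]))
```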

@Tomer-Eliahu
Author

Hi @sandy081, I think this might have fallen through the cracks. From what I understand, this feature request should have been labeled and entered into a voting period. If this idea is not feasible or needs clarification, please let me know.

Thanks

@sandy081 sandy081 assigned isidorn and unassigned sandy081 Mar 4, 2025
@isidorn isidorn transferred this issue from microsoft/vscode Mar 4, 2025
@isidorn
Collaborator

isidorn commented Mar 4, 2025

Thank you for your feedback. This makes a lot of sense, but needs to come from the VS Marketplace. And then we can surface it in VS Code. Thus I am moving to the VS Marketplace repo and assigning to Sean.

No need to vote, since I am convinced we need this. I do not think this will happen in the next 6 months, but I hope we can have something before the end of the year.

fyi @dtivel @mariaghiondea

@isidorn isidorn assigned seaniyer and unassigned isidorn Mar 4, 2025
@seaniyer
Collaborator

seaniyer commented Mar 4, 2025

@dtivel as FYI
