
Material Theme has been pulled from VS Code's marketplace

isidorn

Hi - Isidor here from the VS Code team.

A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us. Our security researchers at Microsoft confirmed these claims and found additional suspicious code.

We banned the publisher from the VS Marketplace, removed all of their extensions and uninstalled them from all VS Code instances that had this extension running. For clarity - the removal had nothing to do with copyright/licenses, only with potential malicious intent.

Expect an announcement here with more details soon https://github.com/microsoft/vsmarketplace/

As a reminder, the VS Marketplace continuously invests in security. And more about extension runtime trust can be found in this article https://code.visualstudio.com/docs/editor/extension-runtime-...

Thank you!

danhau

Letting you know that VSCode is unable to uninstall the extension. It prompts me to uninstall, but when I confirm the window refreshes and the extension is still there, triggering the same "is problematic" prompt. This is an infinite loop. Same behavior when trying to uninstall the usual way from the extensions panel.

I had to manually delete the extension's folder in %USERPROFILE%\.vscode\extensions and delete the entry from the json (%USERPROFILE%\.vscode\extensions\extensions.json).

VSCode 1.97.2, commit e54c774e0add60467559eb0d1e229c6452cf8447
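A scripted version of that manual cleanup, as an added example that is not from the thread or from the VS Code team: it assumes extensions.json in the extensions folder (%USERPROFILE%\.vscode\extensions on Windows, ~/.vscode/extensions elsewhere) is a JSON array whose entries carry identifier.id and relativeLocation, and the extension ids and registry contents below are constructed samples.

```python
"""Manually remove a VS Code extension when the UI cannot: delete its folder
under the extensions directory and drop its entry from extensions.json.
Added helper (not from the thread or the VS Code team). Assumes
extensions.json is a JSON array whose entries carry identifier.id and
relativeLocation; the ids below are constructed samples."""
import json
import shutil
import tempfile
from pathlib import Path

# Constructed extensions.json content used by demo().
SAMPLE_REGISTRY = [
    {"identifier": {"id": "examplepub.example-theme"}, "version": "1.2.3",
     "relativeLocation": "examplepub.example-theme-1.2.3"},
    {"identifier": {"id": "examplepub.example-theme-icons"}, "version": "0.9.0",
     "relativeLocation": "examplepub.example-theme-icons-0.9.0"},
    {"identifier": {"id": "otherpub.unrelated"}, "version": "2.0.0",
     "relativeLocation": "otherpub.unrelated-2.0.0"},
]


def split_entries(entries, ext_ids):
    """Partition registry entries into (kept, removed) by identifier.id.
    Marketplace ids are compared case-insensitively."""
    wanted = {ext_id.lower() for ext_id in ext_ids}
    kept, removed = [], []
    for entry in entries:
        ext_id = str(entry.get("identifier", {}).get("id", "")).lower()
        (removed if ext_id in wanted else kept).append(entry)
    return kept, removed


def purge_extensions(ext_dir, ext_ids, dry_run=True):
    """Remove ext_ids from ext_dir/extensions.json and delete their folders.
    With dry_run=True nothing is written; the folder names that would be
    deleted are returned so the operator can review them first."""
    ext_dir = Path(ext_dir).resolve()
    registry = ext_dir / "extensions.json"
    entries = json.loads(registry.read_text(encoding="utf-8"))
    kept, removed = split_entries(entries, ext_ids)
    folders = [e["relativeLocation"] for e in removed if e.get("relativeLocation")]
    if dry_run:
        return folders
    # Keep a backup of the original registry before rewriting it.
    registry.with_name("extensions.json.bak").write_text(
        json.dumps(entries, indent=2), encoding="utf-8")
    for name in folders:
        target = (ext_dir / name).resolve()
        # Refuse to delete anything that is not a direct child of ext_dir.
        if target.parent == ext_dir and target.is_dir():
            shutil.rmtree(target)
    registry.write_text(json.dumps(kept, indent=2), encoding="utf-8")
    return folders


def demo():
    """Round trip on a throwaway directory. Returns (removed folder names,
    ids left in the registry, whether any removed folder still exists)."""
    with tempfile.TemporaryDirectory() as tmp:
        ext_dir = Path(tmp)
        (ext_dir / "extensions.json").write_text(
            json.dumps(SAMPLE_REGISTRY), encoding="utf-8")
        for entry in SAMPLE_REGISTRY:
            (ext_dir / entry["relativeLocation"]).mkdir()
        targets = ["examplepub.example-theme", "examplepub.example-theme-icons"]
        removed = purge_extensions(ext_dir, targets, dry_run=False)
        left = json.loads((ext_dir / "extensions.json").read_text(encoding="utf-8"))
        left_ids = [e["identifier"]["id"] for e in left]
        lingering = any((ext_dir / name).exists() for name in removed)
    return removed, left_ids, lingering


if __name__ == "__main__":
    print(demo())
```

Run it against the real folder with dry_run=True first and review the returned names before deleting anything, with VS Code closed so it does not rewrite extensions.json underneath you.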

isidorn

Thank you for letting us know. We are investigating.

registeredcorn

Any update on this? I am not directly impacted, but am unsure about others in my company. Assuming that they may be:

* Any specifics on the (potential) impact for affected users?

* What they should do to get it removed?

Edit: There does seem to be a little bit more information available over at Bleeping Computer[1], but the precise nature of what the malware does is unclear at this time other than that it may be some type of "supply chain attack". It would be good to hear more about the specifics.

1: https://www.bleepingcomputer.com/news/security/vscode-extens...

shdw

Thank you man, I was getting nuts here trying to uninstall this crap but unable.

vlovich123

Help me square this circle:

> A member of the community did a deep security analysis of the extension and found multiple red flags that indicate malicious intent and reported this to us.

> As a reminder, the VS Marketplace continuously invests in security

If you’re relying on the community to alert you to the issues in the marketplace, perhaps you’re not investing enough in auditing popular extensions yourself?

I would also suggest that the trust model for VSCode is fundamentally broken - you’re running arbitrary third party code on client machines without any form of sandboxing. This is a level of security you would not deploy into Azure, so why is “run arbitrary 3p code on someone else’s machine” appropriate for VSCode?

While I appreciate the work that the VSCode team does and I use it, the lack of any form of sandboxing has always bothered me.

CodeWriter23

PSA: every package you install from any package manager from browser extensions to npm/composer etc presents the risk of malware. Because the open source community lacks the financial resources to vet every single version of every package. Demanding this level of security from software provided at no cost that relies on open contributions is wholly unreasonable. If you need that, buy an IDE from a company financially capable of ensuring security and accept the limitations of their offering.

Mitigations like running in a VM might protect your dev workstation. But not code you put into production that relies on third parties.

lolinder

> Demanding this level of security from software provided at no cost that relies on open contributions is wholly unreasonable

VS Code isn't some kind of hobby project by a couple of dudes on laptops with nothing but the best interests of the community at heart. It's a flagship IDE produced by one of the most valuable tech companies in the world, released for free as a loss leader in service to very specific corporate goals.

When a tech behemoth releases a free IDE as a loss leader and it drives out all of the scrappy open source projects one by one, I think it's reasonable to hold that tech behemoth to tech behemoth standards rather than scrappy open source project standards.

ajross

> Because the open source community lacks the financial resources to vet every single version of every package.

I made the point elsewhere, but this seems to fail in the face of Debian and Red Hat and Canonical who have been publishing mostly-secure distros of exclusively open source software for decades now.

There's a reason why MS and NPM get caught by this sort of shenanigans, but it's not "open source".

vlovich123

It presents a risk sure. But your browser sandboxes those extensions. VSCode runs extensions with the same permissions that VSCode itself has.

LocalH

You do realize this is Microsoft we're talking about here? Not merely a couple dudes in their bedroom doing this in their spare time? I guarantee you that a non-zero percentage of the code in VSCode was paid for.

bogwog

I was going to point this weird part of their comment too.

Reminder that the Open-VSX extension registry exists: https://open-vsx.org

Idk if they removed the malicious theme (or if they have it at all), but if MS isn't doing anything beyond just responding to user reports, you might as well switch to an open registry that probably does the same level of security work, and avoid giving them yet another monopoly.

nmstoker

Remember, this is Microsoft! A friend told me of a fairly major corporate firm that found MSFT had arbitrarily pushed an AI tool to run on their SharePoint, scooping up site data outside of any formal agreement to do so. MSFT are no doubt covered by a general agreement, but this seems underhand/inept and yet a remarkably common flaw in their approach (I've seen similar behaviour with Teams apps).

ajross

> If you’re relying on the community to alert you to the issues in the marketplace, perhaps you’re not investing enough in auditing popular extensions yourself?

I think that's sort of unfair. Of course MS should be relying on the community! That's arguably the best single practice for detecting these kinds of attacks in open source code. Objectively it works rather better even than walled garden environments like the iOS/Android apps stores (which have to be paired with extensive app-level sandboxing and permissions management, something that editor extensions can't use by definition).

The reference case for best practice here is actually the big Linux distros. Red Hat and Canonical and Debian have a long, long track record of shipping secure software. And they did it not on the back of extensive in-house auditing but by relying on the broader community to pre-validate a list of valuable/useful/secure/recommended software which they can then "package".

MS's flaw here, which is shared by NPM and PyPI et. al., is that they want to be a package repository without embracing that kind of upstream community validation. Software authors can walk right in and start distributing junk even though no one's ever heard of them. That has to stop. We need to get back to "we only distribute stuff other people are already using".

vlovich123

I think you missed the part where I’m asking why the extensions aren’t sandboxed whereas they do invest into sandboxing when it comes to renting out their own machines in the cloud. Even browsers try to do sandboxing of extensions. It’s a jarring disconnect and VSCode is well beyond the prototype stage at mass adoption - the lack of sandboxing is confusing and worrying.

davely

> you’re running arbitrary third party code on client machines without any form of sandboxing. This is a level of security you would not deploy into Azure, so why is “run arbitrary 3p code on someone else’s machine” appropriate for VSCode?

More and more, I am starting to think I need to run my development environment (for both work and personal projects) in a VM.

I am on MacOS, so UTM or Parallels would work pretty well I think. Sadly, I think my work explicitly forbids us from running VMs or accessing our services from them.

jerpint

VSCode in the cloud would be great. GitHub tried something similar with GitHub.dev; I haven't tried it in a while, but it didn't feel quite ready at the time. Maybe things have changed.

fennecfoxy

Lmao why should they have to spend money auditing random 3rd party extensions that you choose to install? VSC is free, we're not paying for it.

paulddraper

> Help me square this circle

Sure. As a general rule, you get what you pay for.

anakaine

You might need to chase down reuploads, too.

https://marketplace.visualstudio.com/items?itemName=t3dotgg....

isidorn

Thanks. Our security researchers will review this today and we might take it down. We reached out to the new author and he does not have malicious intent, and agreed that we just take down the new extension if we see something is off.

yesthis

> We reached out to the new author and he does not have malicious intent

Because he said so?

Lermatroid

This is an older pinned version from before the license and malware stuff started going down, afaik.

https://youtu.be/3wz7YF2as-c

rfl890

Maybe point to the actual reupload instead? https://marketplace.visualstudio.com/items?itemName=fanny.vs...

riquito

Wild how its GitHub page (1 commit, 1 hour ago) already has 885 forks and 11.2K stars to mislead people.

https://github.com/Fanny-Theme/fanny-theme-support

filiptronicek

> Expect an announcement here with more details soon https://github.com/microsoft/vsmarketplace/

Hi Isidor, excited for this! At Open VSX, we'd love to take a look and potentially flag the extension as malicious on our side as well. Are you aware of the version range that the malicious code was included in? I'm asking because https://open-vsx.org does not have any version published since the extension went closed-source.

flutas

The extension file is still available to download directly from MS.[0]

I downloaded the file and unzipped it, but on a cursory glance I only see obfuscated code, nothing malicious.

[0]: !!!WARNING MAY BE MALICIOUS!!! https://marketplace.visualstudio.com/_apis/public/gallery/pu...

HelloNurse

Obfuscated code is malicious, even in case it's harmless.

shanselman

False positives suck, and it hurts when it happens.

The publisher account for Material Theme and Material Theme Icons (Equinusocio) was mistakenly flagged and has now been restored. In the interest of safety, we moved fast and we messed up. We removed these themes because they fired off multiple malware detection indicators inside Microsoft, and our investigation came to the wrong conclusion. We care deeply about the security of the VS Code ecosystem, and acted quickly to protect our users.

I understand the "Equinusocio" extension author's frustration and intense reaction, and we hear you. It's bad, but sometimes things like this happen. We do our best - we're humans, and we hope to move on from this. We will clarify our policy on obfuscated code and we will update our scanners and investigation process to reduce the likelihood of another event like this. These extensions are safe and have been restored for the VS Code community to enjoy.

LINKS: Material Theme https://marketplace.visualstudio.com/items?itemName=Equinuso... Material Theme Icons https://marketplace.visualstudio.com/items?itemName=Equinuso...

Again, we apologize that the author got caught up in the blast radius and we look forward to their future themes and extensions. We've corresponded with him to make these amends and thanked him for his patience.

Scott Hanselman and the Visual Studio Code Marketplace Team - @shanselman

solomatov

Is it possible for you to add color theme/icon theme/keymap-only extensions, without any executable code? I think it will improve the security situation a bit. I don't see why the mentioned kinds of extensions should have any code.

bagels

This is really confusing to me. The original discussion was about changing licenses, but somehow (coincidentally?) there was malicious code discovered shortly after? Are these related?

dark-star

It's a common theme:

- build an open-source thing

- wait till thousands or millions of people are using it

- change the license and close down the source

- implement malicious code

- push an update

- profit! you now have your malware running on millions of systems

jeroenhd

Should be added that the malicious part is often done by a third party that takes over an open source project when the original developer doesn't have the time/energy/money to maintain their open source/free work. Many Chrome extensions end up being sold for thousands or just hundreds of dollars because there's no money in them and the dev isn't all that interested.

Society as a whole could easily avoid this by funding open source/free utilities to the point where malware makers need to spend significant cash to outbid yearly community support, but unfortunately maintaining anything available online for free is a thankless job that barely covers the electricity required to maintain the code.

In this case too, the developers behind the theme seemed to want to monetise their work, which had attained almost 4 million installs, in the past, but found themselves with a rather unwilling customer base. I don't know if they snapped and uploaded something malicious or if they're intentionally making it hard for forks to copy their work, but either way the lesson learned is that if you want to make money you should just abandon your free projects and start something else.

notpushkin

The closing down step is optional. Just don’t build on a public CI, and inject malicious code in your builds, xz-style.

not_wyoming

Are you contending that's what happened here? This is not a leading question, I genuinely do not know and am trying to learn more.

pickledoyster

Yup, many mobile app developers do this (inject any SDK that'd pay them) too. Doesn't need to be open source, though.

oneeyedpigeon

This is a good description of the problem. I'm not sure why it's been downvoted, except that "common" is overstating it a bit.

mightysashiman

reminds me of mx player on android (nova launcher also?)

talkingtab

Hey! Isn't that the Microsoft business model? Doesn't MS control VS Code? (google microsoft antitrust).

joshka

Can you please clarify whether the fork also suffers from the same security issues (or engage the fork's owner to ensure that it doesn't https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you)

theobr

Hi, owner of the fork here.

I did a thorough combing of the code base when I forked. Just did another audit and still not seeing anything suspicious. Gutting all of the opencollective and changelog code to be 1000% sure.

maxloh

Hi. Please do not replace the original author's copyright notice in the LICENSE file. That is a violation of the Apache License.

You could instead "append" your name to the copyright notice though, which is legal.

https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you/c...

theobr

The only potential risk was the use of sanity to render a changelog. I didn't want to risk it, so I gutted that and a ton of other stuff. Just published a new, stripped down version.

https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you/p...

isidorn

Thanks for flagging it. Our security researchers will analize it and based on their findings we might remove this one as well.

csears

s/analize/analyze/g

theobr

Hey y'all, I made the most prominent fork of this extension "Material Theme (But I Won't Sue You)"

The maintainer went off the deep end last year. He pulled the (originally apache 2) source offline, then started threatening to sue people for hosting alternative versions, including them in other IDEs, etc. Genuine lunatic.

Out of an abundance of precaution, I've taken the following action on my fork:

1. I have the VS Code team auditing it as we speak, and I've given them full permission to immediately pull it from the marketplace & force uninstall it from users if they find ANYTHING malicious.

2. I have audited the code base thoroughly (nothing seemed malicious)

3. I have removed ALL code related to changelogs, analytics, Open Collective and html rendering.

The only thing that seemed slightly concerning was the html + sanity loader for changelogs, so I gutted it entirely. Two PRs removed almost all the deps and over 7,000 LoC (mostly package-lock).

Repo is here if anyone else would like to audit https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you

zelphirkalt

To me it seems ridiculous that a theme could even accumulate such things as analytics and even lots of dependencies. A theme is usually something self-contained. And even more ridiculous that anyone can, as you write, "force uninstall" anything from my machine. So glad I am not a VS Code user. It seems all the typical corporate BS is happening with its marketplace and plugins.

bmicraft

Try Qt themes, they're binaries compiled from C++ code :)

qbane

If one can "force uninstall" for safety, then it implies that automatically upgrading an extension with the user's consent is unsafe in the first place.

Cthulhu_

It is, but that's the reality of today - auto-updates, "evergreen" releases. This was popularised by Chrome, and IMO fixed a LOT of headaches and allowed for much faster and more agile release cycles - the reality before was that a company like Microsoft would have to provide support for older versions of their software for X years and deal with the fallout of security issues with remaining older versions. (Web) developers had to be careful about adopting newer features because X% of their user base would still be on older versions of the runtime, leading to the invention of transpilers and the start of what is still a very complicated system in web front-end world.

qbane

* without the user's consent

e40

Isn't the problem that VS Code has no permission model (restricting of them), so all extensions can do anything?

tabony

While it is, the same issue exists in Sublime, Vim, Emacs, Gedit, pico/nano[1], IntelliJ, Android Studio, Eclipse, and every editor.

[1] https://threatpost.com/researchers-show-how-popular-text-edi...

I think Xcode may be the exception but Xcode plugins also can’t do much.

knowitnone

yeah. I hope you leave malicious code running on your computers to prove your point.

notwhereyouare

how is there not a single screenshot of what it looks like either in the repo or on the marketplace page? Or did I just miss them?

drywipes

it's ugly, don't worry.

however, I found this from the malware creator's website itself: https://framerusercontent.com/images/G17CYe9tTL2GP1Rw4mUI8YC...


thatgerhard

thank you!

c048

Thank you

ukFxqnLa2sBSBf6

[flagged]

Apfel

He's being as helpful as possible, there's no need to go hard on his language like this.

ukFxqnLa2sBSBf6

I don't think I went that hard though? I was just pointing out the discrepancy between what they said and what they mean. Not everyone might know that the marketplace doesn't need your permission to remove your extensions.

theobr

They don't need it. They offered to "notify me before any action is taken" and I politely declined - explicitly telling them to IMMEDIATELY take it down if they find anything at all

oneeyedpigeon

Maybe "blessing" is more appropriate, but this is really splitting hairs.

theobr

My haters live in a different dimension of hair splitting, it's honestly kind of unreal

WithinReason

I don't think they need his cooperation either


sigmoid10

Curiously, someone on reddit noticed suspicious changes in this extension 7 months ago [1]. Obfuscation in open source is usually an extreme red flag. Microsoft really needs to rethink their security model for vs code extensions. It has simply become way too profitable to target given whatever they are doing against it. For every dev they ban 10 will come with new malicious extensions.

[1] https://www.reddit.com/r/vscode/comments/1eq40o2/has_the_mat...

bun_at_work

Be careful what you wish for.

VS Code is maybe the best product Microsoft has ever released, largely because the extension market. If Microsoft polices the marketplace more, you can probably expect VS Code quality to degrade.

Here's my argument: More scrutiny of the marketplace will lead to fewer extensions overall (the scrutiny process will reduce the number of extensions overall as the barrier to entry will be increased). Fewer extensions available will create an incentive for Microsoft to add features to VS Code directly. The more features MS adds, the more bloated VS Code will become.

So then, more security auditing in the extensions marketplace will lead to a more bloated VS Code.

All that said, it would be nice if there were better security controls in the extensions marketplace, I just don't trust Microsoft to do anything in a way that actually improves their products for the people who use them.

homebrewer

You do not have to police everything, copy what Mozilla is doing: pass the top X extensions through manual audits (including looking at code diffs on every update) and mark them as trusted. Maybe also add a giant warning "this extension may steal your stuff" when installing everything else.


sigmoid10

It took a while, but Microsoft got it pretty much right with Windows Defender. It quietly made all other active scanners obsolete. It's just a question of how much effort they're willing to spend on a free product's infrastructure.

compootr

Reading the commentary, this guy seems unhinged. He thinks he owns literal hex codes

he sucks at tech and has driven away everyone good at it. I don't use his software, but I hope he gets out of this episode soon (and learns he didn't invent material!)

ukuina

> He thinks he owns literal hex codes

Pantone would like a word.

donatj

Pantone is a lot more than hex codes, it's a whole system of material science for colors.

Dylan16807

Pantone does a lot of legitimate work, but also they pretend to own the hex codes for their colors.

Krutonium

Yep - Give them a Pantone Color and a Material, and they can tell you how to get that material in that exact color.

Telemakhos

Someone else described him as a lunatic. But, this is a security issue, and you shouldn't assume that someone who is successfully putting malicious code into developers' IDEs around the world is unhinged or a lunatic, but rather cunning and deceptive (or a front for an intelligence agency). It's not paranoid to have such suspicions about someone who is getting malicious code into developers' tools.

Bjartr

> unhinged or a lunatic, but rather cunning and deceptive

These aren't mutually exclusive.

do_not_redeem

Someone uploaded a replacement, Material Theme (But I Won't Sue You)

https://marketplace.visualstudio.com/items?itemName=t3dotgg....

oefrha

The original author seemed to talk a lot about funding development/maintenance, so I got curious about what the hell needs to be maintained. I cloned the https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you repo and had a look. Here's a LoC summary:

  ===============================================================================
   Language            Files        Lines         Code     Comments       Blanks
  ===============================================================================
   CSS                     2          142          119            0           23
   TypeScript             32         2026         1650          243          133
  -------------------------------------------------------------------------------
   HTML                    2           59           49            1            9
   |- JavaScript           2            2            2            0            0
   (Total)                             61           51            1            9
  ===============================================================================
   Total                  36         2227         1818          244          165
  ===============================================================================
Among those, 622 lines of TS are hex color definitions for variants in scripts/generator/settings/specific. Most of the rest seems pretty boilerplatey, e.g. look at the 599 lines in scripts/generator/color-set.ts.

So the question remains: what the hell is there to maintain (that takes more than a couple minutes every $godknowshowlong)? I've published and maintained waaaaay more substantial open source projects for years without expectation of any financial contribution.

bad_user

There's nothing wrong with building proprietary software of a couple of thousand lines of code, including themes. And people should be able to ask for money in exchange for their work.

What's wrong is the bait and switch, as these projects end up being popular because of their FOSS nature.

miyuru

He had raised about $7.6k total funding using opencollective.

https://opencollective.com/material-theme

that's pretty good, especially for a vscode theme.

Capricorn2481

> There's nothing wrong with building proprietary software of a couple of thousand lines of code, including themes. And people should be able to ask for money in exchange for their work.

The issue is not someone wanting to be financially rewarded for work, however small. That's completely different from saying you need money to "maintain" what is essentially configuration for colors. That's a deceptive use of that word.

Let's call this what it is: a grifter asked people to pay him for the privilege of hacking them.

weinzierl

"What's wrong is the bait and switch,[..]"

Morally wrong, legally not so much. If it is under a permissive license (and it was MIT originally as others have pointed out) you can always cut a proprietary version.

That doesn't take away the right to use the permissively licensed code of course.

gamedever

It's a problem. As soon as it became easy to ask for money via Patreon or GitHub sponsorship, etc., tons of people are going to try to get some for minimal effort. It's just the nature of the beast.

oefrha

Asking for money isn’t a problem. The problem is this person went out of their way to extract money by harassing people who rightfully use the open source Apache 2 version, switching the marketplace extension to a closed source version with obfuscated code (likely malicious according to MS), and possibly more, all this for doing a quite small amount of work. That’s after already raising $7.6k, apparently.

phyzix5761

I think effort is irrelevant. Value is what we really look at when deciding what price to pay. It doesn't matter to most people if it took someone 1,000 hours to produce a loaf of bread. They're not going to pay 100x the price of the bread that took 10 hours to produce. Especially if the products are mostly indistinguishable.

theobr

hi, maintainer of the fork here

just did a pass and removed everything that was not necessary - it's even less code now lmao

    -------------------------------------------------------------------------------
    Language                     files          blank        comment           code
    -------------------------------------------------------------------------------
    TypeScript                      23             50            169           1307
    Markdown                         6            129              0            224
    YAML                             2              8              6             52
    INI                              1              1              0              7
    -------------------------------------------------------------------------------

    SUM:                            32            188            175           1590
    -------------------------------------------------------------------------------

yellow_lead

Looks like the creator of the replacement is the tech YouTuber theo (https://m.youtube.com/@t3dotgg)

jmkni

Just made that connection, I've been watching a lot of his content recently, it's excellent

theobr

Oh hey, that's me! Not surprised this guy went kind of insane tbh

Starlevel004

What is it about material themes that does this to people? The same kind of thing happened to the IntelliJ one half a decade back.

At least that one wasn't literally just colours.

re-thc

Just whatever that's popular and has a chance of monetization.

sitkack

So the possibility of grabbing the golden ring.


Alifatisk

Can anyone help point out where in the repo the malicious part was? Can't find it.

Found the obfuscated code here https://web.archive.org/web/20250226020241/https://github.co...

firesteelrain

So weird that this person took contributions from others and then made it closed source. It doesn't seem right, but I'm not a copyright expert.

schneems

Speaking generally:

It’s assumed that your contribution will be licensed with the current license (generally). Maintainers can change the license but that wouldn’t affect prior contributions. Basically anything up to that license change would still have the original license. This is what makes forks possible when popular software changes their license.

In order to go back in history and change a license, you need either the consent of your contributors or a document that would grant you the power to do that. A CLA could (but not all CLAs will) grant a maintainer the power to change a license at will back in time.

Other famous software that has seen a license change: Redis and Terraform. In those cases the license changed but already released software is still available with the old license and that old license allows for forks.

alwayslikethis

My understanding is that permissive licenses (BSD, MIT) can generally be relicensed. For example, you can fork an MIT project under GPL. But to do the same for a GPL project requires agreement from all copyright owners, or just you if you made everyone sign a CLA. This is the whole point of GPL.

bad_user

Your general understanding is wrong, as there's nothing in either BSD or MIT that allows for re-licensing, and nothing else gives you that right.

You can incorporate MIT/BSD code in a proprietary project, but that imported code itself remains BSD/MIT licensed. For many projects, this is a technicality, but no, you can't claim copyright on MIT/BSD code that isn't yours.

KennyBlanken

Was Material even his work in the first place?

mook

Looks like it was, or at least the initial commit was. This was back in 2017.

https://github.com/material-theme/vsc-material-theme/commits...

I'm not sure why the initial commit already says "official", but that's almost a decade ago.

joshka

The initial commit was in 2015 and was MIT licensed for a couple of years before it was changed to Apache licensed. It's unclear if any of the other contributors gave permission for this change to happen.

https://github.com/material-theme/vsc-material-theme/commit/...

rldjbpin

just like many open-source projects (primarily maintained by a company) turning their projects non-commercial, a la redhat, terraform

KronisLV

I'm quite happy that nowadays most tools have competently made themes out of the box, so that if someone wants to minimize risks from something like this and keep the extensions/addons they install to a minimum, that's pretty viable.

Of course, it's also nice that it's possible to theme the software to such a degree and improve usability and accessibility in some cases, just that the feature requests about limiting permissions need to be addressed.

oneeyedpigeon

I find it curious that themes can be a security risk at all. Clearly, they consist of more than just the colour codes and font definitions one might assume. Maybe the theming system needs to be tightened.

TZubiri

One of the things I love about the internet is learning how different people can be, I perceive it as different than me but I assume everyone has their quirks.

In this case, this is one of the most extreme instances of people installing lots of dependencies. The moment I realized something was different in me was left-pad; I already felt that couldn't be me.

The log4j incident hit me different, it COULD have easily been me. A security vulnerability is like death or a terminal illness in my eyes. Successful companies that scale do so without incidents; if you are running a company and you have a vuln you are out of the race. So I tightened up a lot after that.

I realize something similar with sex: I just can't fathom putting my whole life on the line just to have sex with somebody and then have nothing to show for it, no relationship, nothing.

And today we see this, people are really risking their companies, their reputation, their pride to have pretty colors on their IDE.

I used to fight it, try to convince people. Of course I still keep the pride of being different and wary, but in the end, you will likely be fine, and I only hold a statistical advantage; both are valid strategies of going about life I guess.

Cthulhu_

A theme is fine - Google has been pushing Material for a while now, after all, so if you come from Google land the colours are familiar and preferred to you, same with themes like Solarized and whatnot.

That said, I do agree that dependency management and reliance is a Problem these days. left-pad was the camel that broke the proverbial camel's back for many people, and it made people realise how ridiculous dependencies in at least NodeJS land have become. It was already silly in Java land since the 2000s, but more from the layers of abstraction and overhead that frameworks like Spring add (which is ironic because Spring was originally conceived to be a lightweight alternative to J2EE, but that's a thread on its own).

I know the general community atmosphere in the Go ecosystem is adverse to adding dependencies and frameworks; it has a good standard library which was complete enough and which isn't yet fully bogged down by design by committee like Java and JS were (to their credit things are moving again), and its users are like "you know, plain Go is good enough", so they are much less likely to add frameworks or DSLs like assertion libraries.

I'd like to know if the same thing is happening in the Rust ecosystem; I've never ventured there before.

Narishma

The same thing is happening in Rust. Try to compile any random app and it pulls dozens if not hundreds of dependencies.

Macha

It had not occurred to me that a VS Code Theme was a full blown extension, since I've never installed one. I wonder if a lot of people have a mental model of a VS Code theme as a collection of CSS files, which should be relatively safe (even including those that install them).

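Checking whether an installed theme is really data-only, as an added example that is not from the thread or from VS Code's own tooling: it reads each extension's package.json and treats a "main" or "browser" entry point as the sign that the extension runs code rather than only contributing colour definitions. The manifest keys are real VS Code ones; the sample manifests are constructed.

```python
import json
from pathlib import Path

# package.json keys that give an extension an entry point in the extension host
# ("main" for desktop, "browser" for web). These are real VS Code manifest keys.
ENTRY_POINT_KEYS = ("main", "browser")
# contributes.* keys that declare colour, file-icon or product-icon themes.
THEME_CONTRIBUTIONS = ("themes", "iconThemes", "productIconThemes")


def classify_manifest(manifest: dict) -> str:
    """Return 'data-only-theme', 'theme-with-code' or 'not-a-theme' for one manifest."""
    contributes = manifest.get("contributes") or {}
    declares_theme = any(key in contributes for key in THEME_CONTRIBUTIONS)
    if not declares_theme:
        return "not-a-theme"
    # A theme that only contributes JSON colour files has no entry point; one with
    # "main"/"browser" can execute arbitrary code with the user's privileges.
    has_entry_point = any(manifest.get(key) for key in ENTRY_POINT_KEYS)
    return "theme-with-code" if has_entry_point else "data-only-theme"


def scan_extensions_dir(root: Path) -> dict:
    """Classify every <root>/<publisher.name-version>/package.json found on disk."""
    report = {}
    for pkg in sorted(root.glob("*/package.json")):
        try:
            report[pkg.parent.name] = classify_manifest(json.loads(pkg.read_text("utf-8")))
        except (OSError, ValueError):
            report[pkg.parent.name] = "unreadable-manifest"
    return report


# Constructed sample manifests (not real extensions) showing the two shapes.
DATA_ONLY_THEME = {
    "name": "example-colours", "publisher": "example",
    "contributes": {"themes": [{"label": "Example", "uiTheme": "vs-dark",
                                "path": "./themes/example.json"}]},
}
THEME_WITH_CODE = {
    "name": "example-colours-plus", "publisher": "example",
    "main": "./out/extension.js",          # entry point: runs on activation
    "activationEvents": ["onStartupFinished"],
    "contributes": {"themes": [{"label": "Example+", "uiTheme": "vs-dark",
                                "path": "./themes/example.json"}]},
}

if __name__ == "__main__":
    # Default desktop extensions folder; %USERPROFILE%\.vscode\extensions on Windows.
    for name, verdict in scan_extensions_dir(Path.home() / ".vscode" / "extensions").items():
        print(f"{verdict:18} {name}")
```

A "theme-with-code" verdict is not proof of anything malicious, only that the extension can run code and deserves the same review as any other extension.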
wizzwizz4

> The log4j incident hit me different, it COULD have easily been me.

That couldn't be me, because I don't use Java, PHP, Windows APIs, or `xdg-open`. The closest I come to Java-esque "include ALL THE BATTERIES" is the occasional Python script, but I won't use `http.server`. (Incidentally, I don't get very much done.)

TZubiri

> (Incidentally, I don't get very much done.)

Lol, that's definitely part of the tradeoff of security in life.

> I don't use Java

I didn't use Java either, but whatever I was using at the moment (Python) could have been anything; if I had stayed in my other job or gotten a different one I could very well have been using Java and been the one that installed the thing.

> Python script, but I won't use `http.server`. (Incidentally, I don't get very much done.)

Interesting, I use http.server or the TCP socket server thing, but I consider myself to be in the extreme; there are still people that use Flask (and I do partake occasionally) or things like Django, Spring, Next, etc. Same with binaries like Apache, Nginx.

I mean you gotta use something, and if you go too far off the deep end, you get the risk of introducing the vulnerabilities yourself (in addition to the risk of getting nothing done as you mentioned). I know my limits; I wouldn't implement cryptography, for example.

wizzwizz4

I consider it safe to use ASGI / Uvicorn or (if you're careful about which extensions you install) Django. Python has fewer, less-prominent built-in footguns than Java, so even though it's less secure in principle, it's easier to write / audit for security in practice.

Not getting very much done isn't because I practice secure software development. It's easy to write secure software that works. I don't get much done because I try to find new ways to write secure software: experimentation and tool-building take up a lot of my time, when I should really be writing hacks, documenting them, and moving on.

Never roll your own crypto, unless you understand systems programming on that platform/arch very well: modern systems have all the side-channels, and take great pains to subvert your attempts to mitigate them.

joshka

If you do a bit of a repo dive, the repo was initially MIT licensed from its initial commit for at least a couple of years before that license was replaced by Apache 2.0, so there's an argument to be made that that license also applies.

sparkie

The Apache or MIT license would permit you to continue using it for all versions up to the last commit which used that license. Any later commits under a different license would not be Apache licensed and you would need to follow the new terms if using those newer versions. The new license doesn't prevent you from sharing forks of the older version which was Apache/MIT licensed.

joshka

Kinda, it's complicated. When someone other than the owner of the repo contributes code, they own the copyright to that code. When the author changes this repo's license like this they're redistributing the external contributor's copyrighted code. The permission to do so is granted by the Apache 2.0 license and is subject to the conditions of it. Without the permission to distribute the contributed code, the author is engaged in a violation of copyright law. Note the Apache terms:

> "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License.

This covers not just the users, but also the "author" here who exercises the permissions granted below:

> 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form.

> 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions:

> (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and

So let's interpret that. Regardless of whatever intent to re-license the code exists in the mind of the author, in order to distribute the code which was contributed by others, the only legal means to distribute this code must comply with the requirements of the license. Technically they could remove all code contributions which were contributed by others (I've done this in the past, it's a pain to do right), or seek permission from the others to add additional grants that are not included in the Apache license here (I've seen various projects do the post-facto CLA thing for this). But that has not happened here.

So (in my opinion) the GitHub repo of the author is currently infringing the copyright of all the other contributors, any one of whom could enforce it or raise a DMCA takedown notification on the repo.

So given that we're talking about material that is in breach of copyright, it's likely that being able to enforce a license on that as a consumer is not really a thing which is possible, as the conditions on what must be included bind the person distributing the material, not the person receiving it.