Honeypots for paranoid users

Opinions about Visual Studio Code are doing the rounds again, most recently on lobste.rs. Yes, many of the useful extensions are proprietary and only licenced for use on the official builds. That kind of sucks. Yes, the official builds of VSCode contain telemetry, although there is rarely much discussion about what exactly that involves. You’re allowed to have a blanket objection to telemetry, but you should extend others the courtesy of reading the documentation and deciding for themselves whether it exceeds their own risk appetite.

One of the fun things that always comes up in discussions about VSCode is vscodium, a GitHub project that produces binary releases of Visual Studio Code without the telemetry enabled. It clearly imitates the naming scheme of Chrome/Chromium, where the -ium suffix symbolises the corporate evils having been decanted away. In the article linked above it’s held up as a principled alternative to official VS Code.

Let’s suppose you’re pretty privacy-conscious, maybe a bit paranoid, to the point that you don’t want Microsoft knowing even at a high level which features you’re using. Why on earth would you install VSCodium instead?

There is absolutely nothing in the README to explain who’s behind the project or why we should trust them. There is absolutely nothing in the README to explain why their binary releases are safe or who has access to make changes. Remember, installing this software means running someone else’s unaudited code with your own privileges. It could do anything to your computer. I don’t know who any of the GitHub users behind the project are. Do you? They’re using GitHub Actions to compile the project and push it to winget, which means the build is at least somewhat auditable. But they’re using an Action created by some other GitHub user I’ve never heard of to do the actual publishing, so the project’s own authors aren’t the only party whose code runs in the release pipeline, and they aren’t fully monitoring that step either.
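If you want to check the point made above for yourself rather than take anyone’s word for it, the release workflow is the place to look: every `uses:` line is code from someone else that runs with the repository’s secrets. The script below is an added example written for this post, not code from VSCodium or from any of the projects it depends on. It scans a workflow for `uses:` steps and flags third-party actions that are referenced by a mutable tag or branch (which the action’s owner can silently repoint) instead of a full commit SHA. The workflow text, the action names and the 40-hex SHA are all constructed for illustration, and the list of “first-party” owners is an assumption you should set for your own threat model.

```python
import re

# Constructed sample workflow for demonstration only. It is NOT VSCodium's
# real release workflow; every action name and ref here is made up.
SAMPLE_WORKFLOW = """\
name: release
on:
  push:
    tags: ['*']
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # pinned
      - uses: ./.github/actions/build
      - uses: some-user/winget-publisher@main
      - uses: docker://alpine:3.19
      - run: ./build.sh
"""

# Matches "- uses: owner/repo@ref" (optionally quoted, optional trailing comment).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full git commit SHA: 40 lowercase hex characters.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def audit_workflow(text, trusted_owners=("actions", "github")):
    """Classify every `uses:` step in a workflow.

    Returns a list of (action, ref, verdict) tuples. `trusted_owners` is an
    assumption: the GitHub orgs you are prepared to trust on a moving tag.
    """
    findings = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        spec = m.group(1)
        if spec.startswith("./"):
            # Local composite action: lives in the repo, reviewed with it.
            findings.append((spec, None, "local"))
            continue
        if spec.startswith("docker://"):
            # Container image: a separate supply chain, flag for manual review.
            findings.append((spec, None, "docker-image"))
            continue
        action, _, ref = spec.partition("@")
        owner = action.split("/")[0]
        if SHA_RE.match(ref):
            verdict = "pinned-sha"
        elif owner in trusted_owners:
            verdict = "mutable-ref-first-party"
        else:
            # Somebody outside the project can change what this ref points at.
            verdict = "mutable-ref-third-party"
        findings.append((action, ref, verdict))
    return findings


def third_party_mutable(text, trusted_owners=("actions", "github")):
    """Just the actions a reviewer should worry about: unpinned and not first-party."""
    return [a for a, _, v in audit_workflow(text, trusted_owners)
            if v == "mutable-ref-third-party"]


if __name__ == "__main__":
    for action, ref, verdict in audit_workflow(SAMPLE_WORKFLOW):
        print(f"{verdict:26} {action}" + (f"@{ref}" if ref else ""))
    print("needs pinning:", third_party_mutable(SAMPLE_WORKFLOW))
```

Pinning to a SHA doesn’t make a third-party action trustworthy, it only makes it the same code you (or the maintainers) looked at last time. Running a check like this on a project’s `.github/workflows/` is a cheap first step before deciding whether its releases deserve more trust than the upstream they’re forked from.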

I’m not completely cynical. If I had to bet, I would guess that all of the individuals involved in creating these repos and actions are principled and trustworthy. Even if that’s true, how’s their own personal security? I have no idea how likely it is that an attacker could get hold of their SSH key and introduce a supply chain attack. I have no idea what their personal circumstances are—could they be threatened into it? Everything might be fine today, but an attack could be introduced in any subsequent update. If you’re responsible for any link in the chain that builds or verifies serious mainstream software, attackers are incentivised to pop you.

I think it’s only a matter of time before a “privacy fork” is used as a honeypot to attack exactly the users who are most paranoid. I’m not aware of any examples to date, but if vscodium can get so much praise without making even the slightest effort to establish its bona fides, it’s clear that principled, privacy-conscious users will be easy pickings in the future.