Hey y'all, I made the most prominent fork of this extension "Material Theme (But I Won't Sue You)"
The maintainer went off the deep end last year. He pulled the (originally apache 2) source offline, then started threatening to sue people for hosting alternative versions, including them in other IDEs, etc. Genuine lunatic.
Out of an abundance of precaution, I've taken the following action on my fork:
1. I have the VS Code team auditing it as we speak, and I've given them full permission to immediately pull it from the marketplace & force uninstall it from users if they find ANYTHING malicious.
2. I have audited the code base thoroughly (nothing seemed malicious)
3. I have removed ALL code related to changelogs, analytics, Open Collective and html rendering.
The only thing that seemed slightly concerning was the html + sanity loader for changelogs, so I gutted it entirely. Two PRs removed almost all the deps and over 7,000loc (mostly package-lock)
To me it seems ridiculous, that a theme could even accumulate such things as analytics and even lots of dependencies. A theme is usually something self-contained. And even more ridiculous, that anyone can, as you write, "force uninstall" anything from my machine. So glad I am not a VS Code user. It seems all the typical corporate BS is happening with its marketplace and plugins.
It is, but that's the reality of today - auto-updates, "evergreen" releases. This was popularised by Chrome, and IMO fixed a LOT of headaches and allowed for much faster and more agile release cycles - the reality before was that a company like Microsoft would have to provide support for older versions of their software for X years and deal with the fallout of security issues with remaining older versions. (Web) developers had to be careful about adopting newer features because X% of their user base would still be on older versions of the runtime, leading to the invention of transpilers and the start of what is still a very complicated system in web front-end world.
I don’t think went that hard though? I was just pointing out the discrepancy between what they said and what they mean. Not everyone might know that the marketplace doesn’t need you permission to remove your extensions.
They don't need it. They offered to "notify me before any action is taken" and I politely declined - explicitly telling them to IMMEDIATELY take it down if they find anything at all
Never beating the insecurity allegations are you? I don’t know what I did to trigger you but this whole conversation is really sad. The “Reddit level insult” projection is extra sad since I come to this site over Reddit to get away from people like you.
In my personal life I have a lot of health issues (mostly autoimmune diseases) that cause me a lot of pain through out the day. It’s inescapable too so its really hard to cope. Sometimes it’s tolerable other times I’m in a black hole of pain and suffering. But it’s actually heart warming to know despite all my struggles that I’ll never be even half as lonely and miserable as you.
The maintainer went off the deep end last year. He pulled the (originally apache 2) source offline, then started threatening to sue people for hosting alternative versions, including them in other IDEs, etc. Genuine lunatic.
Out of an abundance of precaution, I've taken the following action on my fork:
1. I have the VS Code team auditing it as we speak, and I've given them full permission to immediately pull it from the marketplace & force uninstall it from users if they find ANYTHING malicious.
2. I have audited the code base thoroughly (nothing seemed malicious)
3. I have removed ALL code related to changelogs, analytics, Open Collective and html rendering.
The only thing that seemed slightly concerning was the html + sanity loader for changelogs, so I gutted it entirely. Two PRs removed almost all the deps and over 7,000loc (mostly package-lock)
Repo is here if anyone else would like to audit https://github.com/t3dotgg/vsc-material-but-i-wont-sue-you