Most AI only sends a limited context. These are sending all files it can access as well as all edits.

Yes because there's no difference between a voluntary service with limited context needs and a malicious extension

“I donate money to animal shelters”

“Oh that’s cool, I already donate to my local neo nazi group. We are both philanthropists!”

Nothing makes me go from apolitical to a red blooded American faster than seeing someone make a stupid false equivalency about the US on this forum

It's a bit trite, but the answers are: 1) money 2) money

Can't repair your own stuff and either need to use authorized repair shop or buy new? The company gets more money.

Force your developers to forgo quality in efforts to produce more cruft in less time? The company gets more money.

Of course, only considering short-term, long-term they'll lose money, but at that point all the executives and managers already got their bonuses and probably moved on to doing the same in some other company.

Uhh a lot of companies did and are strict on what AI tools are allowed.

The main thing I had to wait on for a long time was support for preventing 3rd party code from being plagiarized since our code base was intermingled with partnered companies.

Companies aren't interested in hypotheticals, nobody is paid to care, and most code isn't that valuable anyway.

Contracts.

> Why do these companies put so much effort into fighting right to repair to avoid IP leak

Only if you believe they are truthful about the reason for fighting right to repair. I think the reason for fighting right to repair is to reduce the time before a replacement purchase is required.

> but on the other hand encourage their employees to vibe all company secrets into the cloud?

Lots of companies do ban or restrict usage of LLMs etc.

Most large companies have their CI/CD behind a proxy with an allow list and require internal approval for tools and extensions. So there is that.

Yes, exactly. The lack of any sort of permission controls for extensions in VS Code gives me the creeps

The situation is absolutely insane, but it's also productive, but real security would slow everything down a lot. The moment you ask some corporate bureaucrat to put their signature down on a piece of paper saying that such and such dev tool is approved for use, they're going to block everything to avoid the responsibility implied by their approval. I can't really come up with a system that both works and is secure. The only exception is signing up for an integrated environment where Microsoft or Apple provides the OS, compiler, and editor. Oops - Apple doesn't sell servers, so only Microsoft offers this. Hope you like C#.

In theory you can mix and match, but in practice most bureaucrats will insist on single-sourcing.

As an VSCode extension author, I am always terrified by the amount of power I have.

It is a shame that the team never prioritized extension permission issues [0] despite their big boss said security is the top priority [1]. All they have is "workspace trust" and various other marginally useful security measures.

I don't install a VSCode extension unless it is either official or well known and audited and I have to use it. I keep most of disabled by default unless I need to use them for a project. (Even if you don't care about security, it's good for VSCode performance. I'll save that story for another day.)

[0] https://github.com/microsoft/vscode/issues/52116

[1] https://blogs.microsoft.com/blog/2024/05/03/prioritizing-sec...

Same thing for browser extensions: a simple browser extension (e.g. web dark mode), can read all your password fields. It's crazy that there are no proper permission scopes in any major browsers ! It would have been so easy to make password / email fields exempt from browser extensions unless they ask for the permission.