VSCode is NOT Open Source - feat. Problematic Implications

On https://02002.compute.dtu.dk/vscode/navigate.html:

VSCode is an IDE, which stands for Integrated Development Environment. The other popular IDE for python is Pycharm. You can in principle use either if you choose, however, we recommend VSCode because it is open source.

This is incorrect. VSCode (https://code.visualstudio.com/) is a proprietary, branded binary, which is "built on (the MIT-licensed) open source" project of a similar name, vscode (https://github.com/Microsoft/vscode/). No, I'm not kidding. This is done explicitly on purpose. Users are expected to understand this distinction.

This may seem like a pointless detail. It is not. To make a very strong statement, which I will support with the rest of this Issue: The licensing and distribution of the VSCode product (and ex. promoted plugins) leads me to wonder whether it is at all appropriate to promote VSCode to DTU students.

Strong statements require strong evidence; so, I have done my best to briefly rationalize it. Note, for all of this, I am not a lawyer and this is not legal advice. Please consult a lawyer for legal advice on this topic.

Personal Data Collection Without Opt-Out

By using the official VSCode product, users seem to have to agree to relinquish control of the ability to opt out of all telemetry. This telemetry seems to also include personal data, as covered by the GDPR.

Here's the relevant section:

Data Collection. The software may collect information about you and your use of the software, and send that to Microsoft...

You may opt-out of many of these scenarios, but not all,
as described in the product documentation located at
https://code.visualstudio.com/docs/supporting/faq#_how-to-disable-telemetry-reporting...

There may also be some features in the software that may
enable you and Microsoft to collect data from users of your
applications. If you use these features, you must comply with
applicable law, including providing appropriate notices to
users of your applications together with Microsoft’s privacy statement.

Also:

Processing of Personal Data. To the extent Microsoft is a
processor or subprocessor of personal data in connection with the software,
Microsoft makes the commitments in the European Union General Data
Protection Regulation Terms of the Online Services Terms to all customers
effective May 25, 2018, at https://docs.microsoft.com/legal/gdpr. 

Explicit Revocation of Critical Rights

Microsoft seems to explicitly revoke users' rights to:

  • Audit the provided VSCode binary, or ask a friend / colleague to audit the VSCode binary, for ex. security purposes.
  • Do anything to remove or block "notices of Microsoft or its suppliers". Does this include ex. advertising?
  • Distribute the binary to colleagues, altered or otherwise, in any capacity.
  • Run a web-based VSCode used in any non-personal manner, ex. for pair programming.

This seems to be contrary to every "definition of open source" - not even meeting the standard of "source available".

The terms:

SCOPE OF LICENSE. This license applies to the Visual Studio Code product.
Source code for Visual Studio Code is available at https://github.com/Microsoft/vscode
under the MIT license agreement. The software is licensed, not sold.
This agreement only gives you some rights to use the software.
Microsoft reserves all other rights.
Unless applicable law gives you more rights despite this limitation,
you may use the software only as expressly permitted in this agreement.
In doing so, you must comply with any technical limitations in the software that only
allow you to use it in certain ways. You may not
- Reverse engineer, decompile or disassemble the software, or otherwise
attempt to derive the source code for the software except and solely to
the extent required by third party licensing terms governing use of certain
open source components that may be included in the software;
- Remove, minimize, block or modify any notices of Microsoft or its suppliers
in the software;
- Use the software in any way that is against the law;
- Share, publish, rent or lease the software, or provide the software as a
stand-alone offering for others to use.

Update Control

The license seems to enforce that users must agree to:

  • Let their software be updated at Microsoft's whim, even if it breaks the installation.
  • Prohibit themselves from getting updates anywhere but Microsoft (and co).
  • Allow Microsoft to update your system to update your VSCode.

UPDATES. The software may periodically check for updates and download and
install them for you. You may obtain updates only from Microsoft or authorized sources.
Microsoft may need to update your system to provide you with updates.
You agree to receive these automatic updates without any additional notice.
Updates may not include or support all existing software features, services,
or peripheral devices. If you do not want automatic updates, you may turn them off
by following the instructions in the documentation at https://go.microsoft.com/fwlink/?LinkID=616397. 

Deeply Proprietary Plugins Promoted + Installed with Minimal Consent

Promoted plugins critical to real-world workflows (ex. the official Python plugin's non-optional dependencies) are deeply proprietary: https://privacy.microsoft.com/en-US/privacystatement.

For example, the official Python plugin not only itself promises to collect data for use in advertising

Microsoft uses the data we collect to provide you with rich, interactive experiences.
In particular, we use data to:

- Provide our products, which includes updating, securing, and troubleshooting,
as well as providing support. It also includes sharing data,
when it is required to provide the service or carry out the transactions you request.
- Improve and develop our products.
- Personalize our products and make recommendations.
- Advertise and market to you, which includes sending promotional communications, targeting advertising, and presenting you with relevant offers.

but, it automatically installs the strictly proprietary pylance extension which has the following license: https://marketplace.visualstudio.com/items/ms-python.vscode-pylance/license. The pylance license also includes tidbits like "You may opt-out of many of these [data collection] scenarios, but not all, as described in the product documentation."

Conclusion

It is understandable that this course is built around VSCode - for good reason; it is a great text editor, and extremely amenable to beginners and experts alike. There is no getting around, however, that this product is truly problematic - in my opinion, dishonestly so.

I truly believe it is wrong to ask new students to agree to all of this to take a mandatory class. Sure, they can ignore official resources and hope TAs will support their non-standard install - but will they? Especially while experiencing such a uniquely suggestible phase of life, as starting a BSc degree?

Solutions

Luckily, VSCode is built on vscode (remember, they are explicitly not the same project), which has MIT-licensed source code. All (with the technical ability to do so) are free to compile this for themselves. Of course, this () makes this ability useless in practice.

BUT, double-luckily, this "make it easy" work has been done. The VSCodium project (https://vscodium.com/) is a well-maintained "soft-fork", which manages to:

  • Provide easy-to-install free-software binaries with all telemetry removed (including the hard-coded "can't opt out" telemetry).
  • Maintain compatibility with VSCode in all ways possible.
  • Promote a 100% libre-software plugin repository, https://open-vsx.org/, which by virtue of itself simply packaging existing open source plugins, inherits most to all of the VSCode ecosystem, without the mess of strange licensing.

VSCodium is a drop-in replacement. Therefore, I would strongly suggest promoting and supporting it officially.

Thanks for your Time!

Thank you for your time, and I hope you will consider this issue.

Kind Regards, Sofus

Edited by s174509