Add extension runtime security article #7920

Merged
merged 7 commits into from
Jan 26, 2025

Conversation

ntrogh
Contributor

@ntrogh ntrogh commented Jan 7, 2025

Fixes #7874

@ntrogh
Contributor Author

ntrogh commented Jan 7, 2025

@seaniyer Here's the first draft of the dedicated article that discusses extension runtime security. I've reused most of the content that was previously in the FAQ section of the Extension Marketplace article. Can you review and provide feedback if there are other Marketplace measures we need to include? Thanks!

@ntrogh ntrogh self-assigned this Jan 7, 2025
@ntrogh ntrogh marked this pull request as ready for review January 8, 2025 07:26
@ntrogh ntrogh requested a review from isidorn January 8, 2025 07:26
@vs-code-engineering vs-code-engineering bot added this to the January 2025 milestone Jan 8, 2025
@ntrogh
Contributor Author

ntrogh commented Jan 8, 2025

@isidorn First version of this new doc available for your review.

TO DO:

Contributor

@isidorn isidorn left a comment

This is a great first stab at this document.

I will share it with folk on the MP side and @sandy081 could also give it a read

fyi @joaomoreno

Review comments on docs/editor/extension-runtime-security.md (resolved)
@isidorn
Contributor

isidorn commented Jan 9, 2025

The goal of this doc is to:

  1. Give transparency about extensions running unsandboxed
  2. Show signals that help users decide whether an extension is malicious
  3. Provide some transparency about what we are doing to fight malicious extensions, and the investments we are making

@ntrogh ntrogh added the doc-enhancement suggested addition or improvement label Jan 10, 2025
@ntrogh ntrogh requested a review from sandy081 January 24, 2025 10:00
@ntrogh
Contributor Author

ntrogh commented Jan 24, 2025

@isidorn @sandy081 I added verbiage for the publisher trust dialog. Can you do a final review?

sandy081 previously approved these changes Jan 24, 2025
@sandy081
Member

Thanks. LGTM


* **Issues, Repository, and License**: Check if the publisher provided these and if they have the support you expect.

* **Verified Publisher**: Use the blue check mark next to the publisher's name and domain name as an extra signal of trust. The check mark indicates that the publisher has proven domain-name ownership to the Marketplace. It also shows that the Marketplace has verified both the existence of the domain name and the good standing of the publisher on the Marketplace for at least six months.
Contributor

Let's add a bullet point about "long-standing presence".
The goal is that publishers that have been publishing extensions for a long time should be more trustworthy.

Contributor Author

We don't have clear information about a publisher's long-standing presence, apart from going through the history of a specific extension's releases. Am I missing a specific signal?

Contributor

Good point.
Marketplace should update this page https://marketplace.visualstudio.com/publishers/vadimcn to contain more publisher information. I will discuss with @seaniyer @mariaghiondea.
The dialog points to that page.

Contributor

@isidorn isidorn Jan 24, 2025

Though I still think we can add that point, and users can investigate when the extension was first published.
@ntrogh I leave that decision up to you, Nick.

isidorn previously approved these changes Jan 24, 2025
Contributor

@isidorn isidorn left a comment

Looks good. Proposed two minor changes.

@isidorn
Contributor

isidorn commented Jan 24, 2025

Also, @joaomoreno sketched this image.

Not sure if we should include it, or some form of it - to make this document easier to parse.
@ntrogh what do you think?

[image: sketched comparison diagram]

@ntrogh
Contributor Author

ntrogh commented Jan 24, 2025

@isidorn The comparison image is definitely nice. However, because we're dealing with a sensitive topic, it might result in people oversimplifying the decision process for trusting an extension. Unless it's 100% exact and approved, I'd refrain from putting such guidance in the docs.

@ntrogh ntrogh dismissed stale reviews from isidorn and sandy081 via c2dcca9 January 24, 2025 11:58
@ntrogh ntrogh merged commit b8d4869 into main Jan 26, 2025
2 checks passed
@ntrogh ntrogh deleted the extension-security branch January 26, 2025 15:09
awxiaoxian2020 pushed a commit to awxiaoxian2020/vscode-docs that referenced this pull request Jan 27, 2025
Successfully merging this pull request may close these issues.

Document extension runtime security