Vscodium: VSCodium 1.43.0 still sends telemetry on launch

Created on 17 Mar 2020  路  7Comments  路  Source: VSCodium/vscodium

Describe the bug

Upon launch, VSCodium attempts twice to connect to vscodium.now.sh which, due to the unencrypted nature of SNI, leaks the fact that I am launching my editor to my ISP, my national military, the Zeit/Now operators, their hosting provider/upstreams, and the VSCodium devs.

I believe this is an autoupdate check, but it is still leaking an "editor launched" telemetry event inadvertently. It should perform autoupdate checks only once per week or, ideally, month, at a randomized time after launch that is at least 1 hour. (Ideally, it'd launch a consent dialog for autoupdate checks at all.)

To Reproduce

  1. Open VSCodium
  2. Outbound connection is made

Expected behavior

No telemetry is sent.

Screenshots

Screen Shot 2020-03-16 at 17 12 00

Desktop (please complete the following information):

  • OS: macOS
  • Architecture x64
  • Version 1.43.0

Most helpful comment

I think that disabling autoupdate is preferable. If a user installs via brew/caskroom or a distro package manager (which is probable in most cases), then updating is handled automatically by their package manager.

The marketplace and other stuff absolutely require network requests for functionality to work; that's a horse of a different color. The editor works perfectly fine forever if the autoupdate check is disabled, users will suffer no ill effects from it being disabled.

All 7 comments

This is a fair observation. Since we don't have any control over "when" the auto-update check is made, perhaps the best step forward is to disable auto-updates by default and let users know in the README that they can change that setting to their preference if they would like VSCodium to autoupdate.

What do you think about this approach @sneak ?

Another idea is to leave in the feature but include a note in https://github.com/VSCodium/vscodium/blob/master/DOCS.md#getting-all-the-telemetry-out where other "information leaks" are mentioned.

I think that disabling autoupdate is preferable. If a user installs via brew/caskroom or a distro package manager (which is probable in most cases), then updating is handled automatically by their package manager.

The marketplace and other stuff absolutely require network requests for functionality to work; that's a horse of a different color. The editor works perfectly fine forever if the autoupdate check is disabled, users will suffer no ill effects from it being disabled.

Another option would be to remind the user after a period of time (weeks, months) to trigger a manual update check.

Hi @sneak !
We're still losers in that game, but still need trying.
My testbed is a separate computer, running Manjaro, with VSCodium built from source.
Settings(search for "update"):

  • Update Mode - none[see above]
  • Update Show Release Notes - [ ]
  • Extensions Auto Check Updates - [ ]
  • Extensions Auto Update - [ ]

And tcpdump -i any running.
So, I see no noise at startup, but still need more tries.

I still insist on an idea to get some totally silent settings defaults...
@sneak , please keep monitoring with tcpdump, wireshark, or whatever you've got.

@sneak
Noway. An empty VSCodium looks silent, but as I add a directory - it just spams networking with: bc.googleusercontent.com. Probably necrosoft really needs to know everything we're doing in VSCodium.

@sneak , please check this config.json if it helps you: https://github.com/VSCodium/vscodium/issues/407#issuecomment-678683617
Applications restarts and new folder additions are pretty silent.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

sdaitzman picture sdaitzman  路  40Comments

tyu1996 picture tyu1996  路  29Comments

apollolux picture apollolux  路  35Comments

JL2210 picture JL2210  路  55Comments

linsui picture linsui  路  20Comments