Notify users when installing an extension from a publisher for the first time #215527

isidorn · 2024-06-14T09:58:11Z

To start I propose we do a similar solution like Intelli-J. On extension install we show a dialog with the following text

"EXTENSION NAME is coming from EXTENSION_AUTHOR. Installing extensions is similar to installing and running applications. Extensions get the same permissions as PRODUCT_NAME itself. Only proceed if you trust EXTENSION_AUTHOR."

Always trust extensions from EXTENSION_AUTHOR

"Cancel" "Learn More" "Install"

Always trust extensions from EXTENSION_AUTHOR would go to machine storage. By default Microsoft and GitHub would be trusted - since the user already placed their trust in VS Code.

Learn More would take users to doc (@isidorn to author - tracked microsoft/vscode-docs#7874)

We also need command to manage the preserved state.

I think this will be a better fit than workspace trust, since we actually show the dialog at the right moment (when user is installing an extension). Unlike on startup with workspace trust.

Step 2 (out of scope of this issue) is to show additional information in this dialog. For example:

Name / publisher name (verified)
Ratings
Repository (with some metadata if it actually belongs to publisher)
Install Count
Last published

isidorn · 2024-06-18T16:54:06Z

Putting to July, just because I do not want already to create the August milestone. As soon as it gets created will move this issue to that milestone.

isidorn · 2024-07-19T09:15:49Z

@ulugbekna made a good point that intelli-j shows a dialog on install for 3rd parties "proceed with caution". Here's how it looks

Full text used

"The following plugins aren't coming from JetBrains:

AWS Toolkit (Amazon Web Services)

Installing plugins is similar to installing and running applications. Plugins get the same permissions as the IDE process itself. Only proceed if you trust the plugins.

You are also advised to check the plugin vendor’s documentation for details on how the vendor can process your personal data. JetBrains is not responsible for any behavior of any third-party plugins and their vendors, including processing of your personal data."

fyi @sandy081 @alexdima @joaomoreno

…r the first time

…st time (#238540) * #215527 Notify users when installing an extension from a publisher for the first time * feedback * polish * trust publishers post installing * add verify publisher link * tweak wording * tweak wording * add quotes * add telelemtry

…st time (microsoft#238540) * microsoft#215527 Notify users when installing an extension from a publisher for the first time * feedback * polish * trust publishers post installing * add verify publisher link * tweak wording * tweak wording * add quotes * add telelemtry

isidorn added extensions Issues concerning extensions feature-request Request for new features or functionality labels Jun 14, 2024

isidorn added this to the Backlog milestone Jun 14, 2024

isidorn assigned isidorn and daviddossett Jun 14, 2024

isidorn modified the milestones: Backlog, July 2024 Jun 18, 2024

isidorn modified the milestones: July 2024, August 2024 Jul 19, 2024

isidorn mentioned this issue Jul 19, 2024

Investigate different extension update mechanisms #215555

Closed

isidorn modified the milestones: August 2024, September 2024 Aug 29, 2024

isidorn modified the milestones: September 2024, Backlog Sep 23, 2024

isidorn assigned sandy081 and unassigned daviddossett Nov 22, 2024

isidorn mentioned this issue Dec 10, 2024

Security Enhancement: Pop-up Confirmation for Extension Installation #224297

Closed

isidorn changed the title ~~Transparently show extension metadata on install~~ Notify users of extension runtime model on extension install Dec 17, 2024

isidorn mentioned this issue Jan 6, 2025

Document extension runtime security microsoft/vscode-docs#7874

Closed

ntrogh mentioned this issue Jan 8, 2025

Add extension runtime security article microsoft/vscode-docs#7920

Merged

kieferrm mentioned this issue Jan 13, 2025

Iteration Plan for January 2025 #237297

Open

62 tasks

sandy081 modified the milestones: Backlog, January 2025 Jan 16, 2025

sandy081 changed the title ~~Notify users of extension runtime model on extension install~~ Notify users when installing an extension from a publisher for the first time Jan 21, 2025

sandy081 added a commit that referenced this issue Jan 21, 2025

#215527 Notify users when installing an extension from a publisher fo…

4aaa884

…r the first time

sandy081 mentioned this issue Jan 23, 2025

Show dialog when installing an extension from a publisher for the first time #238540

Merged

sandy081 closed this as completed in #238540 Jan 23, 2025

vs-code-engineering bot added the unreleased Patch has not yet been released in VS Code Insiders label Jan 23, 2025

sandy081 added on-testplan and removed unreleased Patch has not yet been released in VS Code Insiders labels Jan 23, 2025

sandy081 mentioned this issue Jan 27, 2025

Test trusting publisher while installing an extension #238847

Closed

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Notify users when installing an extension from a publisher for the first time #215527

Notify users when installing an extension from a publisher for the first time #215527

isidorn commented Jun 14, 2024 •

edited

Loading

isidorn commented Jun 18, 2024

isidorn commented Jul 19, 2024 •

edited

Loading

Notify users when installing an extension from a publisher for the first time #215527

Notify users when installing an extension from a publisher for the first time #215527

Comments

isidorn commented Jun 14, 2024 • edited Loading

isidorn commented Jun 18, 2024

isidorn commented Jul 19, 2024 • edited Loading

isidorn commented Jun 14, 2024 •

edited

Loading

isidorn commented Jul 19, 2024 •

edited

Loading