During a training course, I got to know a little better the wonderful world created by Microsoft for #devops etc.
For example, this official VS Code extension that lets you do an ssh + a kind of sshfs on all the machines declared in our ~/.ssh/config… and which drops onto them the code of a 230 MB VS Code server (508 directories, 1585 files), no doubt to provide this feature!
I went straight back to #emacs and sshfs.
The more I think about it, the more it seems to me that in this day and age, with all the modern threats, having a text editor that is capable of not only connecting to the Internet, but also installing some code packages from repositories (and probably doing dependency resolution) is a recipe for catastrophe. Sooner or later.
It's probably one thing when you use a curated list of half a dozen addons that you can even personally peruse (or even contribute to). It's a whole other thing when you use some huge "distro" with probably hundreds of packages that also receive constant updates you cannot possibly control.
It's mostly about #Emacs, of course, but #vim is fully capable of it too. I won't even mention the likes of #VSCode.
We have had a fair share of supply chain attacks in recent years (npm, pip, even xz in some way). No reason to think no one's gonna use this channel of attack.
Maybe it's just my fibs. But there is some uneasy feeling about the fact that you edit, perhaps, extremely private, personal or sensitive texts while your editor runs some background code doing who knows what. It's one thing to trust people who wrote vim or Emacs and a whole other thing to trust a hundred other unknown parties at the same time.