
Context: Cursor, despite raising $900M, is a VS Code fork that uses the open-vsx extension registry. It is maintained by European volunteers at a non-profit, and does not have the resources to check for supply-chain attacks like this.

Freeloading on (and blaming) volunteer infrastructure is irresponsible, especially when you have so much funding.



> Freeloading on (and blaming) volunteer infrastructure is irresponsible, especially when you have so much funding.

I agree. If you're going to fork vscode, it's not that much harder to add a sandbox. Even a docker container would be better than nothing.


Cursor, Microsoft, and all the major players in this space should invest heavily in a managed dependency / plugin service, also for the huge number of Node.js packages. They need a review, scan, certification and warranty program.

Apple did it 15 years ago; time for the rest to catch up. They can turn it into a business by offering enterprise subscriptions for higher guarantees or a warranty.


Microsoft claims their team banned the extension in "2 seconds" https://x.com/code/status/1943720372307665033?s=46

Concerning Apple, their review process is so hard and unjust, I've seen startups give up apps after months of work just because of that.

Maybe sandboxing and runtime-level permissions are a better compromise?


The entire AI industry is based on mass parasitism of art, music, articles, newspapers, books and open source code.

Why would they start investing now when they can just continue to plunder the commons uninterrupted?


That's the more general issue, isn't it? Users demand software, guarantees, ... and refuse to pay for it.

That goes for the AI industry itself, but equally for everyone using it.

Microsoft won when it found a way to extract software fees as a tax from hardware manufacturers.

FANG won when it found a way to extract software writing and hosting fees from advertisers, effectively making it a tax on everything you buy.

Both of these (operating systems and basic cloud services like email hosting) could be done a lot cheaper if they were paid for by end users, but those just won't pay. In fact, for a while they were paid by end users (Microsoft did that, gmx.net, infomaniak, ...). Then everyone switched to "free" and here we are.

And we all know there's no way back, so what's the point in discussing it? We all know most people will just not have email or web search if they had to pay even $5 per year to get it, and I seem to recall an article stating Google effectively earns over $100 per year per account.

Reality is: give it another 2 years and the "art, music, articles, newspapers, books and open source code" industries will reach absolutely nobody except through AI providers. That could be avoided if every creator paid $1 per year to have free infrastructure for their services, but there's no way in hell they will do that ... so here we are. In 2 years instead they'll pay $1000 every time they want someone to actually look at their art.

And yet, the situation with banking services is far worse, imho. So bad, in fact, that even charging $0.01 per year for internet services would be a nonstarter.


Microsoft (claims it) does that already. Their pitch is for people to use the main VSCode marketplace.


Which you are only allowed to do if you use Microsoft's build of VSCode. The ecosystem of that is deliberately closed off.


This event kind of makes that seem justified, no?


As far as their bottom line and market control while openwashing, sure. As far as improving the security of the ecosystem as a whole, no.

See https://ghuntley.com/fracture/ for a criticism of this strategy.


Not really, no.


How different is Cursor from VSCodium?

Nonetheless, I think this is more a vulnerability on the Open VSX registry side than in Cursor AI. If anything, the forks and VS Code should block/sandbox extensions by default, or have a granular permission system to allow users to consciously choose whether to allow an extension to use network resources or not.
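Two comments in this thread point in the same direction: the earlier one ("even a docker container would be better than nothing") and this one (block or sandbox extensions by default, with network access as an explicit, per-extension grant). The script below is an added example, not code from the thread, from Cursor, or from VS Code. It builds a locked-down `docker run` line for an untrusted extension-host process, with network access defaulting to `none` unless the user has explicitly granted it, and includes a linter that flags invocations missing the hardening flags. `EXTENSION_HOST_IMAGE` and `extensionHost.js` are placeholder names (assumptions), not real image or file names.

```shell
#!/bin/sh
# Added example (not from the thread, Cursor, or VS Code): a minimally
# hardened container invocation for an untrusted extension host, with a
# default-deny network permission, plus a linter for existing invocations.
# EXTENSION_HOST_IMAGE and the workspace layout are assumed placeholders.

# Hardening flags every sandboxed extension-host invocation must carry:
# read-only root filesystem, no Linux capabilities, no setuid-based
# privilege escalation, and a cap on fork bombs via the pids cgroup.
REQUIRED_FLAGS="--read-only --cap-drop=ALL --security-opt=no-new-privileges --pids-limit=256"

# sandbox_cmd WORKSPACE ALLOW_NET(yes|no) CMD...
# Print the docker command that runs CMD against a read-only bind mount of
# WORKSPACE. Network is off unless the user explicitly granted it ("yes"),
# which mirrors a per-extension network permission. Writable scratch space
# is a small noexec tmpfs; the process runs as an unprivileged uid.
sandbox_cmd() {
    workspace="$1"; allow_net="$2"; shift 2
    if [ "$allow_net" = "yes" ]; then
        net="--network=bridge"
    else
        net="--network=none"
    fi
    cmd="docker run --rm $net $REQUIRED_FLAGS --memory=512m --user=65534:65534"
    cmd="$cmd --tmpfs /tmp:rw,noexec,nosuid,size=64m"
    cmd="$cmd -v $workspace:/workspace:ro -w /workspace EXTENSION_HOST_IMAGE"
    for arg in "$@"; do cmd="$cmd $arg"; done
    printf '%s\n' "$cmd"
}

# sandbox_check "docker run ..."
# Return 0 if the command line carries every required hardening flag and an
# explicit --network= choice; otherwise print the missing items and return 1.
sandbox_check() {
    line="$1"; missing=""
    for flag in $REQUIRED_FLAGS; do
        case " $line " in
            *" $flag "*) ;;
            *) missing="$missing $flag" ;;
        esac
    done
    case " $line " in
        *" --network="*) ;;
        *) missing="$missing --network=<explicit>" ;;
    esac
    [ -z "$missing" ] && return 0
    printf 'missing:%s\n' "$missing"
    return 1
}

# Usage (prints the command; run it through sh only if docker is present):
#   sandbox_cmd "$PWD" no node extensionHost.js
#   sandbox_check "$(sandbox_cmd "$PWD" no node extensionHost.js)"
```

The point of the linter is that the hardening is only as good as its weakest invocation: a wrapper that forgets `--cap-drop=ALL` or leaves the default bridge network in place silently gives a malicious extension back the exfiltration path the sandbox was supposed to remove.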


Cursor is a paid product and a company, VSCodium is an open-source project running on volunteers.


So the $900M product runs on volunteer-run infrastructure, without giving anything back to the Open VSX registry?

Seems like the software development industry in a nutshell: multi-millionaire companies freeloading on volunteer work :)


Open VSX is actually run by the Eclipse Foundation, but yeah, apparently Cursor doesn’t support them. :’)


They also were freeloading on Microsoft infrastructure, and when they got booted they also blamed everyone else.

Thanks to Cursor you can no longer directly download extensions from the VS Code Marketplace.



