
Thank you for your honesty, this is pretty brave.

On the other hand...this feels like a situation where possibly you should not have said anything at all? The fact that you're on HN responding feels ill-advised to me.

So far this is what I've gleaned:

- Microsoft has PMs vibe coding against VSCode (by itself not necessarily a big deal)

- Microsoft PMs can vibe code against VSCode and get stuff shipped to production with only a single approval

That second one is a huge deal in my book. What I've learned now is that VSCode, a product with an enormous deployment base, is trivially compromised if the calls are coming from inside the house. Apparently all that has to happen for all users to be affected is a PM requesting you to "please approve my PR real quick, trying to get it in." And now there's a massive change in the wild, visible to many users.

Being familiar with big corp dynamics, this really worries me. This does feel like a not-well-thought-out mistake but I can easily imagine many other scenarios that would be far worse.

How can I trust VSCode going forward? How can I reassure my employer and fellow colleagues that it's safe to use? This is really a terrible look for Microsoft and very damaging to the reputation.

I feel bad for you the engineer and PM here because with the web being what it is, folks are casting blame onto you. That's missing the point since the issue is that MSFT even let this happen in the first place. Engineering processes need to be halted and re-evaluated basically yesterday. If something like this happens again it may not be possible to rebuild the trust at all.

I hate to say it but for myself this issue makes me strongly consider switching away from VSCode permanently, something I had not seriously considered before yesterday. Best of luck to everyone on the VSCode team.


