PhatLe
July 17, 2024, 6:03pm
1
I remember seeing something about openSUSE having the Zed editor, but not yet publicly, or did I remember wrong?
If I remember correctly, is it already available, or is it still waiting in the stage phase?
I used their install script that is now gone, and it wasn’t so good, so a package would be nice, especially for container setups. I also saw they now have direct downloads; I have to see what they offer later as direct download options.
hui
July 17, 2024, 6:10pm
2
Due to some upstream security issues, the request for incorporation into the official openSUSE repos got revoked until the upstream issues are fixed. (Experienced users can find the devel project. I won’t post the link due to the issues described next.)
The app downloaded binaries and other broken stuff without user consent or knowledge. Until this problem is fixed, zed won’t get introduced into the official openSUSE distribution.
zed-industries:main
← zed-industries:disable-binary-downloads
opened 10:41PM - 09 Jul 24 UTC
fixes https://github.com/zed-industries/zed/issues/12589 https://github.com/zed-industries/zed/issues/12354
follow up to https://github.com/zed-industries/zed/pull/12703
TODO:
- [ ] Implement a setting for globally enabling / disabling binary downloads
- [ ] Node
- [ ] Supermaven & Copilot
- [ ] Built in and extension LSP binaries
- [ ] Report appropriate errors to the user when downloads are blocked this way
- [ ] Add this setting to the welcome page, so users have a chance to disable it before continuing.
Release Notes:
- TODO
opened 05:01PM - 02 Jun 24 UTC
defect
network
security & privacy
### Check for existing issues
- [X] Completed
### Describe the bug / provide steps to reproduce it
I noticed that Zed automatically downloads the NodeJS binary from https://nodejs.org without asking or even informing the user about it. Right after starting it and opening a file, without doing anything else. And there’s no option to disable it.
This is completely unacceptable!
Not just for security reasons but also from a usability point of view. I’m currently connected via metered LTE, and Zed has just eaten up 14 MiB of my plan. Moreover, I already have node installed and on PATH. Also, the downloaded binary is somehow corrupted and it wouldn’t work on my system anyway because it’s built against glibc (that’s how I noticed it in the first place).
And to make matters worse, if it did work, it would start installing arbitrary packages from npmjs.com via npm and running their scripts. This represents a huge attack vector.
This approach is completely unacceptable for anyone who’s concerned about cybersecurity and for virtually all companies, at least in the EU, because of cybersecurity laws, related certifications and audits.
EDIT: Now I found that it downloads ([here](https://github.com/zed-industries/zed/blob/de8ef081436317689333b29324b3a64343745914/crates/supermaven_api/src/supermaven_api.rs#L189)) even some _proprietary_ binary from https://supermaven.com, i.e. unaudited and unauditable code, without any verification (except TLS)! At least this is not downloaded by default… I hope…
EDIT2: Zed also automatically downloads and executes prebuilt language servers for C#, Clojure, Deno, Elixir, Gleam, GLSL, Lua, Terraform, Toml and Zig. It automatically resolves the latest version available on GitHub and downloads it, again, without any verification.
### Environment
N/A
### If applicable, add mockups / screenshots to help explain present your vision of the feature
_No response_
### If applicable, attach your `~/Library/Logs/Zed/Zed.log` file to this issue.
_No response_
### Somehow related issues
- #12358
- #12354
- #12703
1 Like
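The checks the quoted pull request and issue ask for (an opt-in setting, no floating "latest" versions, verification beyond TLS), sketched as an added example; this is not Zed's or openSUSE's code, and `install_binary`, `example-lsp`, the pin table and the stand-in fetch are hypothetical names with constructed sample data.

```python
import hashlib
import hmac
import os
import tempfile

class DownloadBlocked(Exception):
    """Raised when policy or verification refuses a binary."""

def install_binary(name, version, fetch, pins, allow_downloads, dest_dir):
    """Fetch a helper binary only if the user opted in, the exact version is
    pinned, and the payload's SHA-256 matches the pinned digest."""
    if not allow_downloads:
        raise DownloadBlocked(f"{name}: binary downloads are disabled")
    expected = pins.get((name, version))
    if expected is None:  # also rejects floating versions such as "latest"
        raise DownloadBlocked(f"{name} {version}: no pinned digest")
    payload = fetch(name, version)
    actual = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise DownloadBlocked(f"{name} {version}: digest mismatch")
    # Verified: write to a temp file, then rename into place atomically.
    fd, tmp = tempfile.mkstemp(dir=dest_dir)
    with os.fdopen(fd, "wb") as f:
        f.write(payload)
    os.chmod(tmp, 0o755)
    final = os.path.join(dest_dir, f"{name}-{version}")
    os.replace(tmp, final)
    return final

# Constructed sample data: a fake "language server" payload and its pin.
GOOD = b"#!/bin/sh\necho constructed-language-server\n"
PINS = {("example-lsp", "1.2.3"): hashlib.sha256(GOOD).hexdigest()}

def fake_fetch(tampered=False):
    """Stand-in for the network fetch so the example runs offline."""
    return lambda name, version: GOOD + (b"# injected" if tampered else b"")

def outcome(version, allow, tampered=False):
    """Return the installed file name, or the reason it was blocked."""
    with tempfile.TemporaryDirectory() as d:
        try:
            path = install_binary("example-lsp", version, fake_fetch(tampered), PINS, allow, d)
            return os.path.basename(path)
        except DownloadBlocked as e:
            return str(e)

if __name__ == "__main__":
    for args in [("1.2.3", False), ("latest", True), ("1.2.3", True, True), ("1.2.3", True)]:
        print(args, "->", outcome(*args))
```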
PhatLe
July 18, 2024, 1:34am
3
Thank you, so it’s just a waiting game for now, and there are reasonable reasons not to release it yet.