> There was no ill intent by evil corporation, but rather a desire to support functionality that some customers expect of VS Code w.r.t. AI-generated code.
What metric did Microsoft use to assess that VS Code users "expect" their commits to have unsolicited messages added to them?
> Obviously, it should not be on when disableAIFeatures is on and it should not be reporting changes that were not done by AI.
Did you discuss adding these messages with your legal department?
What is Microsoft's position on adding such authorship statements to the code Microsoft did not author?
Or is Microsoft stating that using LLM assistants makes Microsoft a co-author of the code?
Does Microsoft have copyright claims on the code if LLM assistants are used at any time during its creation?
Of course one can and should read the script before running it, but the instructions promote just the opposite.
Even if we skip a step ahead and consider that this script then installs a binary blob... the situation doesn't get any better, does it?
If you find any of this as something normal and acceptable, I can only strongly disagree. Such bad practices should be discouraged.
On the other hand, using a distro's package manager and a set of community approved packages is a far better choice when installing software, security vise. I really don't see how you could compare the two without plainly seeing the difference, from a security perspective.
As an alternative, if the software is not available through a distro's package manager, one should inspect and compile the code. This project provides the instructions to do so, they are just not promoted as a first choice.
I can't help coming to a conclusion, that you've largely made my point about bad practices and having a wrong mindset when it comes to software security.