Indeed, here’s an example - my climate-system model web-app, written in scala running (mainly) in wasm
(note: that was compiled with scala-js 1.17, they say latest 1.19 does wasm faster, I didn’t yet compare).
[ Edit: note wasm variant only works with most recent browsers, maybe with experimental options set - if not try without ?wasm ]
OK, nice promises, but seems to me overpowered for phone functions, so what’s their plan for battery lifetime (bearing in mind that a desktop os is less optimised for efficiency)?
In principle I’d like to see specific permissions - so for example playing with gui enhancements should be a lower trust barrier than adjusting and running code, but afaik (correct me if wrong) neither js nor rust have a built-in security architecture that could implement this. Maybe certain types of extensions could just be custom script language without filesystem access, but that’s harder to do.
About source code linking, last time I heard (maybe they fixed it?) it seemed that trick vscode extensions can link to arbitrary (safe-looking) source repos, which didn’t actually produce the extension.
I’m less convinced about slowly accumulating publisher trust, as this could be a barrier to honest new contributors, while big actors with a longterm profit or geopolitical motive could game such a system anyway (as they do for social media).
I do trust the scala tools (build Mill, lang-server Metals, compiler) which adjust my code, having seen them evolve over many years.
and like the separation of functions (lang-server / editor), so we are less dependent on any one big-tech solution.
So I suppose a fundamental issue is what to trust less - big corps with a reputation but lock-in power, or an ecosystem of small contributors which might include tricksters. No perfect balance.
It seems so far Zed is cautious, providing api only for specific extensions - i.e. language servers and gui themes.
add a line … right before you run it
I run stuff from the command line using a trusted build tool (Mill, in scala), or via a local server (where js is sandboxed).
But indeed, a tricky language server or AI tool (I don’t use yet) might inject code where I don’t inspect before running it.
That’s a risk even with java-based IDEs - java has security permissions, not in js (vscode) or rust (zed), but are they applied…?
As for audits, a problem with vscode is the marketplace got too big, so many extensions, many lookalikes, nobody can check them all…
Such tricks were was predictable, as VSCode extensions, letting arbitrary JS run on your system, are an obvious security risk.
Recently I used Zed editor instead, it’s smooth, but this also has extensions, only these are fewer and in rust ( maybe a higher barrier, targeting less users, so far… ). What’s the solution here - is there some intrinsically safer sandboxed system ?
Oh, it’s designed for a big desktop screen, although it just happens to work on mobile devices too - their compute power is enough, but to understand the interactions of complex systems, we need space.