10

From the VS Code setup docs, both the Arch Linux and NixOS installation guides give the following package description:

There is a community-maintained ... (package)

I know that for Arch Linux, VSCode is in their AUR repository (unofficially supported by Arch, and any use of them is at your own risk). Maybe NixOS officially supports VSCode? I'm not sure.

Question

  • So what does community-maintained mean? Are they maintained by official VS Code team members or by unofficial distribution-specific community maintainers?
  • Is there any way to ensure package maintainers are from the official software team?

I am a newbie in VSCode.

  • I'm voting to close this question because it's about the specific policies of two Linux distributions rather than open source software per se. Commented Feb 19 at 10:28
  • Remember that most distribution packages, whether in main distribution or in community repositories, are maintained by hobbyists. Any Linux distribution is pretty much "at your own risk". Only difference really is that maintainers in main package repositories have longer relationships with the distribution, which increases trust. Commented Feb 20 at 8:39
  • You might be interested in VSCodium, a community fork of VSCode without all the Microsoft junk. Commented Feb 20 at 19:19
  • Do you want to use VSCode because of an existing project which forces you into using it? Otherwise, there are plenty of other good code editors (Geany, Eclipse, Code::Blocks, NetBeans, ...). Don't mess around with Microsoft products in a non-Microsoft system. Commented Feb 21 at 11:23

2 Answers

11

TLDR

So what does community-maintained mean? Are they maintained by official VS Code team members or by unofficial distribution-specific community maintainers?

By unofficial / official distribution-specific community maintainers (see further). Almost never is a package maintained by the people who make the software itself.

Specifically this version https://archlinux.org/packages/extra/x86_64/code/ is Arch Official. Though it isn't MS Official.

This version https://aur.archlinux.org/packages/visual-studio-code-bin is NOT Arch Official. It is however MS recommended https://code.visualstudio.com/docs/setup/linux#_aur-package-for-arch-linux. Note that even though the AUR page says it's "official", it says it's an official binary version. Which means that the package claims it contains the official version (if you are to believe the word of the maintainer), but it is still based on trust of the community maintainer.

Is there any way to ensure package maintainers are from the official software team?

Yes. Look up https://aur.archlinux.org/packages/visual-studio-code-bin, look at the maintainer and check if this person is someone from the official team of the software. (I believe it isn't. Although since the package is endorsed by both Microsoft and Arch wiki, I would consider it safe)

Context

Packaging on Linux is a bit of a mess with many different people with different responsibilities. And you chose a specifically complicated example.

There are two jobs, roughly. Make the software and adapt the software to the distro (Arch Linux). These jobs are (often) done by different people. E.g. vscode is made by contributors on https://github.com/microsoft/vscode. Arch's VS code package is made by "dcelasun". What does it mean to "make the package"? It means to write this file https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=visual-studio-code-bin which is used to adapt the software to distro specific needs.

Now however there are usually two groups of packages on any distro. Official and unofficial ones. On Arch Linux official are packages in core/extra repository. On Debian-based distros official packages are the ones you can install with apt (WITHOUT adding any PPAs).

Now however what about the unofficial ones? Distros usually provide a way for users to distribute any package. These packages are by nature not official or checked by the official distro team. On Debian they are called PPA, on Arch they are called AUR.

You can probably infer the security implications yourself. Anything in official repositories is with high degree of probability safe. Anything in user/unofficial repository you need to check yourself.

vs code

Vs code is a bit of a mess because there are at least 3 versions of the software with different licensing and in different repos. See https://wiki.archlinux.org/title/Visual_Studio_Code

Basically the "Microsoft official" version of VS Code cannot be in the "Arch official" repositories, because of license. However the Open Source variant of VS Code can be and is in official Arch repositories.

There is furthermore one last "un-microsofted" variant of vs code, in AUR. That one is officially supported by neither MS nor Arch, but it is told to be more telemetry free.

  • …and yet, the AUR file you linked says "(official binary version)" in its package description :-/ Commented Feb 21 at 10:00
  • @Bergi oof yeah you're right. I will add it to the answer Commented Feb 21 at 13:36
  • Thanks @Richard for your detailed description. Actually, what I am most concerned about is the security and authority of the package. Your explanation covers these parts. Commented Feb 21 at 16:21
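The answer's advice is to read the PKGBUILD of an AUR package and judge for yourself where the binary is fetched from and whether its checksum is pinned. The script below automates that reading; it is an added example, not code from the answer, from Arch or from the AUR. The PKGBUILD text is a constructed sample (not the real visual-studio-code-bin file) and the vendor host allowlist is an assumption you would fill in with the upstream's real download domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample PKGBUILD (not the real AUR file): one download from the
# vendor's own host with a pinned checksum, one from a mirror with 'SKIP'.
SAMPLE_PKGBUILD = r'''
pkgname=example-editor-bin
pkgver=1.2.3
source=("${pkgname}-${pkgver}.tar.gz::https://downloads.example-vendor.test/editor-${pkgver}.tar.gz"
        "helper.sh::https://mirror.example.org/helper.sh")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
'''

# Assumed allowlist: hosts the upstream vendor is known to publish from.
VENDOR_DOMAINS = {"example-vendor.test"}

def scalar_vars(text):
    """Collect simple name=value lines so ${name} references can be expanded."""
    return dict(re.findall(r'''^(\w+)=["']?([^"'\n(]+?)["']?$''', text, re.M))

def expand(value, variables):
    """Substitute ${name} with its scalar value; unknown names are left as-is."""
    return re.sub(r'\$\{(\w+)\}', lambda m: variables.get(m.group(1), m.group(0)), value)

def parse_array(text, name):
    """Return the quoted items of a bash array assignment name=( ... )."""
    m = re.search(r'^%s=\((.*?)\)' % re.escape(name), text, re.S | re.M)
    return re.findall(r'''["']([^"']*)["']''', m.group(1)) if m else []

def audit_pkgbuild(text, vendor_domains):
    """Pair each source with its checksum and list provenance problems."""
    variables = scalar_vars(text)
    sources = parse_array(text, "source")
    sums = parse_array(text, "sha256sums")
    findings = []
    for i, entry in enumerate(sources):
        # A source entry may be "localname::URL"; keep only the URL part.
        url = expand(entry.split("::", 1)[-1], variables)
        host = urlparse(url).hostname or ""
        csum = sums[i] if i < len(sums) else "MISSING"
        problems = []
        if not any(host == d or host.endswith("." + d) for d in vendor_domains):
            problems.append("non-vendor host")
        if csum in ("SKIP", "MISSING"):
            problems.append("no checksum")
        findings.append({"url": url, "host": host, "sha256": csum, "problems": problems})
    return findings
```

Run `audit_pkgbuild(open("PKGBUILD").read(), {...})` against a downloaded PKGBUILD; any entry with a non-empty `problems` list is one you should look at by hand before building.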
7

So what does community-maintained mean? Are they maintained by official VS Code team members or by unofficial distribution-specific community maintainers?

Those packages are not maintained by the VS Code team.

I am not familiar enough with the distributions to tell if those packages are maintained by official maintainers of respectively Arch Linux or NixOS or just random users of those distributions.

Is there any way to ensure package maintainers are from the official software team?

If by "official software team" you mean the team that maintains a particular software application, and not the team that maintains a particular Linux distribution, then you should look at the website of the software in question to see if they mention providing packages that are maintained by them.

For software packages that are officially maintained by a particular distribution, you should check the distribution's documentation for how to determine which software is officially supported.
