In the latest release of VS Code, 1.68, Microsoft enabled support for “deprecated” and “malicious” extensions, which reflect in its UI. The source of truth for these extensions is a URL specified in the product.json in the controlUrl field.
It would be a good idea to adopt it in Gitpod’s VS Code Browser as well, but it would not be the best idea to use Microsoft’s configuration (we have many different extensions on OpenVSX, and a lot of extensions which are for example deprecated and that we simply don’t have).
The goal is to have a open-vsx.org-wide configuration file for extensions, which is open-source, owned by Eclipse but easily editable by us.
open-vsx.org wide means it would be used by not just us and the web interface, but also other big players in the space like https://github.com/VSCodium/vscodium, https://github.com/coder/code-server or https://github.com/eclipse-theia/theia and encourage these projects to contribute to update both deprecated but also malicious extensions.
I propose that we use https://github.com/EclipseFdn/open-vsx.orgto house the extensions.json file and that we try it out in both Gitpod’s VS Code Browser and https://github.com/gitpod-io/openvscode-server.
I believe this file does not have to be hosted anywhere besides GitHub, so that we would just use the raw file URL in GitHub to fetch the latest one from main.
More context on the outcome when RFC is "accepted" or "rejected" with any next steps
[x] Optional: prepare a draft of our own extensions.json file (@Filip Troníček)
[x] Reach out to Eclipse with this RFC
[x] Use the file in Gitpod VS Code Browser Insiders and OpenVSCode Server Insiders
[x] Introduce it in stable versions of our VS Code distributions