VSCode doesn't seem like a "on trusting trust" attack vector since we can easily observe the git outputs of the C/C++ source and these parts often reviewed by peers. Unlike object code -- we can always take a look at the disassembly but in practice it's not scrutinized.
It's probably frustrating to those who work on Firefox to suggest that it somehow depends on Chrome. I get that. But it wasn't where I was going.
There is some kinda-out-there reality though -- with something like WASM or v8 you can theoretically run real toolchains like gcc and clang "in the browser". ;)
VSCode doesn't seem like a "on trusting trust" attack vector since we can easily observe the git outputs of the C/C++ source and these parts often reviewed by peers. Unlike object code -- we can always take a look at the disassembly but in practice it's not scrutinized.
It's probably frustrating to those who work on Firefox to suggest that it somehow depends on Chrome. I get that. But it wasn't where I was going.
There is some kinda-out-there reality though -- with something like WASM or v8 you can theoretically run real toolchains like gcc and clang "in the browser". ;)