From 5fdb6184e5dfaca08bea52d01ff30b2f85339e27 Mon Sep 17 00:00:00 2001 From: Sean Iyer Date: Fri, 25 Oct 2024 15:44:22 -0700 Subject: [PATCH 1/2] docs: clarify safety measures for Marketplace extensions --- docs/editor/extension-marketplace.md | 8 +++++--- docs/editor/images/extension-marketplace/bluecheck.png | 3 +++ 2 files changed, 8 insertions(+), 3 deletions(-) create mode 100644 docs/editor/images/extension-marketplace/bluecheck.png diff --git a/docs/editor/extension-marketplace.md b/docs/editor/extension-marketplace.md index 8ed34ace1a..b25ae34c6e 100644 --- a/docs/editor/extension-marketplace.md +++ b/docs/editor/extension-marketplace.md @@ -350,10 +350,9 @@ Yes, if you would prefer to not have VS Code display extension recommendations i The **Show Recommended Extensions** command is always available if you want to see recommendations. ### Can I trust extensions from the Marketplace? +The Marketplace runs a malware scan on each extension package that's published to ensure its safety. The scan, which uses several anti-virus engines, is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage. -The Marketplace runs a virus scan on each extension package that's published to ensure its safety. The virus scan is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage. - -The Marketplace also prevents extension authors from name-squatting on official publishers such as Microsoft and RedHat. +The Marketplace also prevents extension authors from name-squatting on official publishers such as Microsoft and RedHat as well as popular extension names such as GitHub Copilot. If a malicious extension is reported and verified, or a vulnerability is found in an extension dependency: 
@@ -365,6 +364,9 @@ The Marketplace also provides you with resources to make an informed decision ab * **Ratings & Review** - Read what others think about the extension. * **Q & A** - Review existing questions and the level of the publisher's responsiveness. You can also engage with the extension's publisher(s) if you have concerns. * **Issues, Repository, and License** - Check if the publisher has provided these and if they have the support you expect. +* **Verified Publisher** - Use the blue check mark next to the publisher name and domain as an additional signal of trust. It indicates that the publisher has proven domain ownership to Marketplace. It also shows that the Marketplace has verified both the existence of the domain and the good standing of the publisher on the Marketplace for at least six months. + +![Verified publisher](images/extension-marketplace/bluecheck.png) If you do see an extension that looks suspicious, you can report the extension to the Marketplace with the **Report Abuse** link at the bottom of the extension **More Info** section. diff --git a/docs/editor/images/extension-marketplace/bluecheck.png b/docs/editor/images/extension-marketplace/bluecheck.png new file mode 100644 index 0000000000..61666974da --- /dev/null +++ b/docs/editor/images/extension-marketplace/bluecheck.png @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:4a6ec33f20939d692e1915b6c61be535b38c63ebba8ad89fce27f8ed8a7c2c7c +size 29068 From 6b4e7391bc55be2bc2b80464e6490e4eae1e0ed3 Mon Sep 17 00:00:00 2001 From: Isidor Nikolic Date: Mon, 28 Oct 2024 10:36:09 +0100 Subject: [PATCH 2/2] Update docs/editor/extension-marketplace.md Co-authored-by: Nick Trogh <1908215+ntrogh@users.noreply.github.com> --- docs/editor/extension-marketplace.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/editor/extension-marketplace.md b/docs/editor/extension-marketplace.md index b25ae34c6e..5640449f8c 100644 --- a/docs/editor/extension-marketplace.md 
+++ b/docs/editor/extension-marketplace.md @@ -364,7 +364,7 @@ The Marketplace also provides you with resources to make an informed decision ab * **Ratings & Review** - Read what others think about the extension. * **Q & A** - Review existing questions and the level of the publisher's responsiveness. You can also engage with the extension's publisher(s) if you have concerns. * **Issues, Repository, and License** - Check if the publisher has provided these and if they have the support you expect. -* **Verified Publisher** - Use the blue check mark next to the publisher name and domain as an additional signal of trust. It indicates that the publisher has proven domain ownership to Marketplace. It also shows that the Marketplace has verified both the existence of the domain and the good standing of the publisher on the Marketplace for at least six months. +* **Verified Publisher** - Use the blue check mark next to the publisher name and domain as an additional signal of trust. It indicates that the publisher has proven domain ownership to the Marketplace. It also shows that the Marketplace has verified both the existence of the domain and the good standing of the publisher on the Marketplace for at least six months. ![Verified publisher](images/extension-marketplace/bluecheck.png)
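Review bot: In the first hunk of PATCH 1/2 (`@@ -350,10 +350,9`), the added sentence says the malware scan runs "to ensure its safety", which reads as a guarantee that the surrounding text does not support: the unchanged context line right below it describes what happens when "a malicious extension is reported and verified", so published extensions can still turn out to be malicious. Suggest wording such as "to help detect malicious content" and keeping the statement that the extension is not published until the scan is clear. In the same hunk, the added name-squatting line carries over the spelling "RedHat"; the company name is written "Red Hat".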
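Review bot: In the second hunk of PATCH 1/2 (`@@ -365,6 +364,9`), the last sentence of the added **Verified Publisher** bullet is ambiguous about what "for at least six months" qualifies: it can be read as applying to the publisher's good standing only, or to both the domain's existence and the good standing. Suggest splitting it into two statements, one for the domain check and one for the six-month good-standing requirement. Both things the bullet says the check mark shows (domain ownership, good standing) concern the publisher, so "an additional signal of trust" would be more precise as "an additional signal of trust in the publisher".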
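Review bot: PATCH 2/2 (`@@ -364,7 +364,7`) only changes "to Marketplace" to "to the Marketplace" in the **Verified Publisher** bullet that PATCH 1/2 introduced, and its subject, "Update docs/editor/extension-marketplace.md", does not say what was changed. Suggest squashing it into PATCH 1/2, or giving it a subject that names the wording fix, so the history for this security FAQ stays readable.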