Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature Request: Support for private marketplace/gallery #21839

Open
levonmamikonyan opened this issue Mar 2, 2017 · 155 comments
Open

Feature Request: Support for private marketplace/gallery #21839

levonmamikonyan opened this issue Mar 2, 2017 · 155 comments
Assignees
Labels
feature-request Request for new features or functionality marketplace Microsoft VS Code Marketplace issues upstream Issue identified as 'upstream' component related (exists outside of VS Code) upstream-issue-linked This is an upstream issue that has been reported upstream
Milestone

Comments

@levonmamikonyan
Copy link

We have created several VSIX extension that have no use to anybody else except our company. We would like to host our own private extension gallery and have an ability to specify alternative extension gallery paths (like "Additional Extension Galleries" in Visual Studio 2015).

  • VSCode Version: 1.10.1
  • OS Version: Windows 10
@chrisdias chrisdias assigned waderyan and unassigned chrisdias Mar 3, 2017
@seanmcbreen seanmcbreen added the feature-request Request for new features or functionality label Mar 7, 2017
@seanmcbreen
Copy link

Hi,

Currently we don't have a way to do this but it's not the first time we have heard this request so adding the correct label. We don't have this in our current backlog but this will help us keep track of it.

Thanks
Sean

@hilleer
Copy link

hilleer commented Jun 13, 2017

This is a feature that we would welcome very, very much as well, as it's kind of time consuming and annoying to have to build and forward the vsix file every time you make changes :-)

@hilleer
Copy link

hilleer commented Nov 16, 2017

Anyone got updates on this?

@ibigpapa
Copy link

ibigpapa commented Nov 28, 2017

So viewing the code don't think i'll have time anytime soon to submit pull request.

https://github.com/Microsoft/vscode/blob/67cd9258fd0ed429ddc626d488d48bd65c2f2283/build/lib/extensions.js#L48

https://github.com/Microsoft/vscode/blob/67cd9258fd0ed429ddc626d488d48bd65c2f2283/build/lib/extensions.js#L67

https://github.com/Microsoft/vscode/blob/67cd9258fd0ed429ddc626d488d48bd65c2f2283/build/lib/extensions.js#L75

These appear to be the main lines used for getting extensions from the market place. I guess you could replace the url with a call to the config to pull the URL and insert a local cached proxy so it would pull from the local proxy if package is there if not pull from marketplace. Then just provide the functions for the query and the upload that mimic the calls from vscode.

Cons to this would be https issues.

Ideally you would modify the Extensions: Market Place UI to provide a filter to a custom repository and market place filter. Something like Show Marketplace Only, Show {Custom name} Only, Show All.

Then modify the original code to query both places and merge the content. You'll probably want to add an indicator that would show what repository it is from. Maybe a dot with a color that indicates this. Something like blue for Marketplace and red for non market place with a tooltip that would spell out the repository name when moused over.

@Luraktinus
Copy link

any news there?

@hilleer
Copy link

hilleer commented Dec 27, 2017

@Luraktinus I haven't read any news regarding this, unfortunately.

@llgcode
Copy link

llgcode commented Jan 15, 2018

Also interested in having this feature.

@Luraktinus
Copy link

yeah, understandable

@gvanbeck
Copy link

+1

@bjoernbusch
Copy link

This would be really nice.

@notlaforge
Copy link

Is it possible to publish extensions on the marketplace and have them not appear in search?

I'm thinking for cases where the extension is not really secret, just not generally useful outside a company.

@sijakret
Copy link
Contributor

+1
i believe this is an important feature for all sorts of custom toolings

@Luraktinus
Copy link

i am fine with the ability to just copy/paste the addon in the extension folder....
the community could develop an own gallery already

@hilleer
Copy link

hilleer commented Mar 21, 2018

@Luraktinus so if you have a private extension that many employees are using, flow could be as following;

  1. Distribute it to employees.
  2. Employees all have to install it manually.

This, to me at least, includes a lot of time wasted, compared to just distributing it to something like the marketplace.

@Luraktinus
Copy link

@hilleer

I mean that the community could do a plug-in to replace the functionality of the gallery.

@levonmamikonyan
Copy link
Author

As a stop gap we've setup an in-house webserver and hosted all extensions there.
It also exposed an API endpoint to return latest number version for a given extension.
Then for every extension we had a timer to ping service every minute, check the version and compare with the one installed.
So if a new version was detected it would prompt to upgrade and then from the it was just a bunch of chained promises (show a prompt, on OK download an extension, show a prompt to restart, restart).
Then the last step was to automate a build pipeline, so every extension release was properly deployed to webserver (really package the extension and copy to appropriate folder).
The only drawback is that the extensions must be installed manually for the first time, from there on it's all automated.

@jan-dolejsi
Copy link

jan-dolejsi commented Mar 22, 2018 via email

@darkvertex
Copy link

Also interested in this. Would be super nice to have.

@itzik-h
Copy link

itzik-h commented Jun 10, 2018

@seanmcbreen would you consider external help for that one?

@roysudi
Copy link

roysudi commented Jun 27, 2018

+1

2 similar comments
@jkasun
Copy link

jkasun commented Jul 9, 2018

+1

@Ubeek
Copy link

Ubeek commented Aug 14, 2018

+1

@omerd-cyera
Copy link

+1

@gjsjohnmurray
Copy link
Contributor

Se also #179919

@zentby
Copy link

zentby commented Dec 25, 2023

Try integrate this Auto Updater plugin into your extension.

With this extension, your extension can be hosted in your private website(e.g. behind a VPN).

@seaniyer
Copy link

seaniyer commented Jan 10, 2024

FYI @JacquelineWiddis

@GitMensch
Copy link
Contributor

Need this af

posting here obviously don't help... either you build vscode yourself, applying the related PR to run a private instance for example of openvsx (that PR was closed because "the marketplace team has come up with a plan" nearly 3 years ago - we all see how well and timely that worked out...), or use vscodium, which did accept a similar patch, or use something like https://marketplace.visualstudio.com/items?itemName=zokugun.vsix-manager which allows to install extensions from any workplace or locally (but needs manual setup of the extensions).

@omerd-cyera
Copy link

I ended up creating releases in github that have the vsix file, and created a component inside the extension that checks for updates periodically, and updates itself.

Not perfect, but its simpler than you think to implement, and it doesn't require extension consumers anything apart for installing the extension from vsix once.

@fone-almosca
Copy link

fone-almosca commented Feb 9, 2024

@omerd-cyera That's exactly what i'm trying to do for the past 2 days, but when I arrive to the point of uploading the .vsix file into release asset, i get the error:

"Resource not accessible by integration"

I'm pretty sure the token has the correct rights, as the upload works for every file except .vsix.
So I'm wondering, if you had the same issue, how did you solve it ?

@omerd-cyera
Copy link

@fone-almosca I think vsix is not supported in gh. Just zip or tar it.

@gaby
Copy link

gaby commented Mar 18, 2024

7 years later and this issue still open? @isidorn Any updates on this?

@haudan
Copy link

haudan commented May 15, 2024

@omerd-cyera

I ended up creating releases in github that have the vsix file, and created a component inside the extension that checks for updates periodically, and updates itself.

How did you accomplish the automatic updating? Do you just invoke the workbench.extensions.action.installVSIX command?

@omerd-cyera
Copy link

I have other tools installed on all relevant machines that are responsible for first install and updates. In my case it was easier to just trigger them via the cli.
I think that in most cases workbench.extensions.action.installVSIX is the way to go.

@harbingerofcode
Copy link

In light of the following article, wouldn't you say that the need for this feature becomes more pressing?

https://www.bleepingcomputer.com/news/security/malicious-vscode-extensions-with-millions-of-installs-discovered/amp/

"Microsoft's lack of stringent controls and code reviewing mechanisms on the VSCode Marketplace allows threat actors to perform rampant abuse of the platform, with it getting worse as the platform is increasingly used."

I work for an org that hosts private NPM, NUGET and Visual Studio extension gallery where we curate the packages we host. It feels like a natural progression to allow this for VS code, especially with with integration through ADO Artefacts.

@GitMensch
Copy link
Contributor

GitMensch commented Jun 10, 2024

As already noted: you can use and curate your own extension marketplace by setting up a "local" entry point target, for example an OpenVSX instance and adjusting package.json to point to that.
In a corporate environment I guess you use a central installation of vscode so that's no big issue, You may drop the marketplace entry points completely as well.

For "local" or "project" scope you can add the curation to the .vscode folder since recently (which together with disabling the other entry points or moving them to a controlled instance).

@harbingerofcode
Copy link

#84756 (comment)

image

@swythan
Copy link

swythan commented Sep 17, 2024

As already noted: you can use and curate your own extension marketplace by setting up a "local" entry point target, for example an OpenVSX instance and adjusting package.json to point to that.

I guess this was in response to the preceding comment. Just to be clear though, this wouldn't solve the problem in the OP (which I share): to have an internal marketplace in addition to the main public marketplace.

@danielboucek
Copy link

For those of you who use Gitlab. I recently created an extension that uses Gitlab's Package Registry API. Allowing you to browse, install, and auto-update private extensions.
You can check it out if you like. It works surprisingly well.
Private Extension Manager - GitLab

@macserv
Copy link

macserv commented Oct 7, 2024

As already noted: you can use and curate your own extension marketplace by … adjusting package.json to point to that.

This is problematic on macOS, as the package.json file resides inside the signed app bundle, and modifying it invalidates the application's signature. This causes the system to present the user with additional verification requests before the "damaged" application can be opened.

More seriously, starting in macOS 15.0 Sequoia, this verification step requires the user to be an Administrator, which isn't commonly the case in a corporate environment.

This is easier to work around with VSCodium, which includes a patch for observing the contents of a product.json file in the user-data path as well as the one inside the app bundle.

@GitMensch
Copy link
Contributor

Well said @macserv and not to forget - that also includes the option to override endpoints using environment variables, so you don't even need a file... and of course, that patch from VSCodium is quite similar to the one suggested upstream which was denied in 2021 as a "temporary workaround" because "the market team discusses that". As that's more than 3 years ago friendly ping @sandy081 is there a solution "in sight" and you can give details about this? If not: please reconsider applying this patch temporarily for the next 2-5 years (could have been 5+, you know).

@sameemqureshi
Copy link

We are setting up our private Extension on JFrog Artifactory , For the First time the Users would be getting the Extension from the Artifactory itslef.
there are going to be updates for this extension , we want to implement a seamless update flow for the users , where there extension would be pinging too check for any updates and If found , notify and update the extension,
How can this Update flow be seamless , where user just needs o click the update , and latest version is taken?
how can it be automated??

#21839 (comment)

@seaniyer
Copy link

seaniyer commented Nov 20, 2024

Hi all,

Please take this Private Marketplace Survey

VS Marketplace team is conducting a quick survey to gather the latest customer input on Private Marketplace asks. We are scoping and planning a solution, so your response will be timely in helping shape any Private Marketplace offering from Microsoft. 

Thank you on behalf of VS Marketplace team!
cc: @isidorn @svermamsft

@deadmeu
Copy link

deadmeu commented Nov 20, 2024

Hi all,

Please take this Private Marketplace Survey

VS Marketplace team is conducting a quick survey to gather the latest customer input on Private Marketplace asks. We are scoping and planning a solution, so your response will be timely in helping shape any Private Marketplace offering from Microsoft.

Thank you on behalf of VS Marketplace team! cc: @isidorn

Hi, before I open your URL, I can see that you are not a "member" of this project. How can we verify you?

@seaniyer
Copy link

Hi, before I open your URL, I can see that you are not a "member" of this project. How can we verify you?

Sorry to hear that. This may be a localized issue as few others were already able to take the survey. @deadmeu, one suggestion is to try the link from an InPrivate browser window.

@omerd-cyera
Copy link

I fully agree with @deadmeu, I'm also not seeing a "member" tag. Also, opening in a private browser window isn't really reassuring

@deadmeu
Copy link

deadmeu commented Nov 20, 2024

Hi, before I open your URL, I can see that you are not a "member" of this project. How can we verify you?

Sorry to hear that. This may be a localized issue as few others were already able to take the survey. @deadmeu, one suggestion is to try the link from an InPrivate browser window.

Sorry, there may have been a misunderstanding here. I have not yet even tried to access the survey.

All I'm suggesting is that there are often fake profiles commenting in GitHub repos (especially these days). It would be a good practice to make sure you are communicating from a trusted GitHub account, that is clearly identified and verified, especially when you are asking people to navigate offsite to a non-Microsoft domain.

E.g. I don't see you listed here https://github.com/orgs/microsoft/people?query=seaniyer

@isidorn
Copy link
Contributor

isidorn commented Nov 20, 2024

@seaniyer works on our VS Marketplace. I am a PM working on VS Code.
You can trust the link he posted.

@jvilk-stripe
Copy link

I filled out the survey. Feel free to reach out if you want to chat more about our use cases at Stripe.

@isidorn
Copy link
Contributor

isidorn commented Nov 22, 2024

Thank you very much for your replies in the survey.
In the survey, I noticed that some of you would like an allow list of extensions from the public marketplace. Please be aware that we are launching this feature next week in VS Code Insiders. And more details can be found here #84756

Feedback is very much welcome!

@kineticsquid
Copy link

We think the idea of a private marketplace is a great idea. In fact, we have one of these at the Eclipse Foundation Open VSX Registry at open-vsx.org. It's an open, transparent, vendor neutral registry for VS Code extensions comprised of three Eclipse open source projects and governed by the Eclipse Open VSX Working Group.

Easily deployable in house in a tethered or untethered configuration, including in an air-gapped environment. You can try it out quickly locally or with a couple of clicks at Gitpod. We also have a PR coming through to provide the same for Red Hat OpenShift.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
feature-request Request for new features or functionality marketplace Microsoft VS Code Marketplace issues upstream Issue identified as 'upstream' component related (exists outside of VS Code) upstream-issue-linked This is an upstream issue that has been reported upstream
Projects
None yet
Development

Successfully merging a pull request may close this issue.