You don't know what they're doing and can't know updates are and will stay benign. Anyone signing an NDA that uses it is irresponsible/negligent, unless it is a controlled security exception (or firewalled in some way - but if it can't connect out half the point of the editor is gone).
Are we talking about the same Telemetry that can be turned off? If you work in such an environment, I imagine you can only use approved, audited software - so you don't have an option.
Exactly. And it's not like switching to a third-party product is any more secure. Imagine justifying to your security and IT teams that instead of using a Microsoft product, you'd rather use a product forked from it that's developed by random people.
I actually think the opposite is security theater. I think the security question is a bit of a wash in general, but I think that in this case, yes, the Microsoft product is likely more secure. How many full time employees are working on VS Code versus VSCodium? FOSS software is not this paragon of security. And the existence of VSCodium is due to telemetry that basically reports nothing, can be inspected, and can be turned off. I don’t see where the security threat is.
This is nonsense, because it patently is security theater. Earlier I was addressing the fact that to look good to a judge or lawyer, you need to do things that are dumb but very strict. That has nothing to do with reality and we shouldn't start pretending it does: The OSS is likely better in every way than what you'll buy (even if it's just because it does the same thing but is much cheaper).
> telemetry that [...] can be inspected
The telemetry cannot be meaningfully inspected, because it may change at any time. You know what it has sent just now, not what it'll send 5 minutes from now.
> telemetry that [...] can be turned off
You cannot know that it was turned off. Historically, MS doesn't respect your choice to turn it off once and will just turn it back on later for whatever reason. Aside from that, you cannot inspect the binary in a meaningful way so you don't know what it will do 5 minutes from now.
This is a terrible take. Why on earth would you trust a closed source, corporate solution more than FOSS software? The FOSS solution can be audited and the closed source solution can not. Your opinion is incorrect.