I was really looking forward to trying Zed, but this just means I'll stick to VS/Code with the AI gunk disabled.
In general, if any product comes with "AI" I'm turned off by it.
It forces what the foundation wants you to do. It takes away control from you, it's unethical.
Not only that, it opens a can of worms. A compiler should be a compiler.
Not a self-updating application, nor a dependency modulator from GitHub. How can I trust it when it does all these things?
Call me old fashioned at 35.
If you want the latest then go download the latest. Is that now too hard for the user?
Just because the latest is out doesn't mean it's any better than the previous version. What happens in a CrowdStrike scenario? What happens when Go gets retired in 50 years?
I don't want to work with the latest. Should I? TCL 9 is getting there but TCL 8.7 is still perfectly operable. Should I be using 9 because it exists? My work only has 8.6 on production.
So your toolchain updates and they've removed a thing. You've got to hunt down the previous version, let alone needing to discover why it was working yesterday and not today. Unnecessary overhead.
You use a dependency that's not updated for the future version?
What stops someone from crafting a malicious binary? Malware hijacking the download path?
Auto-updating takes away your integrity. You're making blind trust that everything is what it is.
How can I be sure that the updated compiler is the compiler and not a maliciously crafted version? If you can't trust the compiler, how can you trust your code?
Yes, I could turn it off, but could I turn it on instead.
I shouldn't need to turn it off, I'll update when I want to update tyvm.
lmao, I stopped reading after this.
If you mean build.rs build scripts, yes, those do run, but it is not arbitrary code. You can view and inspect them before building. If you need more security, you can download all the dependencies and build inside an isolated container.
uhh ya it is. There's also https://github.com/eleijonmarck/do-not-compile-this-code
Here is a slightly contrived, but realistic example of why it is a bad idea:
1) Attacker discovers vulnerability in an older version of the Rust toolchain
2) Attacker creates useful crate and helps it to get widely adopted or becomes trusted contributor to a crate that is already popular
3) Attacker creates and publishes crate changes with exploit code and rust-toolchain.toml to trigger use of older, vulnerable Rust toolchain
4) Unsuspecting developers build the trapped crate or something that depends on it and get owned
Installing toolchains automatically without the user's consent or permission is a supply chain attack in waiting for both Rust and Go. Perhaps they could make it a configuration setting that developers could opt-in? That would let developers who want automatic toolchain installs to have it and others who do not want it (or whose employers will not allow it) to not have it.
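An added example, not from anyone in this thread and not from the rustup or Go projects: a small Go pre-build check that looks at the files a checkout would hand to rustup or the go command and reports when a rust-toolchain / rust-toolchain.toml pins a non-release channel or a Rust version older than a floor you set, or when a go.mod carries a go/toolchain directive that the default GOTOOLCHAIN=auto could turn into a download. The 1.75.0 floor, the policy, the paths and the file contents are made up for the demo; the rust-toolchain file formats, the Rust version scheme and the go.mod directive names are the real ones.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

type Finding struct{ File, Pinned, Reason string }

// parseVersion turns "1.70.0", "go1.21.3" or "1.22" into a comparable integer
// (major*1e6 + minor*1e3 + patch); "nightly-2023-01-01", "beta" etc. are not versions.
func parseVersion(s string) (int, bool) {
	parts := strings.Split(strings.TrimPrefix(s, "go"), ".")
	for len(parts) < 3 { parts = append(parts, "0") } // "1.22" means patch 0
	v := 0
	for _, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 || n > 999 {
			return 0, false
		}
		v = v*1000 + n
	}
	return v, true
}

// rustChannel returns the channel requested by a rust-toolchain.toml body
// ([toolchain] table, channel = "...") or by the legacy plain-text rust-toolchain
// file, whose first non-comment line is the channel itself.
func rustChannel(body string) string {
	isTOML := strings.Contains(body, "[toolchain]")
	for _, line := range strings.Split(body, "\n") {
		if i := strings.Index(line, "#"); i >= 0 {
			line = line[:i]
		}
		if line = strings.TrimSpace(line); line == "" {
			continue
		}
		if !isTOML {
			return line
		}
		if k, v, ok := strings.Cut(line, "="); ok && strings.TrimSpace(k) == "channel" {
			return strings.Trim(strings.TrimSpace(v), `"'`)
		}
	}
	return ""
}

// goToolchain returns the `toolchain goX.Y.Z` directive if present, else the `go X.Y` line;
// under the default GOTOOLCHAIN=auto the go command downloads that toolchain when it is newer than the local one.
func goToolchain(body string) (goLine string) {
	for _, line := range strings.Split(body, "\n") {
		if f := strings.Fields(line); len(f) >= 2 && f[0] == "toolchain" {
			return f[1]
		} else if len(f) >= 2 && f[0] == "go" {
			goLine = f[1]
		}
	}
	return goLine
}

// checkPins applies the assumed policy: Rust pins must be a release no older than minRust,
// nightly/beta channels are rejected, and every go.mod toolchain request is reported for review.
func checkPins(files map[string]string, minRust string) []Finding {
	floor, _ := parseVersion(minRust)
	var out []Finding
	for name, body := range files {
		switch {
		case strings.HasSuffix(name, "rust-toolchain"), strings.HasSuffix(name, "rust-toolchain.toml"):
			ch := rustChannel(body)
			v, ok := parseVersion(ch)
			switch {
			case ch == "" || ch == "stable": // no pin, or tracking current releases: fine
			case !ok:
				out = append(out, Finding{name, ch, "non-release channel"})
			case v < floor:
				out = append(out, Finding{name, ch, "older than minimum " + minRust})
			}
		case strings.HasSuffix(name, "go.mod"):
			if tc := goToolchain(body); tc != "" {
				out = append(out, Finding{name, tc, "requests a toolchain; GOTOOLCHAIN=auto may download it"})
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].File < out[j].File })
	return out
}

func main() {
	// Constructed sample inputs for the demo, not real crates or modules.
	files := map[string]string{
		"vendor/helper-crate/rust-toolchain.toml": "[toolchain]\nchannel = \"1.56.0\" # set by the crate\n",
		"tools/rust-toolchain":                    "nightly-2021-03-01\n",
		"service/go.mod":                          "module example.com/svc\n\ngo 1.22\n\ntoolchain go1.22.5\n",
	}
	for _, f := range checkPins(files, "1.75.0") {
		fmt.Printf("%s: %q %s\n", f.File, f.Pinned, f.Reason)
	}
}
```

Run it in CI before `cargo build` or `go build`, feeding it every rust-toolchain, rust-toolchain.toml and go.mod in the checkout (including vendored dependencies, which is where the crate in the scenario above would plant its pin). For Go, pair it with GOTOOLCHAIN=local so that a go.mod directive can at most fail the build on the installed toolchain rather than fetch a different one.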