If you're reading this Kite. I now have a negative view of your product. We cannot allow corporations to take over open source tools. Donating is perfectly fine and encouraged, but the above example is a downright take over. If you want another tool then create one, don't take over an existing one and use the community's trust of that tool to promote your product.
I fell for this. I enabled it because I was curious about trying new development tools, only to find out later it uploaded all of the source code on my computer to their service. What the hell.
It took me months to get through to a human to get them to delete my code, including two emails to the CEO.
I like the idea, but there is no way I would use it after this experience.
WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not. If corporate software monitors catch this happening, it's a pink slip in many places. I just can't believe anyone would play with developers this way. What a cruel company.
> it uploaded all of the source code on my computer to their service.
That sounds crazy, so I reviewed their privacy policy[0]. It looks like Kite now requires users to whitelist the directories it indexes and automatically purges files you remove from the local index.
The Privacy Policy says that:
> When you use our services, we may collect [...] Any source code files on your computer's hard drive that you have explicitly allowed our services to access. To learn how to control access to your source code files, please visit our FAQ.
The FAQ[1] says
> Kite only uploads files that:
> 1. Have a .py file extension,
> 2. Are children of a whitelisted directory,
> 3. And are not ignored by a .kiteignore file.
That doesn't seem like "any source code file on your computer" to me - unless it whitelists root by default, which would be a hella dark pattern.
Also, removing a file from the local index should remove it from the server as well [2]
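The three FAQ rules quoted above are mechanical enough to check locally before trusting any whitelist. The script below is an added example, not Kite's code: it applies rule 1 (".py" extension), rule 2 (child of a whitelisted directory) and rule 3 (not matched by a .kiteignore) to a list of paths and reports what would be eligible for upload. The .kiteignore syntax is an assumption here (gitignore-like glob patterns, one per line, relative to the whitelist root, with a trailing "/" marking a directory pattern); the sample tree, whitelist and ignore file are constructed for the demo.

```python
"""Audit which files are eligible for upload under the three quoted FAQ rules.

Added example; NOT Kite's code. The .kiteignore pattern syntax is ASSUMED
(gitignore-like globs, one per line, relative to the whitelist root; a trailing
"/" marks a directory pattern). All sample data below is constructed.
"""
import fnmatch
import os
import sys
from pathlib import PurePosixPath

# Constructed sample data: a whitelist rooted at /Users/ben/work, with a
# constructed .kiteignore that tries to keep secrets and the venv out.
CONSTRUCTED_TREE = [
    "/Users/ben/work/app/models.py",
    "/Users/ben/work/app/settings_prod.py",
    "/Users/ben/work/app/README.md",
    "/Users/ben/work/app/secrets/keys.py",
    "/Users/ben/work/.venv/lib/site.py",
    "/Users/ben/scratch/notes.py",
]
CONSTRUCTED_WHITELIST = ["/Users/ben/work"]
CONSTRUCTED_KITEIGNORE = ["# constructed ignore file", "secrets/", ".venv/", "*_prod.py"]


def parse_ignore(lines):
    """Drop blank lines and comments; keep patterns as written."""
    return [ln.strip() for ln in lines if ln.strip() and not ln.strip().startswith("#")]


def is_ignored(rel, patterns):
    """rel is a POSIX path relative to the whitelist root (assumed semantics)."""
    rel_path = PurePosixPath(rel)
    for pat in patterns:
        if pat.endswith("/"):
            # Directory pattern: any parent component matching excludes the file.
            if any(fnmatch.fnmatch(part, pat[:-1]) for part in rel_path.parts[:-1]):
                return True
        elif fnmatch.fnmatch(rel_path.name, pat) or fnmatch.fnmatch(rel, pat):
            return True
    return False


def upload_decision(path, whitelist, ignore_by_root):
    """Return (eligible, reason) for one absolute POSIX path."""
    p = PurePosixPath(path)
    if p.suffix != ".py":
        return False, "rule 1: not a .py file"
    for root in whitelist:
        root_p = PurePosixPath(root)
        if root_p not in p.parents:
            continue
        rel = p.relative_to(root_p).as_posix()
        if is_ignored(rel, ignore_by_root.get(root, [])):
            return False, f"rule 3: ignored by {root}/.kiteignore"
        return True, f"rule 2: under whitelisted {root}"
    return False, "rule 2: not under any whitelisted directory"


def audit(paths, whitelist, ignore_by_root):
    """Sorted list of the paths that WOULD be eligible for upload."""
    return sorted(p for p in paths if upload_decision(p, whitelist, ignore_by_root)[0])


def demo():
    ignore = {CONSTRUCTED_WHITELIST[0]: parse_ignore(CONSTRUCTED_KITEIGNORE)}
    return audit(CONSTRUCTED_TREE, CONSTRUCTED_WHITELIST, ignore)


def audit_real_dir(root):
    """Walk a real whitelisted directory, honouring its .kiteignore if present."""
    root = os.path.abspath(root).replace(os.sep, "/")
    patterns = []
    ignore_file = os.path.join(root, ".kiteignore")
    if os.path.isfile(ignore_file):
        with open(ignore_file, encoding="utf-8") as fh:
            patterns = parse_ignore(fh.read().splitlines())
    paths = [os.path.join(d, f).replace(os.sep, "/")
             for d, _, files in os.walk(root) for f in files]
    return audit(paths, [root], {root: patterns})


if __name__ == "__main__":
    eligible = audit_real_dir(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for path in eligible:
        print("would upload:", path)
```

Run it with a whitelisted directory as the only argument to list every file that passes all three rules; the point of the exercise is usually the files that show up unexpectedly (vendored code, generated settings, test fixtures holding credentials) rather than the ones you meant to share.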
I have zero faith this page actually works though. A few months ago I deleted all of my data and I checked back today and it has reappeared. (I uninstalled the client and deleted my login token back then too, so as far as I can see it's their issue.)
I have sent them a stern email to delete my data. If you want your data deleted too, I would recommend doing the same rather than trusting their web interface. None of the emails on their website seem to work, though. Emailing the CEO does work eventually, but I don't want to start a witch hunt. My email is in my profile if you want his email.
I've almost been bitten by them in the same way. I vaguely remember that it was through HN that I found out about Kite and installed their plugin(s). It definitely felt 'dirty'.
>only to find out later it uploaded all of the source code on my computer
It didn't ask? Sounds like malware, and meets the definition of theft. Inviting someone into your house does not give them permission to steal things in your home, and leave with them.
It clearly states in the diagram that the code you run Kite on will be analyzed in the cloud. If it truly uploaded "all of the source code on [your] computer" then obviously that is radically different but from my experience with the product, it did not upload my code besides what was directly related to what I was working on and understood would be analyzed in the cloud, just like Code Climate or any other code analysis service.
If they had foreknowledge that the changes were going to happen, which is unlikely. I'd be surprised if Kite bought/acquihired/etc the product by disclosing a list of shady changes beforehand.
It's interesting watching HN get indignant when a company treats them the same way their idol companies treat everyone else. A lot of grab all data, track everything, and hide the creepiness in fine print type companies.
A system of permissions for plugins would be welcome in my mind for Atom, similar to browser plugins or mobile apps. Then a new "feature" would require the "transmit your code to a third party" permission.
> We cannot allow corporations to take over open source tools.
I don’t know how much I agree with that statement in general. There are several major open source projects with corporate “control” – Mozilla, Google and Apple control/heavily influence Firefox, Angular and Swift respectively and there are probably a dozen others. The idea that corporations are “bad” is a tired trope. Some corporations are bad, some are good, some are in the middle.
But I agree with your actual sentiment though – corporate involvement in open source should be as benevolent as possible.
Mozilla made firefox. Google made angular. Apple made Swift. That's not "taking over". While I am not a fan of this phenomenon either, that has nothing to do with the current situation. They simply built something and open sourced it, nothing was "taken over".
I'm going to take a contrarian stance on this one: I believe there is no story here — adding an ad for an opt-in cloud-based tool to dev tools is not spyware. It's opt-in! It's clearly stated. Would people raise a fuss to find out their CI service like CircleCI or linter service like Code Climate had access to their code (it's sufficiently obvious)? I don't really see why this tool is any different other than they are one of the first to make a code analysis service that runs in realtime.
I beta tested the Kite product when it first launched maybe two years ago. I don't use it today but I would try it again. Since then they've only tightened down on permissions and made things clearer.
Kite was also not the first to run ads in an IDE plugin (Wes Bos has sponsored several), at least not in Sublime. Personally it's not my preference to have ads either but ultimately this is up to the maintainer of each repo. The tool is still free to use. It clearly states that using the cloud engine will upload your code to do analysis in the cloud. It's 2-3 sentences, not like it's buried in some long EULA.
Shame on the article for labeling inserting an ad as "taking over" and labeling an ad as "spyware"… pure clickbait targeting non-devs.
The new Kite engine also clearly states it is a cloud-based service and they build integrations for their service. The whole industry works the same way. You don't have to use their engine to use autocomplete-python and it's opt-in too.
Well, who benefits from having the ads there? Wouldn't it be better for most users without the ads? What value is Kite adding?
It's a slippery slope, similar to the controversies over using BitKeeper for the Linux kernel or adding DRM to HTML5 (both justified, I think). The openness in open source needs to be defended.
Hi Ruben, founder of Kite here. I think this issue deserves a more thorough response because there are a lot of misrepresentations in the article.
One misrepresentation that I wanted to quickly highlight is that the autocomplete-python install flow has three steps, not just the one linked to in the screenshot above. The other two are:
Small technicality: these screenshots say that Kite is installing but it's actually only downloading the installer binary to memory; the actual install doesn't happen unless the user goes through all three steps.
It's also worth noting that if the user clicks "Add Later" no code is sent to the Kite servers for analysis until they whitelist a directory.
You are trying to blame the user, but the design of this flow is to blame. It does not explain clearly what is going on.
It's funny seeing this now to see where I tripped up. When you say "enable access in /Users/ben", I guess 6-months-ago-me assumed it meant "enable access to code in /Users/ben when I am working on it". It felt a bit like an iOS permissions dialog, where I was giving you access to my filesystem. Parsing it now, I realise that the text above the button says "where enabled, your code is sent to our cloud".
You could argue I should have read that more carefully, but that copy doesn't scream to me "I'm about to upload all of the source code on your computer including proprietary stuff and secrets". Because that button was the default highlighted button, I assumed it wasn't going to do anything drastic like that. (It's like Ryanair having a big red "YES I WOULD LIKE INSURANCE" button, hiding the "no I don't want to spend $100" button somewhere in the small print.)
Above all, you certainly shouldn't have included that as a shady update to some Atom extension I was using.
> I think this issue deserves a more thorough response because there are a lot of misrepresentations in the article.
From the article:
> Smith also said that most of the negative reaction was due to confusion around what the tools actually do. (Connor pointed out that it’s not possible to review what Kite does, since it itself is not open source.) Then he blew this reporter off. “I apologize in advance that I can't answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”
The above sounds like you were given the opportunity to explain things but shrugged it off as a distraction.
If it deserves a more thorough response, why hasn't that been given? Even in this reply you only "quickly highlight" one point.
Even with the additional steps and even with explicit whitelisting of directories (from screenshots it looks like it defaults to the user directory, which is just bad) before code's uploaded, the point is that Kite took over a useful, popular open source package, clearly hitching on to the popularity of the package to promote Kite, which is distasteful when it comes to OSS.
Why not fork the original autocomplete-python with one that has Kite enabled instead? Then users who want Kite or use Kite are able to do so, without screwing over everyone else who have no idea what Kite is and don't want anything to do with it.
Reminds me of software downloaded in the past that comes with some random search toolbar that gets installed in browsers. Annoying. Shady. Not cool.
This situation seems to have the best and worst of open-source. Best, in that the license of the projects allowed them to be forked without too much effort. Worst, in that it shows how easy it is for a project to be subverted once the maintainers are bought (in this case, given a job). It also remains to be seen if the average Atom user will see the difference between the Kite-branded (and, currently, more popular) and the forked versions of these plugins.
Besides the open source issues, this tactic seems to reveal a massive desperation by the Kite folks. There is no way they couldn't have seen how negative this was going to look once people found out. Their ability to attract new users through word-of-mouth and organic advertising must have plateaued. Sneaking their service into a well-used plugin would have given them a boost in users, maybe enough to attract a new round of funding, but they must have known it would cause this kind of bad blood. Especially based on their past reception on HN, which was highly upvoted but in which they never convincingly answered the concerns about uploading users' source code to the cloud:
> this tactic seems to reveal a massive desperation by the Kite folks
That's the weirdest part to me. Who, exactly, thought this was going to go well? It is hard to be sneaky with open source. And even harder to win back goodwill after being caught out.
For instance, now that I know, it would take a change of management and business model before I'd even consider running any of their code, and I'll be writing a Kite-detector for our code scanning tool this week.
Kudos to @mehcode for the fork [1]! And the author @abe33 for the apology [2]! I'm thinking, that @abe33 might not be responsible for this, but was "asked" by his employer (Kite) to do that.
Then, there are alternatives such as sublimetext/vscode, which have the minimap builtin...
Disclaimer: Not affiliated, I prefer n/vim anyways. This is a copy from my comment in the issue. Please read @abe33's comment [2] in the issue. This might explain a thing or two.
That's a pretty sorry excuse for an apology, in my opinion.
First, he focuses heavily on how much stress the backlash has caused him. Then he tries to paint it as a "misunderstanding" on the part of the users. None of this strikes me as the behavior of someone taking full responsibility for their actions.
Further, I keep seeing people trying to justify his actions with the pathetic excuse that he was probably just doing as told by his employer. Sorry folks, that's not how being an adult works. There's a reason virtually every formal code of ethics stresses personal responsibility. Take, for instance, 8-b from https://www.nspe.org/resources/ethics/code-ethics
Engineers shall not use association with a nonengineer, a corporation, or partnership as a "cloak" for unethical acts.
Software engineers shall act consistently with the public interest. In particular, software engineers shall, as appropriate:
1.01. Accept full responsibility for their own work.
Just because we're in the comparatively-"lower stakes" profession of web development, that doesn't mean we can use the sorry-ass excuse of "my boss told me to do it." Unless they held a gun to his head, he had a choice, and his choice should stick with his reputation for better or worse. Now his name is going to be attached to this dumpster fire of a PR mess because he didn't have the will or integrity to say no, and smart people within the community will have a very good reason to no longer trust his judgement, much less his future contributions.
Thanks for posting abe33's apology, hadn't seen it when I read about this issue last week. One of the more unnerving things about it was how he made this change without explanation months ago nor did he explain it now. It must have been frustrating for him, as the plugin's original developer, to be dragged through this crap. He ultimately is responsible for his actions, but I wonder if he knew that subverting his own plugin would be a job requirement?
I can't imagine he would sabotage his own project for no reason, so most likely he got the job or some compensation in exchange for his cooperation and access to his repository, probably how they got python-autocomplete too.
Otherwise, if they offered the job with no conditions attached he'd be under no obligation to change his own personal projects for them.
> It must have been frustrating for him, as the plugin's
> original developer, to be dragged through this crap.
Completely agree.
Then, this sets a precedent. It reminded me of Google injecting some binary code into Chromium [https://news.ycombinator.com/item?id=9724409]. However, we have a single person here. I can wholeheartedly imagine, that this can cause quite some stress. Also, it could have happened to many, I think...
Edit: I'm happy about the discussion here. At least, this won't happen again, anytime too soon.
I've tried Kite twice now. Once when it first launched, and once again when I installed autocomplete-python and it persuaded me to give it another go.
So far I have found it utterly unconvincing to the point of near uselessness. It rarely finds anything intelligent to say about my code, and gives a significantly worse view of documentation than Dash (for which I have a hotkey bound for near-instant lookup).
On top of that, I found Kite to use significant resources, there's no way to inspect what it's uploading so no way to ensure you aren't uploading things you don't want to, and the second time I tried it the UI was filled with dark patterns and I found it quite difficult to uninstall (I reverted to just trashing all the files I could find relating to it).
I paid I think $79 for a year of Kite-pro and frankly, so far it is pretty useless. That said, it has permissions and settings to whitelist which folders on your computer can be indexed. Then, the settings page states that if you remove the directory from whitelisting then "any directories removed here will also be removed from Kite servers." Of course, that doesn't mean they will actually remove previously indexed data. Overall, probably this is a product that I would not want my dev team to install.
I'd ask for your money back. Installing Kite left me with a really bad after-taste, but at least I assumed that if I'd bought into it, it would do as advertised.
It is a featured[1] Atom package, which may point to whom GitHub is endorsing in this issue, though we could see a more direct response from them regarding both minimap and autocomplete-python.
After reading sadovnychyi's reaction[2] to the autocomplete engine selection screenshot, I think forking is also the only remaining step for autocomplete-python.
> “Most users who install autocomplete-python close the engine selection prompt, which results in not getting Kite or its benefits”
This type of entrepre-narcissism has to be shut down hard. How deluded does somebody have to be to imagine that putting a confirm-shaming dialogue in an opensource tool is not Advertising?
Every interaction I have with these kind of guys proves to me that they deep down believe their own BS and that they are actually blind only to their own actions. I consider a delusion much more dangerous than a malign stratagem.
It's a real shame as the service was good, but nothing is good enough to justify advertisements in my work-space. The fight against distraction is hard enough as it is without having to think carefully about where I'm clicking due to dark-pattern UI.
He didn't mention using it under a company. I was tempted to use this for personal projects as I don't care where my code gets uploaded, it's all on github anyways.
PSA: I removed the whitelisted directory from my local install of Kite and then uninstalled the application. Logging into https://kite.com/settings/files still shows my machine and all of the synced files.
I still had to manually purge my machine and files from that page.
If you think your files were removed, check again.
Hi, Kite founder here. If you uninstall right after removing the whitelist directory then the removed files may not have been synced to the server before the uninstall, particularly if you have a lot of files on your machine. We will address this by adding a "remove all whitelisted directories and log out" link to the local settings.
Something different was likely happening in bfirsh's case (sibling comment). If you delete the files from the kite.com/settings/files page but Kite is still installed then they will get synced up again. The most fail proof way is to uninstall and then wipe files from kite.com/settings/files. We will make the wipe files link log Kite out on that machine.
Sorry about the edge cases. We've been working on it, and will continue to do so!
It's nice this is getting more response today - my submission yesterday got no comments.
I almost spit my coffee out when I learned about this (as I'm a minimap user who had no idea this was going on). Not a fan of these shady practices - completely breaks the trust between package maintainer and users.
I think we need a swift and damning response to this. I'd rather have an even worse walled garden than the Apple 'App Store' than deal with having to worry about my source code getting stolen to be used by some stupid cloud service. I don't even want data collection in my text editor; maybe from the vendor it's acceptable but not N times for each plugin. I now feel compelled to vet the network usage of any plugin I install.
Thanks, Kite. I'll make sure to remember this in case anyone ever considers your service.
I wish our world worked like that, but unfortunately blackballing requires that the median participants of a group have some sort of moral compass.
I gave up hope for such things after seeing staff, investors, and speculators tripping over their own dicks to invest in Brendan Eich's latest venture (Brave) and its ICO, with full knowledge of his revolting and public bigotry against gay people.
The problem is not that they built some product and monetized with ads. The problem is they injected themselves into a product they didn't build. Worse yet, they're open source projects.
If you can't see the distinction between this and the examples you mention, you really don't qualify to make sarcastic comments.
Exactly. And don't forget about the proliferation of the internet-of-shit devices, which are blasting everything they can learn about your home network to every company involved.
HN is specifically geared towards people who make a living coding things in the new "surveillance economy." This particular example (to go along with the dotnet command line issue) is just a difference in degree, not kind. They're mad that someone else is abusing their trust and privacy.
That is a narrow way to look at things and is not the full picture. Plenty of people protested and still protest Google's unethical business practices.
Brand power! I get totally nauseated every time tools/frameworks/programming languages get adopted just because they have the Google brand on it, when there are perfectly better alternatives.
Holy shit that 'apology' is a steaming pile of crap. This guy is actively subverting not one but multiple open-source projects and he responds with some pathetic crisis-management sob story and an 'oops, sorry'?
Open source is very vulnerable to manipulation. Some years ago, I spent some time trying to understand the PAM LDAP module on Linux (PAM is used to enable external authentication so it's critical code). I found it to be completely impenetrable. We take such components for granted but if someone could inject malware into such code, it could be catastrophic.
Not to mention it must be trivial for a large and determined adversary to subvert Debian, Arch or other distributions' packaging process, for example by getting a "sleeper" rogue developer in there. As someone into security and using open-source systems exclusively, it would be somewhat embarrassing to become a security problem yourself that way.
I don't distrust Linux distributions' respective security guidelines; but it can't be that hard to find a loophole in community-driven system/software development and the damage would be substantial if a popular Debian package would have been subverted and have gone out with updates.
The same statement could be made about any organization. If you get a sleeper agent into Apple, Google, Microsoft, whatever... There is a certain amount of goodwill we rely on in this world.
I'm pretty sure this is somewhat unique to the history of pam_ldap and its stewardship by PADL Software compared to other PAM modules; its dense nature encourages commercial engagement for those who care enough to know how it works or want to use it for their own purposes. They're not motivated to make it easier to understand (i.e., for outsiders to contribute to or maintain).
pam_sss is easier to understand and its functionality expands upon it, but it was a redesign.
Honestly, I feel that at the very least the core team behind Kite should be held accountable for what they're doing. I'm not arguing in favor of an all-out witch hunt, but in the context of developers doing their development thing this kind of behavior should have consequences that potentially might include 'black-listing' at least the higher-level people behind it that thought this was a good idea.
In short: A startup is taking control of open source editor plugins relevant to their product.
I admire their cleverness.
If it were me: I'd create an extension interface for completion libraries to accept third party plugins. I'd stop at putting third party stuff in by default. A sufficiently good plugin API for python-autocomplete shouldn't require it even to know about Kite.
That said, I don't think Kite should be disallowed. If they have a secret sauce that they think can empower completion plugins, give them an API to plugin to.
It's not in the spirit of open source to shut the door on proprietary solutions (IMO). Transparency should be paramount. Normally most Linux users opt-in to using proprietary/blob software/drivers one way or another anyway. Open source projects routinely maintain relationships with vendors (NVIDIA, Intel). It doesn't necessarily mean evil is at work.
Though, as someone who's struggled with the performance and reliability of completion tools, I don't know if I'd personally opt to outsource that functionality. I'd wait and see if our current tools get better.
So, what prevents any Atom package from being silently taken over and turned into a private code Hoover? Is there anything in Atom's packaging APIs that ensures plugins that can read source cannot also access the network without permission?
This is why we can't have nice things. As you say, such limits weren't necessary - because people in the community weren't assholes. Now, thanks to Kite's abuse, somebody will have to implement a permission system to editor plugins...
Totally biased takeaway [Please read the complete GitHub thread.]:
@jlozano:
> Hi, folks -- Juan from Kite here, thank you for the feedback, we appreciate it.
[...]
> We have decided to leave the feature as opt-out since many users have found it useful. [...]
@abe33
> [...] I've been an employee at Kite for over half a year now and this plugin is now officially maintained by Kite. [...]
I think that the BDFL system works in open source because it's too easy to fork the project. The old BDFL just transferred the power to a new BDFL, but it was not so clear for the community. There is a fork now, so if the situation doesn't improve and the users are unhappy, the Kite team will be the BDFL of an empty project without users.
This is one of the things that makes me think software development, like most other professions, should really have a formal code of ethics. If a lawyer or a construction engineer tried to do something equally dodgy, they would very soon find themselves hauled before a professional authority.
It should be made clear to the employees, management and investors of Kite that this is the sort of thing that marks you as someone willing to engage in unethical and underhanded behaviour. I wouldn't hire any such person into any team I manage, and I suspect quite a few other people wouldn't either. Actions have consequences. Especially unethical actions.
An argument that explicitly talks about the consequences of unethical behaviour when it happens is not painting anyone as ethical paragons. You are missing the point, I think.
"Subjective" how exactly? There are surely some variations, but if this is about "my wallet has feelings too" morality, that would be all the more reason we'd need an (enforceable) code of ethics.
Things like this are bound to happen, as long as people have to pay their bills and they don't get as much retribution as they would like for their work. If the original authors of the plugins that Kite took over had got a dollar from each user, maybe they would have thought twice before handing over their creations to a company with dubious purposes.
I have been saying it for a long time: we need better and more flexible software markets, and as developers, we should appreciate the work and time of fellow developers and as a matter of principle try to compensate them.
> “I apologize in advance that I can't answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”
If you don't have time to deal with controversy, maybe don't take actions that will inevitably lead to it, eh?
What Kite supposedly does is crowd-source code by uploading users' code to its server and then aggregating that data to train their ML algorithm. Then they can apply said algorithm on a specific client's code to recommend autocompletion suggestions as you type.
There are plenty of great use-cases for ML in building coding tools, but the shady manner in which Kite imposes itself on Atom users who have these plug-ins installed (which is a large portion of the user-base), leaves a seriously bad taste in your mouth.
The thing is I don't trust this explanation for a second especially as it applies to non-paying customers; they could have just as easily trained a generic ML algorithm on a publicly available data set, like I don't know, the public stuff on github.
Moreover, they could have trained their suggestions to actually be useful before throwing this out there as a feature set they thought people would want to use.
Plus then it'd make sense for people to open up their code, as a "local dictionary" of sorts that could be prioritized over generic suggestions. But at least then it would have had demonstrated value.
How much content are they auto-completing? Seems like this could easily end up with some other organization's proprietary code auto-filling inside your project. This is very dangerous; it's either only auto-completing single standard-library function names in which case it doesn't need cloud connectivity, or it's auto-completing actual code which opens up users to IP issues.
They use machine learning to see which code patterns follow other code patterns and then make suggestions based on that. "Oh, I see you've written X. Most people who write X follow it with Y."
However, this requires reading people's code that they upload to their servers. See their privacy policy here: https://kite.com/privacy.
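The "X is usually followed by Y" idea described in the comments above, and the IP concern raised a few comments earlier about another organization's code auto-filling into yours, can both be made concrete with a toy model. The block below is an added example and not Kite's algorithm: it trains a trigram next-token completer on two constructed "uploads" from two constructed users, then shows that a literal only one user ever wrote (a constructed internal hostname and a constructed password) becomes a suggestion for the other user. The tokenizer, the n-gram approach and the provenance check are all assumptions made for the illustration.

```python
"""Toy "pattern follows pattern" completer and the cross-user leak it implies.

Added example; NOT Kite's algorithm. An n-gram model (default: previous two
tokens -> next token) is trained on constructed uploads from two constructed
users. Provenance is tracked per (context, suggestion) so we can list the
suggestions a user receives purely because someone else uploaded them.
"""
import collections
import re

# String literals first so a quoted secret stays one token; then identifiers,
# integers, and any other single non-space character. (Assumed tokenizer.)
TOKEN_RE = re.compile(r'"[^"\n]*"|\'[^\'\n]*\'|[A-Za-z_]\w*|\d+|\S')

# Constructed uploads. The hostname and password are fake and exist only to
# show how a literal from one user's code surfaces in another user's editor.
UPLOADS = {
    "alice": 'import os\n'
             'db = connect(host="db.internal.example", password="hunter2-constructed")\n'
             'cur = db.cursor()\n',
    "bob":   'import os\nimport sys\n'
             'db = connect(host="localhost")\n'
             'cur = db.cursor()\n',
}


def tokenize(src):
    return TOKEN_RE.findall(src)


class NGramCompleter:
    """Suggest the next token given the previous `order` tokens."""

    def __init__(self, order=2):
        self.order = order
        self.counts = collections.defaultdict(collections.Counter)   # ctx -> Counter(next)
        self.owners = collections.defaultdict(set)                   # (ctx, next) -> {owner}

    def train(self, owner, src):
        toks = tokenize(src)
        for i in range(self.order, len(toks)):
            ctx = tuple(toks[i - self.order:i])
            self.counts[ctx][toks[i]] += 1
            self.owners[(ctx, toks[i])].add(owner)

    def suggest(self, context_tokens, k=3):
        """Most frequent next tokens; ties keep first-seen order (Counter semantics)."""
        ctx = tuple(context_tokens[-self.order:])
        if ctx not in self.counts:
            return []
        return [tok for tok, _ in self.counts[ctx].most_common(k)]

    def foreign_suggestions(self, owner, context_tokens, k=3):
        """Suggestions `owner` would see that exist ONLY because others uploaded them."""
        ctx = tuple(context_tokens[-self.order:])
        return [tok for tok in self.suggest(context_tokens, k)
                if owner not in self.owners[(ctx, tok)]]


def build_model():
    model = NGramCompleter(order=2)
    for owner, src in UPLOADS.items():
        model.train(owner, src)
    return model


if __name__ == "__main__":
    m = build_model()
    for who in UPLOADS:
        for ctx in (["host", "="], ["password", "="]):
            leaked = m.foreign_suggestions(who, ctx)
            print(f"{who} typing {' '.join(ctx)} is offered from other users: {leaked}")
```

The same mechanism that makes the tool "smart" (a frequent continuation becomes a suggestion) is what moves one tenant's literals into another tenant's editor; with a real model the memorised strings are longer and harder to spot, which is why the provenance filter, not the ranking, is the part worth auditing.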
We, the open source community, need to respond to this pollution firmly and decisively. Apart from removing the sneaky code put in for these types of purpose, we may need to consider adjusting the licensing to forbid such practices ... the entire open source world needs to unite against this ... it is threatening the future of open source.
Is Facebook part of the "open source community?" I would expect that most people here would say yes, for reasons I will assume are obvious to most readers here. Yet they've built, arguably, the world's second largest (non-governmental) data mining operation on the back of open source software, designed for nothing more than slurping up user data to sell to advertisers. How is that fundamentally any different than what's described here? Because the product is "more" useful to end users? Because its true nature is "more" visible? It's a difference in degree, not kind. If you hate what's been done here, by extension, you should hate the business model of Facebook and Twitter, et al. (I do, and I refuse to participate.) There seems to be a bit of hypocrisy having this sort of outrage on this particular site.
While this Kite company seems rather scummy, I think it's a bit disingenuous to frame it as an attack on open source. Actually it's the one thing open source can handle better than anything else: just fork the repo and carry on.
Maybe I'm reading too much into the article but it feels like a weakness in open source is exposed when in fact the real problem would be if those applications were closed and you were stuck with crappy software if you didn't want to switch to a brand new tool. How's Skype doing lately?
Open source is vindicated by these scummy tactics, not undermined.
This is actually the most ridiculous part of the entire story.
It would be one thing if a corporation was stealing your code and taking over open source projects as part of a detailed plan to make money. That would still be objectionable, but at least there would be a clear motive for these voyeuristic activities.
Apparently, there is no master plan. They're just doing this because they want to be voyeurs and then maybe figure out how to make money off of that somehow later.
Not sure how the Atom plug-in store works: if this were yum / CPAN / pip, I would think there'd be some way to kick these plugins out of the stores and force anyone who really wants it to install manually. I think that's the best way to tackle this kind of deception: fork it, kick it out of the app stores, and make it difficult as possible for someone to inadvertently download the adware-written version.
A maintainer for amp (atom package manager I guess?) explicitly said they're sitting this one out. The mini-map plugin has been forked and rolled back to the version before the ads popped up.
That's a pity. It is incumbent upon the package manager vendors/curators to watch for this kind of stuff and bring the hammer down when it happens. Apple does it. Google does it. Mozilla does it.
I can guarantee that there are other commercial companies watching how this plays out. If the changes are simply rolled back without any real repercussions, what other malevolent entities will take away from this incident is, "You can inject adware into your acquired FOSS applications, but do so discreetly."
It is somewhat ironic that the community affected is the Atom one, which was supposed to be built by (and for) next-gen cloud-first types who live in the browser. If all data has to live in the cloud, your source code will inevitably get there too - because source code itself is data. Sure, Kite went about it with an anti-pattern, but that makes little difference. Live by the cloud, die by the cloud.
Let's be honest, the real problem here is that Kite's offer is still not good enough. The service they provide at the moment is not worth handing out all your code, unlike with services like GitHub; and their leadership is not seen as smart (or honest) enough to tolerate them taking stewardship of this or that established project - something that happens every day in the OSS world (loads of companies de-facto own this or that OSS project, from RedHat to Google to Ubuntu to IBM, steering as they see fit).
As soon as Kite (or anyone else) can provide a compelling service, people will go to great lengths to use their stuff and give them their code, without any dark pattern being required - ethics be damned.
In many small projects the owner (or a small set of owners) just commits the changes without approval. In some cases one person writes more than 50% of the commits, and it's not practical to get someone to review the code.
In this case abe33 has 75% of the commits, someone else 15%, and the rest is a bunch of people with 1% or less.
Once your project gets to a certain level of users or activity, you should still be submitting PRs or MRs for comment before merger.
With our server toolkit in a project I work on, we have 2 devs and 5 active users, with the devs being 2 of those, but we still manage to at least put every change in a PR, with a minimum review and comment time of 24 hours unless it's a security issue or major bug fix.
It's not hard, and it makes you actually justify your change and have talented second eyes point out minor bugs or edge cases to you.
Direct commits are only used for version bumps for the auto build/release thingy.
Please use your skills and spirit to fork both of the projects in question and put one of your known good actors in charge of each.
Either new project leaders are available and will immediately come forward to claim these projects as their own, or we need to change the subject to FLOSS sustainability.
There is a fork[1] that reverted the changes made by Kite.
This is not a question about sustainability as the project was well supported, feature-complete and saw regular releases.
Rather, this questions the consequences of giving companies permission to acquire community efforts. Doing so erodes trust in the Atom ecosystem. If the Atom team is OK with what Kite is doing, then I can expect other companies to follow along, and I'll have to be more cautious when installing plugins in general. It also destroys the incentive of contributing code to Atom plugins, because I don't want to contribute to giving companies control over basic features like a minimap. Why stop at the minimap? StackOverflow might as well hijack CTRL+F, or Heroku might subvert a git plugin.
If we let this become a trend, it will suck for everyone.
The consequence of forks is that their desired userbase is now seeing double, and whenever a potential user asks about it someone from the community tells them, "Don't use the one with ads and/or other junk, use this one instead."
If other companies follow along then Atom's ecosystem-- and therefore, Atom-- will suffer as a result.
Regardless, there probably should be more caution when installing plugins.
It's not clear to me from the article or the comments what it was actually doing.
Looking briefly at kite.com, it looks like they provide a potentially useful tool/service that is kind of an alternative to searching the web for documentation.
What I can't tell is whether what they did was make minimap incorporate results from Kite, so that you were essentially getting the Kite service (or a light version of it) bundled with minimap, or if they were putting ads for the Kite service in minimap, or if they were putting ads for other things in there.
I'm curious what the ads looked like. I installed it but can't see them, and the article only includes its own ads for razors, not pictures of the ads it's talking about.
I'd never heard of Kite until today, and following one of the links I ended up at Adam Smith's blog a couple of hours ago.
I did no more than to read a blog post.
Just now I went to checkout from my local TortoiseSVN repository and instead of the usual local address this was present as the repository URL:
I remember the day Kite was launched. I took a brief look, realized it would be uploading entire codebases of mine to their servers, and said no.
The fact that they have since slipped their stupid product into popular open source tools (probably because it isn't as well received as they thought it would be) is very similar to how some douchebags buy up popular browser extensions, then inject ads or do more nefarious things with them. Utterly distasteful.
This is evil. We need a way to deter activities like this. The public shaming on HN is a good first step but this would be forgotten too quickly. Any ideas?
Honest question: if someone starts a hobby project, open sources it, and later decides to monetize it in some way, is that considered bad form? I can think of many open-sourced projects that are being monetized, e.g. Reddit/GitLab.
I was under the impression that open-sourcing something literally means just making the code publicly available, and doesn't restrict what the owner chooses to do with the project in future.
This is a bit hyperbolic. If the original maintainers of a project are making changes you don't like, just fork it.
That said, if I was already unlikely to trust Kite, I don't want to work with them at all given this behaviour. Betraying the trust of a significant portion of your potential customers is a sure way to be exed from an industry you never capitalized on. Congratulations, Kite.
Smith also said that most of the negative reaction was due to confusion around what the tools actually do. (Connor pointed out that it’s not possible to review what Kite does, since it itself is not open source.) Then he blew this reporter off. “I apologize in advance that I can't answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”
Love and avoiding negativity have become the bywords of unaccountability. To foment conflict and then not comment...
As distasteful as ads are, I'm always concerned about an update that introduces malicious behavior in the background. Something like NPM hydra for example, or those Chrome extensions that have been bought out.
Sounds like a replay of uBlock / uBlock origin. The same solution (forking and rebranding) can apply here. If the original authors sell out to Kite and the license permits it, fork it and fuck them.
I personally want to know why Kite decided to show up uninvited in Atom. I don't want this shit, I don't care about it, if I wanted documentation I'd use Sphinx or Doxygen.
A sandbox that keeps them from your filesystem - maybe. But not from the editor or network (most of the plugins need them, or rather are based on the idea of using them).
The answer to this should be a resounding "fuck off and don't come back".
Open source is great because it is generally free of this pushy and disingenuous nonsense. Defection over cooperation leads to the detriment of the commons.
No idea. This new title seems vaguer to me. They changed it from 'How kite is undermining the open-source community' to 'How a VC-funded company is undermining the open-source community'. The title is clearer with the name of the company in it.
Edit: In case there is any confusion. The company is Kite. The VC-funded company is Kite. Kite. They are the ones this article is about. Kite.
> If the original title begins with a number or number + gratuitous adjective, we'd appreciate it if you'd crop it. E.g. translate "10 Ways To Do X" to "How To Do X," and "14 Amazing Ys" to "Ys." Exception: when the number is meaningful, e.g. "The 5 Platonic Solids."
> Otherwise please use the original title, unless it is misleading or linkbait.
In small obscure threads the mods sometimes don't notice and you can get away with small changes, like replacing "Photos of Enceladus" with "Photos of Enceladus, moon of Saturn". (But don't try "Amazing photos of Enceladus will blow your mind!!!")
In big popular controversial threads the title is almost always reverted to the original title of the article, or the first sentence of the article when the title is too bad.
Psychopaths sometimes have trouble recognizing stuff that is supposed to make them ashamed, i.e. stuff that would reveal their character were it exposed publicly.
Maybe that seems like an over the top comment, and on any individual case, who knows? But I think it explains a good number of these sorts of scandals. Sometimes, the people who get on top are not "ambitious"... sometimes they are actual monsters.
Please don't do the internet psychiatric diagnosis trope on HN. Casually invoking a category like 'psychopath' significantly lowers the signal/noise ratio in a thread, and even if you don't direct it at a specific person, someone else will. Moreover the frame of this article means your comment is insinuating something about someone whether you mean it to or not, and that's beyond gross and into hideous.
Internet threads are like tag-team wrestling: the first guy drags a metal chair into the ring and then the second guy bashes a third guy over the head with it. Keep the chair out of the ring.
So by daring to say that this behavior might be caused by someone who is characterized by the worst kind of lack of ethics, I'm in the wrong?
This is a phenomenon that studies show occurs at something like 2-3% in the population at large... but more common among CEOs. https://news.ycombinator.com/item?id=7841742 I'll just, you know, stop using it and monitor the potential security hole for the rest of my life.
I really don't think it takes being a psychopath at all. All it takes is convincing yourself that the company's mission is inherently noble, instead of just a way to generate profit. I've seen this many times, where nice, reasonable people convince themselves of the morality of some business decision, without really questioning that all these "moral" decisions also just happen to be the ones that make the most profit.
Studies have shown that psychopaths are, on average, more successful as CEOs than non-psychopaths. This certainly seems like a good example of that (his reaction and behavior with the reporter were perfect!).
In my experience they have meteoric careers that then suddenly crash and burn spectacularly. Unfortunately after a big crash they're usually able to find more fools and repeat the pattern. You'll often see someone whose career looks like a sawtooth wave.
That is a very underrated comment. There is clearly a direct link between psychotic thinking and actions among those who are at the top. The system totally and utterly incentivizes psychotic behavior even just because there are never serious consequences for anything and only rewards. Just take Amazon or Facebook for example; not only are their CEOs becoming insanely wealthy by consolidating the whole economy and becoming what is essentially a tech-talitarian regime that controls our governments at all levels even at this point, but between Amazon sending its tentacles into everything and Zuckerberg saying he wants to and is totally replacing the internet with Facebook, we are seeing the emergence of psychopaths that should have been stopped a long time ago.
Here's your chance at "killing Hitler", yet we sit by and cheer Facebook, Google, Amazon, Uber, Tesla, etc. destroying and consolidating the economy under what is a de facto emerging totalitarian regime. They're even controlling speech and propagandizing society with control over what you see and when you see it.
Except Lennart was working on systemd long before he worked at Red Hat and Red Hat has very little control over what he does in systemd. The reason Red Hat has "foisted" systemd is that it solved problems that other init systems hadn't solved (which is why other distributions also adopted it). That doesn't mean it's the best solution by any stretch (I don't like systemd personally) but pretending that it was the same as putting adware into a text editor is quite disgusting. It solved a real problem, and if you have a better alternative you're free to contribute it as another member of the community (in fact, please do).
I work for SUSE, not Red Hat, but I find it incredibly gross that being employed to work on free software is seen as a negative thing by the wider community. I spend every day working and thinking as a community member first, but because I was lucky enough to get a paycheck from a company to do that clearly I must be the enemy.
I toy with Linux but I mostly use OpenBSD. So I'm thankfully not that affected by systemd.
I can completely understand what the OpenBSD init system does. It's a lot harder to fully understand systemd. Plus, as a benefit of systemd, you get headlines like "Don't panic, but Linux's Systemd can be pwned via an evil DNS query"[1].
Red Hat doesn't care if Poettering is a brilliant genius or just a useful idiot. Instead, Red Hat loves systemd for a very different reason: lockin. Most Linux distributions are now utterly dependent on systemd, and by extension dependent on Red Hat.
systemd gives Red Hat far too much control over Linux. They were already the 800 pound gorilla, now they're almost invincible overlords. But go ahead, keep drinking the Kool-Aid.
I see nothing wrong with this. This is why open source is beautiful. If you don't like what some contributor is doing, fork it. Kite can even pull in updates from the main fork. I think this kind of thing happens all the time just not publicly.
Why not use this to fund open source? Have a checkbox to disable ads if you really want to give people freedom. I just can't see how open source can compete without enough funds.
After 12 years working at Red Hat, I can assure you that Open Source not only competes, it is actually winning everywhere. And business models exist that are fair to all sides, allowing us to employ a lot of developers and participate in upstream.
Ads are not a solution IMHO, they are a big part of the problem.
> I can assure you that Open Source not only competes, it is actually winning everywhere. And business models exist that are fair to all sides, allowing us to employ a lot of developers and participate in upstream.
It would be great to see not only an assertion but an article that spells this out in some detail.
I think it's fair to say that open source has made inroads everywhere. If I were to tell my 30-year younger self what the future looks like, I don't think I would have believed myself. Having said that, there are lots of places where open source is having a hard time. In telecom and medical software for instance. I mean, I can set up a SIP server and inspect the Android source code, but there is a long way to go (like actually being able to build and deploy on a piece of commodity hardware in the case of Android). For medical software, just try to get access to source code for any medical device. You get the thing installed in your body and you can't even look at it.
Like I said, in every place open source has won important battles. The future looks good, but let's not understate the challenges either.
To me, it looks like Kite miscommunicated but didn't propagate spyware. From what I understand after reading the related issue on Github, it did not do any requests to its servers without explicit user permission.
And I think the bigger problem is that 3rd party plugins are becoming a thing. Now, it's all about plugins, installing dozens of plugins that are difficult to audit beforehand. It's like blindly installing software from torrenting sites, but shinier because it has the GitHub stamp on it.
Could you please elaborate? I read the whole thing when I posted this comment: it seems like Kite did not automatically request its servers and I do think that plugin-mania is the bigger problem here. Installing plugins with no way to audit or restrict their access to the system capabilities is the problem. They should run in a sandbox. This has even been suggested before [1] but it seems like it has not yet been implemented.
Look at this clear dark pattern: https://outline-prod.imgix.net/20170721-QVaxMDgDwdZ1TBufCdq4.... (Image taken from the article.) Want to use our service? Then it only lists positives. Or these other services? Then it only lists negatives.
If you're reading this, Kite: I now have a negative view of your product. We cannot allow corporations to take over open source tools. Donating is perfectly fine and encouraged, but the above example is a downright takeover. If you want another tool then create one, don't take over an existing one and use the community's trust in that tool to promote your product.
I fell for this. I enabled it because I was curious about trying new development tools, only to find out later it uploaded all of the source code on my computer to their service. What the hell.
It took me months to get through to a human to get them to delete my code, including two emails to the CEO.
I like the idea, but there is no way I would use it after this experience.
WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not. If corporate software monitors catch this happening, it's a pink slip in many places. I just can't believe anyone would play with developers this way. What a cruel company.
> it uploaded all of the source code on my computer to their service.
That sounds crazy, so I reviewed their privacy policy[0]. It looks like Kite now requires users to whitelist the directories it indexes and automatically purges files you remove from the local index.
The Privacy Policy says that:
> When you use our services, we may collect [...] Any source code files on your computer's hard drive that you have explicitly allowed our services to access. To learn how to control access to your source code files, please visit our FAQ.
The FAQ[1] says
> Kite only uploads files that:
>> 1. Have a .py file extension,
> 2. Are children of a whitelisted directory,
> 3. And are not ignored by a .kiteignore file.
That doesn't seem like "any source code file on your computer" to me - unless it whitelists root by default, which would be a hella dark pattern.
Also, removing a file from the local index should remove it from the server as well [2]
[0] https://kite.com/privacy [1] http://help.kite.com/category/30-security-privacy [2] http://help.kite.com/article/10-how-do-i-delete-files-from-k...
If you want to see if they have any of your data, check: https://kite.com/settings/files
I have zero faith this page actually works though. A few months ago I deleted all of my data and I checked back today and it has reappeared. (I uninstalled the client and deleted my login token back then too, so as far as I can see it's their issue.)
I have sent them a stern email to delete my data. If you want your data deleted too, I would recommend doing the same rather than trusting their web interface. None of the emails on their website seem to work, though. Emailing the CEO does work eventually, but I don't want to start a witch hunt. My email is in my profile if you want his email.
WTF are those guys doing? Uploading source code without consent feels criminal; source code with app configs/secrets has ultra-sensitive information.
Does anybody have a list of infected packages so others can quickly remove them with `apm uninstall ...`?
I've almost been bitten by them in the same way. I vaguely remember that it was through HN that I found out about Kite and installed their plugin(s). It definitely felt 'dirty'.
> only to find out later it uploaded all of the source code on my computer
It didn't ask? Sounds like malware, and meets the definition of theft. Inviting someone into your house does not give them permission to steal things in your home, and leave with them.
Kite has been mentioned a few times on HN, latest here: https://news.ycombinator.com/item?id=13977982
It clearly states in the diagram that the code you run Kite on will be analyzed in the cloud. If it truly uploaded "all of the source code on [your] computer" then obviously that is radically different but from my experience with the product, it did not upload my code besides what was directly related to what I was working on and understood would be analyzed in the cloud, just like Code Climate or any other code analysis service.
That could be enough to get you fired and/or sued depending on the status of the code on your computer.
That is theft of the highest order!!!
I would not forget to mention the owners of these projects who handed the projects over to Kite. I think they are in the wrong as much as Kite.
Iff they had foreknowledge that the changes were going to happen, which is unlikely. I'd be surprised if Kite bought/acquihired/etc. the product by disclosing a list of shady changes beforehand.
Isn't that a bit too witch-huntery? It is Kite who is actively doing the shady stuff.
It's interesting watching HN get indignant when a company treats them the same way their idol companies treat everyone else. A lot of grab all data, track everything, and hide the creepiness in fine print type companies.
A system of permissions for plugins would be welcome in my mind for Atom, similar to browser plugins or mobile apps. Then a new "feature" would require the "transmit your code to a third party" permission.
How would you enforce that?
Please share the link for writing the negative review. It will make it easier for others as well to leave one.
> We cannot allow corporations to take over open source tools.
I don’t know how much I agree with that statement in general. There are several major open source projects with corporate “control” – Mozilla, Google and Apple control/heavily influence Firefox, Angular and Swift respectively and there are probably a dozen others. The idea that corporations are “bad” is a tired trope. Some corporations are bad, some are good, some are in the middle.
But I agree with your actual sentiment though – corporate involvement in open source should be as benevolent as possible.
"Some corporations are bad, some are good, some are in the middle."
I don't think we need to bring morality to the discussion and complicate the issue.
Corporations are organized around profit, open-source is not. With only that in mind you can predict what will happen in most of the cases.
To put Mozilla, a non-profit, in this context, in the same set as Google and Apple is not fair, by the way.
Mozilla made Firefox. Google made Angular. Apple made Swift. That's not "taking over". While I am not a fan of this phenomenon either, that has nothing to do with the current situation. They simply built something and open sourced it, nothing was "taken over".
I'm going to take a contrarian stance on this one: I believe there is no story here — adding an ad for an opt-in cloud-based tool to dev tools is not spyware. It's opt-in! It's clearly stated. Would people raise a fuss to find out their CI service like CircleCI or linter service like Code Climate had access to their code (it's sufficiently obvious)? I don't really see why this tool is any different other than they are one of the first to make a code analysis service that runs in realtime.
I beta tested the Kite product when it first launched maybe two years ago. I don't use it today but I would try it again. Since then they've only tightened down on permissions and made things clearer.
Kite was also not the first to run ads in an IDE plugin (Wes Bos has sponsored several), at least not in Sublime. Personally it's not my preference to have ads either but ultimately this is up to the maintainer of each repo. The tool is still free to use. It clearly states that using the cloud engine will upload your code to do analysis in the cloud. It's 2-3 sentences, not like it's buried in some long EULA.
Shame on the article for labeling inserting an ad as "taking over" and labeling an ad as "spyware"… pure clickbait targeting non-devs.
The new Kite engine also clearly states it is a cloud-based service and they build integrations for their service. The whole industry works the same way. You don't have to use their engine to use autocomplete-python, and it's opt-in too.
It is opt out. You can read the comments from the Kite developer yourself.
https://github.com/atom-minimap/minimap/issues/588#issuecomm...
Your comments are such a poor defense of a dubious feature I wonder if you have a connection to Kite.
Well, who benefits from having the ads there? Wouldn't it be better for most users without the ads? What value is Kite adding?
It's a slippery slope, similar to the controversies over using BitKeeper for the Linux kernel or adding DRM to HTML5 (both justified, I think). The openness in open source needs to be defended.
Hi Ruben, founder of Kite here. I think this issue deserves a more thorough response because there are a lot of misrepresentations in the article.
One misrepresentation that I wanted to quickly highlight is that the autocomplete-python install flow has three steps, not just the one linked to in the screenshot above. The other two are:
Enter their email address - https://user-images.githubusercontent.com/87728/28395016-dc7...
Read a warning, decide if they want to whitelist any files - https://user-images.githubusercontent.com/87728/28395021-e04...
Small technicality: these screenshots say that Kite is installing but it's actually only downloading the installer binary to memory; the actual install doesn't happen unless the user goes through all three steps.
It's also worth noting that if the user clicks "Add Later" no code is sent to the Kite servers for analysis until they whitelist a directory.
You are trying to blame the user, but the design of this flow is to blame. It does not explain clearly what is going on.
It's funny seeing this now to see where I tripped up. When you say "enable access in /Users/ben", I guess 6-months-ago-me assumed it meant "enable access to code in /Users/ben when I am working on it". It felt a bit like an iOS permissions dialog, where I was giving you access to my filesystem. Parsing it now, I realise that the text above the button says "where enabled, your code is sent to our cloud".
You could argue I should have read that more carefully, but that copy doesn't scream to me "I'm about to upload all of the source code on your computer including proprietary stuff and secrets". Because that button was the default highlighted button, I assumed it wasn't going to do anything drastic like that. (It's like Ryanair having a big red "YES I WOULD LIKE INSURANCE" button, hiding the "no I don't want to spend $100" button somewhere in the small print.)
Above all, you certainly shouldn't have included that as a shady update to some Atom extension I was using.
> I think this issue deserves a more thorough response because there are a lot of misrepresentations in the article.
From the article:
> Smith also said that most of the negative reaction was due to confusion around what the tools actually do. (Connor pointed out that it’s not possible to review what Kite does, since it itself is not open source.) Then he blew this reporter off. “I apologize in advance that I can't answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”
The above sounds like you were given the opportunity to explain things but shrugged it off as a distraction.
If it deserves a more thorough response, why hasn't that been given? Even in this reply you only "quickly highlight" one point.
Even with the additional steps and even with explicit whitelisting of directories (from screenshots it looks like it defaults to the user directory, which is just bad) before code's uploaded, the point is that Kite took over a useful, popular open source package, clearly hitching on to the popularity of the package to promote Kite, which is distasteful when it comes to OSS.
Why not fork the original autocomplete-python with one that has Kite enabled instead? Then users who want Kite or use Kite are able to do so, without screwing over everyone else who has no idea what Kite is and doesn't want anything to do with it.
Reminds me of software downloaded in the past that comes with some random search toolbar that gets installed in browsers. Annoying. Shady. Not cool.
Then how do you explain this? https://user-images.githubusercontent.com/4001044/28342719-3...
Don't weasel your way out of this Ruben.
This situation seems to have the best and worst of open-source. Best, in that the license of the projects allowed them to be forked without too much effort. Worst, in that it shows how easy it is for a project to be subverted once the maintainers are bought (in this case, given a job). It also remains to be seen if the average Atom user will see the difference between the Kite-branded (and, currently, more popular) and the forked versions of these plugins.
Besides the open source issues, this tactic seems to reveal a massive desperation by the Kite folks. There is no way they couldn't have seen how negative this was going to look once people found out. Their ability to attract new users through word-of-mouth and organic advertising must have plateaued. Sneaking their service into a well-used plugin would have given them a boost in users, maybe enough to attract a new round of funding, but they must have known it would cause this kind of bad blood. Especially based on their past reception on HN, which was highly upvoted but in which they never convincingly answered the concerns about uploading users' source code to the cloud:
https://www.reddit.com/r/programming/comments/4erqgq/kite_pr...
> this tactic seems to reveal a massive desperation by the Kite folks
That's the weirdest part to me. Who, exactly, thought this was going to go well? It is hard to be sneaky with open source. And even harder to win back goodwill after being caught out.
For instance, now that I know, it would take a change of management and business model before I'd even consider running any of their code, and I'll be writing a Kite-detector for our code scanning tool this week.
There's a great quote from Kite founder 'alexflint in one of those earlier threads:
"our plan is to earn trust the hard (i.e. only) way: transparency, published policies, and a track record of good decision making."
Easier said than done, apparently.
Kudos to @mehcode for the fork [1]! And the author @abe33 for the apology [2]! I'm thinking, that @abe33 might not be responsible for this, but was "asked" by his employer (Kite) to do that.
Then, there are alternatives such as sublimetext/vscode, which have the minimap builtin...
Disclaimer: Not affiliated, I prefer n/vim anyways. This is a copy from my comment in the issue. Please read @abe33's comment [2] in the issue. This might explain a thing or two.
--
[1]: https://github.com/mehcode/atom-minimap-plus
[2]: https://github.com/atom-minimap/minimap/issues/588#issuecomm...
That's a pretty sorry excuse for an apology, in my opinion.
First, he focuses heavily on how much stress the backlash has caused him. Then he tries to paint it as a "misunderstanding" on behalf of the users. None of this strikes me as the behavior of someone taking full responsibility for their actions.
Further, I keep seeing people trying to justify his actions with the pathetic excuse that he was probably just doing as told by his employer. Sorry folks, that's not how being an adult works. There's a reason virtually every formal code of ethics stresses personal responsibility. Take, for instance, 8-b from https://www.nspe.org/resources/ethics/code-ethics
Or the very first point from http://www.acm.org/about/se-code
Just because we're in the comparatively-"lower stakes" profession of web development, that doesn't mean we can use the sorry-ass excuse of "my boss told me to do it." Unless they held a gun to his head, he had a choice, and his choice should stick with his reputation for better or worse. Now his name is going to be attached to this dumpster fire of a PR mess because he didn't have the will or integrity to say no, and smart people within the community will have a very good reason to no longer trust his judgement, much less his future contributions.
Thanks for posting abe33's apology, hadn't seen it when I read about this issue last week. One of the more unnerving things about it was how he made this change without explanation months ago, nor did he explain it now. It must have been frustrating for him, as the plugin's original developer, to be dragged through this crap. He ultimately is responsible for his actions, but I wonder if he knew that subverting his own plugin would be a job requirement?
I can't imagine he would sabotage his own project for no reason, so most likely he got the job or some compensation in exchange for his cooperation and access to his repository, probably how they got python-autocomplete too.
Otherwise, if they offered the job with no conditions attached he'd be under no obligation to change his own personal projects for them.
Completely agree.
Then, this sets a precedent. It reminded me of Google injecting some binary code into Chromium [https://news.ycombinator.com/item?id=9724409]. However, we have a single person here. I can wholeheartedly imagine that this can cause quite some stress. Also, it could have happened to many, I think...
Edit: I'm happy about the discussion here. At least, this won't happen again, anytime too soon.
I've tried Kite twice now. Once when it first launched, and once again when I installed autocomplete-python and it persuaded me to give it another go.
So far I have found it utterly unconvincing to the point of near uselessness. It rarely finds anything intelligent to say about my code, and gives a significantly worse view of documentation than Dash (for which I have a hotkey bound for near-instant lookup).
On top of that, I found Kite to use significant resources, there's no way to inspect what it's uploading so no way to ensure you aren't uploading things you don't want to, and the second time I tried it the UI was filled with dark patterns and I found it quite difficult to uninstall (I reverted to just trashing all the files I could find relating to it).
I paid I think $79 for a year of Kite-pro and frankly, so far it is pretty useless. That said, it has permissions and settings to whitelist which folders on your computer can be indexed. Then, the settings page states that if you remove the directory from whitelisting then "any directories removed here will also be removed from Kite servers." Of course, that doesn't mean they will actually remove previously indexed data. Overall, probably this is a product that I would not want my dev team to install.
I'd ask for your money back. Installing Kite left me with a really bad after-taste, but at least I assumed that if I'd bought into it, it would do as advertised.
This is the minimap fork:
https://atom.io/packages/minimap-plus
https://github.com/mehcode/atom-minimap-plus
It is a featured[1] Atom package, which may point to whom GitHub is endorsing in this issue, though we could see a more direct response from them regarding both minimap and autocomplete-python.
After reading sadovnychyi's reaction[2] to the autocomplete engine selection screenshot, I think forking is also the only remaining step for autocomplete-python.
[1] https://atom.io/packages
[2] https://github.com/autocomplete-python/autocomplete-python/i...
> “Most users who install autocomplete-python close the engine selection prompt, which results in not getting Kite or its benefits”
This type of entrepre-narcissism has to be shut down hard. How deluded does somebody have to be to imagine that putting a confirm-shaming dialogue in an open source tool is not Advertising?
They're not deluded at all, it's just damage control. If they didn't believe it was advertising, it wouldn't be in the tool in the first place.
Every interaction I have with these kind of guys proves to me that they deep down believe their own BS and that they are actually blind only to their own actions. I consider a delusion much more dangerous than a malign stratagem.
Yea, it really confirms this as a corporate strategy.
I just uninstalled Kite.
It's a real shame as the service was good, but nothing is good enough to justify advertisements in my work-space. The fight against distraction is hard enough as it is without having to think carefully about where I'm clicking due to dark-pattern UI.
So how was your company okay with you uploading the company code to Kite's servers?
He didn't mention using it under a company. I was tempted to use this for personal projects as I don't care where my code gets uploaded, it's all on github anyways.
The reviews above made me reconsider.
I am the state (L'état, c'est moi)
I'm a freelancer, and my code is open-source anyway.
PSA: I removed the whitelisted directory from my local install of Kite and then uninstalled the application. Logging into https://kite.com/settings/files still shows my machine and all of the synced files.
I still had to manually purge my machine and files from that page.
If you think your files were removed, check again.
Extra PSA: I deleted my files from that page a few months ago and they have now reappeared. (See my other comment.)
I would recommend emailing them to delete your account and data, including backups and so on.
Hi, Kite founder here. If you uninstall right after removing the whitelist directory then the removed files may not have been synced to the server before the uninstall, particularly if you have a lot of files on your machine. We will address this by adding a "remove all whitelisted directories and log out" link to the local settings.
Something different was likely happening in bfirsh's case (sibling comment). If you delete the files from the kite.com/settings/files page but Kite is still installed then they will get synced up again. The most fail-proof way is to uninstall and then wipe files from kite.com/settings/files. We will make the wipe files link log Kite out on that machine.
Sorry about the edge cases. We've been working on it, and will continue to do so!
It's nice this is getting more response today - my submission yesterday got no comments.
I almost spit my coffee out when I learned about this (as I'm a minimap user who had no idea this was going on). Not a fan of these shady practices - completely breaks the trust between package maintainer and users.
here, have an upvote -- on me
I think we need a swift and damning response to this. I'd rather have an even worse walled garden than the Apple 'App Store' than deal with having to worry about my source code getting stolen to be used by some stupid cloud service. I don't even want data collection in my text editor; maybe from the vendor it's acceptable but not N times for each plugin. I now feel compelled to vet the network usage of any plugin I install.
Thanks, Kite. I'll make sure to remember this in case anyone ever considers your service.
Agreed. Also this should be the kind of stuff that gets the founders and employees blackballed in the industry as well.
Completely morally bankrupt. All of them.
Just like installmonetizer and all those associated with them, right?
Silicon Valley/the broader tech scene is going to look pretty empty if we do that to every employee of every company that has done shady stuff.
Their names should be on wikipedia along with the details of this story.
I wish our world worked like that, but unfortunately blackballing requires that the median participants of a group have some sort of moral compass.
I gave up hope for such things after seeing staff, investors, and speculators tripping over their own dicks to invest in Brendan Eich's latest venture (Brave) and its ICO, with full knowledge of his revolting and public bigotry against gay people.
Money trumps morals, it seems.
Google introduced and normalized the spyware/adware business model. Nothing but fawning adoration from programmers.
Microsoft copied the model for operating systems. Token resistance from programmers.
Kite copies the model for programming tools. Too late, programmers.
The problem is not that they built some product and monetized with ads. The problem is they injected themselves into a product they didn't build. Worse yet, they're open source projects.
If you can't see the distinction between this and the examples you mention, you really don't qualify to make sarcastic comments.
Exactly. And don't forget about the proliferation of the internet-of-shit devices, which are blasting everything they can learn about your home network to every company involved.
HN is specifically geared towards people who make a living coding things in the new "surveillance economy." This particular example (to go along with the dotnet command line issue) is just a difference in degree, not kind. They're mad that someone else is abusing their trust and privacy.
Welcome to the party, pal!
Let's not forget the "exploit open source/free labor" component of a key demographic of HN's audience.
I'm pretty sure that the only OSes that don't have adware/spyware in them at this point are some Linux distros (maybe) and Unix.
Or....[maybe not?](https://www.youtube.com/watch?v=7gRsgkdfYJ8)
"Unix" isn't really a specific OS. So yeah, there's probably no spyware in it.
> Nothing but fawning adoration from programmers.
That is a narrow way to look at things and is not the full picture. Plenty of people protested and still protest Google's unethical business practices.
Brand power! I get totally nauseated every time tools/frameworks/programming languages get adopted just because they have the Google brand on it, when there are perfectly better alternatives.
Holy shit that 'apology' is a steaming pile of crap. This guy is actively subverting not one but multiple open-source projects and he responds with some pathetic crisis-management sob story and an 'oops, sorry'?
He did revert the minimap changes. That's more than just saying "sorry".
But I'm waiting for autocomplete-python to be changed, too...
It may really be a sorry, but also some damage control too.
And they are sorry they got caught, not sorry they did it. As is tradition.
Open source is very vulnerable to manipulation. Some years ago, I spent some time trying to understand the PAM LDAP module on Linux (PAM is used to enable external authentication so it's critical code). I found it to be completely impenetrable. We take such components for granted but if someone could inject malware into such code, it could be catastrophic.
Not to mention it must be trivial for a large and determined adversary to subvert Debian, Arch or other distributions' packaging process, for example by getting a "sleeper" rogue developer in there. As someone into security and using open-source systems exclusively, it would be somewhat embarrassing to become a security problem yourself that way.
I don't distrust Linux distributions' respective security guidelines; but it can't be that hard to find a loophole in community-driven system/software development and the damage would be substantial if a popular Debian package would have been subverted and have gone out with updates.
The same statement could be made about any organization. If you get a sleeper agent into Apple, Google, Microsoft, whatever... There is a certain amount of goodwill we rely on in this world.
I'm pretty sure this is somewhat unique to the history of pam_ldap and its stewardship by PADL Software compared to other PAM modules; its dense nature encourages commercial engagement for those who care enough to know how it works or want to use it for their own purposes. They're not motivated to make it easier to understand (i.e., for outsiders to contribute to or maintain).
pam_sss is easier to understand and its functionality expands upon it, but it was a redesign.
This is really fascinating - I agree that PAM LDAP appears to be especially obscure compared to other modules.
I think that is an unavoidable consequence of the openness.
Honestly, I feel that at the very least the core team behind Kite should be held accountable for what they're doing. I'm not arguing in favor of an all-out witch hunt, but in the context of developers doing their development thing this kind of behavior should have consequences that potentially might include 'black-listing' at least the higher-level people behind it that thought this was a good idea.
In short: A startup is taking control of open source editor plugins relevant to their product.
I admire their cleverness.
If it were me: I'd create an extension interface for completion libraries to accept third party plugins. I'd stop at putting third party stuff in by default. A sufficiently good plugin API for python-autocomplete shouldn't require it even to know about Kite.
That said, I don't think Kite should be disallowed. If they have a secret sauce that they think can empower completion plugins, give them an API to plugin to.
It's not in the spirit of open source to shut the door on proprietary solutions (IMO). Transparency should be paramount. Normally most Linux users opt-in to using proprietary/blob software/drivers one way or another anyway. Open source projects routinely maintain relationships with vendors (NVIDIA, Intel). It doesn't necessarily mean evil is at work.
Though, as someone who's struggled with the performance and reliability of completion tools, I don't know if I'd personally opt to outsource that functionality. I'd wait and see if our current tools get better.
So, what prevents any Atom package from being silently taken over and turned into a private code Hoover? Is there anything in Atom's packaging APIs that ensures plugins that can read source cannot also access the network without permission?
As far as I know: nothing yet. It hasn't been necessary. I don't think people even thought about it. But I think now it's going to become an ordeal...
This is why we can't have nice things. As you say, such limits weren't necessary - because people in the community weren't assholes. Now, thanks to Kite's abuse, somebody will have to implement a permission system to editor plugins...
If you are looking for the github thread – https://github.com/atom-minimap/minimap/issues/588.
Total biased takeaway [Please read the complete github thread.]:
@jlozano:
> Hi, folks -- Juan from Kite here, thank you for the feedback, we appreciate it.
[...]
> We have decided to leave the feature as opt-out since many users have found it useful. [...]
@abe33
> [...] I've been an employee at Kite for over half a year now and this plugin is now officially maintained by Kite. [...]
I think that the BDFL system works in open source because it's too easy to fork the project. The old BDFL just transferred the power to a new BDFL, but it was not so clear for the community. There is a fork now, so if the situation doesn't improve and the users are unhappy, the Kite team will be the BDFL of an empty project without users.
Benevolent Dictator for Life for anyone else who was wondering.
https://en.wikipedia.org/wiki/Benevolent_dictator_for_life
This is one of the things that makes me think software development, like most other professions, should really have a formal code of ethics. If a lawyer or a construction engineer tried to do something equally dodgy, they would very soon find themselves hauled before a professional authority.
It should be made clear to the employees, management and investors of Kite that this is the sort of thing that marks you as someone willing to engage in unethical and underhanded behaviour. I wouldn't hire any such person into any team I manage, and I suspect quite a few other people wouldn't either. Actions have consequences. Especially unethical actions.
Lawyers do dodgy and unethical things as well, I wouldn't use them as a paragon of ethics.
An argument that explicitly talks about the consequences of unethical behaviour when it happens is not painting anyone as ethical paragons. You are missing the point, I think.
Heh, you know something is seriously f*cked up in industry when lawyers are taken for an ethics compass.
This is called a 'fiduciary duty' and is common in many professions (law, medicine, finance, real estate, clergy, etc)
Here's a great explanation and strategy for applying to software development: https://www.theatlantic.com/technology/archive/2016/10/infor...
I believe that is a self-conflicting proposition, since I believe morality is a subjective "property"
"Subjective" how exactly? There are surely some variations, but if this is about "my wallet has feelings too" morality, that would be all the more reason we'd need an (enforceable) code of ethics.
Things like this are bound to happen, as long as people have to pay their bills and they don't get as much retribution as they would like for their work. If the original authors of the plugins that Kite took over had got a dollar from each user, maybe they would have thought twice before handing over their creations to a company with dubious purposes.
I have been saying it for a long time: we need better and more flexible software markets, and as developers, we should appreciate the work and time of fellow developers and as a matter of principle try to compensate them.
Excellent point and related to Nadia Eghbal's post on the lack of support for open source infrastructure being the internet's biggest blind spot. https://medium.com/@nayafia/how-i-stumbled-upon-the-internet...
> “I apologize in advance that I can't answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”
If you don't have time to deal with controversy, maybe don't take actions that will inevitably lead to it, eh?
Can't wait till someone hacks Kite and exposes some major company's source code. Will be very interesting to watch the legal response to that.
> It is unclear what Kite’s business model is, but it says it uses machine-learning techniques to make coding tools. Its tools are not open source.
I've never heard of such a thing before. Could someone explain how would they use machine learning for building coding tools ?
What Kite supposedly does is crowd-source code by uploading users' code to its server and then aggregating that data to train their ML algorithm. Then they can apply said algorithm on a specific client's code to recommend autocompletion suggestions as you type.
There are plenty of great use-cases for ML in building coding tools, but the shady manner in which Kite imposes itself on Atom users who have these plug-ins installed (which is a large portion of the user-base), leaves a seriously bad taste in your mouth.
The thing is I don't trust this explanation for a second especially as it applies to non-paying customers; they could have just as easily trained a generic ML algorithm on a publicly available data set, like I don't know, the public stuff on github.
Moreover, they could have trained their suggestions to actually be useful before throwing this out there as a feature set they thought people would want to use.
Plus then it'd make sense for people to open up their code, as a "local dictionary" of sorts that could be prioritized over generic suggestions. But at least then it would have had demonstrated value.
How much content are they auto-completing? Seems like this could easily end up with some other organization's proprietary code auto-filling inside your project. This is very dangerous; it's either only auto-completing single standard-library function names, in which case it doesn't need cloud connectivity, or it's auto-completing actual code, which opens up users to IP issues.
They use machine learning to see which code patterns follow other code patterns and then make suggestions based on that. "Oh, I see you've written X. Most people who write X follow it with Y."
However, this requires reading people's code that they upload to their servers. See their privacy policy here: https://kite.com/privacy.
Yes, that's the scary bit that not a single developer will/should agree with. Auto-complete suggestions for `password = ` anybody?
I wonder if it'd be possible to use their service to inject a backdoor in to someone else's code.
We, the open source community, need to respond to this pollution firmly and decisively. Apart from removing the sneaky code put in for these types of purposes, we may need to consider adjusting the licensing to forbid such doing ... the entire open source world needs to unite against this ... it is threatening the future of open source.
Is Facebook part of the "open source community?" I would expect that most people here would say yes, for reasons I will assume are obvious to most readers here. Yet they've built, arguably, the world's second largest (non-governmental) data mining operation on the back of open source software, designed for nothing more than slurping up user data to sell to advertisers. How is that fundamentally any different than what's described here? Because the product is "more" useful to end users? Because its true nature is "more" visible? It's a difference in degree, not kind. If you hate what's been done here, by extension, you should hate the business model of Facebook and Twitter, et al. (I do, and I refuse to participate.) There seems to be a bit of hypocrisy having this sort of outrage on this particular site.
Does React or any of Facebook's OSS libraries have pop-up/modal ads for joining Facebook? Do they contain analytics code?
I agree totally, the license should prevent companies or individuals from adding promotional content and code
The "Kite Effect": when a company implements a marketing strategy that does more to deter potential customers than attract them.
Blows them away in the wrong direction
Whenever I see a screen like this, I just use the "local engine" and make sure I never use the suggested product, ever.
Have fun finding customers Kite...
Aaand into the /etc/hosts kite.com goes. Can anyone paying for their product post their other (AWS?) hosts?
I wonder how the HN ranking algorithm works - even with so much discussion and upvotes/hr this thread has already slipped to #24. I find that awkward!
There's a flamewar detector that demotes threads with more comments than points. More discussion is not an unambiguous positive signal.
It's at #17, a couple hours later, as the number of points is now 700+ and comments is in the 300s.
I was wondering the same thing. Thought the thread got deleted or something.
Time to write Adblock for code editors.
Or just fork the project before ads were added. Or not install the plugin.
Sure. But Electron is basically a browser and given our experience with browsers there's a long list of problems coming for Atom users.
Kite is (was?) apparently expanding to more plugins, and also doing it to existing plugins.
That's not a battle you can win with manual diligence.
For all of you that accidentally sent your BigCorp source to the cloud, are you going to report it to your legal departments?
Autocomplete-python has also been forked because maintainers have stopped responding.
https://atom.io/packages/autocomplete-python-jedi
https://github.com/brennv/autocomplete-python-jedi
https://github.com/autocomplete-python/autocomplete-python/i...
> It is unclear what Kite’s business model is
Their business model is to sell subscriptions to a premium version: https://kite.com/pro#business
While this Kite company seems rather scummy, I think it's a bit disingenuous to frame it as an attack on open source. Actually it's the one thing open source can handle better than anything else: just fork the repo and carry on.
Maybe I'm reading too much into the article but it feels like a weakness in open source is exposed when in fact the real problem would be if those applications were closed and you were stuck with crappy software if you didn't want to switch to a brand new tool. How's Skype doing lately?
Open source is vindicated by these scummy tactics, not undermined.
Those animated squiggly lines under the headlines are some of the most annoying things I've recently seen.
> Although Kite has no business model yet,
This is actually the most ridiculous part of the entire story.
It would be one thing if a corporation was stealing your code and taking over open source projects as part of a detailed plan to make money. That would still be objectionable, but at least there would be a clear motive for these voyeuristic activities.
Apparently, there is no master plan. They're just doing this because they want to be voyeurs and then maybe figure out how to make money off of that somehow later.
Not sure how the Atom plug-in store works: if this were yum / CPAN / pip, I would think there'd be some way to kick these plugins out of the stores and force anyone who really wants it to install manually. I think that's the best way to tackle this kind of deception: fork it, kick it out of the app stores, and make it as difficult as possible for someone to inadvertently download the adware-written version.
A maintainer for amp (atom package manager I guess?) explicitly said they're sitting this one out. The mini-map plugin has been forked and rolled back to the version before the ads popped up.
That's a pity. It is incumbent upon the package manager vendors/curators to watch for this kind of stuff and bring the hammer down when it happens. Apple does it. Google does it. Mozilla does it.
I can guarantee that there are other commercial companies watching how this plays out. If the changes are simply rolled back without any real repercussions, what other malevolent entities will take away from this incident is, "You can inject adware into your acquired FOSS applications, but do so discreetly."
It is somewhat ironic that the community affected is the Atom one, which was supposed to be built by (and for) next-gen cloud-first types who live in the browser. If all data has to live in the cloud, your source code will inevitably get there too - because source code itself is data. Sure, Kite went about it with an anti-pattern, but that makes little difference. Live by the cloud, die by the cloud.
Let's be honest, the real problem here is that Kite's offer is still not good enough. The service they provide at the moment is not worth handing out all your code, unlike with services like GitHub; and their leadership is not seen as smart (or honest) enough to tolerate them taking stewardship of this or that established project - something that happens every day in the OSS world (loads of companies de-facto own this or that OSS project, from RedHat to Google to Ubuntu to IBM, steering as they see fit).
As soon as Kite (or anyone else) can provide a compelling service, people will go to great lengths to use their stuff and give them their code, without any dark pattern being required - ethics be damned.
If someone approved their own PR in our team they would have some explaining to do, approving your own PR in an Open Source project - SMH
In many small projects the owner (or small set of owners) just commits the changes without approval. In some cases one person writes more than 50% of the commits, and it's not practical to get someone to review the code.
In this case abe33 has 75% of the commits, someone else 15% and the rest is a bunch of people with 1% or less.
Once your project gets to a certain level of users or activity, you should still be submitting PRs or MRs for comment before merger.
With our server toolkit in a project I work on, we have 2 devs and 5 active users, with the devs being 2 of those, but we still manage to at least put every change in a PR, with a minimum review and comment time of 24 hours unless it's a security issue or major bug fix.
It's not hard, and it makes you actually justify your change and have talented second eyes point out minor bugs or edge cases to you.
Direct commits are only used for version bumps for the auto build/release thingy.
Dear free software and/or open source zealots:
Please use your skills and spirit to fork both of the projects in question and put one of your known good actors in charge of each.
Either new project leaders are available and will immediately come forward to claim these projects as their own, or we need to change the subject to FLOSS sustainability.
There is a fork[1] that reverted the changes made by Kite.
This is not a question about sustainability as the project was well supported, feature-complete and saw regular releases.
Rather, this questions the consequences of giving companies permission to acquire community efforts. Doing so erodes trust in the Atom ecosystem. If the Atom team is OK with what Kite is doing, then I can expect other companies to follow along, and I'll have to be more cautious when installing plugins in general. It also destroys the incentive of contributing code to Atom plugins, because I don't want to contribute to giving companies control over basic features like a minimap. Why stop at the minimap? StackOverflow might as well hijack CTRL+F, or Heroku might subvert a git plugin.
If we let this become a trend, it will suck for everyone.
[1] https://atom.io/packages/minimap-plus
The consequence of forks is that their desired userbase is now seeing double, and whenever a potential user asks about it someone from the community tells them, "Don't use the one with ads and/or other junk, use this one instead."
If other companies follow along then Atom's ecosystem-- and therefore, Atom-- will suffer as a result.
Regardless, there probably should be more caution when installing plugins.
This is why Open Governance is just as, if not more, important than the actual OSS License. Foundations such as the ASF can protect from these situations https://www.apache.org/foundation/how-it-works.html
It's not clear to me from the article or the comments what it was actually doing.
Looking briefly at kite.com, it looks like they provide a potentially useful tool/service that is kind of an alternative to searching the web for documentation.
What I can't tell is whether what they did was make minimap incorporate results from Kite, so that you were essentially getting the Kite service (or a light version of it) bundled with minimap, or if they were putting ads for the Kite service in minimap, or if they were putting ads for other things in there.
I'm curious as to what the ads looked like. I installed it but can't see them, and the article only includes its own ads for razors, not pictures of the ads it's talking about.
I'd never heard of Kite until today and, following one of the links, ended up at Adam Smith's blog a couple of hours ago. I did no more than read a blog post. Just now I went to check out from my local TortoiseSVN repository and, instead of the usual local address, this was present as the repository URL:
>"http://adamsmith.cc/"
I have no idea how that could have happened.
You probably copied the URL; I think TortoiseSVN puts the content of the clipboard as the repository URL if it's a valid URL.
Yes, you're right! That's a relief, thanks. I feel stupid now for going into complete paranoia mode.
I remember the day Kite was launched. I took a brief look, realized it would be uploading entire codebases of mine to their servers, and said no.
The fact that they have since slipped their stupid product into popular open source tools (probably because it isn't as well received as they thought it would be) is very similar to how some douchebags buy up popular browser extensions, then inject ads or do more nefarious things with them. Utterly distasteful.
This is evil. We need a way to deter activities like this. The public shaming on HN is a good first step but this would be forgotten too quickly. Any ideas?
Honest question: if someone starts a hobby project, open sources it, and later decides to monetize it in some way, is that considered bad form? I can think of many open-sourced projects that are being monetized, e.g. Reddit/GitLab.
I was under the impression that open-sourcing something literally means just making the code publicly available, and doesn't restrict what the owner chooses to do with the project in future.
This is a bit hyperbolic. If the original maintainers of a project are making changes you don't like, just fork it.
That said, if I was already unlikely to trust Kite, I don't want to work with them at all given this behaviour. Betraying the trust of a significant portion of your potential customers is a sure way to be exed from an industry you never capitalized on. Congratulations, Kite.
I think what Kite is doing isn't very smart; their audience is developers, who will usually not put up with stuff like this so easily.
Can't we have laws against software that combines ads with spyware (or user tracking for that matter)?
Not as long as ads/tracking make companies money.
In America, anyway. I still don't understand the lobbying system.
Bottom of the Kite web site I find this tell: "Made with [love emoji] in San Francisco"
Love and avoiding negativity have become the bywords of unaccountability. To foment conflict and then not comment...
For some reason that animated underline makes me feel like I can only read one word per minute.
Merge request to remove Kite in minimap was closed: https://github.com/atom-minimap/minimap/pull/596
As distasteful as ads are, I'm always concerned about an update that introduces malicious behavior in the background. Something like NPM hydra, for example, or those Chrome extensions that have been bought out.
Sounds like a replay of uBlock / uBlock origin. The same solution (forking and rebranding) can apply here. If the original authors sell out to Kite and the license permits it, fork it and fuck them.
I personally want to know why Kite decided to show up uninvited in Atom. I don't want this shit, I don't care about it; if I wanted documentation I'd use Sphinx or Doxygen.
I think the real dark pattern here is the stupid animated scribbles under the section headers.
WTF?! Is this 1997? Why don't you bring back the blink tag while you're at it!
Sigh.
Is there a comprehensive list of Atom extensions that are maintained or used by Kite? Or should I just write off Atom altogether?
We can just fork these tools, and re-release them without the malware Kite is injecting. The licenses are MIT AFAIK.
I wouldn't be surprised if this leads to click-wrap terms of use prior to installing Atom packages.
Two years ago, this would have been called "growth-hacking". What changed?
That sounds Atom plugin specific. Do Atom plugins not run in some sort of Sandbox?
Vim, Emacs, and Sublime would all be similarly vulnerable.
To sandbox them away from the editor contents? I can't think of many of my (Vim) plugins that would work without access to the editor itself.
To sandbox them from network and or disk access.
A sandbox that keeps them from your filesystem, maybe. But not from the editor or network (most of the plugins need them, or rather are based on the idea of using them).
Oh my, just fork it and avoid all the drama.
FFS, "Fork this on GitHub"
Kite is malware. Plain and simple.
So we'll need to have ad-blockers in our editors now? /s
The answer to this should be a resounding "fuck off and don't come back".
Open source is great because it is generally free of this pushy and disingenuous nonsense. Defection over cooperation leads to the detriment of the commons.
We marked this flamewar subthread off topic.
Agreed, these Kite fuckers need to be purged.
Telling them their strategy is unacceptable should be enough.
Do you want to fire up the ovens too? Oh, never mind, I see you're a self-declared "commie feminist", wrong end of the horseshoe, my bad.
Seeing as it was once open source, can't you fork it from that time and get someone to maintain it?
Another endorsement of Open source community: We can see when you try to fool us.
Why is the submission title different than the original one?
No idea. This new title seems vaguer to me. They changed it from 'How kite is undermining the open-source community' to 'How a VC-funded company is undermining the open-source community'. The title is clearer with the name of the company in it.
Edit: In case there is any confusion. The company is Kite. The VC-funded company is Kite. Kite. They are the ones this article is about. Kite.
HN has a policy of using the original title: https://news.ycombinator.com/newsguidelines.html
> In Submissions
[...]
> If the original title begins with a number or number + gratuitous adjective, we'd appreciate it if you'd crop it. E.g. translate "10 Ways To Do X" to "How To Do X," and "14 Amazing Ys" to "Ys." Exception: when the number is meaningful, e.g. "The 5 Platonic Solids."
> Otherwise please use the original title, unless it is misleading or linkbait.
In small, obscure threads the mods sometimes don't notice and you can get away with small changes, like replacing "Photos of Enceladus" with "Photos of Enceladus, moon of Saturn". (But don't try "Amazing photos of Enceladus will blow your mind!!!")
In big, popular, controversial threads the title is almost always reverted to the original title of the article, or the first sentence of the article when the title is too bad.
Psychopaths sometimes have trouble recognizing stuff that is supposed to make them ashamed, i.e. stuff that would reveal their character were it exposed publicly.
Maybe that seems like an over the top comment, and on any individual case, who knows? But I think it explains a good number of these sorts of scandals. Sometimes, the people who get on top are not "ambitious"... sometimes they are actual monsters.
Please don't do the internet psychiatric diagnosis trope on HN. Casually invoking a category like 'psychopath' significantly lowers the signal/noise ratio in a thread, and even if you don't direct it at a specific person, someone else will. Moreover the frame of this article means your comment is insinuating something about someone whether you mean it to or not, and that's beyond gross and into hideous.
Internet threads are like tag-team wrestling: the first guy drags a metal chair into the ring and then the second guy bashes a third guy over the head with it. Keep the chair out of the ring.
We detached this subthread from https://news.ycombinator.com/item?id=14837253 and marked it off-topic.
So by daring to say that this behavior might be caused by someone who is characterized by the worst kind of lack of ethics, I'm in the wrong?
This is a phenomenon that studies show occurs at something like 2-3% in the population at large, but it is more common among CEOs. https://news.ycombinator.com/item?id=7841742 I'll just, you know, stop using it and monitor the potential security hole for the rest of my life.
I really don't think it takes being a psychopath at all. All it takes is convincing yourself that the company's mission is inherently noble, instead of just a way to generate profit. I've seen this many times, where nice, reasonable people convince themselves of the morality of some business decision, without really questioning that all these "moral" decisions also just happen to be the ones that make the most profit.
Studies have shown that psychopaths are, on average, more successful as CEOs than non-psychopaths. This certainly seems like a good example of that (his reaction and behavior with the reporter were perfect!).
In my experience they have meteoric careers that then suddenly crash and burn spectacularly. Unfortunately after a big crash they're usually able to find more fools and repeat the pattern. You'll often see someone whose career looks like a sawtooth wave.
That is a very underrated comment. There is clearly a direct link between psychotic thinking and actions among those who are at the top. The system totally and utterly incentivizes psychotic behavior, even just because there are never serious consequences for anything and only rewards. Just take Amazon or Facebook, for example: not only are their CEOs becoming insanely wealthy by consolidating the whole economy and becoming what is essentially a tech-talitarian regime that controls our governments at all levels even at this point, but between Amazon sending its tentacles into everything and Zuckerberg saying he wants to and is totally replacing the internet with Facebook, we are seeing the emergence of psychopaths that should have been stopped a long time ago.
Here's your chance at "killing Hitler", yet we sit by and cheer Facebook, Google, Amazon, Uber, Tesla, etc. destroying and consolidating the economy under what is a de facto emerging totalitarian regime. They're even controlling speech and propagandizing society with control over what you see and when you see it.
There are those who would argue that foisting systemd onto the Linux community is the quintessential example of "behaving badly".
We detached this subthread from https://news.ycombinator.com/item?id=14837643 and marked it off-topic.
Except Lennart was working on systemd long before he worked at Red Hat and Red Hat has very little control over what he does in systemd. The reason Red Hat has "foisted" systemd is that it solved problems that other init systems hadn't solved (which is why other distributions also adopted it). That doesn't mean it's the best solution by any stretch (I don't like systemd personally) but pretending that it was the same as putting adware into a text editor is quite disgusting. It solved a real problem, and if you have a better alternative you're free to contribute it as another member of the community (in fact, please do).
I work for SUSE, not Red Hat, but I find it incredibly gross that being employed to work on free software is seen as a negative thing by the wider community. I spend every day working and thinking as a community member first, but because I was lucky enough to get a paycheck from a company to do that clearly I must be the enemy.
I toy with Linux but I mostly use OpenBSD. So I'm thankfully not that affected by systemd.
I can completely understand what the OpenBSD init system does. It's a lot harder to fully understand systemd. Plus, as a benefit of systemd, you get headlines like "Don't panic, but Linux's Systemd can be pwned via an evil DNS query"[1].
Red Hat doesn't care if Poettering is a brilliant genius or just a useful idiot. Instead, Red Hat loves systemd for a very different reason: lockin. Most Linux distributions are now utterly dependent on systemd, and by extension dependent on Red Hat.
systemd gives Red Hat far too much control over Linux. They were already the 800 pound gorilla, now they're almost invincible overlords. But go ahead, keep drinking the Kool-Aid.
[1] https://www.theregister.co.uk/2017/06/29/systemd_pwned_by_dn...
There are other distributions.
I see nothing wrong with this. This is why open source is beautiful. If you don't like what some contributor is doing, fork it. Kite can even pull in updates from the main fork. I think this kind of thing happens all the time just not publicly.
They did not pull in the wrong pull request. They bought the project from the developer, either directly, or indirectly through employment.
Why not use this to fund open source? Have a checkbox to disable ads if you really want to give people freedom. I just can't see how open source can compete without enough funds.
After 12 years working at Red Hat, I can assure you that Open Source not only competes, it is actually winning everywhere. And business models exist that are fair to all sides, allowing us to employ a lot of developers and participating in upstream.
Ads are not a solution IMHO, they are a big part of the problem.
> winning everywhere
I like open source as much as the next guy, but I'm pretty sure you have a peculiar definition of "everywhere".
(Or, perhaps "winning".)
> I can assure you that Open Source not only competes, it is actually winning everywhere. And business models exist that are fair to all sides, allowing us to employ a lot of developers and participating in upstream.
It would be great to see not only an assertion but an article that spells this out in some detail.
I think it's fair to say that open source has made inroads everywhere. If I were to tell my 30-years-younger self what the future looks like, I don't think I would have believed myself. Having said that, there are lots of places where open source is having a hard time, in telecom and medical software for instance. I mean, I can set up a SIP server and inspect the Android source code, but there is a long way to go (like actually being able to build and deploy on a piece of commodity hardware in the case of Android). For medical software, just try to get access to the source code for any medical device. You get the thing installed in your body and you can't even look at it.
Like I said, in every place open source has won important battles. The future looks good, but let's not understate the challenges either.
Really? From what I gather from projects like RethinkDB or this:
https://www.influxdata.com/the-open-source-database-business...
open source is a forever struggling business model.
> it is actually winning everywhere
nice try, trump
To me, it looks like Kite miscommunicated but didn't propagate spyware. From what I understand after reading the related issue on GitHub, it did not make any requests to its servers without explicit user permission.
And I think the bigger problem is that 3rd-party plugins are becoming a thing. Now it's all about plugins, installing dozens of plugins that are difficult to audit beforehand. It's like blindly installing software from torrenting sites, but shinier because it has the GitHub stamp on it.
You should really read the GitHub thread AGAIN.
Could you please elaborate? I read the whole thing when I posted this comment: it seems like Kite did not automatically request its servers, and I do think that plugin-mania is the bigger problem here. Installing plugins with no way to audit or restrict their access to the system's capabilities is the problem. They should run in a sandbox. This has even been suggested before [1], but it seems like it has not yet been implemented.
https://github.com/atom/atom/issues/1763