
How a VC-funded company is undermining the open-source community - posnet
https://theoutline.com/post/1953/how-a-vc-funded-company-is-undermining-the-open-source-community
======
RubenSandwich
Look at this clear dark pattern:
[https://outline-prod.imgix.net/20170721-QVaxMDgDwdZ1TBufCdq4...](https://outline-prod.imgix.net/20170721-QVaxMDgDwdZ1TBufCdq4?auto=format&q=60&w=640&s=6daa6b12a3906d3ae21572e1f63c09c0).
(Image taken from the article.) Want to use our service, then only lists
positives. Or these other services, then only list negatives.

If you're reading this Kite. I now have a negative view of your product. We
cannot allow corporations to take over open source tools. Donating is
perfectly fine and encouraged, but the above example is a downright takeover.
If you want another tool then create one, don't take over an existing one and
use the community's trust of that tool to promote your product.

~~~
bfirsh
I fell for this. I enabled it because I was curious about trying new
development tools, only to find out later it uploaded _all of the source code
on my computer_ to their service. What the hell.

It took me months to get through to a human to get them to delete my code,
including two emails to the CEO.

I like the idea, but there is no way I would use it after this experience.

~~~
edraferi
> it uploaded all of the source code on my computer to their service.

That sounds crazy, so I reviewed their privacy policy[0]. It looks like Kite
now requires users to whitelist the directories it indexes and automatically
purges files you remove from the local index.

The Privacy Policy says that:

> When you use our services, we may collect [...] _Any source code files on
> your computer's hard drive that you have explicitly allowed our services to
> access_. To learn how to control access to your source code files, please
> visit our FAQ.

The FAQ[1] says

> Kite only uploads files that:
>
> 1. Have a .py file extension,
> 2. Are children of a whitelisted directory,
> 3. And are not ignored by a .kiteignore file.

That doesn't seem like "any source code file on your computer" to me - unless
it whitelists root by default, which would be a hella dark pattern.

Also, removing a file from the local index _should_ remove it from the server
as well [2]

[0] [https://kite.com/privacy](https://kite.com/privacy)

[1] [http://help.kite.com/category/30-security-privacy](http://help.kite.com/category/30-security-privacy)

[2] [http://help.kite.com/article/10-how-do-i-delete-files-from-k...](http://help.kite.com/article/10-how-do-i-delete-files-from-kite)

~~~
bfirsh
It sounds like they changed something after I signed up. I am not super
paranoid, but I am pretty savvy about privacy and keeping my data safe. There
is no way in hell I would have agreed to upload _all_ of my data to their
service.

I was actually questioning myself when I realised what had happened -- I
thought, "perhaps I just messed up". But after I saw this story about their
other dark patterns, I'm convinced they just deceived me.

~~~
TeMPOraL
Their privacy policy as of 31 of December 2016:

[https://web.archive.org/web/20161231231542/https://kite.com/...](https://web.archive.org/web/20161231231542/https://kite.com/privacy)

Seems similar enough to current version.

------
danso
This situation seems to have the best and worst of open-source. Best, in that
the license of the projects allowed them to be forked without too much effort.
Worst, in that it shows how easy it is for a project to be subverted once the
maintainers are bought (in this case, given a job). It also remains to be seen
if the average Atom user will see the difference between the Kite-branded
(and, currently, more popular) and the forked versions of these plugins.

Besides the open source issues, this tactic seems to reveal a massive
desperation by the Kite folks. There is no way they couldn't have seen how
negative this was going to look once people found out. Their ability to
attract new users through word-of-mouth and organic advertising must have
plateaued. Sneaking their service into a well-used plugin would have given
them a boost in users, maybe enough to attract a new round of funding, but
they must have known it would cause this kind of bad blood. Especially based
on their past reception on HN, which was highly upvoted but in which they
never convincingly answered the concerns about uploading users' source code to
the cloud:

[https://news.ycombinator.com/item?id=11497111](https://news.ycombinator.com/item?id=11497111)

[https://news.ycombinator.com/item?id=13977982](https://news.ycombinator.com/item?id=13977982)

[https://www.reddit.com/r/programming/comments/4erqgq/kite_pr...](https://www.reddit.com/r/programming/comments/4erqgq/kite_programming_copilot/)

~~~
_jal
> this tactic seems to reveal a massive desperation by the Kite folks

That's the weirdest part to me. Who, exactly, thought this was going to go
well? It is hard to be sneaky with open source. And even harder to win back
goodwill after being caught out.

For instance, now that I know, it would take a change of management and
business model before I'd even consider running any of their code, and I'll be
writing a Kite-detector for our code scanning tool this week.

------
rawland
Kudos to @mehcode for the fork [1]! And the author @abe33 for the apology [2]!
I'm thinking, that @abe33 might not be responsible for this, but was "asked"
by his employer (Kite) to do that.

Then, there are alternatives such as sublimetext/vscode, which have the
minimap builtin...

Disclaimer: Not affiliated, I prefer n/vim anyways. This is a copy from my
comment in the issue. Please read @abe33's comment [2] in the issue. This
might explain a thing or two.

\--

[1]: [https://github.com/mehcode/atom-minimap-plus](https://github.com/mehcode/atom-minimap-plus)

[2]: [https://github.com/atom-minimap/minimap/issues/588#issuecomm...](https://github.com/atom-minimap/minimap/issues/588#issuecomment-316523163)

~~~
danso
Thanks for posting abe33's apology, hadn't seen it when I read about this
issue last week. One of the more unnerving things about it was how he made
this change without explanation months ago nor did he explain it now.
It must have been frustrating for him, as the plugin's original developer, to
be dragged through this crap. He ultimately is responsible for his actions,
but I wonder if he knew that subverting his own plugin would be a job
requirement?

~~~
laurent123456
I can't imagine he would sabotage his own project for no reason, so most
likely he got the job or some compensation in exchange for his cooperation and
access to his repository, probably how they got python-autocomplete too.

Otherwise, if they offered the job with no conditions attached he'd be under
no obligation to change his own personal projects for them.

~~~
danso
Yeah, I was wondering if Kite had a deliberate strategy to inject themselves
into popular IDE-plugins, and their hiring plan includes reaching out to such
creators. It's not unthinkable that they would slip in such an obligation
after the contract is signed. I mean, we're talking about a company that
conspired to covertly slip in these dark-pattern ads into mainstream open-
source plugins. Ideally, the minimap creator could have taken a moral stand
and quit, but I imagine his work situation and prospects (being from Europe)
is different than if he were a developer in the Bay Area.

~~~
gfodor
This would actually be a smart and ethical strategy, if the changes were made
in a way that they were opt-in and clear about what they were doing.
Unfortunately it looks like they got greedy, and this is what happens when you
dance the line: much easier to cross it.

~~~
mercer
While I could see how it can be done in a way that isn't outright unethical,
it still strikes me as 'wrong' in the sense that it betrays my expectations of
how open source works and relates to for-profit endeavors.

There's no implementation I can think of where I wouldn't feel icky about
this, even if the 'Kite update' did absolutely nothing without turning it on
explicitly through some setting that I actively have to look for (so no 'would
you like to opt-in' screen at all).

------
danpalmer
I've tried Kite twice now. Once when it first launched, and once again when I
installed autocomplete-python and it persuaded me to give it another go.

So far I have found it utterly unconvincing to the point of near uselessness.
It rarely finds anything intelligent to say about my code, and gives a
significantly worse view of documentation than Dash (for which I have a hotkey
bound for near-instant lookup).

On top of that, I found Kite to use significant resources, there's no way to
inspect what it's uploading so no way to ensure you aren't uploading things
you don't want to, and the second time I tried it the UI was filled with dark
patterns and I found it quite difficult to uninstall (I reverted to just
trashing all the files I could find relating to it).

~~~
bobjordan
I paid I think $79 for a year of Kite-pro and frankly, so far it is pretty
useless. That said, it has permissions and settings to whitelist which folders
on your computer can be indexed. Then, the settings page states that if you
remove the directory from whitelisting then "any directories removed here will
also be removed from Kite servers." Of course, that doesn't mean they will
actually remove previously indexed data. Overall, probably this is a product
that I would not want my dev team to install.

~~~
mercer
I'd ask for your money back. Installing Kite left me with a really bad
aftertaste, but at least I assumed that if I'd bought into it, it would do as
advertised.

------
dessant
This is the minimap fork:

[https://atom.io/packages/minimap-plus](https://atom.io/packages/minimap-plus)

[https://github.com/mehcode/atom-minimap-plus](https://github.com/mehcode/atom-minimap-plus)

It is a featured[1] Atom package, which may point to whom GitHub is endorsing
in this issue, though we could see a more direct response from them regarding
both minimap and autocomplete-python.

After reading sadovnychyi's reaction[2] to the autocomplete engine selection
screenshot, I think forking is also the only remaining step for autocomplete-
python.

[1] [https://atom.io/packages](https://atom.io/packages)

[2] [https://github.com/autocomplete-python/autocomplete-python/i...](https://github.com/autocomplete-python/autocomplete-python/issues/308#issuecomment-316361689)

------
scandox
> “Most users who install autocomplete-python close the engine selection
> prompt, which results in not getting Kite or its benefits”

This type of entrepre-narcissism has to be shut down hard. How deluded does
somebody have to be to imagine that putting a confirm-shaming dialogue in an
open source tool is not Advertising?

~~~
ivanbakel
They're not deluded at all, it's just damage control. If they didn't believe
it was advertising, it wouldn't be in the tool in the first place.

~~~
scandox
Every interaction I have with these kind of guys proves to me that they deep
down believe their own BS and that they are actually blind only to their own
actions. I consider a delusion much more dangerous than a malign stratagem.

------
omginternets
I just uninstalled Kite.

It's a real shame as the service was good, but nothing is good enough to
justify advertisements in my work-space. The fight against distraction is hard
enough as it is without having to think carefully about where I'm clicking due
to dark-pattern UI.

~~~
mlindner
So how was your company okay with you uploading the company code to Kite's
servers?

~~~
sattoshi
He didn't mention using it under a company. I was tempted to use this for
personal projects as I don't care where my code gets uploaded, it's all on
github anyways.

The reviews above made me reconsider.

------
jtokoph
PSA: I removed the whitelisted directory from my local install of Kite and
then uninstalled the application. Logging into
[https://kite.com/settings/files](https://kite.com/settings/files) still shows
my machine and all of the synced files.

I still had to manually purge my machine and files from that page.

If you think your files were removed, check again.

~~~
bfirsh
Extra PSA: I deleted my files from that page a few months ago and they have
now reappeared. (See my other comment.)

I would recommend emailing them to delete your account and data, including
backups and so on.

------
billdybas
It's nice this is getting more response today - my submission yesterday got no
comments.

I almost spit my coffee out when I learned about this (as I'm a minimap user
who had no idea this was going on). Not a fan of these shady practices -
completely breaks the trust between package maintainer and users.

~~~
Dowwie
here, have an upvote -- on me

------
jchw
I think we need a swift and damning response to this. I'd rather have an even
worse walled garden than the Apple 'App Store' than deal with having to worry
about my source code getting stolen to be used by some stupid cloud service. I
don't even want data collection in my text editor; maybe from the vendor it's
acceptable but not N times for each plugin. I now feel compelled to vet the
network usage of any plugin I install.

Thanks, Kite. I'll make sure to remember this in case anyone ever considers
your service.

~~~
meddlepal
Agreed. Also this should be the kind of stuff that gets the founders and
employees blackballed in the industry as well.

Completely morally bankrupt. All of them.

~~~
sneak
I wish our world worked like that, but unfortunately blackballing requires
that the median participants of a group have some sort of moral compass.

I gave up hope for such things after seeing staff, investors, and speculators
tripping over their own dicks to invest in Brendan Eich's latest venture
(Brave) and its ICO, with full knowledge of his revolting and public bigotry
against gay people.

Money trumps morals, it seems.

~~~
gotchange
It's free speech whether you like it or not and I don't think your tactics of
playing hardball with Eich or any other skeptic of gay rights would win him
over to your cause as it foments feelings of resentment and discontent and
likely lead to counter-productive results.

~~~
matt4077
But that's the exact same situation, right?

Kite's business model is just as legal as Eich's free speech money. But people
still think it's wrong, and so they try to find ways to discourage others to
act similarly.

I'm not completely sure if such punishment works, but I'm pretty sure that if
it works for Eich, it will work for Kite, and vice versa.

~~~
mythrwy
It's not the same thing.

Kite's business model is an attack against open source, thus pertinent to tech.

Eich's view on marriage is completely unrelated and attacks on his
professional career for this are abhorrent and juvenile and should be
condemned rather than encouraged. Even if you disagree with Eich's stance
(which for the record I do).

------
cronjobber
Google introduced and normalized the spyware/adware business model. Nothing
but fawning adoration from programmers.

Microsoft copied the model for operating systems. Token resistance from
programmers.

Kite copies the model for programming tools. Too late, programmers.

~~~
mercurysmessage
I'm pretty sure that the only OS that don't have adware/spyware in them at
this point are some Linux distros (maybe) and Unix.

~~~
edem
Or....[maybe not?](https://www.youtube.com/watch?v=7gRsgkdfYJ8)

~~~
mercurysmessage
There are tons of attack vectors that spyware can enter linux through :)

------
vultour
Holy shit that 'apology' is a steaming pile of crap. This guy is actively
subverting not _one_ but _multiple_ open-source projects and he responds with
some pathetic crisis-management sob story and an 'oops, sorry'?

~~~
hibbelig
He did revert the minimap changes. That's more than just saying "sorry".

But I'm waiting for autocomplete-python to be changed, too...

~~~
diegoperini
It may really be a sorry, but also some damage control too.

------
2sk21
Open source is very vulnerable to manipulation. Some years ago, I spent some
time trying to understand the PAM module LDAP module on Linux (PAM is used to
enable external authentication so it's critical code). I found it to be
completely impenetrable. We take such components for granted but if someone
could inject malware into such code, it could be catastrophic.

~~~
wvh
Not to mention it must be trivial for a large and determined adversary to
subvert Debian, Arch or other distributions' packaging process, for example by
getting a "sleeper" rogue developer in there. As someone into security and
using open-source systems exclusively, it would be somewhat embarrassing to
become a security problem yourself that way.

I don't distrust Linux distributions' respective security guidelines; but it
can't be that hard to find a loophole in community-driven system/software
development and the damage would be substantial if a popular Debian package
would have been subverted and have gone out with updates.

~~~
bluejekyll
The same statement could be made about any organization. If you get a sleeper
agent into Apple, Google, Microsoft, whatever... There is a certain amount of
goodwill we rely on in this world.

~~~
raesene6
It's not quite the same thing as, AFAIK, the debian project doesn't have the
same power as an employer does to do background checks before hiring.

There's a significant level of risk around open source projects changing
hands, something which may be invisible to the users of those projects,
especially as they become more heavily used and therefore more tempting
targets for attackers.

~~~
bluejekyll
Employers only have that power because you grant it to them. Of course you
don't have a lot of choice if you want the job.

In theory, Debian or any organization could do the same background check, but
is that the best use of their limited resources? And would they want to do it
anyway given the ideals of the general OSS community?

~~~
raesene6
Sure, my point was companies _do_ do that checking and Debian _doesn't_ do
that checking, so from the perspective of this risk, it would be harder for an
attacker to do this to a large corporate like Microsoft than it would to do it
to an open source project like debian.

------
mercer
Honestly, I feel that at the very least the core team behind Kite should be
held accountable for what they're doing. I'm not arguing in favor of an all-
out witch hunt, but in the context of developers doing their development thing
this kind of behavior should have consequences that potentially might include
'black-listing' at least the higher-level people behind it that thought this
was a good idea.

------
git-pull
In short: A startup is taking control of open source editor plugins relevant
to their product.

I admire their cleverness.

If it were me: I'd create an extension interface for _completion libraries_ to
accept third party plugins. I'd stop at putting third party stuff in by
default. A sufficiently good plugin API for python-autocomplete shouldn't
require it even to know about Kite.

That said, I don't think Kite should be disallowed. If they have a secret
sauce that they think can empower completion plugins, give them an API to
plugin to.

It's not in the spirit of open source to shut the door on proprietary
solutions (IMO). Transparency should be paramount. Normally most Linux users
opt-in to using proprietary/blob software/drivers one way or another anyway.
Open source projects routinely maintain relationships with vendors (NVIDIA,
Intel). It doesn't necessarily mean evil is at work.

Though, as someone who's struggled with the performance and reliability of
completion tools, I don't know if I'd personally opt to outsource that
functionality. I'd wait and see if our current tools get better.

------
numbsafari
So, what prevents any Atom package from being silently taken over and turned
into a private code Hoover? Is there anything in Atom's packaging APIs that
ensures plugins that can read source cannot also access the network without
permission?

~~~
jchw
As far as I know: nothing yet. It hasn't been necessary. I don't think people
even thought about it. But I think now it's going to become an ordeal...

~~~
TeMPOraL
This is why we can't have nice things. As you say, such limits weren't
necessary - because people in the community weren't assholes. Now, thanks to
Kite's abuse, somebody will have to implement a permission system to editor
plugins...

~~~
toyg
Man, where does this crap end? A permission system to click on a menu or type
a character? A permission system to draw windows...?

I think there has to be some responsibility from projects that pack such
plugins, to police their ecosystem. I can understand browsers having security
layers, because they work exclusively with the biggest cesspool of them all
(the internet), but stuff as basic as _a text editor_ should not need
something like that - if it does, something else has gone deeply wrong with
the project.

~~~
jdbernard
Interesting that you use browsers as the example of the other end of the
spectrum. This particular text editor is built on a browser.

~~~
toyg
That's very true - it's also the reason I stay the hell away from it :)

------
bloomca
If you are looking for the github thread –
[https://github.com/atom-minimap/minimap/issues/588](https://github.com/atom-minimap/minimap/issues/588).

~~~
gus_massa
Total biased takeaway [Please read all the github complete thread.]:

@jlozano:

> _Hi, folks -- Juan from Kite here, thank you for the feedback, we appreciate
> it._

[...]

> _We have decided to leave the feature as opt-out since many users have found
> it useful._ [...]

@abe33

> [...] _I've been an employee at Kite for over half a year now and this
> plugin is now officially maintained by Kite._ [...]

I think that the BDFL system works in open source because it's too easy to fork
the project. The old BDFL just transferred the power to a new BDFL, but it was
not so clear for the community. There is a fork now, so if the situation
doesn't improve and the users are unhappy, the Kite team will be the BDFL of
an empty project without users.

~~~
lucb1e
Benevolent Dictator for Life for anyone else who was wondering.

[https://en.wikipedia.org/wiki/Benevolent_dictator_for_life](https://en.wikipedia.org/wiki/Benevolent_dictator_for_life)

------
jlangenauer
This is one of the things that makes me think software development, like most
other professions, should really have a formal code of ethics. If a lawyer or
a construction engineer tried to do something equally dodgy, they would very
soon find themselves hauled before a professional authority.

It should be made clear to the employees, management and investors of Kite
that this is the sort of thing that marks you as someone willing to engage in
unethical and underhanded behaviour. I wouldn't hire any such person into any
team I manage, and I suspect quite a few other people wouldn't either. Actions
have consequences. Especially unethical actions.

~~~
coldcode
Lawyers do dodgy and unethical things as well, I wouldn't use them as a
paragon of ethics.

~~~
JdeBP
An argument that _explicitly talks about the consequences of unethical
behaviour when it happens_ is not painting anyone as ethical paragons. You are
missing the point, I think.

------
dsign
Things like this are bound to happen, as long as people have to pay their
bills and they don't get as much retribution as they would like for their
work. If the original authors of the plugins that Kite took over had got a
dollar from each user, maybe they would have thought it twice before handing
over their creations to a company with dubious purposes.

I have been saying it for a long time: we need better and more flexible
software markets, and as developers, we should appreciate the work and time of
fellow developers and as a matter of principle try to compensate them.

~~~
tkt
Excellent point and related to Nadia Eghbal's post on the lack of support for
open source infrastructure being the internet's biggest blind spot.
[https://medium.com/@nayafia/how-i-stumbled-upon-the-internet...](https://medium.com/@nayafia/how-i-stumbled-upon-the-internet-s-biggest-blind-spot-b9aa23618c58)

------
oxguy3
> “I apologize in advance that I can't answer any further questions,” he
> wrote. “I need to focus on other parts of the business, including continuing
> to improve the product for our users, and conflict like this is always
> doubly distracting.”

If you don't have time to deal with controversy, maybe don't take actions that
will inevitably lead to it, eh?

------
nv-vn
Can't wait till someone hacks Kite and exposes some major company's source
code. Will be very interesting to watch the legal response to that.

------
roadbeats
> It is unclear what Kite’s business model is, but it says it uses machine-
> learning techniques to make coding tools. Its tools are not open source.

I've never heard of such a thing before. Could someone explain how would they
use machine learning for building coding tools?

~~~
matthoward
What Kite supposedly does is crowd-source code by uploading users' code to its
server and then aggregating that data to train their ML algorithm. Then they
can apply said algorithm on a specific client's code to recommend
autocompletion suggestions as you type.

There are plenty of great use-cases for ML in building coding tools, but the
shady manner in which Kite imposes itself on Atom users who have these plug-
ins installed (which is a large portion of the user-base), leaves a seriously
bad taste in your mouth.

~~~
fl0wenol
The thing is I don't trust this explanation for a second especially as it
applies to non-paying customers; they could have just as easily trained a
generic ML algorithm on a publicly available data set, like I don't know, the
public stuff on github.

Moreover, they could have trained their suggestions to actually be useful
before throwing this out there as a feature set they thought people would want
to use.

Plus then it'd make sense for people to open up their code, as a "local
dictionary" of sorts that could be prioritized over generic suggestions. But
at least then it would have had demonstrated value.

------
quantum_state
We, the open source community, need to respond to this pollution firmly and
decisively. Apart from removing the sneaky code put in for these types of
purpose, we may need to consider adjusting the licensing to forbid such doing
... the entire open source world needs to unite against this ... it is
threatening the future of open source.

~~~
TheRealDunkirk
Is Facebook part of the "open source community?" I would expect that most
people here would say yes, for reasons I will assume are obvious to most
readers here. Yet they've built, arguably, the world's second largest (non-
governmental) data mining operation on the back of open source software,
designed for nothing more than slurping up user data to sell to advertisers.
How is that _fundamentally_ any different than what's described here? Because
the product is "more" useful to end users? Because its true nature is "more"
visible? It's a difference in degree, not kind. If you hate what's been done
here, by extension, you should hate the business model of Facebook and
Twitter, et al. (I do, and I refuse to participate.) There seems to be a bit
of hypocrisy having this sort of outrage on this particular site.

~~~
danso
Does React or any of Facebook's OSS libraries have pop-up/modal ads for
joining Facebook? Do they contain analytics code?

~~~
TheRealDunkirk
So that's the difference, here, that exculpates Facebook? That they don't put
their analytics code in PHP or React? Granted, Facebook doesn't put analytics
code in those products, but almost every web programmer in the world happily
embeds Facebook's JS blob/web bug in almost every single site on the planet to
track every single click, by Facebook users or not, which can be tied back to
at least a shadow profile in the mothership. That's cool? If so: Got it.

I can see the distinction you're making, but, IMO, it's splitting hairs.
Either tracking users activity, by the simple act of their use of your
product, is morally acceptable, or it's not. To me, this seems like this exact
same thing.

As Scott McNealy said, "You have no privacy. Get over it." I wish that wasn't
true, but it would seem that every government and company is hell bent on
making it so.

~~~
danso
Is it splitting hairs to point out that many developers use React who also
don't "happily embeds Facebook JS blob/web bug" in their pages? That's the
whole point under discussion here, that the spirit and body of open source is
that software can be transparently built and maintained for the greater good,
and that Kite's quiet, self-serving changes seem to violate what most people
consider standard conduct.

How far do you want to take the sins-of-the-creator argument? Does everyone
who writes or executes JS become an abettor to Brendan Eich's beliefs on same-
sex marriage? How many Internet users are linked to U.S. war actions given
DARPA's large role in creating the Internet?

An argument about whether Facebook and Google are evil is out of scope for
this thread, but pretty much argued daily in various other daily threads. I
think it's possible for people to like corporations _and_ open source, yet
find it disturbing when corporations violate community standards of open
source.

~~~
TheRealDunkirk
> How far do you want to take the sins-of-the-creator argument?

Say wha?... I thought I was being clear. Again, Facebook (and Google, et al.)
have built vast empires on mining people's data in the process of them using
their software. I'm arguing that, if a person is NOT opposed to this, then
they SHOULDN'T be opposed to Kite's or Microsoft's shenanigans with dev tools.
Arguing, "if you don't like what Facebook does, don't use it," is exactly
analogous to, "if you don't like what Kite did, don't use their plugin."

Either we live in the world where trading our privacy and activity is the cost
of using someone else's service or software, or we don't. But, clearly, we do.
Arguing against this particular infraction is trying to unring a bell.

"Sins of the creator?..." I swear, sometimes, it's just not worth chewing
through the straps in the morning.

~~~
danso
OK, it seems like you have a different interpretation of the OP article than I
do. You seem to think that people are bothered because a Kite-plugin uses and
advertises Kite services. However, that is not the main point of contention.
The problem is that a popular plugin that was not previously affiliated with
Kite came under Kite's control. Kite analytics/advertisements were then
surreptitiously added to the plugins.

When Kite's alteration to the plugins came to light, people took umbrage and
stopped using the Kite-controlled version of the plugin. Problem mostly
solved, but that doesn't mean people can't continue to criticize Kite for its
actions.

If Facebook, which is the official maintainer of React, were to add a line of
code that caused all React implementations to add a Facebook button to their
webpages, I would bet good money that everyone criticizing Kite here would be
ripping on Facebook.

------
jdenning
The "Kite Effect": when a company implements a marketing strategy that does
more to deter potential customers than attract them.

~~~
tanepiper
Blows them away in the wrong direction

------
roesel
Whenever I see a screen like this, I just use the "local engine" and make sure
I never use the suggested product, ever.

Have fun finding customers Kite...

------
bauerd
Aaand into the /etc/hosts kite.com goes. Can anyone paying for their product
post their other (AWS?) hosts?

------
deepakkarki
I wonder how the HN ranking algorithm works - even with so much discussion and
upvotes/hr this thread has already slipped to #24. I find that awkward!

~~~
nostrademons
There's a flamewar detector that demotes threads with more comments than
points. More discussion is not an unambiguous positive signal.

It's at #17, a couple hours later, as the number of points is now 700+ and
comments is in the 300s.

------
tangue
Time to write Adblock for code editors.

~~~
Cthulhu_
Or just fork the project before ads were added. Or not install the plugin.

~~~
avaer
Kite is (was?) apparently expanding to more plugins, and also doing it to
existing plugins.

That's not a battle you can win with manual diligence.

~~~
StavrosK
It's a battle you can win with forking and shunning any plugins they take
over. That will show developers that injecting Kite into your popular project
leads to it becoming very unpopular, very quickly.

~~~
camiller
Is there a reliable way to search github for projects that are managed by
Kite? Looks like it is only mentioned in the readme, and it would be simple
for kite to simply not put in references to kite.

~~~
StavrosK
Can't you do a code search for libraries or server names or something like
that?

~~~
camiller
Probably, but it could be an on-going fight as server names or even library
names could change over time. I guess in the long run it will become like any
other virus/malware scanning.

------
softawre
For all of you that accidentally sent your BigCorp source to the cloud, are
you going to report it to your legal departments?

------
dessant
Autocomplete-python has also been forked because maintainers have stopped
responding.

[https://atom.io/packages/autocomplete-python-jedi](https://atom.io/packages/autocomplete-python-jedi)

[https://github.com/brennv/autocomplete-python-jedi](https://github.com/brennv/autocomplete-python-jedi)

[https://github.com/autocomplete-python/autocomplete-
python/i...](https://github.com/autocomplete-python/autocomplete-
python/issues/308)

------
sebleon
> It is unclear what Kite’s business model is

Their business model is to sell subscriptions to a premium version:
[https://kite.com/pro#business](https://kite.com/pro#business)

------
simias
While this Kite company seems rather scummy, I think it's a bit disingenuous
to frame it as an attack on open source. Actually it's the one thing open
source can handle better than anything else: just fork the repo and carry on.

Maybe I'm reading too much into the article but it feels like a weakness in
open source is exposed when in fact the real problem would be if those
applications were closed and you were stuck with crappy software if you didn't
want to switch to a brand new tool. How's Skype doing lately?

Open source is vindicated by these scummy tactics, not undermined.

------
aerique
Those animated squiggly lines under the headlines are some of the most
annoying things I've recently seen.

------
thehardsphere
> Although Kite has no business model yet,

This is actually the most ridiculous part of the entire story.

It would be one thing if a corporation was stealing your code and taking over
open source projects as part of a detailed plan to make money. That would
still be objectionable, but at least there would be a clear motive for these
voyeuristic activities.

Apparently, there is no master plan. They're just doing this because they want
to be voyeurs and then maybe figure out how to make money off of that somehow
later.

------
AdmiralAsshat
Not sure how the Atom plug-in store works: if this were yum / CPAN / pip, I
would think there'd be some way to kick these plugins out of the stores and
force anyone who really wants it to install manually. I think that's the best
way to tackle this kind of deception: fork it, kick it out of the app stores,
and make it difficult as possible for someone to inadvertently download the
adware-written version.

~~~
andreareina
A maintainer for amp (atom package manager I guess?) explicitly said they're
sitting this one out. The mini-map plugin has been forked and rolled back to
the version before the ads popped up.

~~~
AdmiralAsshat
That's a pity. It is incumbent upon the package manager vendors/curators to
watch for this kind of stuff and bring the hammer down when it happens. Apple
does it. Google does it. Mozilla does it.

I can guarantee that there are other commercial companies watching how this
plays out. If the changes are simply rolled back without any real
repercussions, what other malevolent entities will take away from this
incident is, "You can inject adware into your acquired FOSS applications, but
do so discreetly."

------
toyg
It is somewhat ironic that the community affected is the Atom one, which was
supposed to be built by (and for) next-gen cloud-first types who live in the
browser. If all data has to live in the cloud, your source code will
inevitably get there too - because source code itself _is data_. Sure, Kite
went about it with an anti-pattern, but that makes little difference. Live by
the cloud, die by the cloud.

Let's be honest, the real problem here is that Kite's offer is still not good
enough. The service they provide at the moment is not worth handing out all
your code, unlike with services like GitHub; and their leadership is not seen
as smart (or honest) enough to tolerate them taking stewardship of this or
that established project - something that happens every day in the OSS world
(loads of companies de-facto own this or that OSS project, from RedHat to
Google to Ubuntu to IBM, steering as they see fit).

As soon as Kite (or anyone else) can provide a compelling service, people will
go to great lengths to use their stuff and give them their code, without any
dark pattern being required - ethics be damned.

------
codepilot
If someone approved their own PR in our team they would have some explaining
to do, approving your own PR in an Open Source project - SMH

~~~
gus_massa
In many small projects the owner (or a small set of owners) just commits the
changes without approval. In some cases one person writes more than 50% of
the commits, and it's not practical to get someone to review the code.

In this case abe33 has the 75% of the commits, someone else 15% and the rest
is a bunch of people with 1% or less.

~~~
MrStonedOne
Once your project gets to a certain level of users or activity, you should
still be submitting PRs or MRs for comment before merger.

With our server toolkit in a project I work on, we have 2 devs and 5 active
users, with the devs being 2 of those, but we still manage to at least put
every change in a PR, with a minimum review and comment time of 24 hours
unless it's a security issue or major bug fix.

It's not hard, and it makes you actually justify your change and have talented
second eyes point out minor bugs or edge cases to you.

Direct commits are only used for version bumps for the auto build/release
thingy.

~~~
gus_massa
Your method may be better, but there are a lot of small and medium projects in
the wild that don't follow it.

------
jancsika
Dear free software and/or open source zealots:

Please use your skills and spirit to _fork_ both of the projects in question
and put one of your known good actors in charge of each.

Either new project leaders are available and will immediately come forward to
claim these projects as their own, or we need to change the subject to FLOSS
sustainability.

~~~
bauerd
There is a fork[1] that reverted the changes made by Kite.

This is not a question about sustainability as the project was well supported,
feature-complete and saw regular releases.

Rather, this questions the consequences of giving companies permission to
acquire community efforts. Doing so erodes trust in the Atom ecosystem. If the
Atom team is OK with what Kite is doing, then I can expect other companies to
follow along, and I'll have to be more cautious when installing plugins in
general. It also destroys the incentive of contributing code to Atom plugins,
because I don't want to contribute to giving companies control over basic
features like a _minimap_. Why stop at the minimap? StackOverflow might as
well hijack CTRL+F, or Heroku might subvert a git plugin.

If we let this become a trend, it will suck for everyone.

[1] [https://atom.io/packages/minimap-plus](https://atom.io/packages/minimap-plus)

~~~
jancsika
The consequence of forks is that their desired userbase is now seeing double,
and whenever a potential user asks about it someone from the community tells
them, "Don't use the one with ads and/or other junk, use _this_ one instead."

If other companies follow along then Atom's ecosystem-- and therefore, Atom--
will suffer as a result.

Regardless, there probably should be more caution when installing plugins.

~~~
bauerd
Yes, I agree, forks are another bad consequence and usually undesirable
(though there are exceptions, e.g. it worked for the Node.js community). Had
Kite not subverted the plugin, there wouldn't be a need for a fork.

------
random3
This is why Open Governance is just as if not more important than the actual
OSS License. Foundations such as the ASF can protect from these situations
[https://www.apache.org/foundation/how-it-works.html](https://www.apache.org/foundation/how-it-works.html)

------
tzs
It's not clear to me from the article or the comments what it was actually
doing.

Looking briefly at kite.com, it looks like they provide a potentially useful
tool/service that is kind of an alternative to searching the web for
documentation.

What I can't tell is whether what they did was make minimap incorporate
results from Kite, so that you were essentially getting the Kite service (or a
light version of it) bundled with minimap, or if they were putting ads for the
Kite service in minimap, or if they were putting ads for other things in
there.

------
intoverflow2
I'm curious to what the ads looked like? I installed it but can't see them and
the article only includes its own ads for razors not pictures of the ads it's
talking about.

------
barking
I'd never heard of Kite until today, and following one of the links I ended up
at Adam Smith's blog a couple of hours ago. I did no more than read a blog
post. Just now I went to check out from my local tortoisesvn repository and
instead of the usual local address this was present as the repository url:

> "[http://adamsmith.cc/](http://adamsmith.cc/)"

I have no idea how that could have happened.

~~~
yvesmh
You probably copied the url, I think tortoisesvn puts the content of the
clipboard as repository url if it's a valid url.

~~~
barking
Yes you're right! That's a relief, thanks. I feel stupid now for going into
complete paranoia mode.

------
oefrha
I remember the day Kite was launched. I took a brief look, realized it would
be uploading entire codebases of mine to their servers, and said no.

The fact that they have since slipped their stupid product into popular open
source tools (probably because it isn't as well received as they thought it
would be) is very similar to how some douchebags buy up popular browser
extensions, then inject ads or do more nefarious things with them. Utterly
distasteful.

------
dabei
This is evil. We need a way to deter activities like this. The public shaming
on HN is a good first step but this would be forgotten too quickly. Any ideas?

------
whack
Honest question: if someone starts a hobby project, open sources it, and later
decides to monetize it in some way, is that considered bad form? I can think
of many open-sourced projects that are being monetized - eg Reddit/GitLab.

I was under the impression that open-sourcing something literally means just
making the code publicly available, and doesn't restrict what the owner
chooses to do with the project in future.

------
microcolonel
This is a bit hyperbolic. If the original maintainers of a project are making
changes you don't like, just fork it.

That said, if I was already unlikely to trust Kite, I don't want to work with
them at all given this behaviour. Betraying the trust of a significant portion
of your potential customers is a sure way to be exed from an industry you
never capitalized on. Congratulations, Kite.

------
kayoone
I think what Kite is doing isn't very smart, their audience are developers who
will usually not put up with stuff like this so easily.

------
amelius
Can't we have laws against software that combines ads with spyware (or user
tracking for that matter)?

~~~
water42
Not as long as ads/tracking make companies money

~~~
lucb1e
In America, anyway. I still don't understand the lobbying system.

------
bluepeter
Bottom of the Kite web site I find this tell: "Made with [love emoji] in San
Francisco"

~~~
solidsnack9000

        Smith also said that most of the negative reaction
        was due to confusion around what the tools actually
        do. (Connor pointed out that it’s not possible to
        review what Kite does, since it itself is not open
        source.) Then he blew this reporter off. “I apologize
        in advance that I can't answer any further questions,”
        he wrote. “I need to focus on other parts of the
        business, including continuing to improve the product
        for our users, and conflict like this is always doubly
        distracting.”
    

Love and avoiding negativity have become the bywords of unaccountability. To
foment conflict and then not comment...

------
sdwisely
For some reason that animated underline makes me feel like I can only read one
word per minute.

------
DrFukushima
Merge request to remove Kite in minimap was closed:
[https://github.com/atom-minimap/minimap/pull/596](https://github.com/atom-minimap/minimap/pull/596)

------
mattbierner
As distasteful as ads are, I'm always concerned about an update that
introduces malicious behavior in the background. Something like NPM hydra for
example, or those Chrome extensions that have been bought out

------
mnm1
Sounds like a replay of uBlock / uBlock origin. The same solution (forking and
rebranding) can apply here. If the original authors sell out to Kite and the
license permits it, fork it and fuck them.

------
thrillgore
I personally want to know why Kite decided to show up uninvited in Atom. I
don't want this shit, I don't care about it, if I wanted documentation I'd use
Sphinx or Doxygen.

------
daotoad
I think the real dark pattern here is the stupid animated scribbles under the
section headers.

WTF?! Is this 1997? Why don't you bring back the blink tag while you're at it!

Sigh.

------
thrillgore
Is there a comprehensive list of Atom extensions that are maintained or used
by Kite? Or should I just write off Atom altogether?

------
edem
We can just fork these tools, and re-release them without the malware Kite is
injecting. The licenses are MIT AFAIK.

------
Dowwie
I wouldn't be surprised if this leads to click-wrap terms of use prior to
installing Atom packages..

------
mfringel
Two years ago, this would have been called "growth-hacking". What changed?

------
fh973
That sounds Atom plugin specific. Do Atom plugins not run in some sort of
Sandbox?

~~~
proaralyst
To sandbox them away from the editor contents? I can't think of many of my
(Vim) plugins that would work without access to the editor itself.

~~~
fh973
To sandbox them from network and or disk access.

~~~
striking
No, they're executable code with full access, just like in basically any other
editor.

------
rurban
Oh my, just fork it and avoid all the drama.

------
CodeWriter23
FFS, "Fork this on Github"

------
mychael
Kite is malware. Plain and simple.

------
trymas
so we'll need to have ad-blockers in our editors now? /s

------
tnone
The answer to this should be a resounding "fuck off and don't come back".

Open source is great because it is generally free of this pushy and
disingenuous nonsense. Defection over cooperation leads to the detriment of
the commons.

~~~
sctb
We marked this flamewar subthread off topic.

------
jwilk
Why is the submission title different than the original one?

~~~
RubenSandwich
No idea. This new title seems vaguer to me. They changed it from 'How kite is
undermining the open-source community' to 'How a VC-funded company is
undermining the open-source community'. The title is clearer with the name of
the company in it.

Edit: In case there is any confusion. The company is Kite. The VC-funded
company is Kite. Kite. They are the ones this article is about. Kite.

------
threepipeproblm
Psychopaths sometimes have trouble recognizing stuff that is supposed to make
them ashamed, i.e. stuff that would reveal their character were it exposed
publicly.

Maybe that seems like an over the top comment, and on any individual case, who
knows? But I think it explains a good number of these sorts of scandals.
Sometimes, the people who get on top are not "ambitious"... sometimes they are
actual monsters.

~~~
dang
Please don't do the internet psychiatric diagnosis trope on HN. Casually
invoking a category like 'psychopath' significantly lowers the signal/noise
ratio in a thread, and even if you don't direct it at a specific person,
someone else will. Moreover the frame of this article means your comment is
insinuating something about someone whether you mean it to or not, and that's
beyond gross and into hideous.

Internet threads are like tag-team wrestling: the first guy drags a metal
chair into the ring and then the second guy bashes a third guy over the head
with it. Keep the chair out of the ring.

We detached this subthread from
[https://news.ycombinator.com/item?id=14837253](https://news.ycombinator.com/item?id=14837253)
and marked it off-topic.

~~~
threepipeproblm
So by daring to say that this behavior _might_ be caused by someone who is
characterized by the worst kind of lack of ethics, I'm in the wrong?

This is a phenomenon that studies show occurs at something like 2-3% in the
population at large... but more common among CEO's.
[https://www.theguardian.com/technology/2017/mar/15/silicon-v...](https://www.theguardian.com/technology/2017/mar/15/silicon-
valley-psychopath-ceo-sxsw-panel) Interesting how you ban my argument because
I don't have a credential (do you even know which logical fallacy that is?)
but when an article in which experts take the same opinion, HN bans it with a
different excuse.

Do you think that, just perhaps, this could have an effect on the amount of
abuse of people by some companies, that we see day-to-day? Especially when it
seems to go to an absurd point, as in this case?

It doesn't require a degree to detect people who are willing to treat those
around without scruple, as long as they're not exposed. It's a fairly simple
definition and these people disproportionately cause abuse... so censoring
mention of this, or suggesting that a degree is needed to even _contemplate_
recognizing this sort of bad actor, means you are acting to ensure people are
ignorant about it, to their potential harm. I hope you never encounter one of
these people close up, dang.

I'm not all that surprised that HN's despicable form of soft-censorship was
used here... as I realize the statement I made was sort of controversial. But
I'm looking forward to more people realizing how rotten you guys have become
at censorship, at which point the interesting conversation will finally move
elsewhere. Unfortunately, you can't keep doing it with such a heavy hand and
have people not catch on, over the long term.

In fact, the level of censorship has gotten so high here (or I have finally
noticed how bad it is) that I don't want to participate anymore. Maybe this is
a marginal case, but I've realized you guys are just rotten overall. I don't
really think it's ethical to participate in a form that's so dramatically
manipulated, especially so often in the direction of SV companies. I'm going
to kill my account, if that's possible.

Or, since it looks like HN is too arrogant to implement this feature
[https://news.ycombinator.com/item?id=7841742](https://news.ycombinator.com/item?id=7841742)
I'll just, you know, stop using it and monitor the potential security hole
_for the rest of my life_.

------
PhantomGremlin
There are those who would argue that foisting systemd onto the Linux community
is the quintessential example of "behaving badly".

~~~
cyphar
Except Lennart was working on systemd long before he worked at Red Hat and Red
Hat has very little control over what he does in systemd. The reason Red Hat
has "foisted" systemd is that it solved problems that other init systems
hadn't solved (which is why other distributions also adopted it). That doesn't
mean it's the best solution by any stretch (I don't like systemd personally)
but pretending that it was the same as putting adware into a text editor is
quite disgusting. It solved a real problem, and if you have a better
alternative you're free to contribute it as another member of the community
(in fact, please do).

I work for SUSE, not Red Hat, but I find it incredibly gross that being
employed to work on free software is seen as a negative thing by the wider
community. I spend every day working and thinking as a community member
_first_, but because I was lucky enough to get a paycheck from a company to
do that clearly I must be the enemy.

~~~
PhantomGremlin
I toy with Linux but I mostly use OpenBSD. So I'm thankfully not that affected
by systemd.

I can completely understand what the OpenBSD init system does. It's a lot
harder to fully understand systemd. Plus, as a benefit of systemd, you get
headlines like "_Don't panic, but Linux's Systemd can be pwned via an evil
DNS query_"[1].

Red Hat doesn't care if Poettering is a brilliant genius or just a useful
idiot. Instead, Red Hat loves systemd for a very different reason: lockin.
Most Linux distributions are now utterly dependent on systemd, and by
extension dependent on Red Hat.

systemd gives Red Hat far too much control over Linux. They were already the
800 pound gorilla, now they're almost invincible overlords. But go ahead, keep
drinking the Kool-Aid.

[1]
[https://www.theregister.co.uk/2017/06/29/systemd_pwned_by_dn...](https://www.theregister.co.uk/2017/06/29/systemd_pwned_by_dns_query/)

~~~
cyphar
It's quite clear that you didn't read my original message. I explicitly said
that I don't like systemd (for some of the less inflammatory reasons you've
mentioned), so I've not "drunk the Kool-Aid".

Red Hat conspiracy theories are quite interesting, but you might want to
provide evidence for the claim that a unified init system somehow locks people
into Red Hat. You do realise that you can have the exact same .service file
work on RHEL just as well as it works on openSUSE or Debian? I will reiterate
that I don't like systemd by any stretch of the imagination, but a unified
init system makes life so much simpler for any user.

Rather than bashing systemd, the community should be working on alternatives.
GNU Shepherd is a viable alternative, maybe we should work on that rather than
sitting around complaining about what systemd is doing.

~~~
PhantomGremlin
_It's quite clear that you didn't read my original message._

I did read your original message. Whether or not you personally like systemd
or whether or not SUSE likes systemd, it nevertheless is in openSUSE. I don't
know enough about SUSE to know if you have any other distributions that don't
have systemd.

Why is systemd in openSUSE? How was that decision made? If I were in the
leadership of SUSE, I would hate being so dependent on key software that is
essentially controlled by my largest competitor.

At this point systemd has become the entrenched incumbent. So "alternatives"
are mostly wishful thinking. For people to switch away from systemd, they
would need to be convinced that something like GNU Shepherd wasn't just equal,
but was significantly better. That seems unlikely to happen anytime soon.

People aren't directly locked into Red Hat, but they sure are locked into a
very key piece of software controlled by Red Hat.

This state of affairs has to hurt SUSE. When selecting a distribution, why
wouldn't businesses buy from companies as far "upstream" as possible? Why buy
software from SUSE if key pieces come from Red Hat? Why not just buy from Red
Hat directly?

~~~
cyphar
> Why is systemd in openSUSE? How was that decision made? If I were in the
> leadership of SUSE

That decision was made by the _openSUSE community_. _openSUSE is not owned by
SUSE in any sense_, the community is run by the users and developers of the
distribution. There is a board that is elected by the community (and no single
company can have >50% of the board seats), but its role is more dealing with
conflicts than anything else.

openSUSE chose to use systemd because some people stepped up and did the
necessary work to support systemd. And yes, people still complain about it,
but the key point is that nobody has put work into replacing it. There is no
reason that openSUSE couldn't support running everything without systemd --
nobody would stop you from doing that work -- but in our community the people
who make such decisions are the people who do the work.

> I would hate being so dependent on key software that is essentially
> controlled by my largest competitor.

Ha-ha, it appears as though you don't understand how free software development
works in this context. While Red Hat is a competitor to us, we work with them
on their upstream projects just as they work with us on our upstream projects.
I spend a large part of my day collaborating with my counterparts at Red Hat.
Hell, I'm a co-maintainer with several folks from Red Hat and I contribute to
their projects in my free time.

If a customer doesn't like us, they can go to Red Hat. If they don't like Red
Hat, they can come to us. If they don't like either they can go to Canonical
or wherever else. Hell, we even provide support for migrating to SUSE from Red
Hat (and I believe they have the inverse). The benefit of building everything
on free software is that you _don't have vendor lockin_, and systems like
this really do "just work".

> For people to switch away from systemd, they would need to be convinced that
> something like GNU Shepherd wasn't just equal, but was significantly better.
> That seems unlikely to happen anytime soon.

So you agree that systemd solves problems that are not solved by other
systems? Then I don't understand what you're arguing for -- should we
intentionally ship software that doesn't solve user problems? Or wait for the
community to decide on the best way to move forward before we ship a release
(hint: those arguments will never end)?

If you want to get people to switch you need to have an alternative, it's as
simple as that.

> This state of affairs has to hurt SUSE.

That's kind of like saying that because 'shadow' is developed by Debian it
must hurt Red Hat. Or because Apache is developed by the Apache Foundation
that must hurt Canonical. It's a nonsensical argument, that's not how free
software works.

> When selecting a distribution, why wouldn't businesses buy from companies as
> far "upstream" as possible? Why buy software from SUSE if key pieces come
> from Red Hat? Why not just buy from Red Hat directly?

First of all, Red Hat uses many pieces of our software as well, this is a
symbiotic relationship. Red Hat is not the only player (in fact we were around
before them). Their new dnf package manager uses our libsolv RPM solver
implementation. They are using openQA to perform testing of Fedora. kGraft and
kSplice were merged upstream thanks to being able to compare the two
approaches and come to a solid decision. There are many such examples.

But to answer your question, it's because we sell different systems with
different opinions on how to do things. I'm not going to give you the
marketing pitch (I'm an engineer), but we have plenty of really interesting
technology that we ship in our products that Red Hat chose not to use (and
vice-versa). SUSE and Red Hat both sell operating systems, but they are very
clearly distinct and potential customers are given a choice with who they want
to do business with.

~~~
PhantomGremlin
_Ha-ha, it appears as though you don't understand how free software
development works in this context. While Red Hat is a competitor to us, we
work with them on their upstream projects just as they work with us on our
upstream projects._

Thanks for providing such a detailed write up. I hope that knowing a little
about how "frenemies" work together is also of interest to others on HN.

Maybe Red Hat and SUSE will coexist happily well into the future. But you're
both public companies, and you each owe certain duties to your shareholders.

In the software world the archetypical example of companies collaborating is
Microsoft and (... any of dozens of companies go here ...). It seems that
never ended well for anyone but Microsoft.

But perhaps the nature of open source / free software fundamentally changes
this dynamic of collaborating with the dominant player in an industry.

------
waynenilsen
I see nothing wrong with this. This is why open source is beautiful. If you
don't like what some contributor is doing, fork it. Kite can even pull in
updates from the main fork. I think this kind of thing happens all the time
just not publicly.

~~~
lucb1e
They did not pull in the wrong pull request. They bought the project from the
developer, either directly, or indirectly through employment.

------
GoToRO
Why not use this to fund open source? Have a checkbox to disable ads if you
really want to give people freedom. I just can't see how open source can
compete without enough funds.

~~~
jwildeboer
After 12 years working at Red Hat, I can assure you that Open Source not only
competes, it is actually winning everywhere. And business models exist that
are fair to all sides, allowing us to employ a lot of developers and
participating in upstream.

Ads are not a solution IMHO, they are a big part of the problem.

~~~
jacquesm
> I can assure you that Open Source not only competes, it is actually winning
> everywhere. And business models exist that are fair to all sides, allowing
> us to employ a lot of developers and participating in upstream.

It would be great to see not only an assertion but an article that spells this
out in some detail.

~~~
vultour
Why would you need an article? Most large tech companies share their
infrastructure on their tech blogs, and most often it's completely composed of
open-source software (e.g. Kafka, Nginx, Storm, Postgres, Redis, other Apache
products, etc.).

~~~
jacquesm
This discussion goes well beyond infrastructure.

------
conradk
To me, it looks like Kite miscommunicated but didn't propagate spyware. From
what I understand after reading the related issue on Github, it did not do any
requests to its servers without explicit user permission.

And I think the bigger problem is that 3rd party plugins are becoming a thing.
Now, it's all about plugins, installing dozens of plugins that are difficult
to audit beforehand. It's like blindly installing software from torrenting
sites, but shinier because it has the Github stamp on it.

~~~
codegladiator
You should really read the github thread AGAIN.

~~~
conradk
Could you please elaborate? I read the whole thing when I posted this
comment: it seems like Kite did not automatically request its servers and I do
think that plugin-mania is the bigger problem here. Installing plugins with no
way to audit or restrict their access to the system capabilities is the
problem. They should run in a sandbox. This has even been suggested before [1]
but it seems like it has not yet been implemented.

[https://github.com/atom/atom/issues/1763](https://github.com/atom/atom/issues/1763)

