If you're reading this Kite. I now have a negative view of your product. We cannot allow corporations to take over open source tools. Donating is perfectly fine and encouraged, but the above example is a downright takeover. If you want another tool then create one, don't take over an existing one and use the community's trust of that tool to promote your product.
I fell for this. I enabled it because I was curious about trying new development tools, only to find out later it uploaded all of the source code on my computer to their service. What the hell.
It took me months to get through to a human to get them to delete my code, including two emails to the CEO.
I like the idea, but there is no way I would use it after this experience.
WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not. If corporate software monitors catch this happening, it's pink slip in many places. I just can't believe anyone would play with developers this way. What a cruel company.
> WTF, this could get people fired. Many companies do not discriminate whether an employee has uploaded code to a third party server intentionally or not.
That is why developers should be very careful what applications they install on the corporate computer and what cloud services they use.
> it uploaded all of the source code on my computer to their service.
That sounds crazy, so I reviewed their privacy policy[0]. It looks like Kite now requires users to whitelist the directories it indexes and automatically purges files you remove from the local index.
The Privacy Policy says that:
> When you use our services, we may collect [...] Any source code files on your computer's hard drive that you have explicitly allowed our services to access. To learn how to control access to your source code files, please visit our FAQ.
The FAQ[1] says
> Kite only uploads files that:
>
> 1. Have a .py file extension,
> 2. Are children of a whitelisted directory,
> 3. And are not ignored by a .kiteignore file.
That doesn't seem like "any source code file on your computer" to me - unless it whitelists root by default, which would be a hella dark pattern.
Also, removing a file from the local index should remove it from the server as well [2]
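Not part of the thread: an added example (not Kite's code) that applies the three FAQ conditions quoted above to a directory before it is whitelisted, and flags eligible files that appear to hold hard-coded credentials. The `.kiteignore` syntax is not given on this page, so one glob per line at the whitelisted directory's root is an assumption, as are all function names and the constructed sample tree.

```python
"""Dry run of the three upload conditions quoted from the FAQ (added example)."""
import fnmatch
import os
import re
import tempfile

# Heuristic for hard-coded credentials; tune it for your own code base.
SECRET_RE = re.compile(
    r"(?i)(api[_-]?key|secret|passw(?:or)?d|token)\w*\s*=\s*['\"][^'\"]{8,}['\"]"
)


def load_ignore_patterns(root):
    """Read <root>/.kiteignore. ASSUMPTION: one glob per line, '#' for comments."""
    path = os.path.join(root, ".kiteignore")
    if not os.path.isfile(path):
        return []
    with open(path, encoding="utf-8") as fh:
        lines = (ln.strip() for ln in fh)
        return [ln for ln in lines if ln and not ln.startswith("#")]


def is_ignored(rel_path, patterns):
    """True if the path, its basename, or any parent directory matches a pattern."""
    rel = rel_path.replace(os.sep, "/")
    parts = rel.split("/")
    candidates = [rel, parts[-1]]
    candidates += ["/".join(parts[:i]) for i in range(1, len(parts))]
    for pat in patterns:
        pat = pat.rstrip("/")
        if any(fnmatch.fnmatch(c, pat) for c in candidates):
            return True
    return False


def eligible_files(whitelisted_dir):
    """Yield (relative, absolute) paths that meet all three FAQ conditions."""
    patterns = load_ignore_patterns(whitelisted_dir)
    # Condition 2: only children of the whitelisted directory are walked.
    for dirpath, _dirs, files in os.walk(whitelisted_dir):
        for name in sorted(files):
            if not name.endswith(".py"):      # condition 1: .py extension
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, whitelisted_dir)
            if is_ignored(rel, patterns):     # condition 3: .kiteignore
                continue
            yield rel.replace(os.sep, "/"), full


def audit(whitelisted_dir):
    """Map each eligible file to True if it looks like it contains a secret."""
    report = {}
    for rel, full in eligible_files(whitelisted_dir):
        with open(full, encoding="utf-8", errors="replace") as fh:
            report[rel] = bool(SECRET_RE.search(fh.read()))
    return report


def demo():
    """Build a constructed tree and audit its 'app' directory."""
    files = {
        "app/main.py": "print('hello')\n",
        "app/config/creds.py": 'DB_PASSWORD = "constructed-not-real"\n',
        "app/notes.txt": 'API_KEY = "constructed-not-real"\n',   # not .py
        "app/vendor/lib.py": "TOKEN = 'constructed-not-real'\n",  # ignored
        "app/.kiteignore": "# constructed ignore file\nvendor/\n",
        "outside/other.py": "x = 1\n",                            # not whitelisted
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in files.items():
            path = os.path.join(tmp, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(os.path.join(tmp, "app"))


if __name__ == "__main__":
    for rel, flagged in sorted(demo().items()):
        print(("SECRET? " if flagged else "ok      ") + rel)
```

Running `audit()` on a real project directory before whitelisting it shows which files would leave the machine and which of them need a `.kiteignore` entry or a credential rotation first.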
It sounds like they changed something after I signed up. I am not super paranoid, but I am pretty savvy about privacy and keeping my data safe. There is no way in hell I would have agreed to upload all of my data to their service.
I was actually questioning myself when I realised what had happened -- I thought, "perhaps I just messed up". But after I saw this story about their other dark patterns, I'm convinced they just deceived me.
Hard to read that wording and not infer it was specifically phrased like that to prevent saying "we upload literally every file, recursively, in the below directory".
Easy to see very intelligent and circumspect people interpreting "where enabled" to mean "when I ask for autocomplete" and "your code" to mean "that specific snippet" because who the hell would actually think it's cool to just carte blanche upload other people's workspaces?
> Also, removing a file from the local index should remove it from the server as well [2]
Maybe you are thinking only for yourself. What about the majority of the users of minimap/(other hacked plugins) who don't know this is going on, and they are not aware that some files need to be deleted from someone else's server.
P.S. I know "hacked" is not the proper term here, but you get the idea.
I totally agree that putting proprietary integrations into open source packages is shady. However, I don't think that the Minimap "kite promotion" [0] went so far as to actually upload code to Kite's cloud platform. It looks like it just added tool tips that referenced Kite's documentation. That's distracting and unwanted, but not as egregious as uploading your code without permission.
Not sure when you're seeing the privacy policy change was made but as an early user of the Kite desktop tool, directory whitelisting has been in place for a year or more.
I have zero faith this page actually works though. A few months ago I deleted all of my data and I checked back today and it has reappeared. (I uninstalled the client and deleted my login token back then too, so as far as I can see it's their issue.)
I have sent them a stern email to delete my data. If you want your data deleted too, I would recommend doing the same rather than trusting their web interface. None of the emails on their website seem to work, though. Emailing the CEO does work eventually, but I don't want to start a witch hunt. My email is in my profile if you want his email.
Well technically you did consent by clicking "Enable Kite". I'm not familiar with Kite but the linked image has a line that says, "Click here to learn more.". I'd wager that it eventually links to a page that explains that all your source will be uploaded to their servers.
I don't really want to defend Kite, but when it says "Kite achieves this by analyzing your code in the cloud" I would assume that my code is uploaded to the cloud.
My assumption from that dialog box would be that at most, the code I currently have open in my editor would be uploaded. Not all the source code on my computer.
How can autocomplete work without looking at all the other code too?
Edit to add: oh, wait, I misunderstood. It grabs all the code on your computer? That's crazy. I just meant it's not totally unreasonable to grab the whole git repo you're working in, say.
If you're going to upload potentially private code from your user's computer to your servers, you better warn him with big fat red letters before you upload a single byte.
I'm not defending their actions. I'm just saying that I don't think they're as surprising as people make them out to be given the messaging in the product.
This is why some data protection and privacy laws are starting to require active, informed consent before taking some actions, instead of merely specifying "consent".
Even without that, basic contract law in many places requires a degree of mutual understanding for the contract to be valid in the first place. You can't just bury a surprising term with a huge effect deep inside a long legalese document and expect it to actually stand up in court, and if you're doing something dubious and relying on that as your defence then you might be in for some disappointment.
What they did is figuratively a felony (literally an "indictable offense") here in Canada. These guys are going to go to prison. Courts have ruled time and time again that hiding unreasonable or otherwise illegal actions in ToS does not absolve liability or criminality.
Just out of curiosity, what part of this is considered illegal? Not defending Kite here, but it seems that even though they are using some shady tactics to gain users, none of their product/ToS seems illegal.
Copyright infringement is not theft. These are two completely different issues. When data is copied it is not taken away from the owner like when physical goods are stolen. Secondary damages may or may not occur, but they are not the same as depriving someone of a good. As an analogy, I wouldn't steal a car, but I surely would copy a car if I could do so by simply pressing a button...
This isn't necessarily only about copyright infringement (though it's definitely that too). If some of the source code on your machine contains sensitive information, like API keys, database passwords, etc.
Legally, the word "theft" isn't only used when one party loses anything; a victim of identity theft doesn't lose their identity, yet we don't call it "identity infringement". I'm not familiar enough with US law to know for sure, but it wouldn't surprise me if the word "theft" is used somewhere for obtaining sensitive information without permission.
That still leaves corporate espionage, which (last I checked) is a very severe offense. If that "source code" contained significantly-sensitive data (like medical info or info about legal cases), then there's a giant can of worms right there (and each of those worms has a surname of "Felony").
Copyright Infringement is an act, and at least here in the US, an act for which both criminal and civil laws provide specific penalties/remedies. On the criminal side, obviously, one of the penalties is imprisonment.
Ah, I was unfamiliar with criminal penalties for copyright infringement. Could you go ahead and link me to the relevant US Code text that provides for such penalties?
But that's about as unlikely as the code containing trade secrets.
Plus:
- For copyright infringement, they'd need to actually redistribute the code. Using it for machine learning and distributing short snippets wouldn't be copyright infringement.
- For that trade secret stuff you'd need to prove intent.
> For copyright infringement, they'd need to actually redistribute the code.
IANAL, but I don't think so. In MAI v. Peak[1], the court determined that even loading a program from disk to RAM was a copy, and therefore infringing without a license. Congress has since then added a specific exception for "Machine maintenance and repair", but that's it. Copying from a remote machine and storing it in their disks should certainly qualify.
> But that's about as unlikely as the code containing trade secrets.
Unpublished code is itself a trade secret. Even just the processes, procedures, organisation, tooling, library use, etc in the code provides a competitive advantage. i.e. The 'metadata' is also a trade secret.
The only intent you'd need to prove is that the accused is using the trade secret to the 'economic benefit of anyone other than the owner'.
It seems obvious that Kite is training a proprietary ML algorithm, with trade secrets, for their own economic benefit.
Makes me imagine some angry and equally shady person might contribute to some open source projects that Kite uses internally. With a ToS addition giving them access to all available data on the company network if you are Kite.
Obviously this would be a terrible thing to do and no one should.
It does not just feel criminal, it probably is. On top of that it might make you liable for reproducing some company code without permission. Very very bad idea.
I've almost been bitten by them in the same way. I vaguely remember that it was through HN that I found out about Kite and installed their plugin(s). It definitely felt 'dirty'.
> only to find out later it uploaded all of the source code on my computer
It didn't ask? Sounds like malware, and meets the definition of theft. Inviting someone into your house does not give them permission to steal things in your home, and leave with them.
It clearly states in the diagram that the code you run Kite on will be analyzed in the cloud. If it truly uploaded "all of the source code on [your] computer" then obviously that is radically different but from my experience with the product, it did not upload my code besides what was directly related to what I was working on and understood would be analyzed in the cloud, just like Code Climate or any other code analysis service.
Iff they had foreknowledge that the changes were going to happen, which is unlikely. I'd be surprised if Kite bought/acquihired/etc the product by disclosing a list of shady changes beforehand.
The question remains, would he have accepted the purchase/job if he had known that Kite intended to do this? My point is that he probably didn't know until instructed to do so by his new bosses.
This changes their power dynamic. One could argue they ought to find another job once the shady stuff started, but I still think you should focus on the actual instigators rather than the pawns.
In a security-sensitive corporate setting it is already harmful if anything gets uploaded to some cloud service - if this occurs, the damage already happens and anything that follows is "just" damage containment.
I believe about every company that develops software has some clauses about what software is allowed to be installed on the corporate computers and who has to initial any request to install a new program on the computer.
It's interesting watching HN get indignant when a company treats them the same way their idol companies treat everyone else. A lot of grab all data, track everything, and hide the creepiness in fine print type companies.
A system of permissions for plugins would be welcome in my mind for Atom, similar to browser plugins or mobile apps. Then a new "feature" would require the "transmit your code to a third party" permission.
> We cannot allow corporations to take over open source tools.
I don’t know how much I agree with that statement in general. There are several major open source projects with corporate “control” – Mozilla, Google and Apple control/heavily influence Firefox, Angular and Swift respectively and there are probably a dozen others. The idea that corporations are “bad” is a tired trope. Some corporations are bad, some are good, some are in the middle.
But I agree with your actual sentiment though – corporate involvement in open source should be as benevolent as possible.
"Corporations are organized around profit, open-source is not. With only that in mind you can predict what will happen in most of the cases."
All three of these statements seem like nonsense.
First, "Corporations are organized around profit".
No, they are legal entities, organized around articles of incorporation. These have a purpose statement. Often, those purpose statements are directed toward lawful business goals.
But you do not have to be.
Non-profit vs profit corporations can, quite literally, have the same set of purposes. The only difference between the two is what you can do with profits.
"open-source is not".
I'm not even sure what you are trying to say here.
Very large amounts of popular open source, is, in fact, produced by for-profit companies, and has been since the beginning of open-source.
The term was even created by a group of people at a for-profit company. So ....
"With only that in mind you can predict what will happen in most of the cases."
No, you can let whatever biases you seem to have stoke your imagination and prognosticate. You can't actually predict what will happen. There are plenty of happy, well functioning for-profit companies in open source that have been helping open source for many many many years. There are also plenty of non-profits that have harmed open source greatly.
It takes a lot of blindness to see this stuff as simply black and white.
I explicitly tried to put out "good" and "bad" from the discussion but OK, let's do that.
Red-Hat's main worry is to be profitable. That is above any other concern.
You can be sure that, if their bottom line was threatened, they will be pushed, in order to survive, to change their business model and they will not be beyond behaving in a "bad" (but legal) way if they don't see other way around the problem.
In fact, we can argue, that Red-Hat management, being it a public company, is forced by law to do that.
I'm sure you're aware of the Solaris exodus that happened when Oracle decided to make OpenSolaris proprietary after acquiring it from Sun. The entire OpenSolaris engineering division quit in the span of a month. Do you think the same wouldn't happen if RedHat decided to start doing horrible things to their customers or the community?
You're acting as though nobody who works at Red Hat cares about the community which they worked with before they had a job at Red Hat. I work at SUSE, and I work primarily as a member of a community. If SUSE started mistreating their customers or the wider community I would quit.
I hope that if you found that your company was mistreating the wider community you would also quit.
--
My point is not that "all companies are good". I'm saying that making a judgement that "all companies will harm free software at the end of the day" ignores the fact that companies still need humans to work for them that do said contributions. Personally I find that many people who work in free software have quite strong ethics when it comes to things like this, but that's just my anecdote.
My (somewhat strong, sorry about that) response was mainly a reaction to the larger trend I've seen in the free software community as of late -- that companies that work on free software are somehow a net negative.
I don't know where this view comes from, it was Stallman's goal from day one that it should be possible to have companies built around free software. The fact that my first job out of high school was working at a free software company should be celebrated as a huge accomplishment by the wider community. But it's not seen that way. I find it quite disheartening, because I've always been an advocate for free software and my job title doesn't suddenly change that.
I realise that you're not saying that (and so I'm sorry for the strong response), and of course we must question the motives of companies. But it's become a popular game these days to pretend as though everything that a free software developer does as part of a job must be part of a conspiracy to create a monopoly -- it's ludicrous and is quite grating.
History has proven time and over it's generally a very bad idea to be dependent on others' good will that is by nature self interested and ephemeral.
I think people are interested in their basics, income, job, family before any other priorities.
Some people in fact become so paranoid about this they may overlook even support unethical action as long as they are safe.
Surveillance, profiling and dark patterns by leading SV companies including Google, Facebook, Palantir etc composed of tens of thousands of engineers who may at one time have loudly proclaimed contrary values is just one example of this.
But how, in the end, did that affect Oracle? Did their stock price drop? Were they unable to sell things? Or did business kinda go on as usual?
The comparison isn't as appropriate, as Oracle is a much bigger company, and is able to handle the loss of that many people in a better way. But the gist is similar.
Oracle Solaris is on life support because they don't have any of the old engineers. They have not worked on ZFS or DTrace since then (and the illumos community has massively improved those projects in the meantime). Recent news makes it look like Oracle Solaris may be killed quite soon.
That was the result, they tried to mistreat the OpenSolaris community and then Oracle no longer was competitive in the Solaris space.
> In fact, we can argue, that Red-Hat management, being it a public company, is forced by law to do that.
You could argue that, but you would almost certainly be wrong. It is a myth that management at a company is always required to seek profit above everything else. Indeed, many companies explicitly do not do this, for example by having policies about operating in an environmentally friendly way for ethical reasons.
Companies have policies until they stop having them.
I'm not saying that companies have to search profit above everything, I am saying that it's its main concern, otherwise they will not survive.
Indeed, management will have space to be nice when things go well, but they, automatically, will receive pressures from investors to change their nice ways when things go bad.
This is the way that it's intended to work and there is, I think, nothing surprising there.
Even if it were as simple as that, it wouldn't be as simple as that!
There's a difference between short-term and long-term profitability. Being 'nice' might limit profits in the short term but might be crucial for long-term survival.
And, nobody knows for sure what the correct long-term strategy is. Not every step that yields an immediate profit is a step in the right direction.
For instance, you call Mozilla a non-profit. But it is a non-profit corporation, a legal entity that has organized itself in a certain way and applied for special tax treatment.
Isn't Mozilla organized as a for-profit that owns a non-profit? Actually, if you look at US tax law there are reasons that some non-profits have for-profit parts. I know Mayo was organized that way. I think it had to do with some salary requirements, but it's been twenty years, so I'm a bit fuzzy.
There is a non-profit (The Mozilla Foundation, affectionately referred to as "mofo") which owns a for-profit (The Mozilla Corporation, known as "moco") as a wholly-owned subsidiary.
The Mozilla non profit is the owner of a for profit company that carries out much of their activity. Which you probably meant, but you've typed it the other way around.
Sure, as stated in the articles of incorporation. Many states offer an in-between type of corporation called a benefit corporation. It is for-profit, but the articles of incorporation require it behave, additionally, with social benefit in mind. And they are obligated by their charter, and can be dissolved by the state responsible for the entity's creation, if they don't follow it. The public would have some degree of standing that wouldn't necessarily apply to other corporations.
Technically, non-profit only means that the corporation is not allowed to directly redistribute profit to its shareholders. This reduces the amount of pressure from shareholders to generate large profits, but still even non-profit corporation has to pay its expenditures somehow and not lose money doing so.
> This reduces the amount of pressure from shareholders to generate large profits
Just to clarify, since this sentence was ambiguous: not-for-profit companies do not have shareholders or owners. So the fact that there is no "pressure from shareholders" is vacuously true, because there are no shareholders.
Not-for-profits typically have donors and boards of directors, who both apply pressure to see the corporation's funds used to realize its mission.
When I wrote that sentence I thought about changing "shareholders" to "members" or "stakeholders", but then I left it as it was because it seemed to more clearly represent the contrast or absence thereof to for-profit corporation.
I'm board member of smallish Czech non-profit and one of the things I've found out is that the legal requirements on the corporate governance structure are mostly equivalent to what is required for publicly tradeable corporation that is actually not publicly traded, thus for me it makes some sense to equate voting members to shareholders.
> With only that in mind you can predict what will happen in most of the cases.
With just this information and no other, I think I'd predict corporations to make better software than open source. I take it that's not what you had in mind.
(This is for similar reasons that I expect for-profit companies to provide better service than government-run ones. I don't particularly want to get into a debate right now about whether that actually happens, just trying to explain my intuitions.)
For a non-technical user Windows is the infinitely better product than typical Linux desktops, you should see the pain that people go through that use commercial software nominally supported on Linux such as Cadence tools compared to the same experience on Windows, not to mention the lack of any serious well made office suite.
Heck in direct comparison Ubuntu 16.04 looks like a joke system compared to Windows 10, for example Ubuntu doesn't let me use my on board sound and only displays the dedicated sound card, but only half of the time. It has a horrible toy like ripped off user interface with ugly buttons, I can't think of a single application that is actually better than an equivalent application that is also available on Windows. The only reason I'm using Linux is because in a lot of areas including the field I work in it has achieved the same lock in that windows has for the general desktop market.
It is kind of sad that the only two alternatives are a clone of 70s technology or a clone of 80s technology. I feel like there should be a way to get things unstuck, but research into operating system design has all but ceased, with very few exceptions, many of them ironically coming from Microsoft.
Ubuntu is backed by Canonical Ltd. so it's corp vs. a much bigger corp. Linux as server vs Windows Server might be a more appropriate comparison for this.
It's so frustrating that the data derived from this reality never agrees with these simple economic theories I derived from first principles and my econ 101 class that are so obviously correct.
I blame the so-called "experts" and their propaganda about "complexity" and "human behaviour" for distorting the efficient market. In the cases of historical data it seems they have even retroactively distorted the markets.
I didn't say corporations make better software than open source. I said that if I had only a single piece of information that's the prediction I'd make.
I have opinions about to what extent my counterfactual prediction is correct; and to what extent it's not; and why it fails, in the cases that it fails. I left them out because they weren't relevant. If you wanted to talk about them, that's a thing I might be willing to do. But I'm not interested in being snarkily accused of mistakes I didn't make.
What I mean is this: If you mix open-source with a for-profit entity, don't be surprised when that entity tries to extract profits even in orthogonal ways to the original intention of the project.
Of course, in practice, and by the nature of open-source, this is very difficult to do and, normally, can be prevented, but the trend is there and should be taken into account.
Mozilla made Firefox. Google made Angular. Apple made Swift. That's not "taking over". While I am not a fan of this phenomenon either, that has nothing to do with the current situation. They simply built something and open sourced it, nothing was "taken over".
I'm going to take a contrarian stance on this one: I believe there is no story here — adding an ad for an opt-in cloud-based tool to dev tools is not spyware. It's opt-in! It's clearly stated. Would people raise a fuss to find out their CI service like CircleCI or linter service like Code Climate had access to their code (it's sufficiently obvious)? I don't really see why this tool is any different other than they are one of the first to make a code analysis service that runs in realtime.
I beta tested the Kite product when it first launched maybe two years ago. I don't use it today but I would try it again. Since then they've only tightened down on permissions and made things clearer.
Kite was also not the first to run ads in an IDE plugin (Wes Bos has sponsored several), at least not in Sublime. Personally it's not my preference to have ads either but ultimately this is up to the maintainer of each repo. The tool is still free to use. It clearly states that using the cloud engine will upload your code to do analysis in the cloud. It's 2-3 sentences, not like it's buried in some long EULA.
Shame on the article for labeling inserting an ad as "taking over" and labeling an ad as "spyware"… pure clickbait targeting non-devs.
The new Kite engine also clearly states it is a cloud-based service and they build integrations for their service. The whole industry works the same way. You don't have to use their engine to use autocomplete-python and it's opt-in too.
It appears you have misunderstood my argument. The atom-minimap extension you linked is not the autocomplete-python extension discussed in the parent thread. I have not used the atom-minimap extension and didn't make any comments on it — I use Sublime. My comments are about the autocomplete-python extension.
I think you're overlooking the diagram linked above which shows enabling the Kite engine is an opt-in button click.
The CEO also states that it is opt-in in the article: "Most users who install autocomplete-python close the engine selection prompt, which results in not getting Kite or its benefits," [the CEO] said in an email.
As I stated above, I beta tested the Kite product early on and have used it in Sublime through a similar add-on. I am not a current customer / user, but I do make my own dev tools. It was always completely transparent to me that they are sending code to their server to run a cloud analysis platform. Based on that, I still maintain that the community is massively overreacting to something that was made explicit upfront.
Well, who benefits from having the ads there? Wouldn't it be better for most users without the ads? What value is Kite adding?
It's a slippery slope, similar to the controversies over using BitKeeper for the Linux kernel or adding DRM to HTML5 (both justified, I think). The openness in open source needs to be defended.
While I would not argue anything about ads directly, I think that all users benefit from having additional options in the plugin, and if the ad is relevant to a portion of users and leads to some users discovering an additional dev tool for their workflow then it was worthwhile. That is the perspective I have in mind for the hypothesis that Kite was testing.
I genuinely don't understand why this service is getting a disproportionate amount of backlash relative to the plethora of cloud based services out there that analyze one's entire codebase. Maybe it's because they're interacting with the code from the dev machine directly vs integrating with repos on the git server? Would that make it different to you?
The massive difference is that Kite is using manipulative, dishonest tactics.
When I sign up for a service like Code Climate it's very clear that I am giving them access to some of my code. I also have easy control over what code they can see. They are honest and upfront about what they are doing and why.
Kite has been trying to hide what they are doing, with the goal of tricking developers into doing things they otherwise wouldn't. They're taking advantage of the huge amount of trust in the open source community. Kite must know that abusing this trust has a high chance of hurting the community, but they don't seem to care, as long as they can make a quick buck or two for themselves.
A lot of people here really cherish that trust and goodwill among strangers in the open source world, and are understandably pretty pissed when someone comes along and messes with it.
The bottom line though is being honest and upfront with developers. I suspect Kite could have been a bit more forward about what they were doing and the developer community would have reacted with much less outrage.
Where I work, the VPE signed up for Code Climate. Code Climate also gets our code by asking for git creds, making it very clear what they're doing.
Installing Kite and accidentally allowing them to sucker me into uploading the entire corporate source tree -- quite possibly with creds -- is literally a walk you out fuckup. At bare minimum I would have to page ops and roll creds on every bit of prod. Want to know why there's both a gitignore and a git commit hook making sure 'config/creds.py' is not uploaded anywhere?
There's virtually no ethical way to build that dialog unless you put 40 point red font saying "We upload your entire source tree" and make you wait 10 minutes before continuing. This is not a decision line level devs are allowed to make on their own, and Kite tricks them into doing exactly that.
Hi Ruben, founder of Kite here. I think this issue deserves a more thorough response because there are a lot of misrepresentations in the article.
One misrepresentation that I wanted to quickly highlight is that the autocomplete-python install flow has three steps, not just the one linked to in the screenshot above. The other two are:
Small technicality: these screenshots say that Kite is installing but it's actually only downloading the installer binary to memory; the actual install doesn't happen unless the user goes through all three steps.
It's also worth noting that if the user clicks "Add Later" no code is sent to the Kite servers for analysis until they whitelist a directory.
You are trying to blame the user, but the design of this flow is to blame. It does not explain clearly what is going on.
It's funny seeing this now to see where I tripped up. When you say "enable access in /Users/ben", I guess 6-months-ago-me assumed it meant "enable access to code in /Users/ben when I am working on it". It felt a bit like an iOS permissions dialog, where I was giving you access to my filesystem. Parsing it now, I realise that the text above the button says "where enabled, your code is sent to our cloud".
You could argue I should have read that more carefully, but that copy doesn't scream to me "I'm about to upload all of the source code on your computer including proprietary stuff and secrets". Because that button was the default highlighted button, I assumed it wasn't going to do anything drastic like that. (It's like Ryanair having a big red "YES I WOULD LIKE INSURANCE" button, hiding the "no I don't want to spend $100" button somewhere in the small print.)
Above all, you certainly shouldn't have included that as a shady update to some Atom extension I was using.
> I think this issue deserves a more thorough response because there are a lot of misrepresentations in the article.
From the article:
> Smith also said that most of the negative reaction was due to confusion around what the tools actually do. (Connor pointed out that it’s not possible to review what Kite does, since it itself is not open source.) Then he blew this reporter off. “I apologize in advance that I can't answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”
The above sounds like you were given the opportunity to explain things but shrugged it off as a distraction.
If it deserves a more thorough response, why hasn't that been given? Even in this reply you only "quickly highlight" one point.
Even with the additional steps and even with explicit whitelisting of directories (from screenshots it looks like it defaults to the user directory, which is just bad) before code's uploaded, the point is that Kite took over a useful, popular open source package, clearly hitching on to the popularity of the package to promote Kite, which is distasteful when it comes to OSS.
Why not fork the original autocomplete-python with one that has Kite enabled instead? Then users who want Kite or use Kite are able to do so, without screwing over everyone else who has no idea what Kite is and doesn't want anything to do with it.
Reminds me of software downloaded in the past that comes with some random search toolbar that gets installed in browsers. Annoying. Shady. Not cool.
This. That would have been the correct solution. Fork the code and offer their "Kite enabled" version separately. If Kite has to resort to these types of tactics to push their product it seriously makes me doubt its efficacy. If they can't market their product based on its merits, why would I want to use it?
This situation seems to have the best and worst of open-source. Best, in that the license of the projects allowed them to be forked without too much effort. Worst, in that it shows how easy it is for a project to be subverted once the maintainers are bought (in this case, given a job). It also remains to be seen if the average Atom user will see the difference between the Kite-branded (and, currently, more popular) and the forked versions of these plugins.
Besides the open source issues, this tactic seems to reveal a massive desperation by the Kite folks. There is no way they couldn't have seen how negative this was going to look once people found out. Their ability to attract new users through word-of-mouth and organic advertising must have plateaued. Sneaking their service into a well-used plugin would have given them a boost in users, maybe enough to attract a new round of funding, but they must have known it would cause this kind of bad blood. Especially based on their past reception on HN, which was highly upvoted but in which they never convincingly answered the concerns about uploading users' source code to the cloud:
> this tactic seems to reveal a massive desperation by the Kite folks
That's the weirdest part to me. Who, exactly, thought this was going to go well? It is hard to be sneaky with open source. And even harder to win back goodwill after being caught out.
For instance, now that I know, it would take a change of management and business model before I'd even consider running any of their code, and I'll be writing a Kite-detector for our code scanning tool this week.
Kudos to @mehcode for the fork [1]! And the author @abe33 for the apology [2]! I'm thinking, that @abe33 might not be responsible for this, but was "asked" by his employer (Kite) to do that.
Then, there are alternatives such as sublimetext/vscode, which have the minimap builtin...
Disclaimer: Not affiliated, I prefer n/vim anyways. This is a copy from my comment in the issue. Please read @abe33's comment [2] in the issue. This might explain a thing or two.
That's a pretty sorry excuse for an apology, in my opinion.
First, he focuses heavily on how much stress the backlash has caused him. Then he tries to paint it as a "misunderstanding" on behalf of the users. None of this strikes me as the behavior of someone taking full responsibility for their actions.
Further, I keep seeing people trying to justify his actions with the pathetic excuse that he was probably just doing as told by his employer. Sorry folks, that's not how being an adult works. There's a reason virtually every formal code of ethics stresses personal responsibility. Take, for instance, 8-b from https://www.nspe.org/resources/ethics/code-ethics
Engineers shall not use association with a nonengineer, a corporation, or partnership as a "cloak" for unethical acts.
Software engineers shall act consistently with the public interest. In particular, software engineers shall, as appropriate:
1.01. Accept full responsibility for their own work.
Just because we're in the comparatively-"lower stakes" profession of web development, that doesn't mean we can use the sorry-ass excuse of "my boss told me to do it." Unless they held a gun to his head, he had a choice, and his choice should stick with his reputation for better or worse. Now his name is going to be attached to this dumpster fire of a PR mess because he didn't have the will or integrity to say no, and smart people within the community will have a very good reason to no longer trust his judgement, much less his future contributions.
Thanks for posting abe33's apology, hadn't seen it when I read about this issue last week. One of the more unnerving things about it was how he made this change without explanation months ago nor did he explain it now. It must have been frustrating for him, as the plugin's original developer, to be dragged through this crap. He ultimately is responsible for his actions, but I wonder if he knew that subverting his own plugin would be a job requirement?
I can't imagine he would sabotage his own project for no reason, so most likely he got the job or some compensation in exchange for his cooperation and access to his repository, probably how they got python-autocomplete too.
Otherwise, if they offered the job with no conditions attached he'd be under no obligation to change his own personal projects for them.
Yeah, I was wondering if Kite had a deliberate strategy to inject themselves into popular IDE-plugins, and their hiring plan includes reaching out to such creators. It's not unthinkable that they would slip in such an obligation after the contract is signed. I mean, we're talking about a company that conspired to covertly slip in these dark-pattern ads into mainstream open-source plugins. Ideally, the minimap creator could have taken a moral stand and quit, but I imagine his work situation and prospects (being from Europe) is different than if he were a developer in the Bay Area.
This would actually be a smart and ethical strategy, if the changes were made in a way that they were opt-in and clear about what they were doing. Unfortunately it looks like they got greedy, and this is what happens when you dance the line: much easier to cross it.
While I could see how it can be done in a way that isn't outright unethical, it still strikes me as 'wrong' in the sense that it betrays my expectations of how open source works and relates to for-profit endeavors.
There's no implementation I can think of where I wouldn't feel icky about this, even if the 'Kite update' did absolutely nothing without turning it on explicitly through some setting that I actively have to look for (so no 'would you like to opt-in' screen at all).
Secondly, even if it may seem to come late, we've heard you and decided to revert all the changes related to the python links feature. The next release will no longer show anything. I'll also make sure that the relation between Kite and the minimap package are as clear as possible. I've been an employee at Kite for over half a year now and this plugin is now officially maintained by Kite.
Even if there was nothing contractual, being asked to do something like this by the CEO after starting a new job would make anyone feel pressured to play along and not make a bad early impression.
> It must have been frustrating for him, as the plugin's
> original developer, to be dragged through this crap.
Completely agree.
Then, this sets a precedent. It reminded me of Google injecting some binary code into Chromium [https://news.ycombinator.com/item?id=9724409]. However, we have a single person here. I can wholeheartedly imagine, that this can cause quite some stress. Also, it could have happened to many, I think...
Edit: I'm happy about the discussion here. At least, this won't happen again, anytime too soon.
I've tried Kite twice now. Once when it first launched, and once again when I installed autocomplete-python and it persuaded me to give it another go.
So far I have found it utterly unconvincing to the point of near uselessness. It rarely finds anything intelligent to say about my code, and gives a significantly worse view of documentation than Dash (for which I have a hotkey bound for near-instant lookup).
On top of that, I found Kite to use significant resources, there's no way to inspect what it's uploading so no way to ensure you aren't uploading things you don't want to, and the second time I tried it the UI was filled with dark patterns and I found it quite difficult to uninstall (I reverted to just trashing all the files I could find relating to it).
I paid I think $79 for a year of Kite-pro and frankly, so far it is pretty useless. That said, it has permissions and settings to whitelist which folders on your computer can be indexed. Then, the settings page states that if you remove the directory from whitelisting then "any directories removed here will also be removed from Kite servers." Of course, that doesn't mean they will actually remove previously indexed data. Overall, probably this is a product that I would not want my dev team to install.
I'd ask for your money back. Installing Kite left me with a really bad after-taste, but at least I assumed that if I'd bought into it, it would do as advertised.
It is a featured[1] Atom package, which may point to whom GitHub is endorsing in this issue, though we could see a more direct response from them regarding both minimap and autocomplete-python.
After reading sadovnychyi's reaction[2] to the autocomplete engine selection screenshot, I think forking is also the only remaining step for autocomplete-python.
> “Most users who install autocomplete-python close the engine selection prompt, which results in not getting Kite or its benefits”
This type of entrepre-narcissism has to be shut down hard. How deluded does somebody have to be to imagine that putting a confirm-shaming dialogue in an opensource tool is not Advertising?
Every interaction I have with these kinds of guys proves to me that they deep down believe their own BS and that they are actually blind only to their own actions. I consider a delusion much more dangerous than a malign stratagem.
It's a real shame as the service was good, but nothing is good enough to justify advertisements in my work-space. The fight against distraction is hard enough as it is without having to think carefully about where I'm clicking due to dark-pattern UI.
He didn't mention using it under a company. I was tempted to use this for personal projects as I don't care where my code gets uploaded, it's all on github anyways.
PSA: I removed the whitelisted directory from my local install of Kite and then uninstalled the application. Logging into https://kite.com/settings/files still shows my machine and all of the synced files.
I still had to manually purge my machine and files from that page.
If you think your files were removed, check again.
Hi, Kite founder here. If you uninstall right after removing the whitelist directory then the removed files may not have been synced to the server before the uninstall, particularly if you have a lot of files on your machine. We will address this by adding a "remove all whitelisted directories and log out" link to the local settings.
Something different was likely happening in bfirsh's case (sibling comment). If you delete the files from the kite.com/settings/files page but Kite is still installed then they will get synced up again. The most fail proof way is to uninstall and then wipe files from kite.com/settings/files. We will make the wipe files link log Kite out on that machine.
Sorry about the edge cases. We've been working on it, and will continue to do so!
It's nice this is getting more response today - my submission yesterday got no comments.
I almost spit my coffee out when I learned about this (as I'm a minimap user who had no idea this was going on). Not a fan of these shady practices - completely breaks the trust between package maintainer and users.
I think we need a swift and damning response to this. I'd rather have an even worse walled garden than the Apple 'App Store' than deal with having to worry about my source code getting stolen to be used by some stupid cloud service. I don't even want data collection in my text editor; maybe from the vendor it's acceptable but not N times for each plugin. I now feel compelled to vet the network usage of any plugin I install.
Thanks, Kite. I'll make sure to remember this in case anyone ever considers your service.
Let's not make this a witch hunt. Yes, the company should be ostracised, but don't ask for every little person remotely involved with them to pay the price of a stupid lead decision.
I don't know much about this particular case, so I don't have an opinion on the comments above, but the argument that employees shouldn't be punished for participating in an unethical for-profit scheme doesn't really make sense to me.
Well, there is also the question of actual participation:
Let's say [A]dam thinks they're not getting enough data and had this stupid idea to fix the problem, bought a bunch of repos when he had the chance, and told programmer [B]en to patch this in, while [C]hloe in another room is working on the website or tweaks the ML algorithm. How much is she at fault and involved here? What about [D]elilah and [E]ric in Support? Blaming them all individually and equally harshly for being associated with [A]dam is not really justifiable.
This kind of polarised thinking doesn't really work - usually you don't have a choice if the entire system turns because it happens relatively fast and not all implications are completely clear to you in the beginning, and usually the system will also just plain lie to you to appear much less destructive than it is. Also: Then every single American is at fault for Trump? I mean, they let it happen, right? So they must take responsibility.
Collective punishment and guilt by association are morally reprehensible but getting everyone off the hook is equally wrong irrespective of their rank in the food chain.
I am not saying that you necessarily advocated for this position in your comment but I just felt the need to make my point clear.
Of course you can't paint all the employees guilty and leave it at that, that's not what the Nuremberg defence means. If an employee knowingly acts maliciously under orders from their boss, then they are just as accountable.
To be clear I'm not advocating a witch hunt, but saying all employees are innocent because they were following their bosses' orders is a Nuremberg defence.
I know - my comments were more about the initial demand, and it's a little bit of a misunderstanding that people immediately compared it to me trying to invalidate the Nuremberg trials.
If programming were an engineering profession, each engineer would be responsible for ensuring that the code they worked on was ethical at the potential cost of their license. It isn't of course, but there is nothing unusual about demanding personal responsibility for social implications from individual employees like that.
What makes you think that the coverage of this event is unbalanced and vindictive?
I think that we all agree that this event should be documented and reported objectively as it's newsworthy proved by this very article here and it deserves a mention in a subsection on their Wiki entry.
The effectiveness of this line of defense hasn't improved since the Nuremberg Trials. And the directly responsible committers are not "every little person".
I hope so. This is the kind of thing where a swift and somewhat brutal response is necessary, I feel. I wouldn't necessarily go as far as digitally tar-and-feathering all the developers involved (I've made mistakes myself that were a result of thoughtlessness), but the people in charge should be sent a message that this is not acceptable, and quite frankly I think public shaming/blacklisting is entirely justified when it comes to them.
Yeah. But this is the thread where two proponents of "sending a message" are using the Nuremberg Trials as a case-study.
So people should quite obviously chill a bit. Even if the pitchfork-people in this thread only wish bad PR upon this company, thousands of people are reading these threads, and it only takes one slightly unstable personality to think he'll be a hero for the community if he publishes the CEO's honeymoon photos (or whatever).
Also, to keep this in perspective: they did nothing illegal. Changing the rules is a much better course of action than vigilante justice if you believe this to be wrong.
Is publishing honeymoon photos illegal? (I'm presuming nothing compromising.) If the photos were taken in a public place, then they are legal, and then therefore no harm done, right?
I wish our world worked like that, but unfortunately blackballing requires that the median participants of a group have some sort of moral compass.
I gave up hope for such things after seeing staff, investors, and speculators tripping over their own dicks to invest in Brendan Eich's latest venture (Brave) and its ICO, with full knowledge of his revolting and public bigotry against gay people.
The case with Brendan Eich's past donations is a troubling one, but I also found the way he was forced out of Mozilla questionable and also keep in mind that despite having this black mark on him, he's done many good things too and is not known to have done anything oppressive against anyone since then, yes troubling, but I also think that every person, even less accomplished one, has something they should be ashamed of in their past, so I don't agree that we should hold this one incident against him for the rest of his life, unless he does something to warrant it.
It's free speech whether you like it or not and I don't think your tactics of playing hardball with Eich or any other skeptic of gay rights would win him over to your cause as it foments feelings of resentment and discontent and likely lead to counter-productive results.
Kite's business model is just as legal as Eich's free speech money. But people still think it's wrong, and so they try to find ways to discourage others to act similarly.
I'm not completely sure if such punishment works, but I'm pretty sure that if it works for Eich, it will work for Kite, and vice versa.
Kite's business model is attack against open source, thus pertinent to tech.
Eich's view on marriage is completely unrelated and attacks on his professional career for this are abhorrent and juvenile and should be condemned rather than encouraged. Even if you disagree with Eich's stance (which for the record I do).
I disagree that it's flamebait, but I do think this is all off-topic. But I just can't keep my dumb mouth shut when someone says that enforcing one's private religious views on others via the government is just fine.
A person's private religious views are no reason for a professional witch hunt. That is well beyond the pale of acceptable, and so is your comment.
There's no reason to turn this into a less reasonable version of a McCarthy type inquisition. Once we start up with that nonsense it doesn't lead to a good place. No matter how strongly you feel you are right.
To which "professional witch hunt" are you referring? Are "private religious views" still private when you are using the government to enforce them on others? Is a CEO who spends considerable sums of his own money to do harm to his own employees for no benefit fit to remain CEO? Are users not allowed to demand good behavior from the companies they support?
No. Users are not allowed to dictate private religious views to people who work for companies. That's unreasonable.
Boycotting a company because you don't like the political views of one of its employees on the other hand is just silly.
What exactly is your issue with separating personal and professional life? Do you feel you should be professionally attacked or your company boycotted because you (presumably) support gay marriage and some people feel that's wrong? No, of course you shouldn't. You should have a right to vote, support, do whatever in this regard and it shouldn't affect you professionally.
Look, I personally support gay marriage. But this kind of behavior on the part of the "crusaders" is outrageous. It really is.
I think it's legitimately a fascinating discussion point! Thank you for engaging me on it instead of freaking out. While we disagree, I do understand where you're coming from.
Again, the issue was not his "private religious views." The issue was when he used his power and influence to enforce those views on other people who did not subscribe to them. The line is crossed when one tries to enforce their personal beliefs on others via the government. It's not about politics--I think there are many things in politics about which reasonable people can disagree--it's specifically about enforcing a religious viewpoint on other people through the government. I don't force my religion on others; I think it's reasonable to demand that others do the same, and to enforce that demand through the means available to me, which may well include a boycott.
Sure likewise. I mean, no hard feelings but go all the way up the chain to parent. He suggests Brave browser shouldn't get funding (and people shouldn't use it?) because at one point Eich gave a couple thousand bucks to a (failed) campaign to prevent gay marriage from becoming legal.
And who cares? The question should be is the browser any good.
Do you think people should call his place of employment and claim they aren't going to use the product unless they "fire the pervert"? It's ridiculous. It really is. And I'd be saying exactly the same thing if the relationship were switched.
The Proposition 8 campaign was actually successful in re-prohibiting gay marriage in California for about four years before it was overturned, meaning four years of legal limbo for already-married couples and four continued years of second-class-citizen standing for gay couples looking to get married. It also pushed out some incredibly offensive TV ads, claiming the marriage equality movement wanted to use schools to turn children gay and other nonsense. You can understand how someone affected by that proposition, and the decades-long fight before it, might not be so quick to say "oh, you rascals, let's let bygones be bygones;" even if marriage was legalized in the end.
I honestly don't know where I stand on Brave. I hate our current ad-supported world, and it's an interesting alternative to that. On the other hand, I loathe Eich and have no interest in supporting him financially after what he has done. Mostly I just stay silent; my feelings aren't strong enough to actually oppose other people using it, but I won't use it myself.
Note that I never said anything about Brave one way or the other. My response was simply that Eich's donation was not simply "free speech," it was a sincere and successful effort to enforce his personal religious views on others, and that it's perfectly fine to oppose that behavior.
You can use whatever word you like, but you used your money and influence to cause incredible amounts of harm to your fellow citizens and previous employees through your bizarre need to use the government to enforce your personal religious views on other people. I don't know the right word for that kind of behavior.
So you concede your assertions about "legal limbo" were false -- good. That's progress.
Moving on to assert "incredible amounts of harm" as caused by me among a majority of Californians who supported both Prop 8 and the prior work of Mark Leno et al. on Domestic Partner Law, California's form of civil unions -- which as https://en.wikipedia.org/wiki/Domestic_partnership_in_Califo... says, and as Leno said at the time, ensures equivalent positive rights under state law for all -- is nonsensical.
We were allies when we supported civil unions. Obama was on side of civil unions in 2008, and likely strategically lying that he believed marriage was one man and one woman. Then the goalposts moved, and incredible yet heretofore invisible harm was being done? Nonsense.
Fixating on "religion" is also nonsense. Theft is against the law. Major religions teach that theft is sinful. Does this mean religious people are enforcing personal views on other people? Of course not. Atheists (I know some; neo-Darwinian evo-biologists) supported Prop 8. People who didn't like the Foucauldian agenda behind the whole thing, or the judicial overreach, or mayors like Newsom overreaching, supported Prop 8. For many and usually coherent reasons, religious or not.
It shows either ignorance or ill will to dismiss both group diversity of thought and individual integrity of thought by labeling views you dislike as "religious", and therefore somehow illegitimate as the basis of action in the public square. Frankly, it is un-American.
You are entitled to your own opinions, as Daniel Patrick Moynihan quipped, but not your own facts. The fact is Californians including me who supported Domestic Partner Law did not do "incredible amounts of harm" up to May 2008. We did not suddenly start doing harm in June 2008 when Prop 8 got on the ballot. We did not do harm when the majority passed it.
Federal law, DOMA -- an unconstitutional power grab against the states by congress and a pandering president -- caused hardships for Domestic Partners in California, but Californians could do nothing about that Bill Clinton era law.
As my search link shows, you've been calumniating me on HN for years, while trying unsuccessfully to stay silent on the topic. I'm not optimistic you'll stop now, but that search also shows I've tried engaging in good faith. Here I am again. Instead of silently dropping refuted assertions and moving the goalposts, e.g., to vague "incredible amounts of harm" imponderables, how about making an explicit statement of whom I harmed, how I harmed them, and how I can make amends.
The anti-gay community has a long, long history of belittling and harming gays[1,2]. Prop 8 was a continuation of degrading behavior towards gay people. Advertising claims that gay people want to harm or abuse children directly leads to anti-gay sentiment, which leads to closeting, bullying, and abuse. The campaign you donated to aired these kinds of advertisements[3] and the proposition itself was a direct attempt to maintain gays' second-class citizen status.
I do want to sincerely apologize if I've been misrepresenting your viewpoint. If I have, it was unknowingly. I assumed it was religious, because that's by far the most common objection to it. In all our years of sparring, you still haven't explained why you're opposed to gay marriage, to my knowledge. You always dance around the issue. If you tell me that it isn't based in religion, then I apologize and will immediately stop making that claim. But then what is it? If you're not actually opposed to gay marriage, but rather something like judicial overreach, was the continued harm to gay people worth whatever point it is you wished to prove?
> how I can make amends.
I can't speak to others. For me personally, an apology for supporting the campaign and a statement in support of gay marriage would shut me right up.
(Did you miss the "Update, April 23, 2014" at bottom of [3]?)
I never bullied anyone, so leave that out. Be careful arguing that I'm responsible for others' actions due to systemic problems and biases. That fallacious line of argument cuts in many directions.
Your whole approach, asserting religion only and as if illegitimate, asserting incredible harm ascribed causally to me personally, then moving on after rebuttal without any amendment to your assertions, shows ill will. I'm not going to "dance around" anything with you, and we are nowhere near a common understanding of all our priors.
The best I hope for is try to find common factual ground, which we are doing, slowly.
However, if you can only keep assuming your conclusions and smearing me by association with groups or people I didn't and don't support, I'm out. If you see no way for civil society to function without all the dissenters -- religious or not, we are many -- toeing your line and apologizing for their heresy, then we are definitely done. We can agree that "Error has no rights" and stop now.
I may not agree with you on everything you stand for (or against) but I feel for your position the more I read comments that speak ill of you.
If nothing else, these people come off as sociopathic and it makes me wonder if they are in opposition to you because they feel something immoral has been committed or simply because they just want to let out their hatred into the world.
Why not both? Jonathan Haidt, http://righteousmind.com/, goes into depth with moral psychology on why it feels good for many to vilify, call out, hate-mob, etc., and why we're seeing more such strife in the US, e.g., on campus. Recommended.
I had a response all typed up, but I wiped it, because I'm being unproductive by trying to argue. I should be trying to understand.
My viewpoint is that the only reason to oppose gay marriage is because you believe that gay relationships are inferior to straight relationships. Can you please explain to me a reason to oppose gay marriage other than that? You listed a few earlier:
> People who didn't like the Foucauldian agenda behind the whole thing, or the judicial overreach, or mayors like Newsom overreaching, supported Prop 8.
I don't know what "Foucauldian agenda" means. Sorry.
"Judicial/Newsom overreach" don't make sense to me in the context of a public referendum. These people voted against something they wanted just to prove a point about something else(?); and then what, they were going to vote in favor of it again sometime in the future? Okay, but that's pretty baffling behavior.
I just have a hard time believing anyone in support of gay rights would choose to vote against gay rights and support anti-gay organizations. Maybe you can explain this more for me.
"These people voted against something they wanted" -- no, people objecting to judicial and mayoral overreach voted to override that overreach. See https://news.ycombinator.com/item?id=12721928 on judicial restraint. I'm baffled you got my point exactly backwards, so pausing here.
But people have all kinds of ideas about what constitutes "proper and fair". Some people feel differently about marriage and being gay than you do (Or I do). They might come here and argue about perversion and degradation of society and what their kids are exposed to. And what can and can't be tolerated as far as behavior. And how marriage is such and such and doesn't apply etc. etc. And, they feel every bit as strong about it as you do. This isn't a wacky fringe view (yet) and it isn't considered "discriminatory" by the people professing it.
As far as I know Eich doesn't condemn gay people for being gay. He just apparently has certain views on what constitutes marriage. And he isn't alone in these views. I don't agree. You don't agree. The Supreme Court doesn't agree. But the public crucifixion of the guy's professional work because of these beliefs (which as far as I know he kept private) is to me 100 times worse than the views he holds. And it's a dangerous stance to take. We've been here many times before. Moral crusaders (of all stripes) out to improve the world who do little but cause destruction. At some level we have to accept not everyone shares our backgrounds or political beliefs and work with this fact in a constructive, civil and reasonable manner. It's part of becoming an adult in a multicultural society.
I appreciate you aren't trying to knock his work, that was OP. My only complaint is your original over the top rhetoric, other than that fine, I understand you have a different view than Eich. But you can not like an idea a person has without personally hating a person for having the idea. And that is the right thing to do.
I think for quite a few people (including myself) it wasn't primarily about 1) his personal views being disagreeable to us, and/or 2) him 'expressing' these views through a donation, but rather 3) him being CEO of Mozilla.
I'm still not certain whether I agree with what happened entirely, but calling it ridiculous is a bit of a stretch.
Being in the position of CEO gives you many powers and perks, and I think it's perfectly acceptable that it also gives you responsibilities that may include 'not being controversial'. I'd say this is especially the case when you're CEO of a very large, important, and well-known non-profit.
Basically, it's the whole 'with great power comes great responsibility thing'. People in positions of power can be held to standards that don't necessarily apply to everyone else.
I completely understand if people disagree with this position, but it's far from ridiculous.
(and of course I can't speak for those who do feel that aforementioned reason #1 and #2 are enough).
Are you serious? Eich wrote it for Netscape in 10 days. If you want to blame anyone, blame those at Netscape who only gave him a week and a half. He did a phenomenal job given the situation.
Thanks for mentioning Brave. I've really been enjoying using it as a browser. Typing this response on it right now. Really hope it gets some traction as it's a cool idea.
I think your claim of "bigotry" is a bit overstated and I don't really care about people's political views in this context.
The problem is not that they built some product and monetized with ads. The problem is they injected themselves into a product they didn't build. Worse yet, they're open source projects.
If you can't see the distinction between this and the examples you mention, you really don't qualify to make sarcastic comments.
Exactly. And don't forget about the proliferation of the internet-of-shit devices, which are blasting everything they can learn about your home network to every company involved.
HN is specifically geared towards people who make a living coding things in the new "surveillance economy." This particular example (to go along with the dotnet command line issue) is just a difference in degree, not kind. They're mad that someone else is abusing their trust and privacy.
That is a narrow way to look at things and is not the full picture. Plenty of people protested and still protest Google's unethical business practices.
Brand power! I get totally nauseated every time tools/frameworks/programming languages get adopted just because they have the Google brand on it, when there are perfectly better alternatives.
Holy shit that 'apology' is a steaming pile of crap. This guy is actively subverting not one but multiple open-source projects and he responds with some pathetic crisis-management sob story and an 'oops, sorry'?
Open source is very vulnerable to manipulation. Some years ago, I spent some time trying to understand the PAM module LDAP module on Linux (PAM is used to enable external authentication so it's critical code). I found it to be completely impenetrable. We take such components for granted but if someone could inject malware into such code, it could be catastrophic.
Not to mention it must be trivial for a large and determined adversary to subvert Debian, Arch or other distributions' packaging process, for example by getting a "sleeper" rogue developer in there. As someone into security and using open-source systems exclusively, it would be somewhat embarrassing to become a security problem yourself that way.
I don't distrust Linux distributions' respective security guidelines; but it can't be that hard to find a loophole in community-driven system/software development and the damage would be substantial if a popular Debian package would have been subverted and have gone out with updates.
The same statement could be made about any organization. If you get a sleeper agent into Apple, Google, Microsoft, whatever... There is a certain amount of goodwill we rely on in this world.
It's not quite the same thing as, AFAIK, the Debian project doesn't have the same power as an employer does to do background checks before hiring.
There's a significant level of risk around open source projects changing hands, something which may be invisible to the users of those projects, especially as they become more heavily used and therefore more tempting targets for attackers.
Employers only have that power because you grant it to them. Of course you don't have a lot of choice if you want the job.
In theory, Debian or any organization could do the same background check, but is that the best use of their limited resources? And would they want to do it anyway given the ideals of the general OSS community?
Sure, my point was companies do do that checking and Debian doesn't do that checking, so from the perspective of this risk, it would be harder for an attacker to do this to a large corporate like Microsoft than it would to do it to an open source project like Debian.
But companies wouldn't give commit access to somebody they just "hired" over the internet that "wants to help", and they'd (hopefully) have multiple layers of code sign-off before it ends up in the repository. Having worked in PCI-DSS environments, it would not be easy to get code into production without anybody else noticing.
Open-source projects often have random people "from the internet" working together with a great deal of individual autonomy (authority doesn't go down well when you are contributing for free). This ad-hoc style works well for open-source development, but it does make some kinds of code/system subversion a lot easier and we'd do well to keep that in mind.
Besides, I'm into open-source and security exactly because I don't want to rely on the goodwill of Apple, Google and Microsoft. ;)
Most large software companies do continuous scans of their own source code looking for potential backdoors. Obviously this is not guaranteed to catch such attempts but definitely necessary in the current environment where Zero days are so valuable.
I'm pretty sure this is somewhat unique to the history of pam_ldap and its stewardship by PADL Software compared to other PAM modules; its dense nature encourages commercial engagement for those who care enough to know how it works or want to use it for their own purposes. They're not motivated to make it easier to understand (i.e., for outsiders to contribute to or maintain).
pam_sss is easier to understand and its functionality expands upon it, but it was a redesign.
Honestly, I feel that at the very least the core team behind Kite should be held accountable for what they're doing. I'm not arguing in favor of an all-out witch hunt, but in the context of developers doing their development thing this kind of behavior should have consequences that potentially might include 'black-listing' at least the higher-level people behind it that thought this was a good idea.
In short: A startup is taking control of open source editor plugins relevant to their product.
I admire their cleverness.
If it were me: I'd create an extension interface for completion libraries to accept third party plugins. I'd stop at putting third party stuff in by default. A sufficiently good plugin API for python-autocomplete shouldn't require it even to know about Kite.
That said, I don't think Kite should be disallowed. If they have a secret sauce that they think can empower completion plugins, give them an API to plug in to.
It's not in the spirit of open source to shut the door on proprietary solutions (IMO). Transparency should be paramount. Normally most Linux users opt-in to using proprietary/blob software/drivers one way or another anyway. Open source projects routinely maintain relationships with vendors (NVIDIA, Intel). It doesn't necessarily mean evil is at work.
Though, as someone who's struggled with the performance and reliability of completion tools, I don't know if I'd personally opt to outsource that functionality. I'd wait and see if our current tools get better.
So, what prevents any Atom package from being silently taken over and turned into a private code Hoover? Is there anything in Atom's packaging APIs that ensures plugins that can read source cannot also access the network without permission?
This is why we can't have nice things. As you say, such limits weren't necessary - because people in the community weren't assholes. Now, thanks to Kite's abuse, somebody will have to implement a permission system to editor plugins...
That is probably a long time overdue though in the case of editors like Atom.
Simply put; if some unethical corporation can hijack projects like this, then a much more malicious actor can as well. One that isn't as easy to detect, and does much more harm (like harvesting any code or input that looks like it could be private data such as credit card numbers, SSNs, email and passwordish strings found near each other, etc.).
Extensions, plugins, and what have you are cool, but straying outside of the fairly monitored confines of your OS's controlled packages carries a risk.
Man, where does this crap end? A permission system to click on a menu or type a character? A permission system to draw windows...?
I think there has to be some responsibility from projects that pack such plugins, to police their ecosystem. I can understand browsers having security layers, because they work exclusively with the biggest cesspool of them all (the internet), but stuff as basic as a text editor should not need something like that - if it does, something else has gone deeply wrong with the project.
Total biased takeaway [Please read the complete GitHub thread.]:
@jlozano:
> Hi, folks -- Juan from Kite here, thank you for the feedback, we appreciate it.
[...]
> We have decided to leave the feature as opt-out since many users have found it useful. [...]
@abe33
> [...] I've been an employee at Kite for over half a year now and this plugin is now officially maintained by Kite. [...]
I think that the BDFL system works in open source because it's too easy to fork the project. The old BDFL just transferred the power to a new BDFL, but it was not so clear for the community. There is a fork now, so if the situation doesn't improve and the users are unhappy, the Kite team will be the BDFL of an empty project without users.
This is one of the things that makes me think software development, like most other professions, should really have a formal code of ethics. If a lawyer or a construction engineer tried to do something equally dodgy, they would very soon find themselves hauled before a professional authority.
It should be made clear to the employees, management and investors of Kite that this is the sort of thing that marks you as someone willing to engage in unethical and underhanded behaviour. I wouldn't hire any such person into any team I manage, and I suspect quite a few other people wouldn't either. Actions have consequences. Especially unethical actions.
An argument that explicitly talks about the consequences of unethical behaviour when it happens is not painting anyone as ethical paragons. You are missing the point, I think.
"Subjective" how exactly? There are surely some variations, but if this is about "my wallet has feelings too" morality, that would be all the more reason we'd need an (enforceable) code of ethics.
Subjective in the sense that something you find morally wrong I could find morally right, or morally neutral. E.g. for the specific issue of this thread, I consider what they did to be morally neither bad nor good. The developer has no obligation (moral or legal) to check with me before committing stuff in the repo he controls. He doesn't owe me anything. In fact I could say that I owe him (morally, by my moral standards, because I've been using his code). But that's just my view.
Well yes but morals and ethics are almost by definition about valuing the interaction between people. As such, even if you assume that moral is subjective, if you only have your own personal morality, that's rather useless - it only becomes useful if you can agree with some other people about common rules of behavior.
You could say for yourself "I personally don't believe in private property, so I don't see any objection with theft" but my hunch is that this argument wouldn't do much to calm the victim of your theft.
That proposed code of ethics in software seems like an attempt to create exactly such an agreement.
Things like this are bound to happen, as long as people have to pay their bills and they don't get as much retribution as they would like for their work. If the original authors of the plugins that Kite took over had got a dollar from each user, maybe they would have thought twice before handing over their creations to a company with dubious purposes.
I have been saying it for a long time: we need better and more flexible software markets, and as developers, we should appreciate the work and time of fellow developers and as a matter of principle try to compensate them.
> “I apologize in advance that I can't answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”
If you don't have time to deal with controversy, maybe don't take actions that will inevitably lead to it, eh?
What Kite supposedly does is crowd-source code by uploading users' code to its server and then aggregating that data to train their ML algorithm. Then they can apply said algorithm on a specific client's code to recommend autocompletion suggestions as you type.
There are plenty of great use-cases for ML in building coding tools, but the shady manner in which Kite imposes itself on Atom users who have these plug-ins installed (which is a large portion of the user-base), leaves a seriously bad taste in your mouth.
The thing is I don't trust this explanation for a second especially as it applies to non-paying customers; they could have just as easily trained a generic ML algorithm on a publicly available data set, like I don't know, the public stuff on github.
Moreover, they could have trained their suggestions to actually be useful before throwing this out there as a feature set they thought people would want to use.
Plus then it'd make sense for people to open up their code, as a "local dictionary" of sorts that could be prioritized over generic suggestions. But at least then it would have had demonstrated value.
How much content are they auto-completing? Seems like this could easily end up with some other organization's proprietary code auto-filling inside your project. This is very dangerous; it's either only auto-completing single standard-library function names in which case it doesn't need cloud connectivity, or it's auto-completing actual code which opens up users to IP issues.
They use machine learning to see which code patterns follow other code patterns and then make suggestions based on that. "Oh, I see you've written X. Most people who write X follow it with Y."
However, this requires reading people's code that they upload to their servers. See their privacy policy here: https://kite.com/privacy.
You just need to compromise their database and you should have access to plenty of source code running around, possibly with secrets/credentials etc - a Disneyland for bad guys.
We, the open source community, need to respond to this pollution firmly and decisively. Apart from removing the sneaky code put in for these types of purpose, we may need to consider adjusting the licensing to forbid such doing ... the entire open source world needs to unite against this ... it is threatening the future of open source.
Is Facebook part of the "open source community?" I would expect that most people here would say yes, for reasons I will assume are obvious to most readers here. Yet they've built, arguably, the world's second largest (non-governmental) data mining operation on the back of open source software, designed for nothing more than slurping up user data to sell to advertisers. How is that fundamentally any different than what's described here? Because the product is "more" useful to end users? Because its true nature is "more" visible? It's a difference in degree, not kind. If you hate what's been done here, by extension, you should hate the business model of Facebook and Twitter, et al. (I do, and I refuse to participate.) There seems to be a bit of hypocrisy having this sort of outrage on this particular site.
So that's the difference, here, that exculpates Facebook? That they don't put their analytics code in PHP or React? Granted, Facebook doesn't put analytics code in those products, but almost every web programmer in the world happily embeds Facebook's JS blob/web bug in almost every single site on the planet to track every single click, by Facebook users or not, which can be tied back to at least a shadow profile in the mothership. That's cool? If so: Got it.
I can see the distinction you're making, but, IMO, it's splitting hairs. Either tracking users' activity, by the simple act of their use of your product, is morally acceptable, or it's not. To me, this seems like this exact same thing.
As Scott McNealy said, "You have no privacy. Get over it." I wish that wasn't true, but it would seem that every government and company is hell bent on making it so.
Is it splitting hairs to point out that many developers use React who also don't "happily embeds Facebook JS blob/web bug" in their pages? That's the whole point under discussion here, that the spirit and body of open source is that software can be transparently built and maintained for the greater good, and that Kite's quiet, self-serving changes seem to violate what most people consider standard conduct.
How far do you want to take the sins-of-the-creator argument? Does everyone who writes or executes JS become an abettor to Brendan Eich's beliefs on same-sex marriage? How many Internet users are linked to U.S. war actions given DARPA's large role in creating the Internet?
An argument about whether Facebook and Google are evil is out of scope for this thread, but pretty much argued daily in various other daily threads. I think it's possible for people to like corporations and open source, yet find it disturbing when corporations violate community standards of open source.
> How far do you want to take the sins-of-the-creator argument?
Say wha?... I thought I was being clear. Again, Facebook (and Google, et al.) have built vast empires on mining people's data in the process of them using their software. I'm arguing that, if a person is NOT opposed to this, then they SHOULDN'T be opposed to Kite's or Microsoft's shenanigans with dev tools. Arguing, "if you don't like what Facebook does, don't use it," is exactly analogous to, "if you don't like what Kite did, don't use their plugin."
Either we live in the world where trading our privacy and activity is the cost of using someone else's service or software, or we don't. But, clearly, we do. Arguing against this particular infraction is trying to unring a bell.
"Sins of the creator?..." I swear, sometimes, it's just not worth chewing through the straps in the morning.
OK, it seems like you have a different interpretation of the OP article than I do. You seem to think that people are bothered because a Kite-plugin uses and advertises Kite services. However, that is not the main point of contention. The problem is that a popular plugin that was not previously affiliated with Kite came under Kite's control. Kite analytics/advertisements were then surreptitiously added to the plugins.
When Kite's alteration to the plugins came to light, people took umbrage and stopped using the Kite-controlled version of the plugin. Problem mostly solved, but that doesn't mean people can't continue to criticize Kite for its actions.
If Facebook, which is the official maintainer of React, were to add a line of code that caused all React implementations to add a Facebook button to their webpages, I would bet good money that everyone criticizing Kite here would be ripping on Facebook.
Don't forget that there are actual people that come up with, and write the code for projects like React.
They're often solving problems that affect large numbers of developers (initially, inside their company). And, because of the scale of a company like Facebook, they can afford to work full time on these projects.
They then open source them because there's no strategic value to keeping them private, and significant upside to building a community around them (and not undermining that).
I'd argue that some of the best open source projects come from large companies - due to the sheer number of developer hours they can throw at them. Small dev shops can't afford it, there are very few OSS foundations, and there just aren't that many people (relatively) that can devote enough time on the side to compete.
FWIW, Facebook's head of open source, James Pearce, had an excellent interview with Changelog about FB's motivations and challenges for maintaining open source projects: https://changelog.com/podcast/211
According to Pearce, the amount of resources to manage open-source is non-trivial. For now, there's a decision process before deciding whether a project should go open source because of the maintenance cost and because they don't want dead projects under their banner (e.g. codebases that don't get used by the non-FB open-source community). One interesting point Pearce brought up was that React takes community contributions, but FB's policy is to have a single version of React, i.e. the React that's released to the public is exactly what runs on FB production, which requires a certain level of logistics.
The main benefit of OS, besides the free labor from the open source community, is public adoption of the software, which gives FB some kind of leverage in the software world. But it also means that job candidates can come in already experienced in React etc.
It's a battle you can win with forking and shunning any plugins they take over. That will show developers that injecting Kite into your popular project leads to it becoming very unpopular, very quickly.
Is there a reliable way to search GitHub for projects that are managed by Kite? Looks like it is only mentioned in the readme, and it would be simple for Kite to simply not put in references to Kite.
Probably, but it could be an on-going fight as server names or even library names could change over time. I guess in the long run it will become like any other virus/malware scanning.
While this Kite company seems rather scummy, I think it's a bit disingenuous to frame it as an attack on open source. Actually it's the one thing open source can handle better than anything else: just fork the repo and carry on.
Maybe I'm reading too much into the article but it feels like a weakness in open source is exposed when in fact the real problem would be if those applications were closed and you were stuck with crappy software if you didn't want to switch to a brand new tool. How's Skype doing lately?
Open source is vindicated by these scummy tactics, not undermined.
This is actually the most ridiculous part of the entire story.
It would be one thing if a corporation was stealing your code and taking over open source projects as part of a detailed plan to make money. That would still be objectionable, but at least there would be a clear motive for these voyeuristic activities.
Apparently, there is no master plan. They're just doing this because they want to be voyeurs and then maybe figure out how to make money off of that somehow later.
Not sure how the Atom plug-in store works: if this were yum / CPAN / pip, I would think there'd be some way to kick these plugins out of the stores and force anyone who really wants it to install manually. I think that's the best way to tackle this kind of deception: fork it, kick it out of the app stores, and make it difficult as possible for someone to inadvertently download the adware-written version.
A maintainer for amp (atom package manager I guess?) explicitly said they're sitting this one out. The mini-map plugin has been forked and rolled back to the version before the ads popped up.
That's a pity. It is incumbent upon the package manager vendors/curators to watch for this kind of stuff and bring the hammer down when it happens. Apple does it. Google does it. Mozilla does it.
I can guarantee that there are other commercial companies watching how this plays out. If the changes are simply rolled back without any real repercussions, what other malevolent entities will take away from this incident is, "You can inject adware into your acquired FOSS applications, but do so discreetly."
It is somewhat ironic that the community affected is the Atom one, which was supposed to be built by (and for) next-gen cloud-first types who live in the browser. If all data has to live in the cloud, your source code will inevitably get there too - because source code itself is data. Sure, Kite went about it with an anti-pattern, but that makes little difference. Live by the cloud, die by the cloud.
Let's be honest, the real problem here is that Kite's offer is still not good enough. The service they provide at the moment is not worth handing out all your code, unlike with services like GitHub; and their leadership is not seen as smart (or honest) enough to tolerate them taking stewardship of this or that established project - something that happens every day in the OSS world (loads of companies de-facto own this or that OSS project, from RedHat to Google to Ubuntu to IBM, steering as they see fit).
As soon as Kite (or anyone else) can provide a compelling service, people will go to great lengths to use their stuff and give them their code, without any dark pattern being required - ethics be damned.
In many small projects the owner (or a small set of owners) just commits the changes without approval. In some cases one person writes more than 50% of the commits, and it's not practical to get someone to review the code.
In this case abe33 has 75% of the commits, someone else 15% and the rest is a bunch of people with 1% or less.
Once your project gets to a certain level of users or activity, you should still be submitting PRs or MRs for comment before merger.
With our server toolkit in a project I work on, we have 2 devs and 5 active users, with the devs being 2 of those, but we still manage to at least put every change in a PR, with a minimum review and comment time of 24 hours unless it's a security issue or major bug fix.
It's not hard, and it makes you actually justify your change and have talented second eyes point out minor bugs or edge cases to you.
Direct commits are only used for version bumps for the auto build/release thingy.
Please use your skills and spirit to fork both of the projects in question and put one of your known good actors in charge of each.
Either new project leaders are available and will immediately come forward to claim these projects as their own, or we need to change the subject to FLOSS sustainability.
There is a fork[1] that reverted the changes made by Kite.
This is not a question about sustainability as the project was well supported, feature-complete and saw regular releases.
Rather, this questions the consequences of giving companies permission to acquire community efforts. Doing so erodes trust in the Atom ecosystem. If the Atom team is OK with what Kite is doing, then I can expect other companies to follow along, and I'll have to be more cautious when installing plugins in general. It also destroys the incentive of contributing code to Atom plugins, because I don't want to contribute to giving companies control over basic features like a minimap. Why stop at the minimap? StackOverflow might as well hijack CTRL+F, or Heroku might subvert a git plugin.
If we let this become a trend, it will suck for everyone.
The consequence of forks is that their desired userbase is now seeing double, and whenever a potential user asks about it someone from the community tells them, "Don't use the one with ads and/or other junk, use this one instead."
If other companies follow along then Atom's ecosystem-- and therefore, Atom-- will suffer as a result.
Regardless, there probably should be more caution when installing plugins.
Yes, I agree, forks are another bad consequence and usually undesirable (though there are exceptions, e.g. it worked for the Node.js community). Had Kite not subverted the plugin, there wouldn't be a need for a fork.
It's not clear to me from the article or the comments what it was actually doing.
Looking briefly at kite.com, it looks like they provide a potentially useful tool/service that is kind of an alternative to searching the web for documentation.
What I can't tell is whether what they did was make minimap incorporate results from Kite, so that you were essentially getting the Kite service (or a light version of it) bundled with minimap, or if they were putting ads for the Kite service in minimap, or if they were putting ads for other things in there.
I'm curious as to what the ads looked like. I installed it but can't see them and the article only includes its own ads for razors, not pictures of the ads it's talking about.
I'd never heard of Kite until today and, following one of the links, ended up at Adam Smith's blog a couple of hours ago.
I did no more than to read a blog post.
Just now I went to check out from my local TortoiseSVN repository and instead of the usual local address this was present as the repository URL:
I remember the day Kite was launched. I took a brief look, realized it would be uploading entire codebases of mine to their servers, and said no.
The fact that they have since slipped their stupid product into popular open source tools (probably because it isn't as well received as they thought it would be) is very similar to how some douchebags buy up popular browser extensions, then inject ads or do more nefarious things with them. Utterly distasteful.
This is evil. We need a way to deter activities like this. The public shaming on HN is a good first step but this would be forgotten too quickly. Any ideas?
Honest question: if someone starts a hobby project, open sources it, and later decides to monetize it in some way, is that considered bad form? I can think of many open-sourced projects that are being monetized - eg Reddit/GitLab.
I was under the impression that open-sourcing something literally means just making the code publicly available, and doesn't restrict what the owner chooses to do with the project in future.
This is a bit hyperbolic. If the original maintainers of a project are making changes you don't like, just fork it.
That said, if I was already unlikely to trust Kite, I don't want to work with them at all given this behaviour. Betraying the trust of a significant portion of your potential customers is a sure way to be exed from an industry you never capitalized on. Congratulations, Kite.
> Smith also said that most of the negative reaction was due to confusion around what the tools actually do. (Connor pointed out that it’s not possible to review what Kite does, since it itself is not open source.) Then he blew this reporter off. “I apologize in advance that I can't answer any further questions,” he wrote. “I need to focus on other parts of the business, including continuing to improve the product for our users, and conflict like this is always doubly distracting.”
Love and avoiding negativity have become the bywords of unaccountability. To foment conflict and then not comment...
As distasteful as ads are, I'm always concerned about an update that introduces malicious behavior in the background. Something like NPM hydra for example, or those Chrome extensions that have been bought out.
Sounds like a replay of uBlock / uBlock origin. The same solution (forking and rebranding) can apply here. If the original authors sell out to Kite and the license permits it, fork it and fuck them.
I personally want to know why Kite decided to show up uninvited in Atom. I don't want this shit, I don't care about it, if I wanted documentation I'd use Sphinx or Doxygen.
Sandbox that keeps them from your filesystem - maybe. But not from the editor or network (most of the plugins need them, or rather are based on the idea of using them).
The answer to this should be a resounding "fuck off and don't come back".
Open source is great because it is generally free of this pushy and disingenuous nonsense. Defection over cooperation leads to the detriment of the commons.
You started this flamewar and then went around the other side and started another. That sort of thing will get you banned here. So will generic ideological trolling, which you bring in here completely extraneously.
Please don't do any of these things on HN again. Instead, if you have a substantive point to make, make it thoughtfully; otherwise please don't comment until you do.
Please keep flamewars and online rage off Hacker News. We all know what the callout/shaming culture has wrought on the internet, and the idea of this place is to try to be different. You've perpetuated it in this thread as much as the other person whom you've scornfully criticized for it. That's the way these things usually go.
As for 'purge', if you use a politically charged word like that next to a rage word like 'fuckers', the internet dynamics are predictable. Therefore, the fault for the flamewar about communism and genocide the thread ended up in lies largely with your comment. We can argue in general about words and contexts (and sure, you're not wrong), but the point is irrelevant because the current context has such well-known properties, like dynamite and dry forests.
It's kind of amazing that this needs to be clarified. I'm starting to think that people around here are only familiar with the word as it relates to that dumb movie of the same name.
I feel like a lot of posters will take the most uncharitable interpretation possible of your post, no matter how implausible, and then argue against it.
It needs to be clarified because "purge" seemed like a very charged word which was meant to convey more emotion than information. I interpreted it as a double-entendre. The original commenter defended their use of the word but only in a way to stir the situation more.
I read it as the word used to describe bulimic emesis. The open source community has ingested something undesirable, and now it needs to induce vomiting.
We don't have to leap right to the edge of the mass graves whenever someone elects to use their thesaurus. Or would that actually be doubleplusgood, if people were to suffer ad hominem attacks based on their vocabulary choices? If you're headed to the bottom of the slippery slope anyway, you might as well grease yourself up and grab a boulder, right?
Was going into personal attacks of the other poster and Horseshoe Theory supposed to be a more measured and informative take on the discussion at hand?
To be fair, if one is a self-described "commie", there's only one possible interpretation. Maybe avoid associating yourself with genocidal regimes? Even as a joke (I sure hope it's a joke)? Maybe?
Communism isn't genocidal. You should read up on what it actually is instead of relying on pro-capitalism propaganda. "Somebody died because Stalin/Mao" holds no candle compared to capitalism's "somebody died because housing, hospitalizing, and feeding the poor wasn't profitable".
Ah the old "there were no poor people before capitalism" mistruth again. You might want to research what Mao did before defending it in any way.
But you're right, communism the idea is not genocidal, just all of its prominent leaders were. The fact that the ideology lends itself towards "there is only 1 truth" has nothing to do with that, I'm sure.
Rather than trying to argue capitalism vs communism I would like to point out that neither specifically calls for mass murder. Both happen to be associated with plenty of it though.
For people thinking capitalism is completely clean please look up the Indonesian genocides. For people thinking communism is great, consider how Mao and Stalin could have been stopped by communism.
Definitely said nothing like that. In the US there are 6 unoccupied houses for every homeless person. Somehow this is better because you found a way to decentralize the dictator and blame the victims?
You're free to have an opinion about which economic system is better. But the opinion that communism implies genocide and capitalism implies freedom is quite non-negotiably uneducated.
Your link makes no effort to suggest that capitalism is a positive force in reducing poverty or that communism is a negative force. In fact, it seems more likely you'd draw the opposite conclusion:
> Second, we can also see from this chart that despite remarkable progress, in some rich countries—notably the United States—a fraction of the population still lives in extreme poverty. This is the result of exceptionally high income inequality
The best conclusion I can draw here is that Western powers are rich because they imperialized other nations effectively and survived key historical wars. Africa is doing bad because they were heavily colonized and met the bad end of several wars. Communist nations failed to reach US levels of power because they imperialized less effectively than the US. Nowhere in history or that article do you see "they became communist then became more impoverished".
The article even goes forth to mention poverty traps, a problem well known to critics of capitalism. A problem that socialism reduces and communism eliminates.
Again, you're free to pick capitalism as your ideal economic model, but you should at least start with factual information on the alternatives.
No idea. This new title seems vaguer to me. They changed it from 'How kite is undermining the open-source community' to 'How a VC-funded company is undermining the open-source community'. The title is clearer with the name of the company in it.
Edit: In case there is any confusion. The company is Kite. The VC-funded company is Kite. Kite. They are the ones this article is about. Kite.
> If the original title begins with a number or number + gratuitous adjective, we'd appreciate it if you'd crop it. E.g. translate "10 Ways To Do X" to "How To Do X," and "14 Amazing Ys" to "Ys." Exception: when the number is meaningful, e.g. "The 5 Platonic Solids."
> Otherwise please use the original title, unless it is misleading or linkbait.
In small obscure threads the mods sometimes don't notice and you can get away with small changes, like replacing "Photos of Enceladus" with "Photos of Enceladus, moon of Saturn". (But don't try "Amazing photos of Enceladus will blow your mind!!!")
In big popular controversial threads almost always the title is reverted to the original title of the article, or the first sentence of the article when the title is too bad.
Psychopaths sometimes have trouble recognizing stuff that is supposed to make them ashamed, i.e. stuff that would reveal their character were it exposed publicly.
Maybe that seems like an over the top comment, and on any individual case, who knows? But I think it explains a good number of these sorts of scandals. Sometimes, the people who get on top are not "ambitious"... sometimes they are actual monsters.
Please don't do the internet psychiatric diagnosis trope on HN. Casually invoking a category like 'psychopath' significantly lowers the signal/noise ratio in a thread, and even if you don't direct it at a specific person, someone else will. Moreover the frame of this article means your comment is insinuating something about someone whether you mean it to or not, and that's beyond gross and into hideous.
Internet threads are like tag-team wrestling: the first guy drags a metal chair into the ring and then the second guy bashes a third guy over the head with it. Keep the chair out of the ring.
So by daring to say that this behavior might be caused by someone who is characterized by the worst kind of lack of ethics, I'm in the wrong?
This is a phenomenon that studies show occurs at something like 2-3% in the population at large... but more common among CEOs. https://www.theguardian.com/technology/2017/mar/15/silicon-v... Interesting how you ban my argument because I don't have a credential (do you even know which logical fallacy that is?) but when an article in which experts take the same opinion, HN bans it with a different excuse.
Do you think that, just perhaps, this could have an effect on the amount of abuse of people by some companies, that we see day-to-day? Especially when it seems to go to an absurd point, as in this case?
It doesn't require a degree to detect people who are willing to treat those around without scruple, as long as they're not exposed. It's a fairly simple definition and these people disproportionately cause abuse... so censoring mention of this, or suggesting that a degree is needed to even contemplate recognizing this sort of bad actor, means you are acting to ensure people are ignorant about it, to their potential harm. I hope you never encounter one of these people close up, dang.
I'm not all that surprised that HN's despicable form of soft-censorship was used here... as I realize the statement I made was sort of controversial. But I'm looking forward to more people realizing how rotten you guys have become at censorship, at which point the interesting conversation will finally move elsewhere. Unfortunately, you can't keep doing it with such a heavy hand and have people not catch on, over the long term.
In fact, the level of censorship has gotten so high here (or I have finally noticed how bad it is) that I don't want to participate anymore. Maybe this is a marginal case, but I've realized you guys are just rotten overall. I don't really think it's ethical to participate in a form that's so dramatically manipulated, especially so often in the direction of SV companies. I'm going to kill my account, if that's possible.
Or, since it looks like HN is too arrogant to implement this feature https://news.ycombinator.com/item?id=7841742 I'll just, you know, stop using it and monitor the potential security hole for the rest of my life.
I really don't think it takes being a psychopath at all. All it takes is convincing yourself that the company's mission is inherently noble, instead of just a way to generate profit. I've seen this many times, where nice, reasonable people convince themselves of the morality of some business decision, without really questioning that all these "moral" decisions also just happen to be the ones that make the most profit.
Studies have shown that psychopaths are, on average, more successful as CEOs than non-psychopaths. This certainly seems like a good example of that (his reaction and behavior with the reporter were perfect!).
In my experience they have meteoric careers that then suddenly crash and burn spectacularly. Unfortunately after a big crash they're usually able to find more fools and repeat the pattern. You'll often see someone whose career looks like a sawtooth wave.
There is a book called Political Ponerology, with a fascinating provenance, which basically claims society at large (macro scale) goes on sawtooth pattern like this. The argument is that during the good times, people stop taking the steps needed to keep these people from attaining high positions... they remain in denial and make excuses for psycho behavior. Then people finally take action only when it's just blatantly obviously necessary again. Which, if you think about it, is also the basic story of good & evil presented in Harry Potter :)
IIRC the book was written by the scientific wing of the Polish Resistance movement during authoritarian occupations of the 20th Century. Apparently, many of the people involved in sourcing the data (and, oh yeah, who had secretly diagnosed many of the Nazi/Communist leaders as psychopaths) were killed, when the first edition of the book was discovered in progress. And that first manuscript was destroyed, but the lead author wrote it again -- not once, but two more times -- and ultimately, had to wait for the fall of Communism in order to get it out of Poland. It was finally translated and published during the Bush administration, by New York liberals.
Except Lennart was working on systemd long before he worked at Red Hat and Red Hat has very little control over what he does in systemd. The reason Red Hat has "foisted" systemd is that it solved problems that other init systems hadn't solved (which is why other distributions also adopted it). That doesn't mean it's the best solution by any stretch (I don't like systemd personally) but pretending that it was the same as putting adware into a text editor is quite disgusting. It solved a real problem, and if you have a better alternative you're free to contribute it as another member of the community (in fact, please do).
I work for SUSE, not Red Hat, but I find it incredibly gross that being employed to work on free software is seen as a negative thing by the wider community. I spend every day working and thinking as a community member first, but because I was lucky enough to get a paycheck from a company to do that clearly I must be the enemy.
I toy with Linux but I mostly use OpenBSD. So I'm thankfully not that affected by systemd.
I can completely understand what the OpenBSD init system does. It's a lot harder to fully understand systemd. Plus, as a benefit of systemd, you get headlines like "Don't panic, but Linux's Systemd can be pwned via an evil DNS query"[1].
Red Hat doesn't care if Poettering is a brilliant genius or just a useful idiot. Instead, Red Hat loves systemd for a very different reason: lockin. Most Linux distributions are now utterly dependent on systemd, and by extension dependent on Red Hat.
systemd gives Red Hat far too much control over Linux. They were already the 800 pound gorilla, now they're almost invincible overlords. But go ahead, keep drinking the Kool-Aid.
It's quite clear that you didn't read my original message. I explicitly said that I don't like systemd (for some of the less inflammatory reasons you've mentioned), so I've not "drunk the Kool-Aid".
Red Hat conspiracy theories are quite interesting, but you might want to provide evidence for the claim that a unified init system somehow locks people into Red Hat. You do realise that you can have the exact same .service file work on RHEL just as well as it works on openSUSE or Debian? I will reiterate that I don't like systemd by any stretch of the imagination, but a unified init system makes life so much simpler for any user.
Rather than bashing systemd, the community should be working on alternatives. GNU Shepherd is a viable alternative, maybe we should work on that rather than sitting around complaining about what systemd is doing.
> It's quite clear that you didn't read my original message.
I did read your original message. Whether or not you personally like systemd or whether or not SUSE likes systemd, it nevertheless is in openSUSE. I don't know enough about SUSE to know if you have any other distributions that don't have systemd.
Why is systemd in openSUSE? How was that decision made? If I were in the leadership of SUSE, I would hate being so dependent on key software that is essentially controlled by my largest competitor.
At this point systemd has become the entrenched incumbent. So "alternatives" are mostly wishful thinking. For people to switch away from systemd, they would need to be convinced that something like GNU Shepherd wasn't just equal, but was significantly better. That seems unlikely to happen anytime soon.
People aren't directly locked into Red Hat, but they sure are locked into a very key piece of software controlled by Red Hat.
This state of affairs has to hurt SUSE. When selecting a distribution, why wouldn't businesses buy from companies as far "upstream" as possible? Why buy software from SUSE if key pieces come from Red Hat? Why not just buy from Red Hat directly?
> For people to switch away from systemd, they would need to be convinced that something like GNU Shepherd wasn't just equal, but was significantly better. That seems unlikely to happen anytime soon.
You seem to be arguing two things: 1. systemd should not be used and 2. it is unlikely that you could convince current users to switch to an alternative.
These seem to me to be at odds with each other. If systemd is so bad, why do people keep using it? I'd guess that the alternatives are even worse for current systemd users. But that doesn't mean that the alternatives couldn't be improved to the point where they can replace systemd for most users. Unless of course all init systems are doomed to suck and you can only choose which one to complain about ;)
> Why is systemd in openSUSE? How was that decision made? If I were in the leadership of SUSE
That decision was made by the openSUSE community. openSUSE is not owned by SUSE in any sense, the community is run by the users and developers of the distribution. There is a board that is elected by the community (and no single company can have >50% of the board seats), but its role is more dealing with conflicts than anything else.
openSUSE chose to use systemd because some people stepped up and did the necessary work to support systemd. And yes, people still complain about it, but the key point is that nobody has put work into replacing it. There is no reason that openSUSE couldn't support running everything without systemd -- nobody would stop you from doing that work -- but in our community the people who make such decisions are the people who do the work.
> I would hate being so dependent on key software that is essentially controlled by my largest competitor.
Ha-ha, it appears as though you don't understand how free software development works in this context. While Red Hat is a competitor to us, we work with them on their upstream projects just as they work with us on our upstream projects. I spend a large part of my day collaborating with my counterparts at Red Hat. Hell, I'm a co-maintainer with several folks from Red Hat and I contribute to their projects in my free time.
If a customer doesn't like us, they can go to Red Hat. If they don't like Red Hat, they can come to us. If they don't like either they can go to Canonical or wherever else. Hell, we even provide support for migrating to SUSE from Red Hat (and I believe they have the inverse). The benefit of building everything on free software is that you don't have vendor lockin, and systems like this really do "just work".
> For people to switch away from systemd, they would need to be convinced that something like GNU Shepherd wasn't just equal, but was significantly better. That seems unlikely to happen anytime soon.
So you agree that systemd solves problems that are not solved by other systems? Then I don't understand what you're arguing for -- should we intentionally ship software that doesn't solve user problems? Or wait for the community to decide on the best way to move forward before we ship a release (hint: those arguments will never end)?
If you want to get people to switch you need to have an alternative, it's as simple as that.
> This state of affairs has to hurt SUSE.
That's kind of like saying that because 'shadow' is developed by Debian it must hurt Red Hat. Or because Apache is developed by the Apache Foundation that must hurt Canonical. It's a nonsensical argument, that's not how free software works.
> When selecting a distribution, why wouldn't businesses buy from companies as far "upstream" as possible? Why buy software from SUSE if key pieces come from Red Hat? Why not just buy from Red Hat directly?
First of all, Red Hat uses many pieces of our software as well, this is a symbiotic relationship. Red Hat is not the only player (in fact we were around before them). Their new dnf package manager uses our libsolv RPM solver implementation. They are using openQA to perform testing of Fedora. kGraft and kSplice were merged upstream thanks to being able to compare the two approaches and come to a solid decision. There are many such examples.
But to answer your question, it's because we sell different systems with different opinions on how to do things. I'm not going to give you the marketing pitch (I'm an engineer), but we have plenty of really interesting technology that we ship in our products that Red Hat chose not to use (and vice-versa). SUSE and Red Hat both sell operating systems, but they are very clearly distinct and potential customers are given a choice with who they want to do business with.
> Ha-ha, it appears as though you don't understand how free software development works in this context. While Red Hat is a competitor to us, we work with them on their upstream projects just as they work with us on our upstream projects.
Thanks for providing such a detailed write up. I hope that knowing a little about how "frenemies" work together is also of interest to others on HN.
Maybe Red Hat and SUSE will coexist happily well into the future. But you're both public companies, and you each owe certain duties to your shareholders.
In the software world the archetypical example of companies collaborating is Microsoft and (... any of dozens of companies go here ...). It seems that never ended well for anyone but Microsoft.
But perhaps the nature of open source / free software fundamentally changes this dynamic of collaborating with the dominant player in an industry.
I see nothing wrong with this. This is why open source is beautiful. If you don't like what some contributor is doing, fork it. Kite can even pull in updates from the main fork. I think this kind of thing happens all the time just not publicly.
Why not use this to fund open source? Have a checkbox to disable ads if you really want to give people freedom. I just can't see how open source can compete without enough funds.
After 12 years working at Red Hat, I can assure you that Open Source not only competes, it is actually winning everywhere. And business models exist that are fair to all sides, allowing us to employ a lot of developers and participating in upstream.
Ads are not a solution IMHO, they are a big part of the problem.
The internet primarily runs on open source software. Your browser is primarily open source software, unless it's IE/Edge, but let's be serious here. Your phone - primarily open source, unless it's WP/BB, but again, let's be serious.
The desktop/laptop you're using right now probably isn't open source, but much of the important software running on it is, and most of the computers it talks to are, and most of the other computers, obvious or hidden, in your life are too.
Not to mention that pretty much all of the services you use are mostly a glue layer over open source projects/libraries/services, including its OS and all those services.
Mac OS is made of large swathes of open source code... but before publishing the source of the kernel, Apple runs a script to strip out anything iOS-specific.
That's just one example but I think it portrays Apple's iOS-OSS relationship pretty well.
The vast majority of phones are Android, though. One of the reasons I'd always recommend Android to friends and family is the open source component, even if said friends and family have no direct benefit from it (only indirect, through open source stuff being used and us being able to look at it and improve it).
> I can assure you that Open Source not only competes, it is actually winning everywhere. And business models exist that are fair to all sides, allowing us to employ a lot of developers and participating in upstream.
It would be great to see not only an assertion but an article that spells this out in some detail.
Why would you need an article? Most large tech companies share their infrastructure on their tech blogs, and most often it's completely composed of open-source software (e.g. Kafka, Nginx, Storm, Postgres, Redis, other Apache products, etc.).
I think it's fair to say that open source has made inroads everywhere. If I were to tell my 30-year younger self what the future looks like, I don't think I would have believed myself. Having said that, there are lots of places where open source is having a hard time. In telecom and medical software for instance. I mean, I can set up a SIP server and inspect the Android source code, but there is a long way to go (like actually being able to build and deploy on a piece of commodity hardware in the case of Android). For medical software, just try to get access to source code for any medical device. You get the thing installed in your body and you can't even look at it.
Like I said, in every place open source has won important battles. The future looks good, but let's not understate the challenges either.
To me, it looks like Kite miscommunicated but didn't propagate spyware. From what I understand after reading the related issue on Github, it did not do any requests to its servers without explicit user permission.
And I think the bigger problem is that 3rd party plugins are becoming a thing. Now, it's all about plugins, installing dozens of plugins that are difficult to audit beforehand. It's like blindly installing software from torrenting sites, but shinier because it has the Github stamp on it.
Could you please elaborate? I read the whole thing when I posted this comment: it seems like Kite did not automatically request its servers and I do think that plugin-mania is the bigger problem here. Installing plugins with no way to audit or restrict their access to the system capabilities is the problem. They should run in a sandbox. This has even been suggested before [1] but it seems like it has not yet been implemented.