Sublime Forum

Is ST calling home (telemetry)?

#1

I am wondering, is ST calling home, or does it have some sort of telemetry that sends data about the user's system to the developers?

I know that VS Code has telemetry (but to be honest, they mention it precisely on their pages in the FAQ, along with how to disable it). Atom also has it (there was an issue about it, because it was enabled by default and the developers didn’t tell their users that telemetry was enabled. Finally, 2 years after that issue was started and after many complaints, they ask users to opt in when Atom is started for the first time).

So, does ST have something similar, and if yes, what exactly does it send to the developers and when?

Also, is it possible for PLUGINS to send some data to their devs?

1 Like

#2

ST3 had a telemetry implementation from build 3023 until build 3064. It was enabled by default in dev builds from 3029 to 3064. It was permanently disabled in 3064 and later removed from the codebase. See the linked post for details.

There is a crash reporter, but I do not know any details about it. As far as I can tell, the server used for reporting is not currently accepting requests. I do not have access to the server nor have I ever had access to any crash dumps.

Package Control by default records package installs, upgrades and removals. It can be disabled via the settings. Data includes operating system, version of Sublime Text, Package Control and versions of the package being manipulated. All of the code related to this is open source at https://github.com/wbond/package_control and https://github.com/wbond/packagecontrol.io. I am the only person who has access to the server and database. I use it to power https://packagecontrol.io/stats. It is never sent or made available to anyone other than myself. I occasionally will make a post here on the forum or on GitHub with some summary information such as the percentage of Package Control users on a certain version of Sublime Text.

Plugins can do anything they want, including reading all files off of your hard drive and uploading them onto a public GitHub repository. This is part of the reason Package Control enforces a strict requirement of SSL connections for the default channel. I don’t want anyone spoofing DNS and installing random software on your machine.

9 Likes

#3

Hi!
Thanks for the reply.

Please clarify:

  • ‘Package Control by default records package installs, upgrades and removals. It can be disabled via the settings.’

– If disabled, does it stay completely silent, or does it send some sort of “opt-out” signal (Atom behaves like this)?

  • ‘Plugins can do anything they want, including reading all files off of your hard drive and uploading them onto a public GitHub repository.’

– Reading all files across the whole system, or only those added to the Sublime instance? In the current project, for example.

Thanks :slightly_smiling:

0 Likes

#4

Out of interest, why was ST’s built-in telemetry removed?

0 Likes

#5

Plugins can run arbitrary Python code. Hence they can read all files across the system and execute other programs.

0 Likes

#6

Horrible. What a lack of security :frowning:
Wondering, is it true for ST only or for every text editor with plugins?

0 Likes

#7

I think that’s true for most editors, because it is necessary to provide some features. For example, LaTeXTools opens the compiled PDF with the Sumatra PDF reader. To do this it reads the Windows registry to get the installation path of Sumatra. It also needs to be able to run the PDF reader to open the PDF.
In addition, it also scans the system and searches for installed sty files to provide proper auto-completion when the user types \documentclass.

It is not really a lack of security, but you need to trust the installed packages, which are usually open source.

3 Likes

#8

What Will is saying is that plugins are not sandboxed. This really is quite standard across all editors that I know of. I think it would be really interesting to explore sandboxing in this area, but no one has done it seriously to my knowledge.

0 Likes

#9

which is why the packages that get submitted to Package Control are all reviewed to be sure they don’t do anything naughty :slight_smile:

0 Likes

#10

Sidebar Enhancements collects information. I don’t know why. It isn’t clear how to disable it in Windows. I think that it should be opt-in, not opt-out.

0 Likes

#11

Maybe there should be some setting at the editor level, not the package level, to opt out of all statistics. For now the solution is to find all packages which collect data and see if there is a setting to opt out per package.

Here is how you can stop sidebar from collecting anonymous statistics.

    # This code sends basic, anonymous statistics.  We use this to understand the popularity
    # of different operating systems, builds of Sublime, Package Control plugin popularity,
    # and programming language popularity.  We use these statistics to target and prioritize
    # various features.  If you would like to opt out of these statistics, create a file in
    # your home directory called `.SideBarEnhancements.optout`.  You can do this by running
    # the following command:   touch ~/.SideBarEnhancements.optout

0 Likes

#12

Yes, but those instructions are for Linux/Mac OS. How do you opt out in Windows? As I wrote, they don’t need to collect those statistics, and I have uninstalled Sidebar Enhancements.

0 Likes

#13

You seem quite paranoid. Don’t use plugins, then! SublimeText is not Android!

Most plugins are open source Python plugins with a small number of lines of code. So use only those open source plugins, review their code for strange network usage and create a pull request to remove harmful plugins from the main line repository! I have not found one so far!

Sublime Text uses the Python interpreter as a runtime environment and a kind of sandbox for plugins, which provides interfaces to most operating system functions by nature. This is nothing terrible but what it’s meant for. It is the basic requirement for most plugins to work and makes Sublime Text sooo great. Btw.: Python is state of the art technology used by many cross platform applications to provide scripting support.

Sublime Text is not a web browser used to browse the web with possibly harmful JavaScript code being pulled to your machine and executed without your knowledge.

0 Likes
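The review step suggested in the post above ("review their code for strange network usage") can be started mechanically. The following is an added example, not part of the original thread and not code from Sublime Text or Package Control: it parses a plugin's Python source with `ast` and flags imports that give network, process-launch or native-code capability, plus dynamic `eval`/`exec`/`__import__` calls. The `FLAGGED` list, the function name `audit_source` and the sample plugin are assumptions made for the example.

```python
import ast

# Modules that give a plugin network, process or native-code capability.
# This list is an assumption chosen for the example, not an exhaustive policy.
FLAGGED = {
    "socket": "network", "ssl": "network", "urllib": "network",
    "http": "network", "ftplib": "network", "smtplib": "network",
    "requests": "network", "subprocess": "process", "ctypes": "native",
}
DYNAMIC = {"eval", "exec", "__import__"}


def audit_source(source, filename="<plugin>"):
    """Return sorted (line, category, detail) findings for one plugin file."""
    findings = set()
    for node in ast.walk(ast.parse(source, filename)):
        names = []
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            names = [node.module]  # relative "from . import x" has no module
        for name in names:
            root = name.split(".")[0]
            if root in FLAGGED:
                findings.add((node.lineno, FLAGGED[root], name))
        # Dynamic code loading hides what a plugin really imports or runs.
        if isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            if node.func.id in DYNAMIC:
                findings.add((node.lineno, "dynamic", node.func.id))
    return sorted(findings)


# Constructed sample, loosely shaped like a statistics-reporting plugin.
SAMPLE_PLUGIN = '''\
import sublime
import platform
import urllib.request
from subprocess import Popen

def report(data):
    urllib.request.urlopen("https://stats.example.invalid/", data)

def helper(name):
    return __import__(name)
'''

if __name__ == "__main__":
    for line, category, detail in audit_source(SAMPLE_PLUGIN):
        print("line %d: %s (%s)" % (line, category, detail))
```

A finding is a pointer for manual review, not proof of data collection, and a clean result does not clear a plugin (for example, `os.system` is not covered). Packages installed as `.sublime-package` files are zip archives, so extract the `.py` files before scanning.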

#14

I think SideBarEnhancements’ recent attitude towards and implementation of data collection is appalling. It exemplifies how dangerous plugins can be when a very popular plugin can suddenly start snooping on users or worse without so much as a howdy-do.

And let’s be clear, SideBarEnhancements is not like say Package Control. PC by design hits the network and passes along some small bits of usage of PC itself. You can also disable it via a “submit_usage” setting.

SideBarEnhancements’ data collecting is very different. It doesn’t hit the network by design. It collects far more data than PC ever does. And it collects it HOURLY. Nice. Gotta get that data.

    data = {
        "protocolVersion": 1,
        "addresses": address,
        "os": platform.system(),
        "osVersion": platform.release(),
        "editor": "sublime",
        "editorVersion": sublime.version(),
        "editorUUID": address[0] if len(address) > 0 else None,
        "activeNonBundledPackageNames": sorted(sublime.load_settings('Package Control.sublime-settings').get('installed_packages'), key=lambda s: s.lower()),
        "name": "SideBarEnhancements",
        "activeEditorFileExtension": active_editor_file_ext,
        "numMinutes": self.num_mins,
        "numMinutesCoding": self.num_activity_mins,
        "numMinutesCodingPython": self.num_py_activity_mins
    }

Plugins could easily use a global setting e.g. “submit_usage” and only collect data if enabled. But just like how they don’t want to implement an opt-in (nobody would), they won’t want to use a global setting because that’s too easy.

1 Like