I’m in a similar position with proprietary code and the entire concept of uploading it anywhere freaks me out. I mean, I did create an alternative package. But banning someone is pretty severe. Example: I have interacted with abe33 from Atom’s Minimap previously when working on Atom packages and he is a super friendly and helpful guy. His involvement with Kite was clearly a misjudgement he really regrets. Gotta assume he just didn’t think it through, and give him the chance to correct himself. Tito is quite a different case of course, but still, I don’t believe a permaban is the way to go. The community will be extra alert for anything he creates anyway. Better to let him retain his account, rather than being forced to create a new one.
RFC: Default Package Control Channel and Package Telemetry
If I understand it correctly, Minimap added some commands to open Kite related homepages, but did not violate the users’ privacy by collecting some statistics. Hence this whole discussion wouldn’t affect the behavior of that package.
In general adding a way to quickly open homepages can be very useful. E.g. a python package with a command to open the PEP8 homepage or the documentation. I also added something like this to the LaTeXTools package. IMO the problem starts if you get money to add the links/commands, because then you are advertising instead of providing useful stuff for the user.
Thank you for taking this seriously wbond. I also vote for solution #1. Thanks for bringing this to the attention of the community. Packages should not track users in any shape or form without prior consent.
The blanket invitation to re-add addons if they get caught is far too soft and probably even encourages bad behavior.
There should be some sort of soft grace period for existing packages to get changed, but blatant abuses like SideBarEnhancements absolutely warrant a much harsher response. Maintainers essentially accepting bribes to inject malicious code is not something that can be allowed to stand if anyone expects the ecosystem to survive.
So you put some crappy tracking code in your package and then forgot about it for over a year? If I were one of the people who just invested $4M in your start-up, I’d be pretty concerned about my money right now.
The primary reason I added SideBarEnhancements back so quickly is so that all users get upgraded to a version with no tracking. Otherwise, no one would be able to install it fresh, but all current users would keep being tracked.
Users here are being too kind.
I have developed a trust with sublime text over the course of years.
This company saw fit to violate that trust and now acts like they made a simple mistake, forgot about the spyware they wrote and unwittingly distributed to users.
I say ban them immediately. Show the community this is unacceptable and that sublime text stands by its users. Anything less is disrespectful to us and an insufficient punishment to the liars who spied on us.
This is a really good reason to re-add it back, but at the same time it still gives a lot of power back to the maintainer – which has clearly acted out of selfish interests already. I don’t think a plugin or plugins maintained by this maintainer should remain on package control for this. It sounds harsh, and maybe Tito could chime in as to what led to this, but it seems silly to let him get off for a decision that’s just as much his fault as it is Kite’s.
Maybe money. I can see no benefit that sending data to kiteco would bring to SideBarEnhancements. I have no proof of this. I know tito was also getting aggressive for donations by putting a menu entry in the sidebar to give donations.
Kiteco sounds pretty shady in their practices: http://www.techrepublic.com/article/how-startup-kite-tried-to-ruin-two-open-source-communities/.
Edit: again I’m not saying any money changed hands, and I am not trying to smear anyone’s name, but I would love to hear the motivation here as I can only guess.
So far around 40k installs of SideBarEnhancements have been upgraded to the version without tracking.
Hello, I am the developer of Code::Stats and its ST3 plugin. I’ve been reading this thread and haven’t found any conclusions yet. Here are my concerns (that may not be answerable yet, but are here for consideration):
- The only point of my plugin is to collect usage data (amount of typed chars per language) and send them to the service. Will this be considered under an opt-in system? Will there be an API to accomplish the opt-in? Is “add your API key to the settings” enough of an opt-in?
- The user needs to register to my service, which has its own privacy policy (I would link here but new users can only add 2 links so click on the “Legal” link in the footer of the site). Will the plugin need an additional policy if it only communicates with the service?
- Will plugin authors be notified when a conclusion is made regarding policy changes in PC?
Thanks for all your efforts regarding ST/PC development. 
Maybe Apple has it right? As a long term solution, make the package request access to that data. When it requests the user is prompted and then confirms if they agree for that to be given to the plugin. Otherwise the plugin has no access to the data. The same could be done for editing documents etc.
In the short term 1 and 2 sound good.
There won’t be a reasonable way to enforce such a solution without effectively maintaining a heavily-modified fork of the Python programming language, which isn’t going to be possible with our current development team, and likely won’t be practical even with a much larger team.
I think it would be possible to create a notice when installing a package with Python code, and warning a user if an upgrade adds Python where none existed before. But then again, the number of packages with Python would probably desensitize most users to the point where it would likely be effectively ignored.
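A minimal version of the notice idea described above, as an added example that is not part of the original thread or of Package Control: it compares two versions of a package (given as path-to-source mappings, constructed inline here) and reports Python files that are new, Python appearing where none existed before, and Python files that import networking modules. The watch-list of module names is an assumption for this example.

```python
import ast
from typing import Dict, List

# Modules a plugin would need in order to talk to a remote host.
# Constructed watch-list for this example; extend as needed.
NETWORK_MODULES = {"urllib", "urllib.request", "http.client", "socket", "requests"}


def network_imports(source: str) -> List[str]:
    """Return the watched network modules imported by a Python source file."""
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return ["<unparseable>"]  # worth a look on its own
    hits = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names = [alias.name for alias in node.names]
        elif isinstance(node, ast.ImportFrom):
            names = [node.module or ""]
        else:
            continue
        for name in names:
            if name in NETWORK_MODULES or name.split(".")[0] in NETWORK_MODULES:
                hits.add(name)
    return sorted(hits)


def audit_upgrade(old: Dict[str, str], new: Dict[str, str]) -> Dict[str, List[str]]:
    """Flag what changed between two package versions (path -> file text)."""
    old_py = {p for p in old if p.endswith(".py")}
    new_py = {p for p in new if p.endswith(".py")}
    return {
        # Python showed up in a package that previously had none.
        "first_python": sorted(new_py) if new_py and not old_py else [],
        # Python files that did not exist in the previous version.
        "added_python": sorted(new_py - old_py),
        # Python files in the new version that import a networking module.
        "network_files": sorted(p for p in new_py if network_imports(new[p])),
    }


# Constructed sample: the old version shipped only settings and menus;
# the new one adds two plugin files, one of which can reach the network.
OLD_PKG = {"Default.sublime-keymap": "[]", "Main.sublime-menu": "[]"}
NEW_PKG = dict(OLD_PKG)
NEW_PKG["SideBar.py"] = "import os\n\ndef listdir(p):\n    return os.listdir(p)\n"
NEW_PKG["telemetry.py"] = "import urllib.request\n\ndef ping(url):\n    return urllib.request.urlopen(url)\n"

if __name__ == "__main__":
    print(audit_upgrade(OLD_PKG, NEW_PKG))
```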
What I’m now interested in, is to see what other packages I have installed have kite tracking code in them… At least be honest and notify a user about the change in a readme or somewhere…
Hi, I am rather curious now. Can somebody confirm if Anaconda is also collecting telemetry just like this wretched plugin (SideBarEnhancements)?
Thanks.
As I already stated, Anaconda does not collect data, but you can disable certain features if you use Kite. It also does not add commands to open Kite home pages (like Minimap) and uses jedi as a local JSON server and did not switch to Kite (which was the criticism with autocomplete-python).
I uninstalled kite from my machine, and the plugin as well. I removed SideBarEnhancements as well. Is there anything else that I should be doing to protect myself?
Also I wonder when an apology from Tito is going to come for having fooled the community? If he wanted to make a few quick bucks for his plugin (and there is no harm in doing that) he could have easily followed what other plugins are doing to raise money for their work -
Thanks
SideBarEnhancements does not track anymore, but I would also stop using it. I am not aware of another tracking plugin, but I don’t think there is one, because SideBarEnhancements is so common that it would not be necessary. Nonetheless it would be good to review popular packages.
Just as a follow-up, I wanted to say thank you to @adam314 for getting the tracking server shut down so no more data is being sent, even if users haven’t been upgraded to the latest version of SideBarEnhancements.
The Anaconda* packages are not based on Kite and do not send the full contents of files to Kite. That is not an accurate representation of the packages. I projected my own sensitivities around this issue onto the Anaconda packages. And as far as I understand, no, it does not send Telemetry data home or anywhere, or contain any Telemetry like SideBarEnhancements.
I updated my post above with the correction.