Naked Security

Start-up accused of undermining popular open-source tools

San Francisco company Kite 'wants to do better' after users object to its changes to Minimap for Atom

Kite, a San Francisco-based startup that develops tools for the IDEs and text editors used by programmers, has apologized to the open-source community after its code was found to include what many considered to be ads for the company.

Sharp-eyed developers noticed that an update pushed to the GitHub repository for Minimap for Atom seemed to inject links to Kite’s own website into the code Minimap was displaying, and to upload scripts to Kite’s own servers. Uploading a programmer’s work to a third-party server they never agreed to trust is a security concern in its own right, whatever the server does with it.

Was Kite being unethical? The open-source community certainly thought so.

Kite, founded in 2014 by CEO Adam Smith, makes tools that use machine learning to acquire data from GitHub with the stated intention of making a programmer’s work easier and better.

Open-source software has driven innovation in computer technology. At this moment, I’m using LibreOffice Writer to compose my words, Google Chromium to use the web for my research, and Kubuntu Linux as my operating system. And the internet is largely built on open technologies – HTTP, HTTPS, HTML, Apache web servers, email, among others.

Free software’s most enthusiastic cheerleader is Richard Stallman (he prefers that term to “open source”), who says that proprietary software cannot be properly trusted, and that the key to having control over one’s computer systems is free software:

Proprietary software means, fundamentally, that you don’t control what it does; you can’t study the source code, or change it. It’s not surprising that clever businessmen find ways to use their control to put you at a disadvantage.

Today you can avoid being restricted by proprietary software by not using it. If you run GNU/Linux or another free operating system, and if you avoid installing proprietary applications on it, then you are in charge of what your computer does.

Kite’s code is open-source and available on GitHub for review. And reviewing it is exactly what the open-source community has been doing since the script and its functions were noticed.

Here’s what GitHub users have been saying about Minimap for Atom’s “implement Kite promotion” script:

As I understand the function of this package, it should not even be in there at all.

Time for Adblock for Atom.

This is not cool at all. Kind of crazy that anyone would think this is okay.

Definitely against company policy to upload code to external servers. This is the kind of BS that makes companies completely lockdown the software developers can use. Very disappointed.

Seems like the developer is ignoring our concerns. If there won’t be any update on the situation in the near future, someone should really think about forking the project and publishing it on apm. I don’t think many people are okay with the ads, and everyone I know that uses Atom also uses Minimap, so I guess there is a huge demand for a fork.

Autocomplete-python is another Kite tool, which Kite took over from GitHub user Dmytro Sadovnychyi in December 2016. Other GitHub users didn’t appreciate how Kite acquired the project:

@sadovnychyi, thanks for following back. I’m not sure if you have researched this issue, but many of us feel the autocomplete-python package is being overtaken by the Kite team, and the popularity of this plugin is being used to promote their service.

It’s also worth noting that there are no regular signs of these new maintainers being introduced to the project. Having push access before your first contribution is atypical, and it is not an isolated case of one developer.

I believe we could hear more about how this collaboration came to be, and how/where did those discussions happen.

Sadovnychyi replied:

It’s hard to deny that as a result Kite did get a promotion out of this. It’s not like we have a lot of autocomplete options available for Python, so I did have some interest in Kite when it was announced. It would be awesome if Jedi (or another open-source project) would add completions based on machine learning, but it hasn’t happened yet.

I’m sorry that they weren’t properly introduced into the project, but this is not a huge open-source project with strict guidelines, so I considered it would be fine.

The discussion happened over email and as I said it seemed like both parties (Kite and autocomplete-python) could improve each other based on this collaboration.

With support for a fork growing, Ryan Leckey delivered one on July 5:

I forked, renamed, and reverted the Kite nonsense. I’d appreciate it if anyone else wants to help.

Information about Leckey’s plugin can be found on Atom’s website.

So what happened? Here’s what Kite’s CEO Adam Smith had to say when he finally responded to the controversy earlier this week:

Over the last few days, Kite has been knocked around in social media (and the actual media) over several moves we made to expand our user base. It was a humbling experience, and I’d like to apologize to the entire open source community for our handling of these projects. While we had good intentions, we inadvertently angered many in the open-source community in the process – and we’ve now taken steps to address those concerns.

We’re big believers in open source – we’ve made contributions as individuals and as a company. But we messed some things up. We’re trying to fix the issues we created, and we’re eager to hear additional feedback from the open source community.

The Kite controversy illustrates the value of open-source software to cybersecurity. Kite’s actions raised understandable concerns among security-minded users, but the episode also shows how a community with access to the source can spot a problem, argue about it in public, and route around it with a fork.

The incidents should fuel the debate about open-source software and security. Is open source good for security or not?


5 Comments

The security promise of open source is that “many eyes make bugs shallow”. However, it’s a fallacy to assume that because a project is open source it will attract many eyes, or that all eyes are equally good at looking for security flaws. Some really important projects get by with a very limited pool of developers, and bugs like Heartbleed and Shellshock can sit in plain sight for years.

Mozilla’s Secure Open Source is now offering security audits to open source projects. In many ways that’s the antithesis of the “many eyes” approach. Its offer has been taken up by cURL and Dovecot amongst others, and the results show that excellent security is certainly possible with open source software, but it’s not a given.

As to Kite… I can’t think of a quicker way to throw away your VC funding than to mess with the open source tools used by the very people with the wherewithal to fork your bad ideas out of existence.


“it’s a fallacy to assume that because a project is open source it will attract many eyes or that all eyes are equally good at looking for security flaws.”

I mused this basic sentiment when I first heard the “many eyes/shallow” aphorism. Not qualified myself to spy flaws in OpenSSH or the Linux kernel, I marvelled and wondered who had the time and skillset to comprise this army keeping my computer safe…grateful but dubious.

Sometimes in life you’d simply rather be wrong.
:-/


“However, it’s a fallacy to assume that because a project is open source it will attract many eyes or that all eyes are equally good at looking for security flaws.”

Indeed! It’s even a fallacy to assume that because a project is open source that bugs will get fixed. The reason I don’t go near Firefox (or Thunderbird) is that all those open source “developers” wanted to do ten years ago was add on cruft to support their own favorite features that no one else wanted and no one wanted to work on the memory leaks. The project literally fell over due to its own weight; big, ponderous, clunky, and leaky.

I’m told it’s better now but have no interest in trying it again.
