[StyloBill]

I think the answer to your question is :

"* Fine-grained privacy controls modeled after the .gitignore file format means that you can selectively and precisely decide which files and folders Kite indexes."

[Karunamon]

Unfortunately, that means that a really simple app where a developer hardcoded something like an API key, and didn't put it in a separate file they told Kite to ignore, will get uploaded.

Any system that relies on people following best practices is doomed in the real world :(

[Cyph0n]

You mean like Git?

[Karunamon]

Git isn't generally configured to automatically upload your files as you type or as files are saved.

There are things like GitFS, but I imagine those aren't part of an average developer's workflow.

[Cyph0n]

My point is that an inexperienced Git user can push their secrets to Github for example, just like a Kite user who doesn't specify a .kiteignore.

[Karunamon]

My point is that it's a lot easier to happen accidentally when the upload happens automatically and without intervention. With git, you directly specify what files you're committing (with the .gitignore as an additional safety net) and when that commit happens. It's all manual.

If I'm testing an app and I want to hard code an API key for testing, and I'm using Github, it's not a problem. I have to explicitly commit that file. Now, I have to both remember that Kite uploads everything, and avoid using that workflow at all, and use the .kiteignore thing (which is another random dotfile in my repo, great).

[Cyph0n]

Again, I go back to your whole issue with how an inexperienced user of Kite can easily shoot themselves in the foot. The same applies to Git: 'git add .' and push.

[waisbrot]

You can run your own git repository (it's really easy). And most of the Git-service providers offer an "enterprise" version where you can self-host.

[Cyph0n]

What happens when someone inexperienced pushes their SSH private key to Github? Isn't that same as not specifying a .kiteignore file?

[ino]

To do that, you have to commit and push. With kite, you might not even realize it uploaded something it shouldn't have.

[Cyph0n]

We're talking about inexperienced users, so it sounds pretty much the same to me. Case in point: go search for API keys on GitHub.

[Twirrim]

That reads like "enabled by default, denied only on request"

[askvictor]

Another post somewhere here from a kite Dev said that your code is only indexed of you explicitly allow it.

[hasenj]

Does installing Kite and clicking "I agree" on a legalese dialog count as explicitly allowing it?