[AdmiralAsshat]

I'd implement an industry-wide blacklist, personally. This is strike number, two? three? of this company subverting well-known packages with telemetry. Any package that is proven to be connecting to their servers should be removed, the authors should be banned, and the company should be thrown onto a list of Known Bad Actors to prevent any kind of package, add-on, or extension from ever accepting them again.

You cannot fight this kind of malevolence with a finger-wag and a proposed solution that you simply inform the user next time before doing it. It will become buried inside the ToS and become ignored and commonplace. Stop it now and forever, while the spotlight is on it.

[fooey]

Seriously. Sublime, Atom, VSCode, and every other platform that supports plugins should all be in crisis mode over the crap Kite's been caught doing.

If we can't trust that an addon we installed yesterday is safe today, their platforms just turned into gigantic malware vectors that are totally wide open.

This kind of exploitation needs to be stopped immediately.

[mattbierner]

I work on VSCode. We are aware of the possibility of bad plugins or even good plugins that go bad. The real nightmare scenario would be what's happened with some Chrome plugins, where a widely used plugin is either co-opted or bought out and becomes malicious (even worse if it disguises its maliciousness).

All of these package ecosystems are similar to NPM in that they are built on trust and community policing. This is not enough. One possible way forward is to move towards an security model more like iOS's or Androids where apps need to explicitly get the user's permission before performing potentially dangerous operations like making network requests.

I'd be interested to hear how other platforms have tried tracking these sort of concerns

[ReverseCold]

Explicitly asking the user before a plugin can make a network request would be great! I don't know what "sidebar enhancements" is/was, but it doesn't sound like that would need network access.

[AdmiralAsshat]

My concern would be that throwing internet connection under a consent flag may stop some shady apps, but the rest will just invent a bogus reason for why they need to connect: "We need to connect to the internet to check for updates!" How many Android apps have requested access to your Contacts, and waived the harvesting concerns away by saying it only needs to see your Contacts so that it can more easily pair you with your friends? Nevermind that they're also uploading the entire contact list to their servers...

Without an easy way to know who the package is connecting to, it only instills a false sense of security.

[wbond]

This has definitely always been a concern among certain users of the Package Control community. Since the Sublime Text python environment is run as the user, without a sandbox, it is possible a rogue package would upload all of your data somewhere.

So far we've operated under a model of requiring the end user trust the package developer, which isn't going to be the case 100% of the time. We are set up in such a way that the connection is required to be secure to prevent hijacking the connection and replacing packages with hacked versions. But if the package developer is choosing to add code, that is more of a policy issue than technology issue.

[AdmiralAsshat]

I agree, completely. It is a policy issue. For that reason, I am imploring the maintainers of packaging communities like Sublime Text, pip, CPAN, etc. to put forth a firm stance in their policy that says No, we will not tolerate this, period. If you don't, it sends the message that this sort of scummy behavior is acceptable so long as you disclose it. I don't think that's okay, I don't think any sane end-user thinks that's okay. What little defense of this I've seen inevitably comes from other developers, who invariably have monetization in the back of their minds.