by wbond 3246 days ago
This has definitely always been a concern among certain users of the Package Control community. Since the Sublime Text python environment is run as the user, without a sandbox, it is possible a rogue package would upload all of your data somewhere.

So far we've operated under a model of requiring the end user to trust the package developer, which isn't going to be the case 100% of the time. We are set up in such a way that the connection is required to be secure to prevent hijacking the connection and replacing packages with hacked versions. But if the package developer is choosing to add code, that is more of a policy issue than a technology issue.

1 comment

I agree, completely. It is a policy issue. For that reason, I am imploring the maintainers of packaging communities like Sublime Text, pip, CPAN, etc. to put forth a firm stance in their policy that says No, we will not tolerate this, period. If you don't, it sends the message that this sort of scummy behavior is acceptable so long as you disclose it. I don't think that's okay; I don't think any sane end-user thinks that's okay. What little defense of this I've seen inevitably comes from other developers, who invariably have monetization in the back of their minds.