Hacker News new | ask | show | jobs
by jacob-jackson 2785 days ago
Your concerns are understandable. It is about as risky as installing an editor plugin which updates automatically.

The private keys used to sign releases are kept offline and would not be available to an attacker even if they compromised my online accounts.

Finally, TabNine will work correctly if you deny it network access (say, by blacklisting update.tabnine.com).
4 comments
itdaniher 2785 days ago
...as risky as installing a proprietary editor plugin which updates automatically, yes.

Also, AFAIK most understandings of MIT, BSD, and Apache 2.0 licenses require you to acknowledge the copyright holders of the source code you compile into your binary, even if the licenses permit binary distribution. I can't find your "Copyright (c) 2018 Tokio Contributors" or "Copyright (c) 2014 The Rust Project Developers" that I'd expect based on `strings TabNine | grep github`. Maybe you've got a lawyer that suggests otherwise? Your plea of "trust me, I have good hygiene" carries less weight when I have to `strings` your stuff to know what shoulders of which giants you're standing on.

link
JimDabell 2785 days ago
> ...as risky as installing a proprietary editor plugin which updates automatically, yes.

Can't you make the same complaint about any auto-update functionality in any software? Even if it's BSD licensed, you're still counting on whomever has authority to push an update to not push malicious code.

This doesn't seem to have anything to do with the fact that his code is proprietary nor his monetisation strategy, so why are you singling him out for those?

link
itdaniher 2785 days ago
Proprietary - Can't patch out the autoupdate, which I might be tempted to do if something else in my toolchain did things at someone else's leisure.

DRM/monetisation - the product as of my comment didn't seem to acknowledge the open source works compiled into the binary, and I didn't think that was a good look for someone with the authority to push out malicious code.

link
eridius 2785 days ago
As risky as ones that don't update automatically either. Just because a plugin doesn't update automatically doesn't mean it doesn't still have the capability of doing network access. Unless you're actually sandboxing all your IDE plugins and denying most of them network access (and verifying on every new IDE plugin you install whether it's allowed network access), but I don't believe that's how IDE plugins generally work.
link
cyphar 2785 days ago
MIT only requires source attribution. It's the BSD licenses that require attribution for binary forms of redistribution. Still, it is good manners and good cover-your-arse practice to attribute whatever free software work they used (Google does this with their giant "open source licenses" page).
link
Benjamin_Dobell 2784 days ago
MIT has no special language regarding source or binary distribution, it simply states:

> The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

It's up to a court to decide what "copies or substantial portions of the Software" means.

Personally, I've always very much interpreted that to mean both binary and source.

link
cyphar 2784 days ago
Well, you could argue that the notice is "present" (in a very esoteric sense) in a binary distribution of the software because it was present in the source code used to build it. You could also argue that a compiled version of a program isn't a "copy or substantial portion" of the Software (compilation is effectively a form of translation, which is a derivative work under the Copyright Act in the US -- and not just a copy).

Personally I would still include it in both, but I always had the impression that MIT was looser than BSD-2-Clause about this. BSD-2-Clause explicitly states that binary distribution needs to include the notice in "the documentation and/or other materials provided with the distribution", and I have a feeling that the license authors might've had a reason to want to be explicit about it.

link
dharmab 2785 days ago
Does the Vim version autoupdate? I'd rather it wait for me to run my plugin manager- I specifically don't want anything on my machine to update when I'm on-call or traveling.
link
asdkhadsj 2785 days ago
Wait, is the auto-update all that's needed for network? I assumed it was license validation or something. If it's just updating, couldn't you provide a different method of updating like manual update checking, and then peoples concerns would be solved?
link
itdaniher 2785 days ago
No, it does use the network to validate registration keys. Presumably this means a TLS connection per invocation of the binary.

> TabNine makes web requests only for the purposes of downloading updates and validating registration keys.

from https://tabnine.com/faq

link
half0wl 2784 days ago
> Finally, TabNine will work correctly if you deny it network access (say, by blacklisting update.tabnine.com).

Just to clarify - would it still work if I deny network acess for the TabNine binary, _after_ validating my license key? Or is the key validation invoked on every launch (hence requiring network access)?

link
jacob-jackson 2784 days ago
Yes, it will still work.

(License key validation requests go to tabnine.com, so you should blacklist that too if you want to deny all network access.)

link
half0wl 2784 days ago
Thanks! Purchased a copy :)
link