Atom editor still phones home prior to consent dialog (github.com/atom)
164 points by sneak on Nov 26, 2019 | 108 comments


It performs an auto-update check. You know it's just performing an auto-update check. While there's not no argument to be made here, it's not like it's secretly collecting a bunch of data and reporting it before letting you opt out.

The paranoid, accusatory tone in the issue does nothing to help your argument, and I believe makes it harder for maintainers to take you seriously. Your argument is well thought out, and I don't necessarily disagree with it in principle, but you're making mountains out of molehills here. If you'd simply pointed out the issue and asked that the auto-update check be performed after the consent check - especially if it came with a PR implementing that - you'd go a lot further.


> You know it's just performing an auto-update check

Actually, I don't. I didn't agree to let it phone home. It does it before it tells me anything at all. It's also connecting to the telemetry service endpoint immediately on launch, despite not having selected a telemetry consent setting yet.

How about this one? It phones home when you click "don't phone home".

https://github.com/atom/atom/issues/20185


Don't use Atom then? Seems pretty obvious if you care that much.

I respect your privacy views and even share many/most of them (if not so strictly), and appreciate that you are probably just trying to bring this to people's attention. However, you are not the king of open source, and you cannot dictate how other authors must write their projects. It's an open source product written by a for-profit company. There's always going to be trade-offs.


Please don't make the "Don't use atom then" argument in response to someone sharing unexpected info about Atom. No one is saying that they are being forced to use Atom. They are sharing info others may not know about Atom.

You're saying "Don't use Atom", but what you're implying is "Don't talk about Atom"


> However, you are not the king of open source

I am, however, the king of my own computer, and this software does not respect my sovereignty.


You are the king of your computer, but if you don't create rules for your subjects they will do as they please.


That's very true. However, for several decades users had a bit more trust in FOSS as not betraying the user in the same way commercial apps do. Atom is abusing this trust. Just because Microsoft is doing what they want in the Windows world it doesn't mean they can do the same when flirting with developers and preaching their love for FOSS.


Homebrew. Etcher. Gatsby. Atom. Syncthing.

Lots of programs are abusing user trust.


Like I said - if it matters to you, don't use it.

I've never had a problem with people that have extremely strict views of privacy. In fact I usually think they're right. But it's incredibly impractical, and most people don't currently care, which is the real problem. Treating relatively trivial things like this as if it were some conspiracy on behalf of the surveillance state doesn't do anything to get people to listen.

Get people to start dropping Facebook and Google, then we can start tackling the smaller offenses like this. Until then, treating this like you're going up against the NSA is a vanity exercise.


> "Like I said - if it matters to you, don't use it."

Or he can do one better: Not use it and publicly criticize it.


That’s not “better”, in fact it’s not really in the spirit of open source, where criticism comes in the form of patches and forks.

“Doing one better” would be patching and compiling from source yourself. Better still would be maintaining an up-to-date fork for the benefit of other like-minded people.


There's a whole lot of gatekeeping to be found in your comment and I don't think it'll help open source as a whole if things were actually as you describe. It's perfectly acceptable to call out bad behaviour and it always has been. If anything, the community became significantly more polite about it as open source software has become more popular, probably because the users are not exclusively militant programmers now.


I really want to agree with you. But that assumes that the vendor/maintainer of open source software has a responsibility to not engage in "bad behaviour." I simply disagree. The only reason Linus Torvalds doesn't screw over everyone tomorrow is because he places value in the reputation of his code tree. (And also because his code tree sees so much sunlight that any such fuckery wouldn't go unnoticed.)

Clearly the maintainers of Atom don't place value in their reputation. Just be thankful that the maintainers have conveyed their true colours for all to see.


> But that assumes that the vendor/maintainer of open source software has a responsibility to not engage in "bad behaviour."

> "it’s not really in the spirit of open source, where criticism comes in the form of patches and forks."

Everybody has an obligation to refrain from bad behavior whether or not they are an "open source" developer, and everybody has a right to criticize bad behavior whether or not they consume software, and whether or not the software they consume is "open source." That may not be what "open source" means to you, but in that case I want nothing to do with whatever it is that it means to you. I don't subscribe to any ideology that obligates me to hold my tongue when I see somebody doing something I think is morally wrong.

You'll just have to find a way to cope with people criticizing things or people you believe should be immune to criticism. The simple fact of the matter is you have neither the power nor authority to set the bounds for acceptable criticism. People will continue to criticize software they choose to not use, and there is nothing you can do to stop that. You certainly can't stop them by telling them to shut up or by trying to overload the definition of "open source" with your own inane pet philosophy [namely: "All criticism should be formatted as patches or forks."]


You're responding to an argument that I didn't make. Your entire post appears to be a response to a fictional rewriting of my posts which doesn't exist.

For the record—:

• I didn't say (and I don't believe) that developers "should be immune to criticism"

• I didn't describe (and I do reject) an "ideology that obligates [anyone] to hold [their] tongue."

• I never defined any "bounds for acceptable criticism."

• I never said "All criticism should be formatted as patches or forks."

Nobody is obligated to act in accordance with anyone else's opinion of the spirit of a community. People are free to do whatever they wish as long as it's within the bounds of law and license conditions.

I have no problem with any form of criticism, although I do find it more worthy of one's attention when it's constructive. I do have a problem with the attitude of some people who get offended when their criticism is rejected or ignored.

What I reject is the assertion that the copyright holder of an open source software project is obligated to follow a certain mode of behaviour. By contrast, you're saying that "everybody has an obligation to refrain from bad behaviour." So in a surprise twist, it turns out the only person obligating a certain ideology upon others here is you.


Putting a restriction on the definition of open source that limits discussion to those with the time and ability to submit patches sounds, to me, like the opposite of openness. A piece of open source software being used by people outside the development group is a resounding endorsement of both the product itself and the model of open source development that led to the product being so accessible. Developers know that writing software is hard, and receiving criticism or feedback on software you worked on can be hard, too, but I think it’s ultimately to the benefit of the community of both developers and users that shortcomings (or unexpected behaviour) in the software are known. It helps people make informed decisions on what software they choose to use in their personal life, or even what software they trust to run their business on.


It's not a restriction on the definition of open source. A truly open source marketplace has space for apps that do shitty things—and for forks that do fewer shitty things.

If anything is a restriction of open source, it's demanding that the developers of Atom implement a feature the way you want. If you don't like their code or their stewardship, badgering them on this one point doesn't fix the underlying difference in principles.


Ok, I'll bite.

Open source is a hacker thing. Hackers like open source because it avoids useless duplication of effort, which is toilsome and wasteful. Hackers don't like toil and unnecessary waste.

Forks are nothing but otherwise-unnecessary waste. They become necessary through asshattery like spying on users, but they are a last resort, because everything else about a fork is antithetical to most hackers: it's boring, wasteful, duplicated work, induced solely by an unreasonable upstream.

We try a lot of things before we fork, including naming and shaming.


The imperative to fork generally stems from fundamental philosophical disagreements between the current maintainer and the user base. Concern over privacy seems pretty fundamental to me.

Badgering the maintainer doesn't fix the fundamental philosophical disagreement.

Forks don't matter if they don't succeed—it only wastes the time of people volunteering to have it wasted. But when they do succeed, sometimes amazing things happen. The history of open source is rife with hugely consequential forks.


> the spirit of open source, where criticism comes in the form of patches and forks

Criticism in the form of words is healthy, and this poster is beating a dead horse.


That's very neat, but it's not simply about me. It's about thousands and thousands of other, much less experienced people who use these software packages (Homebrew and Etcher and Atom in particular). They deserve privacy too.

I think most people don't realize. That's why these things do it silently.

Most people do care if you ask them. They don't want to be spied on. Given the option, most people will say "no, thank you". That's why these maintainers are so afraid of opt-in. They pay lip service to respecting user consent, but it's just that. They don't actually want to accurately reflect user consent, because they know that if they actually ask to measure it, they don't really have it. It's just like shitty web shops that automatically sign you up for their weekly marketing promo newsletter because you bought something one time. You don't want it, they know you don't want it, but they're still going to rob you of your time deleting them until you finally click Unsubscribe. Same deal.

Did you watch the John Oliver interview with Ed Snowden?[1] The show went out on the street and most people had no idea who he was or what he did or the information he released, but when asked if they knew that the government was logging all of their dick pics (which Ed gracefully confirmed that they are, in fact, doing), they said that they did not know and were not okay with it.

I think the core issue is ignorance, not apathy. I intend to educate people on the matter, and give them actionable steps to take to express their displeasure to the maintainers and their parent organizations. We can solve this issue before it gets any larger.

[1]: https://www.youtube.com/watch?v=XEVlyP4_11M


On the flip side, if you ask nicely I'm usually more than happy to give you some sort of usage information if it seems reasonable. If you don't, you sure aren't going to get anything from me, and I will go out of my way to stop you from collecting that information and tell other people about what you're doing, because you have clearly shown that you cannot responsibly collect usage data.


> However, you are not the king of open source, and you cannot dictate how other authors must write their projects

No, but I can convince other people who don't like their computers being used a spying tools against them to put social pressure on maintainers so that they stop doing this nonsense.

Atom's telemetry used to be on by default; spying silently caused them such a shitstorm that they added a consent dialog. They're almost there! Now they just have to make it functional.

https://github.com/atom/atom/pull/12281

There are precedents. We can push back, especially against open source projects.

> There's always going to be trade-offs.

I don't think that's how software works. I certainly don't take that to mean that I should just accept that it's going to spy on me. I don't want that, and I don't accept that, and I will yell, loudly, at anyone who says I should accept that without a fight.


It’s open source. They aren’t forcing you to use their software, and they’re certainly not forcing you to use their binaries.


But here's the thing: They don't disclose that they'll check for updates before asking for permission.

So how would a user, who hadn't seen this discussion, know that their "we'll ask" reassurance was bullshit?


If you actually care about that—as opposed to complaining for the sake of it—you shouldn’t be allowing new software to establish outgoing connections without your consent anyway.

So if you actually did care, you the user would know because your operating system alerted you.

Nagging everyone to comply with your interpretation of “the right thing” might feel good to you, but it’s actually a very weak and porous form of security theatre.


OK, are there any standard Debian packages that do this?

As I recall, it was a huge upset when Ubuntu app search hit Amazon by default.

And when you install Debian, it asks whether you want to participate in the packages survey. And the default is "no".

Edit: And just to be clear, this isn't about me. I assume that stuff will leak my IP address without warning, so I only connect via nested VPN chains. Or when I really care, that plus Tor.

This is about people who trust stuff that they use.


A popular solution has been available for MacOS for sixteen years (Little Snitch) so if something comparable isn't already available for Linux—the operating system of the internet—that's pretty embarrassing.


i use Little Snitch and DNS blackholing of tracking services, so these issues don't really affect me.

today i decided i care more about strangers than i thought i did

people brand new to our industry should be able to download a nice gui editor and not get their consent trampled and get spied on even after they click the "dont spy on me" button

it's easy to laugh and be like "oh lol it's software from microsoft what did they expect, noobs" like someone else did in this thread

but that's bullshit and you and i both know it

the software simply shouldn't do that when you say "don't send my data away pls"

i don't want everyone to have to say "oh use homebrew it's great but also add this weird line about analytics to your .bashrc before you install it oh wait you don't know what a bashrc is huh" when they talk to some teenager who just got a $15 rtlsdr and wants to install gnuradio on their mac

that's not a good first-10-minutes-at-the-command-line experience.

i don't think that's fair or good or optimal.

i want the world to be different, and i want these maintainers to realize that they made a mistake, and revert it. i don't think they're bad people, i think they're just misguided, and they're optimizing for vanity metrics like user count, which will effectively go away entirely if i succeed and they only get telemetry from users who said "yes it's ok i don't mind". that's a lot fewer users, and they know it, which is why so many of them are refusing to engage with the ethical argument about silently using a user's own hardware to spy on them without their knowledge or consent.

it shouldn't be a controversial position that our tools should not spy on us.


Thanks for defending your points.

I don’t understand why some here take your reports on GH personally. The fact that your reports aren’t taken seriously by the Atom team worries me. Your battle is right and presented in the right tones.


Whereas my point is that the developers of Atom have shown their true moral colours—and their honesty isn't sufficiently instructive to you? Unless you can get the developers to change their principles, getting them to change their source code today seems to be a rather temporary fix.

Meanwhile, isn't it strange that the default behaviour (on nearly all major consumer computer platforms) that we implicitly trust all applications with near-unfettered access to the internet. And we merely hope they don't betray us.


> i use Little Snitch and DNS blackholing of tracking services

Why do you need that when you can just not use things that spy on you (by your own logic)


The issue here is that there is no way of knowing what'll spy on you without using it and running these services.


Yes I know. This person has been saying 'no one forces you to use atom, just don't use it' as a solution to spying but also says he runs DNS tools to prevent rogue programs.


> " This person has been saying 'no one forces you to use atom, just don't use it'"

That is a flat wrong summation of sneak's arguments in this discussion. I think you must have misread usernames, because sneak is saying quite the opposite of what you think he's saying.

Note that sneak is not sjwright (the other person in this thread you've responded to and whose argument you seem to have misattributed to sneak.)


This is about not lying to your users


It's not a lie if they aren't logging anything.

(I'm not saying that's the case, by the way. It's just an observation. We can't really know if they're lying or not—and to that extent I agree with your point.)


How are you meant to know about this a priori unless you've read an article about it on an obscure tech website?


Use strace on every process? Inspect all code that ever runs on your boxen? Those work but, I still prefer the canary-article. Much easier.


What'd be really nice is transparent, built-in sandboxing of every non-system application by the OS. The desktop security model of "protect your files from other users but not from applications you run" is horribly outdated.


On top of all that, we also need deep packet inspection and filtering. All the data flowing into and out of the sandbox must be inspected while in the clear by filtering software under our control. If the packet is known to contain nothing but a unique identifier for tracking, it gets blocked. If it also contains useful data, the identifier is either deleted or anonymized before the packet goes through.

ISPs, companies and governments can do it for surveillance, censorship and security reasons. We should be able to do it too in order to empower ourselves.


Flatpak on Linux has all the ingredients to enforce such sandboxing


>However, you are not the king of open source, and you cannot dictate how other authors must write their projects.

And you're not the king of what people are allowed to voice their views and opinions on in public forums.

Authors can do whatever they want and users can say whatever they want as a result. Doing something does not mean you are free of the consequences, including people voicing their opinions, of those actions.


The maintainers who reply dodge the issue in a way that must be frustrating to the reporter; and makes it seem like they'd probably not accept a PR that modified this behavior. Calling privacy advocates "paranoid" in today's climate is a bit suspect. There's a definite issue here that the Atom team should address - a reasonable user would expect that, after opting out, the app would never phone home, and it does.

Blaming tone is too easy - at this point the Atom team is representing Microsoft, so I'd say the burden is on them to soak up a little snark; especially coming from a user who maybe expects them to behave a bit more like the GitHub of old. Even if they were a small open-source team I would still expect them to directly confront the issue instead of beating around the bush. It's about privacy, and splitting hairs to deny the reporter's reality is a bad look.


> Calling privacy advocates "paranoid" in today's climate is a bit suspect.

It's an insult. They're comparing people with legitimate concerns backed by evidence and precedent to paranoid schizophrenics. They are implicitly saying that people who value privacy are delusional and mentally ill.


The application clearly states that it sends an opt-out notification anonymously after opt-out. I think they're doing better than most in terms of transparency. Is there room for improvement? Sure. But I don't think attacking people who are already doing pretty well compared to the field is the best use of anyone's time.

This is just picking on an open-source team which already has shown themselves to take user feedback about privacy seriously. If you are so suspect of third parties that any device or application sending any network traffic without previous authorization is of serious concern to you, there's a lot more important and impactful products to voice concern about. Like pretty much any other part of Microsoft.


The "never phone home" UI should make it clear that it will still phone home to check for updates.

But I'm sympathetic to Github here. Having users on unpatched software is a bigger risk to them than not having 100% perfect insulation from sending their IP address to Microsoft.


>Having users on unpatched software is a bigger risk to them than not having 100% perfect insulation from sending their IP address to Microsoft.

That's not a decision for Github to make. Let the user decide. Perhaps by even presenting them with a dialog on first run that informs them, then asks them to decide.


I agree wholeheartedly.

Somewhere out there (prog21 ?) is an article stating that the one in desperate need of electricity (the computing device) is subject to the one in a position to provide it (the user), and I agree with that sentiment.

I'd even like an IETF-standard-like T-shirt that says 'The user's will MUST be obeyed as faithfully as possible unless prevented by unrecoverable circumstances' or something like that.

Click-through EULAs and dialog boxes are another symptom of the 'elite-developer-itis' our industry can sometimes exude.


Users having unpatched software is no risk to GitHub. It's risk to those users.


The more interesting question, which you completely sidestep by trying to categorize the leaked info, is whether software should perform an auto-update check before giving you an option to opt out. I don't think the author would have been concerned if they were asked whether the software should check for updates.


MacOS apps usually prompt with a dialog - Atom should too.


It’s reporting your IP address. That’s not nothing.


What's the alternative? I'm not sure how a client can query a server for updates without exposing its IP address, beyond obfuscation like Tor or perhaps a VPN.


It can just obtain the user's consent; and, if denied, the alternative is to not phone home at all.


That's pretty much the norm in Linux.

One typically gets packages from the distro's repository. And traffic with modern repositories uses HTTPS. So third parties don't see what packages are being used. And unless one configures a developer repository, there's never any traffic to the developer.

Also, IP addresses are considered PII under GDPR.

Edit: Still, if one cares that much about one's IP address, it's prudent to use a VPN service or Tor.


IP addresses are only PII if attached to other information. I can generate a list of IP addresses and store/sell that data and it's all fine because it's meaningless without associated data.


The other information is "using Atom".


It's still impossible to link that to an individual unless they sold it to another company that has more info on the address.


Or bought the data.

I'm like 99% sure that datasets are available that link IP addresses to all sorts of PII. And then there are third-party cookies and other trackers.


Yes, and that possibility is enough to make this fall under the GDPR.


> Also, IP addresses are considered PII under GDPR.

Not true. They’re only PII if they can be used to connect something to a person. It’s a minor distinction, but it is one nonetheless.


In this case it would not be PII data if it was just an IP address in a webserver log saying someone checked for an update. It would be PII data if it was linked to your GitHub account.


an alternative updating mechanism that doesn't directly expose IP of the updater?

a dht/blockchain mashup comes to mind, but really it just pushes the IP knowledge to knowledge of some other intrinsic variable that can be used for fingerprinting.

the issuer of public information (an update) doesn't necessarily need to know who collects the information, it's just architected like that for most internet things.


That’s just not feasible for most projects. Why ship a blockchain along with your product, when you could just go with a GET request? The technical complexity, server space, and additional bloat that would be needed to be added to the app would be a waste, IMO.


>”Would you like to check for updates?”


Or you could maintain the current version number on the Wikipedia page for your app. Your app could then request its wiki page over HTTPS as a check for updates.

Then the only useful logs would be held by Wikipedia. And more broadly, requests to that page would be utterly lost in the noise.


That's not a bad idea, actually.

Ideally the article would contain (in a comment or some hidden field) a signature from the PGP key of the app's developer, covering both the version number and the date of release (to stop replay/rollback attacks).

Alternatively, the app could look at the article history and find the latest edit made by the developer's Wikipedia account, so that malicious edits would be ignored. This assumes the threat model doesn't include rogue Wikipedia admins rewriting history or hijacking accounts.

At the expense of a smaller anonymity set, it might make more sense for the app to query Wikidata instead of Wikipedia: https://www.wikidata.org/wiki/Q16766305


> (to stop replay/rollback attacks)

In my imagining, the content of the Wikipedia article does nothing more than trigger a notification to the user; it would be the user's choice whether to initiate a network connection with the vendor's server for the "real" check and binary download.


Yes, the "real" check would be made against the vendor's server.

I was a little unclear about what I meant by "replay/rollback attacks", though. My concern was that someone editing the Wikipedia page could vandalise it to remove the reference to a newly released app version, meaning the app never checked the vendor's server. They would be rolling back the article to a previous edit, or "replaying" a previous edit that was no longer truthful.

Moreover, an attacker could add a spurious reference to a version that hasn't been released, in order to trigger an app to make unnecessary requests against the vendor's server.

Fortunately, both of these types of vandalism would be ignored by a system which checked the revision history and knew the user name associated with the vendor.


The vendor could also independently monitor their Wikipedia page(s) and deal with the problem through Wikipedia's resolution processes. The benefit here is that the vendor would be the first to know when someone is attempting something nefarious.

That said I suggested Wikipedia mostly as a joke—though I do like the principles of indirection and hiding private material within the most noise.

--

Actually, it occurs to me that an appropriate place for software update notifications could be DNS. Something like a cryptographically signed TXT value with a long TTL. It does have the downside of being a cleartext protocol at the moment, but once that changes, you've got a great distributed, fast and resilient key-value store right there...


Everyone should just stop using atom, I found the way they responded to the issue very condescending.

"You are certainly free to block the network access and Atom will work in an offline mode if that is your preference, if that is not what you desire though there are plenty of other editors out there that may fit your needs better."

No one asked them if they are free to block network access or if they are free to use other editors.


I love this thread. Every important question for privacy-conscious power users is raised in here: are automatic updates safe, how should software obtain consent to act on your behalf, how can power users keep up with the arms race of privacy settings, is phone-home inherently sleazy.

This user is running a firewall / connection observer (little snitch) -- as more people adopt tools like that + ad blockers, and as businesses figure out whether and how to serve those users, the norms for this stuff will get worked out.

For now, businesses benefit tremendously from surveillance for both sleazy and non-sleazy reasons and are totally incentivized to understate the potential harms and the ways in which they use what they collect.


The answer given is, in part:

   "Atom is designed to run in an internet connected environment, doing things such as checking for updates (your first dialog) without prompting the user."

The problem with that, as I see it at least is, "doing things such as..." If it said "It's ONLY checking for updates", that seems fine, but "doing things such as..." could be literally anything, and maybe some of those things are things that many people don't want done without consent.


Checking for updates sends a packet out of your computer that contains your IP address, happens at a given point in time (timestamp), contains 'atom.io' in the TLS SNI, and is accessible to your ISP, their network providers, the national intelligence agencies that monitor those connections, Amazon network administrators, Microsoft systems administrators, and GitHub systems administrators.

It's telemetry because it happens whenever you open your editor, and it includes your IP, which in the hands of some of those recipients (i.e. intel agencies, your ISP, and Amazon) means your exact physical location (because you ordered paper towels to your street address using that IP two hours ago).

It can never be anonymous because it has to have a source IP on it, and even if the TLS connection is zero data, the fact that it has "atom.io" in the SNI field means that it's a data leak of the "person at 123 main street opened their text editor (Atom) at 1:23PM", and it leaks that information to a lot of people.

"only checking for updates" is, unfortunately, a form of telemetry, and must be gated on a user's explicit consent to telemetry, otherwise it (no hyperbole) sends an activity event that becomes available to thousands of people against the wishes of the user.

Remember when librarians got all up in arms about warrantless collection of what books you've taken out of the library? That was per-user. This is bulk collection, and is way more invasive: it has second-granularity timestamps.

PS: Thank you, Edward Snowden.


Almost any other network request puts you at more risk than this. If that is your concern, then you are better off turning off your Internet.

If they were really trying to track you, there would also be an unique ID with the request as that makes it much easier to identify you. IP addresses alone are not as useful for those purposes.


That's fine; however opening my text editor (Atom), or running a static site generator (Gatsby), or burning an iso file to a USB drive (Etcher) is not a network request, and should not put me at risk.


It’s a little baffling the Atom team can’t seem to understand this is a bug. I get that the tone of the report is a little off-putting, but a bug is a bug. Fix it and move on.


They don't want to understand it, because understanding it would mean that a big chunk of their userbase could download and use the software, see the opt-out panel, opt out (because really, who wants to be spied on?), and they would receive no information whatsoever about it.

That's what they're trying to avoid. It's not about the user convenience benefits of autoupdate, it's about their metrics panel and the "success" it implies going dark/trending down.


Which raises the question: Is Atom a true open source project or a Microsoft business venture masquerading as an open source project?

I've had similar discussions about Mono.


You don’t get to gatekeep “open source project” on business venture or not.

If it has a free software license and the code is provided, it is a true open source project.

Simply being an “open source project”, however, unfortunately, does not mean that the maintainers are going to act ethically or not produce software that abuses people’s human rights.


What a number of comments in this thread miss is that in certain business environments you cannot use software that calls home, regardless of the reasons for the call.

Before someone says "it's open source, you can modify it", please understand that very few users of FOSS have the time and necessary knowledge to audit every single piece of code they install on their machines for compliance with company security and privacy requirements.

It is my personal belief that the correct stance in these cases is one that places privacy and security at the top of the stack. In other words, nothing calls home unless the user enables it. You are not entitled to initiate any such communications without user approval just because you wrote software people decide to use. That's intrusive and entitled. It's wrong. Disclose it and obtain their permission, and then it's OK.

Atom is cool, I like it.


In those restrictive business environments, the IT admins have a couple options: they can whitelist outgoing connections they've allowed and block everything else, and they can disallow users from installing anything but approved apps.

A business that says "you can't use software that calls" home is going to completely fail at enforcing that unless they implement technical restrictions that preclude it from happening in the first place.


I don't see why they can't just show an "Allow Atom to check for updates?" on startup, just like so many other apps I've used.
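The ordering problem the whole thread is about (a network request fired before the consent dialog has had a chance to run) comes down to two things: ask first, and treat "not answered yet" exactly like "no". The script below is an added example in Node.js, not Atom's code and not from any commenter; the update URL is a hypothetical placeholder and the transport is a stub that records requests instead of sending them, so each startup ordering can be scored by how many requests would actually have left the machine.

```javascript
// Consent states. UNSET is what a fresh install is in before any dialog has
// been shown; a default-deny design treats it exactly like DENIED.
const Consent = Object.freeze({ UNSET: 'unset', ALLOWED: 'allowed', DENIED: 'denied' });

// Hypothetical endpoint; not the real Atom update URL.
const UPDATE_URL = 'https://updates.example.invalid/atom/latest';

// Stand-in for the network layer: records every outbound request instead of
// sending it, so the scenarios below can prove whether anything would egress.
class RecordingTransport {
  constructor() { this.requests = []; }
  get(url) {
    this.requests.push(url);
    return { latest: '1.0.0' }; // constructed response
  }
}

// Default-deny update check: only an explicit ALLOWED state permits egress.
function checkForUpdates(transport, settings) {
  if (settings.consent !== Consent.ALLOWED) {
    return { checked: false, reason: `consent is ${settings.consent}` };
  }
  return { checked: true, latest: transport.get(UPDATE_URL).latest };
}

// The ordering the thread complains about: the check runs unconditionally at
// startup, before the consent dialog has been shown.
function startupPhoneHomeFirst(transport, settings, promptUser) {
  transport.get(UPDATE_URL);
  settings.consent = promptUser();
}

// The ordering the comment above asks for: prompt first, then a gated check.
function startupConsentFirst(transport, settings, promptUser) {
  settings.consent = promptUser();
  checkForUpdates(transport, settings);
}

// Run one startup variant with a scripted user answer and return how many
// requests would have been sent. `answer` may be UNSET to model the user
// closing the dialog without choosing anything.
function egressCount(startup, answer) {
  const transport = new RecordingTransport();
  const settings = { consent: Consent.UNSET };
  startup(transport, settings, () => answer);
  return transport.requests.length;
}

const variants = [['phone-home-first', startupPhoneHomeFirst], ['consent-first', startupConsentFirst]];
for (const [name, startup] of variants) {
  for (const answer of Object.values(Consent)) {
    console.log(`${name.padEnd(16)} user answers ${answer.padEnd(7)} -> ${egressCount(startup, answer)} request(s)`);
  }
}
```

The table it prints makes the bug visible as a number: the phone-home-first ordering sends one request no matter what the user later answers, while the consent-first ordering sends one only when the answer is an explicit "allowed". The same harness shape (a recording transport plus a scripted prompt) is what a regression test for this issue would assert on.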


Somewhat unrelated, but why does Atom even exist anymore? MS should just fold the Atom team into VSCode and go full in on VSCode. From Microsoft's perspective, I don't see any reason for Atom to exist. It's not like Chromium vs Chrome where Google wants to ship an open-source project with some important proprietary bits and pieces.


Why does vim exist anymore? Neovim exists and has more and newer features. We should just get rid of vim, and have Bram focus all his efforts on nvim instead.

Some of us don't like VS Code (for lots of reasons) but do like Atom. From Microsoft's perspective, they just bought a golden goose (GitHub) that can bring them a lot of developer goodwill. If they kill off that golden goose, they lose all the goodwill they just bought. Atom is a part of what GitHub stands for. It's a hackable editor for the 21st century. And when you're one of the richest companies on earth, you can afford to pay a few developers' salaries for a lot of goodwill.


I don't understand why Microsoft / Github doesn't get rid of Atom. It serves no purpose with Visual Studio Code around.



I'm still nervous that Atom fades away, despite the promises and good intentions of continuing to develop it. I'm nervous because...

Commits have dropped since mid-year: https://github.com/atom/atom/graphs/commit-activity

No blog posts since mid-year: https://blog.atom.io/

I love Atom, so am hoping it gets rolling again soon.


From the community manager, on the atom slack:

> Lee Dohm: @aviatesk This is a temporary status. Atom’s pace of development has always fluctuated over time as developers join and leave the project, take parental leave, have vacations, etc.

Reference: https://atomio.slack.com/archives/C044E54H0/p157003367010460...


Strongly disagree.

To implement something simple in VS Code, you have to write an entire package, or put out a PR to one. To implement something simple in atom, you open up your init script.

To change a bit of css in code, you have to write an entirely new UI theme. To change a bit of css in atom, you open up your stylesheet.

Vim mode plus is significantly better than VSCodeVim, both performance and feature wise.

I will freely admit that VS Code has better IDE features (especially out of the box) than atom does (built in terminal, better autocomplete, better LSP support).

But to say that VS Code somehow obsoletes Atom is misguided. Atom is exactly what it bills itself as: A hackable editor built by github.


You can't just "get rid" of FOSS software. It'll live on. :)


If you feel strongly about a feature request on an open source project.... you know maybe actually do the work and not just whine about it? This is why people stop doing open source, these types of people with their weird feeling of entitlement reporting issues.


Please excuse the format of this reply, but this analogy is the best way I can think of to offer a different perspective to the one you are expressing:

"If you feel strongly about human rights violations in a democratic country.... you know maybe actually run for elected office and not just whine about it? This is why people stop becoming political candidates, these types of people with their weird feeling of entitlement exercising their right to free speech."

To be clear, my point isn't that we should solve all data collection problems with legislation (although that might be beneficial in some cases) or that automatically checking for software updates is necessarily a human rights violation. My point is that it's unreasonable to expect everyone who cares about any feature request to write software to satisfy their needs, especially if the upstream developers would refuse their patches. It's even more unreasonable to demand that people who care about certain issues never try to raise awareness of those issues with other people who might be affected or might be able to do something about the problem.


Remember also that I'm asking for tracking code to be removed, not added.


You are asking for open source developers to make the business decision on Microsoft's behalf?

Also, someone HAS already worked on it, and marked it as done. They have failed that ticket's stated goals, either because it did not align with business objectives, or because of an oversight. Nobody (afaik) has asked this person to take over and do the job properly, or even consult on a better flow. The response has been "You are wrong. It doesn't matter. Don't worry about it. Trust us. Stop using atom"

You can argue that if you aren't paying for the product, then you are the product... and therefore have no entitlement. That's a viewpoint I guess - but one very much at odds with the perceived values of the open source community.


You seem to be confused.

Atom is developed by a for-profit company which is owned by the for-profit megacorp Microsoft. For them open source is a PR move and an employee retention measure, they just don't give a fuck if anyone is helping them out... at most they want to have contributors to help with PR and retention.


Could be some 3rd party libs doing that behind its back


Can autoupdate be considered as telemetry?

Secondly. Atom download page (https://atom.io/) contains text (well, someone may not even notice it, that's another issue):

> By downloading, you agree to the Terms and Conditions.

It says:

> Auto-Update Services > The Software may include an auto-update service ("Service"). If you choose to use the Service or you download Software that automatically enables the Service, GitHub will automatically update the Software when a new version is available

Moreover:

> Privacy > The Software may collect personal information. You may control what information the Software collects in the settings panel. If the Software does collect personal information on GitHub's behalf, GitHub will process that information in accordance with the GitHub Privacy Statement.

People don't read the TOS and complain.


I'm not sure it's reasonable to expect users to read the ToS to find out whether their text editor will phone home. This also doesn't excuse the editor sending analytics for users who opt out of analytics.


This is EXACTLY what I expect to find out in TOS. Along with how they use and with whom they share the data (privacy policy).

TOS actually is stronger than preferences. If TOS doesn't state that I can opt out, I don't expect that I'm opted out of everything, even when I set such preferences in software. And that they can introduce some phoning home at will, as long as they comply with their TOS.


That answers a different question; whether you expect that content to be in the ToS or not isn't relevant. I asked whether it's reasonable to expect users to search the ToS to understand the behaviour of their editor.

I don't think it is reasonable; the language complexity expressed in a ToS is vastly different to anything written that's really intended for users to read. People with chronic illnesses experience brain fog and may not find it easy to read a document like a ToS; the elderly, young and those who use English as a second language are also more likely to have issues parsing one.

Even despite that point the software is currently in violation of its own terms of service. If it sends telemetry before you can open the settings panel then clearly you cannot "control what information the Software collects in the settings panel", as the preceding telemetry message can't be prevented.


I have ~2.5k packages currently installed on this computer I'm using. I frequently access 10 different computers directly, with very different configurations.

Those TOS have usually between 10 and 100 pages; the mean seems to be on the lower end, probably around 20. That would make 500k pages of unreadable legalese that I would be required to know by heart and not miss any detail. A TOS also usually changes every year, so those numbers are yearly. So yeah, people don't read the TOS and complain. Rightly so.

In practice it's not that large a problem, because a TOS on software running on my computer is an extremely user hostile action that completely removes a software from my consideration.


Don't get me wrong. Lengthy TOS is an issue of itself. It's just that users who seek privacy should know how to evaluate it.

We are kind of getting closer to improve the situation with... GDPR. Makes software owners come up with, uh-oh, consent dialogs. Pro: User can see where his data go. And presenting this info is a requirement. Cons: Those annoying dialogs...


> It's just that users who seek privacy should know how to evaluate it.

No. It's the vulnerable, the young, the naive, those just starting out that should be protected by default.


A text editor is not a service. Because there is no service, there can be no terms of service.

It is software, and the terms of using that software are the license it is released under.

Downloading free as in freedom software does not bind you to any terms of service other than the license to that software, which in this case is the MIT license.


Atom messes up my graphics driver on Linux; so it isn't installed any more.

Example: When I launch Atom everything else in KDE disappears; I can't see any other apps until I tab over to them. Moving the window in focus fixes it so the screen is back to normal until I launch a new application.

Quitting X and restarting it is the only thing that fixes it.

I liked Atom but like textmate it got forgotten and it will get harder to use over time


That sounds like a bug in either XWayland/X or chromium rather than atom directly. Does the same happen with other electron/chromium apps?

