
A lot of people sign NDAs when they work as programmers. Installing a spell-checker and accidentally breaking one's NDAs seems like a valid surprise. That, and passwords in wp-config and similar files being commented out occasionally, make me actively avoid cloud solutions for spell checking.



> Installing a spell-checker and accidentally breaking one's NDAs seems like a valid surprise.

No, that is a shocking lack of due diligence IMO.

Seriously, if we as developers can't be trusted not to install random junk without checking the consequences, how do we expect the user-on-the-street to stop installing malware because they just have to take that "what Disney character's left testicle are you most likely to find in your coffee tomorrow" quiz?!


I've done projects with NDA for the Android platform where using Android Studio today is almost mandatory.

After reading this post I remembered that Android Studio already has some kind of spell checking active by default, and to be honest I didn't read the complete source code of Android Studio and all packages that are shipped with it by default. Who does that?

Maybe you do, but who is going to pay you for completing that task (as a programmer) and reviewing every single update in the future?


There is a wide gulf of difference between installing an IDE from a trusted corporate entity who would be sued if they did this kind of thing by default without warning vs. installing a 3rd party open source plugin from a developer you've never heard of without reading the description.


>a trusted corporate entity who would be sued if they did this kind of thing by default without warning

Microsoft does key-logging by default in Windows 10. They don't hide the fact that they do key logging, but they don't advertise it to users either. And yes, it's key-logging even if they claim it's for "telemetry purposes only guys, for realsy".


There is a difference but it doesn't change anything for me as a contractor. I'd imagine suing Google or Apple would be no fun when I'm sued by some bank for a breach of NDA.

As software devs we should ideally keep in mind what kind of target audience we are developing our tools for, and in this case it is obvious that this tool would be a problem for many if not most companies for security reasons.

Is there even a reason why anyone would want to have all his source code sent to some unknown third party? Or why this would be necessary for something like spell checking?

I doubt that the dev has bad intentions with this plugin, but imho this tool is badly designed and unusable. Doesn't matter how visible this information is, there are no justifications I can think of why I should allow my source code to be sent to a third party.


That is a lot of trust in a corporate entity who in all honesty tries to profit from you wherever possible, and they would not be sued if such items were spelled out in the TOS. In this plug-in, the plug-in author placed a notice where it could be found by anyone, not hidden away. Here, just as dspillett said, do your own due diligence and select products accordingly.

At the same time, even large trusted corporations can impose interesting license agreements (runtime or otherwise) that you had better be well versed in before you start creating releases of your product.


> but who is going to pay you for completing that task (as a programmer) and reviewing every single update in the future

If you can't factor it into your costs of doing business (that you pass on to the client) then you either have to factor it into your costs of doing business (that you have to eat) or decide to take the risk of not bothering.

The risk is yours to take should you choose, of course (or if you don't work alone the risk is your company's to take), and depending on the 3rd party involved that risk might not be particularly high (as others have pointed out, the risk profile of relying upon Google is vastly different to that of a small add-in developer hardly anyone has heard of), but if the worst happens and you end up in court you won't be able to just dismiss it as "well, how was I to know?".

If you leak NDA covered client information through your use of a tool or service and the client finds out, "but you'd have never paid me enough that I could afford to be more careful" is not going to be a defence that will get you very far, unless of course you have paperwork that states they were aware (perhaps you included the time in your quote but they asked for that bit of work not to be done due to the expense).


> If you can't factor it into your costs of doing business (that you pass on to the client) then you either have to factor it into your costs of doing business (that you have to eat) or decide to take the risk of not bothering.

Thanks, I know this myself. But there is a reality in which no one will accept you factoring in the costs of analysing every tool used.

You try to do this -> someone else gets the contract

You try to change the contract to cover for this -> someone else gets the contract


So you have no choice but to take the risk. Fine. But that doesn't make it a "valid surprise".

In ideal world it wouldn't matter: we'd have time to properly analyse everything we use and clients wouldn't mind paying to having things done properly. We don't live in an ideal world so someone somewhere needs to decide if the risk is worth taking. If you don't push that decision on to the client (because your competitors don't and you fear it will reduce your edge too much) then you have to make the choice and take responsibility for it.


But in this case the very top of the description was the warning that it is sending this data to a 3rd party to do the spell checking.

You don't need to read the whole source code, but you should read the description...


My point is that this software is badly designed since almost no company would ever accept that the source code of their products will be sent to unknown third parties.

I mean the person that developed this plugin will probably also develop for some company and should know that.

So I can't see for which target audience this plugin is because almost everyone doing software development for a company would be excluded.

It's as if you designed a gun that will explode in your hands once you pull the trigger. What is the target audience here?

> You don't need to read the whole source code, but you should read the description

Would you dare to test this in a court? I wouldn't.


> I mean the person that developed this plugin will probably also develop for some company and should know that.

The author of this plugin works at Microsoft - he is the PM for Visual Studio Code. I have no further words to express my astonishment at this fact.


> who does that?

The person(s) who decided that "using Android Studio today is almost mandatory".
