I've done projects with NDA for the Android platform where using Android Studio today is almost mandatory.
After reading this post I remembered that Android Studio already has some kind of spell checking active by default and to be honest I didn't read the complete source code of Android Studio and all packages that are shipped with it by default, who does that?
Maybe you do, but who is going to pay you for completing that task (as a programmer) and reviewing every single update in the future?
There is a wide gulf of difference between installing an IDE from a trusted corporate entity who would be sued if they did this kind of thing by default without warning vs. installing a 3rd party open source plugin from a developer you've never heard of without reading the description.
>a trusted corporate entity who would be sued if they did this kind of thing by default without warning
Microsoft does key-logging by default in Windows 10. They don't hide the fact that they do key logging, but they don't advertise it to users either. And yes, it's key-logging even if they claim it's for "telemetry purposes only guys, for realsy".
There is a difference but it doesn't change anything for me as a contractor. I'd imagine suing Google or Apple would be no fun when I'm sued by some bank for a breach of NDA.
As a software dev we ideally should keep in mind for what kind of target audience we are developing our tools, and in this case it is obvious that this tool would be a problem for many if not most companies for security reasons.
Is there even a reason why anyone would want to have all his source code sent to some unknown third party? Or why this would be necessary for something like spell checking?
I doubt that the dev has bad intentions with this plugin, but imho this tool is badly designed and unusable. Doesn't matter how visible this information is, there are no justifications I can think of why I should allow my source code to be sent to a third party.
That is a lot of trust in a corporate entity who in all honesty tries to profit from you wherever possible, and they would not be sued if such items were spelled out in the TOS. In this plug-in, the plug-in author placed a notice where it could be found by anyone, not hidden away. Here, just as dspillett said, do your own due diligence and select products accordingly.
At the same time, even large trusted corporations can impose interesting license agreements (runtime or otherwise) that you better be well versed in before you start creating releases of your product.
> but who is going to pay you for completing that task (as a programmer) and reviewing every single update in the future
If you can't factor it into your costs of doing business (that you pass on to the client) then you either have to factor it into your costs of doing business (that you have to eat) or decide to take the risk of not bothering.
The risk is yours to take should you choose, of course (or if you don't work alone the risk is your company's to take), and depending on the 3rd party involved that risk might not be particularly high (as others have pointed out, the risk profile of relying upon Google is vastly different to that of a small add-in developer hardly anyone has heard of), but if the worst happens and you end up in court you won't be able to just dismiss it as "well, how was I to know?".
If you leak NDA covered client information through your use of a tool or service and the client finds out, "but you'd have never paid me enough that I could afford to be more careful" is not going to be a defence that will get you very far, unless of course you have paperwork that states they were aware (perhaps you included the time in your quote but they asked for that bit of work not to be done due to the expense).
> If you can't factor it into your costs of doing business (that you pass on to the client) then you either have to factor it into your costs of doing business (that you have to eat) or decide to take the risk of not bothering.
Thanks, I know this myself. But there is a reality in which no one will accept you factoring in the costs of analysing every tool used.
You try to do this -> someone else gets the contract
You try to change the contract to cover for this -> someone else gets the contract
So you have no choice but to take the risk. Fine. But that doesn't make it a "valid surprise".
In an ideal world it wouldn't matter: we'd have time to properly analyse everything we use and clients wouldn't mind paying to have things done properly. We don't live in an ideal world, so someone somewhere needs to decide if the risk is worth taking. If you don't push that decision on to the client (because your competitors don't and you fear it will reduce your edge too much) then you have to make the choice and take responsibility for it.
My point is that this software is badly designed since almost no company would ever accept that the source code of their products will be sent to unknown third parties.
I mean the person that developed this plugin will probably also develop for some company and should know that.
So I can't see for which target audience this plugin is because almost everyone doing software development for a company would be excluded.
It's as if you designed a gun that will explode in your hands once you pull the trigger. What is the target audience here?
> You don't need to read the whole source code, but you should read the description
Would you dare to test this in a court? I wouldn't.