A word of caution on CMS plugins for the Kaltura video platform


When the Kaltura video platform was announced in 2007, it got a lot of people interested in knowing more. The promise of a commercially supported open-source video hosting platform, along with the choice of either running your own hosted content server or paying someone else, looked like a great option for large firms looking to cut costs where they can, small and mid-size sites that want to use an open platform, and (us) developers who want to tinker with something.

Personally speaking, I was very excited about the potential, but was very frustrated when they kept breaking their previously published launch dates for public code releases. During 2008 I got involved with the Drupal CMS and in 2009 researched Kaltura as a standard platform for my then employer. Unfortunately, at the time several components were missing for our needs, so we went back to a different provider.

Skip ahead a year and I notice the excellent Drupal developer Dave Reid complaining that the Kaltura Drupal module had spyware problems, along with a link to a discussion about it. After more than a year of the issue sitting there untouched by the module's maintainer (a Kaltura employee), Dave took the discussion to the Drupal webmasters group, where it quickly became a major issue. As it turned out, the module was radioing home during both the install and uninstall processes, and despite multiple requests to remove the tracking code nothing was done about it.

After much discussion, during which the original developer lost their CVS access, a patch was applied that removed the offending code, an official drupal.org security notice was published, and the latest version is now bug-free.

Happy days for Drupal site maintainers.

The question remains, however: of Kaltura's official extensions how many still include the tracker code?
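One way to check a module you have installed for this kind of install/uninstall phone-home code, as an added example (not from the original post, the Drupal issue, or Kaltura's code). The function names `audit_php` and `lifecycle_hits`, the sample module and the `.example` hosts are all made up for illustration; the check is a line-based heuristic that flags iframes and hard-coded remote URLs and marks the ones that sit inside Drupal lifecycle hooks.

```python
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
FUNC_RE = re.compile(r"^\s*function\s+&?(\w+)\s*\(")
# Drupal lifecycle hooks are named <module>_install, <module>_uninstall, etc.
LIFECYCLE = ("_install", "_uninstall", "_enable", "_disable")

# Constructed sample, not Kaltura's code; the .example hosts are placeholders.
SAMPLE = """<?php
function example_video_install() {
  drupal_set_message('<iframe src="http://stats.vendor.example/install?site=' . $base_url . '" width="0" height="0"></iframe>');
}
function example_video_uninstall() {
  $ping = 'http://stats.vendor.example/uninstall';
}
function example_video_help() {
  return 'See http://docs.vendor.example/help';
}
"""

def audit_php(source, allowed_hosts=()):
    """Return (line_no, function, kind, host, in_lifecycle_hook) findings.

    Line-based heuristic: it does not parse PHP, attributes a line to the most
    recent `function` declaration, and misses URLs assembled at runtime.
    """
    findings, current = [], None
    for no, line in enumerate(source.splitlines(), 1):
        m = FUNC_RE.match(line)
        if m:
            current = m.group(1)
        in_hook = current is not None and current.endswith(LIFECYCLE)
        kind = "iframe" if "<iframe" in line.lower() else "url"
        hosts = [(urlparse(u).hostname or "").lower() for u in URL_RE.findall(line)]
        if kind == "iframe" and not hosts:
            hosts = [None]  # iframe whose src is built from a variable
        for host in hosts:
            if host is None or (host and host not in allowed_hosts):
                findings.append((no, current, kind, host, in_hook))
    return findings

def lifecycle_hits(findings):
    """Findings that sit inside an install/uninstall/enable/disable hook."""
    return [f for f in findings if f[4]]

if __name__ == "__main__":
    for f in audit_php(SAMPLE):
        print(f)
```

A clean result only means nothing obvious was found; pair it with watching outbound requests from a test site while installing and uninstalling the module.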


Wow. That's worrisome. Especially in light of the fact that they seem to be targeting universities and other large institutions... This is the sort of thing that could sour the trust.

Of course you could just use a CMS which has Video (and transcoding) support as standard without needing countless addons, such as Ocportal.

...how many still include the tracker code?

Judging by the attitude of the Kaltura people that participated in the linked threads, I'm sure all of them. Not only did they refuse to acknowledge the issue, they claimed it wasn't spyware (if surreptitious phone home code is not spyware, I don't know what is), then claimed it was an oversight. More disturbing than the phone home code is the attitude of the developers. Who knows what other 'oversights' might appear.

Only the WordPress and Drupal plugins use the iframe during registration/uninstall. The rest of them either don't use iframes or only use them for functionality (e.g. thickbox).

I wonder why they love WordPress/Drupal in this particular way :(

I was told there's a better version elsewhere anyway. Dunno about the tracking code but it's something people should look for in all video / jquery-ish modules that are chucking code onto the screen.

I think you have the wrong attitude to the situation

The good part is that the code is open, and you can remove whatever you do not like.
Also - with their latest community edition, which includes the full server side - you really can do everything on your own.

This is something you pay $$$ for in order to build/buy.
And it connects to all the CMS plugins you do not like, yet mention.

Not sure what you do not like about them.
I am actually a big fan.

I think they have a massive potential.
Like many other open source companies that need to battle the commercial market, they actually need support from folks like you and me.

We should promote such type of bus-activity.

If you now go and say their Drupal extension includes spyware, you are not doing good. Rather, you should reach out to them and explain how they should handle this situation, and what is the right thing to do,
because in terms of functionality - they do amazing things.

Really any external thing that you add to your site is most likely spyware. AddThis, AddToAny, Facebook, etc. etc. They're all harvesting the traffic patterns of your users.

Kaltura is an Open Source system, it's out there, you can take it, change it, and modify on your own to suit your needs.

The information was collected into a standard apache log file anonymously.
There were no surprises made, the iframe was a functionality we added in thinking of trying to provide better ability to learn & fix installation issues, but in reality due to lack of attention for that module, never actually got to analyze.

You can argue it was spyware or claim that we had bad intent - but let's be honest, the code is open - so everyone can see it and change it. Moreover, no one was harmed, quite the opposite, you got a kick-ass piece of software for FREE, that solves a real problem for management & publishing of rich-media that otherwise you pay a large price for (whether buying or building).

There was an issue with security about using an iframe, true. The extension was out-sourced, it wasn't developed internally by Kaltura - and naturally, we missed a point. That said, it was fixed when our attention was brought to it, the new version does not include the usage of iframe.

Thanks to the great people in the community, the module keeps on living and we trust it is actually in good hands right now (grobot is its maintainer now).
We will keep on making updates and work with the module's new maintainer, we will provide as much support as possible to advance the project and make it better.

I welcome you to go on http://www.kaltura.org where you can join the Kaltura community where you can take active part in the development of the platform & its extensions, change the features you don't like or add new ones you'd want to have.


Zohar Babin.

Zohar, there are several problems with Kaltura trying to claim the moral high ground on this:

  • There were several other hidden links in the past, which raises strong questions of motive.
  • No action was taken for the full year between the original issue being created and the issue being escalated to the webmasters group.
  • It took until August 5th for Kaltura to resolve the issue with their self-hosted version of the module.
  • No information was provided in the documentation, on the project page or elsewhere indicating that there was any spying going on with the module.
  • Using "but it's FREE" is a poor excuse to add spyware to your published code without warning.

Open source communities are built on trust, Kaltura now has to rebuild some of that trust.

Hi Damien,

The public repository you found was never recommended by Kaltura for public use, the code was under two different branches, branches used by community developers that extended the module and needed SVN to work with.
We deleted these branches because they were not needed anymore and only caused confusion (as per your post).

The reason for the lack of updates was a lack of involvement from Kaltura's side.
The Drupal module is not Kaltura's core interest, we do a media platform not Drupal modules (neither is any of the other extensions available), and as such the module was maintained by an outsourced company. The maintainer didn't follow the guidelines in full and didn't maintain the project on an ongoing basis.
This is why we only became aware of the issues when it was escalated, and unfortunately too late.

That said, we take full responsibility.
There are many Drupal sites out there using the Kaltura Drupal module, and we'd like them to keep running and have a stable and updated module.
There are new maintainers that volunteered from the drupal.org community and Kaltura will support them in any way possible.
We have also set internal procedures to become quickly aware of any communication done on the Drupal.org community, so that other issues will be quickly resolved.

And Damien, we're not saying "it's free so...". We say it's Open Source, you can, and should, change it if it has something wrong, and we appreciate having you as loud as possible both for the bad and for the good things you like.

