
it's ok, sneak literally just comments this on any mention of Homebrew. we've made many changes to analytics but, according to sneak, unless we move to opt-out: we're spyware.

weird how sneak doesn't post this on posts about all of the closed-source companies that use server-side analytics you cannot audit and data you cannot access.




There's no expectation of privacy when you send data to a server. There is when you run local software.

It's unethical for anyone, yourself included, to use an end user's device to spy on them without their consent. Transmitting their activity without explicit opt-in is spying, full stop. It's not spying to monitor your own server when servicing client requests as that is obviously done with the consent of the device's owner (yourself).

I'm not sure why you bring it up; surely you understand the difference between your own computer and someone else's? It feels like you are perhaps approaching it in bad faith.

There is no amount of ad hominem that will make producing and shipping spyware into an ethical choice.

Somehow projects much larger than your own, also run by volunteers, such as Debian, not only survive, but thrive, without spyware of their own, and also with pervasive policies that patch out spyware and phone-home and other such misfeatures in their packages. Nixpkgs manages to continue to grow without spying on their users, too.

If you really thought users would consent, you'd go opt-in. If you maintain the stance that opt-out is acceptable, it is implicit that you believe that not enough users would consent, which means you are intentionally violating their consent given that you know that. Hence, the ethical issue, which handwaving doesn't change.

Debian knows this. It's a shame that Homebrew doesn't. Normally you see for-profit enterprises selling their users out with surveillance; you have no revenue targets to hit so I'm not sure why you persist in this behavior.

> it's ok, sneak literally just comments this on any mention of Homebrew

I wouldn't have to if you would surface for your users when the software you provided them uploads their usage data. Most of your users are unaware of it.

I'll bet you $10k USD cash that if you printed some messages to the console each time you hit the analytics endpoint with a message that "brew analytics off" would disable it, you'd lose a double digit percentage of your inbound data within 100 hours. You won't take this bet and you won't surface the tracking in realtime because you know it's only giving you the data so long as users remain unaware of your unethical behavior.

Also, parhamn explicitly asked for reasons people might switch. This is the primary reason I use Nixpkgs and not homebrew, so it's a direct and accurate answer to their question. You might be surprised but there are lots of people who choose software based on the behavior (and resulting trust level) of the developers.
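The comment above mentions `brew analytics off` as the opt-out switch. As an added example, not code from the thread or from the Homebrew project, the following POSIX shell function lets a user audit whether that opt-out is in effect on their own machine. It assumes the two opt-out mechanisms Homebrew documents: the `HOMEBREW_NO_ANALYTICS` environment variable, and the persisted setting reported by `brew analytics state`; the exact wording of that command's output is assumed to contain "disabled" when analytics are off.

```shell
# Added example (not from the thread or from Homebrew): report whether
# Homebrew's analytics are switched off on this machine, checking the two
# documented opt-out mechanisms in turn.
#
# Exit status: 0 = disabled, 1 = enabled, 2 = cannot tell (brew not installed).

brew_analytics_disabled() {
  # Mechanism 1: the environment variable, honoured by brew when non-empty.
  if [ -n "${HOMEBREW_NO_ANALYTICS:-}" ]; then
    return 0
  fi
  # Mechanism 2: the persisted `brew analytics off` setting, as reported by
  # `brew analytics state` (assumed to mention "disabled" when off).
  if command -v brew >/dev/null 2>&1; then
    if brew analytics state 2>/dev/null | grep -qi 'disabled'; then
      return 0
    fi
    return 1
  fi
  # brew is absent, so there is no persisted setting to inspect.
  return 2
}

# Human-readable wrapper for interactive use; safe under `set -e` because the
# non-zero status is captured with `|| rc=$?` rather than propagated.
report_brew_analytics() {
  rc=0
  brew_analytics_disabled || rc=$?
  case "$rc" in
    0) echo "Homebrew analytics: disabled" ;;
    1) echo "Homebrew analytics: ENABLED (run 'brew analytics off' or export HOMEBREW_NO_ANALYTICS=1)" ;;
    *) echo "Homebrew analytics: unknown (brew not found)" ;;
  esac
  return "$rc"
}
```

Run `report_brew_analytics` in a shell with the functions sourced; a status of 1 means the persisted setting still allows reporting, and the environment-variable route is the one that works even before `brew` itself is invoked.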


> There's no expectation of privacy when you send data to a server. There is when you run local software.

To engage on this point: Brew is server software (most installs happen via 'bottles'), no? Presumably most package distros keep track of which packages are installed and how often (e.g. Pip/NPM even publish their data). Even if you install from source github/mirrors/etc they have that data too. I'm sure the same is true in nix too? Curious how you categorized "brew" as not server-y software? And how nix possibly gets around the mirrors/code-distribution services from having access to similar data?

Though my point is mostly moot if you point to a place in the brew source code that is taking more personal information from my computer that a load balancer wouldn't have access to.


> Presumably most package distros keep track of which packages are installed and how often (e.g. Pip/NPM even publish their data).

This isn’t true. Most distributions do not collect this information. There are a few package managers that do as you note, but there are also some that explicitly hide it from package publishers (the Go module proxy cache comes to mind).

Nix and the big Linux distros specifically avoid collecting this information. Brew has code to deliver it to additional endpoints without consent.



