| ▲ | Bender 18 hours ago |
| Given the telemetry, how did uv ever get approved/adopted by the open source community to begin with, or did it creep in? Why isn't it currently burning in a fire? |
|
| ▲ | simonw 18 hours ago | parent | next [-] |
| The telemetry they removed here isn't unique to uv, and it's not being sent back to Astral. Here's the equivalent code in pip itself: https://github.com/pypa/pip/blob/59555f49a0916c6459755d7686a... It's providing platform information to PyPI to help track which operating systems and platforms are being used by different packages. The result is useful graphs like these: https://pypistats.org/packages/sqlite-utils and https://pepy.tech/projects/sqlite-utils?timeRange=threeMonth... The field that guesses if something is running in a CI environment is particularly useful, because it helps package authors tell if their package is genuinely popular or if it's just being installed in CI thousands of times a day by one heavy user who doesn't cache their requirements. Honestly, stripping this data and then implying that it was collected by Astral/OpenAI in a creepy way is a bad look for this new fork. They should at least clarify in their documentation what the "telemetry" does so as not to make people think Astral were acting in a negative way. Personally I think stripping the telemetry damages the Python community's ability to understand the demographics of package consumption while not having any meaningful impact on end-user privacy at all. Here's the original issue against uv, where the feature was requested by a PyPI volunteer: https://github.com/astral-sh/uv/issues/1958 Update: I filed an issue against fyn suggesting they improve their documentation of this: https://github.com/duriantaco/fyn/issues/1 |
| |
| ▲ | stackedinserter 17 hours ago | parent [-] | | Now people on HN defend telemetry. How did we come to this point? Don't be surprised when you're asked to drink control bottle in order to continue living. | | |
| ▲ | simonw 17 hours ago | parent [-] | | Explain to me the harm that is caused to users of pip when this particular set of platform information is sent to PyPI. (In case you were going to say that it associates hardware platform details with IP addresses - which would have been my answer - know that PyPI doesn't record IPs: https://www.theregister.com/2023/05/27/pypi_ip_data_governme... ) Then give me your version of why it's not reasonable for the Python packaging community (who are the recipients of this data, it doesn't go to Astral) to want to collect aggregate numbers against those platform details. | | |
| ▲ | stackedinserter 4 hours ago | parent [-] | | Any telemetry should be done after explicit user consent, period. The harm is that you normalize total surveillance with these little, seemingly innocent steps. | | |
|
| ▲ | albinn 18 hours ago | parent | prev | next [-] |
| I don't think it is too bad, the telemetry it sends is quite rudimentary. However, it would have been a good move from astral-sh to be open and explicit about it, and allow turning it off. |
|
| ▲ | arjie 18 hours ago | parent | prev | next [-] |
| > These things include your OS, py version, CPU architecture, Linux distro, whether you're in CI. All baked into the User-Agent header via something called "linehaul". We ripped that out. Now it just sends fyn/0.10.13. That's it. I imagine it's just that the User-Agent is something that we've grown accustomed to passing information in. I am fairly biased since I'd always opt-in even to popcon. I think it's useful to have such usage information. |
| |
| ▲ | PurpleRamen 17 hours ago | parent [-] | | This is so useful, I'm shocked they even make a big thing out of it. And now I'm questioning whether this is even their real intention, or just a diversion? | | |
| ▲ | tfrancisl 13 hours ago | parent [-] | | They're saying "we removed telemetry" with the hopes of getting an emotional response from people who are privacy-focused, to get quick stars/attention. |
|
| ▲ | blitzar 18 hours ago | parent | prev | next [-] |
| It was really really good. |
|
| ▲ | Ygg2 18 hours ago | parent | prev | next [-] |
| Telemetry isn't bad in OSS per se. Without it, it's hard to say how an app is used and how to develop it in the future. |
| |
| ▲ | yjftsjthsd-h 15 hours ago | parent [-] | | On the contrary, OSS is precisely where this kind of spying on your users is least useful, since there's already a culture of them telling you, sometimes with code, what they need. | | |
| ▲ | simonw 14 hours ago | parent | next [-] | | That's not been my experience at all. The default response to open source code is stone cold silence - getting any feedback at all takes real effort. Those PyPI download numbers are one of the most useful hints as to whether my stuff is being used by anyone. | |
| ▲ | Ygg2 11 hours ago | parent | prev [-] | | If that's the issue, that's a problem. They are telling you X. People, if they tell you, don't give their honest feedback. Or they might be a loud minority. If you ask people what coffee they want, they will all tell you low-sugar, very bitter black coffee. Then you see what they buy, and they keep buying sugary and creamy coffee that contains almost no caffeine. Telemetry isn't spying. At least when done properly. How do you figure out rare OOM crashes without some telemetry data? What if the reporter doesn't know how to figure out their OS and installed software that's required for debugging? I'm NOT saying telemetry should capture everything and sell that data to info brokers. I'm saying, done properly it gives you valuable feedback. And you should be transparent about it. | | |
| ▲ | yjftsjthsd-h 11 hours ago | parent [-] | | > Telemetry isn't spying. At least when done properly. How do you figure out rare OOM crashes without some telemetry data? What if the reporter doesn't know how to figure out their OS and installed software that's required for debugging? Recording information about someone's computer and then sending it to the developer without their knowledge or consent is spying. If you want to include a feature in the software to report a bug or collect crash info or whatever that tells the user what it's going to send and gets their affirmative consent, then yeah that's totally fine and not spying, but that's not what we appear to be talking about here. To use your analogy, > If you ask people what coffee they want, they will all tell you low-sugar, very bitter black coffee. Then you see what they buy, and they keep buying sugary and creamy coffee that contains almost no caffeine. That might be true, but it doesn't justify sticking a camera in their pantry to find out. | | |
| ▲ | Ygg2 10 hours ago | parent [-] | | > Recording information about someone's computer and then sending it to the developer without their knowledge or consent is spying. That's why I said done properly. You need full transparency. What is recorded and why, and how is the information dealt with. In practice most people don't care. If they did they would disable all achievements, because even achievements are a form of telemetry. You can see what percent of people finished the game for example. What percent played mini game, etc. Anything that reveals remote metrics, is telemetry. |
|
| ▲ | add-sub-mul-div 18 hours ago | parent | prev [-] |
| Because not everyone has a knee-jerk emotional reaction to a word when that word can mean something benign aside from its typical FUD connotation. |
| |
| ▲ | Bender 18 hours ago | parent [-] | | I will always have a "knee-jerk" response to opt-out or mandatory telemetry or any other outbound connections I did not ask for being initiated automatically. In a corporate world I would have to block this and depending on what the telemetry is connecting to that could impact other outbound connections leading to contention without the org. One of the optimal ways to do this would be to opt-in by setting an environment variable to enable any combination of extra debugging, telemetry, stats, etc... Perhaps even different end-points using environment variables. | | |
| ▲ | plorkyeran 15 hours ago | parent | next [-] | | Are you saying that when you tell uv to install a package you aren't asking it to make outbound connections to download the package from PyPI? The telemetry in question is just setting an appropriate User-Agent header with only slightly more data than what browsers traditionally put there. It does not make extra network requests purely for the sake of reporting information. | |
| ▲ | maverwa 17 hours ago | parent | prev [-] | | If I understand the description of this "telemetry" in fyn's "MANIFESTO.md" correctly, it does not make outbound connections you did not ask for. It sets the user agent HTTP header to something that identifies your OS, CPU, Python version and if you are running in CI when communicating to the package registry. It does not send any of that to Astral, nor is any of that highly personal. Sure, it should not be there by default, especially OS & CPU imho. But it's not really what I'd call "invasive telemetry". |
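
Added example, not part of the thread and not code from pip, uv or fyn: the comments above describe platform details carried in the installer's User-Agent header, and this sketch lists which fields a given header value discloses, for instance when reviewing egress proxy logs. The header values are constructed; the key names follow the JSON blob pip appends to its User-Agent, and treating other installers as using the same `name/version {json}` shape is an assumption.

```python
import json

# Constructed sample values. Key names follow the JSON blob pip appends to its
# User-Agent; assuming other installers use the same "name/version {json}" shape.
SAMPLE_USER_AGENTS = [
    'pip/24.0 {"ci":true,"cpu":"x86_64","distro":{"name":"Ubuntu","version":"22.04"},'
    '"implementation":{"name":"CPython","version":"3.12.1"},'
    '"installer":{"name":"pip","version":"24.0"},"python":"3.12.1",'
    '"system":{"name":"Linux","release":"6.5.0"}}',
    "fyn/0.10.13",          # bare product token, as quoted in the thread
    "pip/24.0 {not json",   # malformed blob: reported, never guessed at
]


def parse_installer_user_agent(ua):
    """Split 'name/version [json]' into (name, version, details dict)."""
    product, _, rest = ua.strip().partition(" ")
    name, _, version = product.partition("/")
    rest = rest.strip()
    details = {}
    if rest.startswith("{"):
        try:
            parsed = json.loads(rest)
            details = parsed if isinstance(parsed, dict) else {}
        except json.JSONDecodeError:
            details = {"_unparsed": rest}
    return name, version, details


def disclosed_fields(details, prefix=""):
    """Flatten nested keys to dotted names, skipping null (unset) values."""
    fields = []
    for key, value in sorted(details.items()):
        if value is None:
            continue
        if isinstance(value, dict):
            fields.extend(disclosed_fields(value, prefix + key + "."))
        else:
            fields.append(prefix + key)
    return fields


def audit(user_agents):
    """Return one (name, version, disclosed field list) tuple per header."""
    return [(n, v, disclosed_fields(d))
            for n, v, d in map(parse_installer_user_agent, user_agents)]


if __name__ == "__main__":
    for name, version, fields in audit(SAMPLE_USER_AGENTS):
        print(f"{name}/{version}: {', '.join(fields) or 'no extra fields'}")
```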