Pkg.jl telemetry should be opt-in

There is a distinction I don’t think has been emphasized enough here. We are talking about “telemetry” (perhaps we should use a different word), and “usage data”, which both (to me) imply that data is collected at various random points in the background and sent somewhere. For example that is my understanding of what happens in VS Code. But Pkg does not do anything like that. Data is sent only when you are already doing package server operations, so the data footprint is scarcely different from a normal server log. Some here have clarified that the random client UUID is the only contentious issue to them, and I appreciate that. But let’s please focus on that instead of expanding this to “julia now spies on you”.

PyPI is a useful point of comparison: “Analyzing PyPI package downloads — Python Packaging User Guide”. You can click through from there to see their full schema, which includes country as well as more detailed system and distro information. AFAICT there is no UUID, but there are enough details that it seems fairly fingerprint-able.

Some might object to PyPI’s data collection as well — fair enough. But the comparison is relevant when communicating to others: if you only “warn” people about julia’s package manager and not anything else, you are sending the message that julia is somehow uniquely nefarious, so be aware of whether you intend to send that message.

Thanks to those who have filed specific issues and PRs about this; I imagine we will be taking at least some of those suggestions on board.
