New “ Pkg & Storage protocols ” and an accompanying centralized service to host packages have been merged and are present in Julia v1.5.0-rc1. The new Pkg sends telemetry consisting of a user-specific UUID and other information to the server, where it is used to count the number of users and other sta…

Thanks for the productive discussion and suggestions, everyone. We’ve tossed this around a bit among the Julia committers group, and I think it’s clear that all this requires some additional design work, so here’s how we’re going to proceed: For 1.5, we will remove the UUID and all other stateful…

[image] dlakelan: Of course I’m exaggerating the scenario for effect. But I think this has the opposite effect than you intend; when I see wild exaggeration I’m likely to dismiss a post out of hand. Conversely, a well-reasoned and plausible scenario which could directly lead to user harm and …

I think you have to agree that the scenario where it’s time for little Billy’s coding camp, so he fires up his torrent client and downloads the latest hit movie, and then while it downloads he signs into his coding camp and they tell him to install packages xyz, and now some forensic investigator wo…

This would only work if the proposal stored UUID and IP (and time) cross-linked, which we’ve gotten specific confirmation that it won’t happen.

It won’t happen intentionally by Julia. Suppose I’m the MPAA and I am looking to set an example of some children and their families (ugh). I get cooperation from FBI etc to monitor the torrent site since it’s a major lawbreaker, so I have logs of IP addresses that persistently infringe… so then I go…

[image] c42f: I’ll add that I’m completely confident this is true for other core contributors commenting on this thread who are certainly among the most skilled engineers I’ve ever had the pleasure of working with. While it’s not un-true for me personally, I am a bit of a sucker for the use o…

[image] dlakelan: The more plausible scenario of course is something like what the RIAA used to do which is try to bankrupt single mothers because their tweenage kids shared music or movies online with their friends… only this time instead of a plausibly deniable IP address that’s recycled from …

[image] ninjin: 1.) Must one retain the 128-bit UUIDs in the logs in order to reach the desiderata? Is a lower-bound estimate in terms of usage numbers with some controllable confidence interval not sufficient so as to preserve plausible deniability and break the link between what is on the end-…

Sorry for the stupid question: would it help anything if we would use a linear map to convert the uuids before saving them to the database? This way the uuids in database and the uuids in people computers wouldn’t match. Still there would be all the benefits to use the linear map to match the uuid t…

That really just kicks the can down the road since now anyone who has the transformed UUIDs and the map can recover the original UUIDs, so in terms of security it would be window dressing. Same thing with encrypting UUIDs on the client side: if that’s done in a consistent way (which it needs to be i…

Pkg.jl telemetry should be opt-in

Internals & Design

dlakelan July 7, 2020, 5:00am 338

thanks for that acknowledgement, it was effective in convincing me that someone involved understands the issue. I’m happy to step away.

Topic		Replies	Views
Digression about privacy over OpenTelemetry.jl Offtopic	9	1041	November 6, 2021
The State of the Julia Ecosystem Community	109	9081	January 31, 2019
Some Julia growth/usage stats Community	42	13422	July 13, 2025
Julia losing popularity among Data Science users (KDnuggets Software Poll) Community	146	20769	June 23, 2018
Release strategy for juliac? Community binarybuilder , juliac	30	3383	April 7, 2024

Pkg.jl telemetry should be opt-in

Related topics