Pkg.jl telemetry should be opt-in

Agree, but probably best for a separate thread as to not distract from this one :slight_smile:

1 Like

I know; I meant as the reply stands, some might visit the link with serious intention, and feel disappointed and mocked when looking at the contents. I’d have put at least an emoticon or something like that, to avoid unnecessary offence. But yeah, I understand the good intention, so nothing else to add about it.

2 Likes

I think if we follow the KISS philosophy in Linux, we should create our package that does one thing and does it well. If we install Pkg, we expect that it does Pkg management. Maybe, Telemetry should be a separate package so that people installing it really meant to install it. In this way, we don’t permute the real function of Pkg with that of Telemetry? Of course, relying on the passivity of people or on the ignorance of people on the presence of telemetry doesn’t sound right regardless if it’s harmless. We should always strive for the most transparent way to collect information. The end does not justify the means.

1 Like

You made a joke at the expense of an organization that helps victims of domestic violence.

1 Like

Please stop. You know very well that what you are doing now is disingenuous. In no way was this at the “expense” of them (what expense did they suffer?). Anyway, for the harm I caused them, I also made a donation to their foundation. Message me if you want the receipt.

Edit: Replied to the wrong person.

4 Likes

It’s really getting weird. Instead of reflecting on your own count of likes and then on the validity of your position, you are attacking others because they liked a post? What you show here makes me sad.

Don’t get me wrong: your opinion is fine and it’s ok to bring it in here. But it is an opinion and it’s not you who has to decide what’s wrong or right. Respect to your opinion, same to others from you.

In general about this discussion and how it went: those who argue with the highest moral standards claim to have the right position. They aren’t part of the discussion anymore, they want to decide and end the discussion, because it’s clear who is right. This isn’t working, not here, not anywhere. Please, step back, think about the real issue, the real data which is gathered and how it is done. Then think about cameras in public, Google, Facebook, China and social scoring. Bring everything into relation and think again. You fight at the wrong place!

The facts:

  • no personal data collected
  • open source, clear explanation
  • early and open discussion before release
  • clear goal
  • nothing hidden
  • absolutely minimal data
  • opt-out well documented and relatively easy to do (we are software developers, even the new Julia users should be able to opt-out)

I am sure, that this is the best I have ever seen in collecting data (especially the minimal approach), but it is also the reason, why it is getting so much negative response from those who see their chance to be right. Against the holy inquisition there is no argument.

At last my position: I disagree that opt-in would not give enough data, so I am also on the opt-in side, but I would opt-in for sure. Therefore and regarding the facts I am fine with opt-out. And the handling of the IP address should be mentioned in the data document.

25 Likes

@dlakelan already explained the reasons for missing the link. That being said, I think that comments like “there isn’t yet an official readable document…” and others in the same line, including your question, must be contested.

There are questions that may be debated, but in this conversation there are also many comments implying that the telemetry feature has been dealt with obscurity from the side of developers, and that is really unfair. That document, which is a prominent example of transparency, is (twice) the top link of this conversation, not buried at all. Although everything can be improved, of course, I think that developers have clearly shown that they are very sensitive to the users’ privacy rights and transparency in this issue is one of their top priorities.

2 Likes

ok, since I’ve been mentioned twice here, I figure I should chime in on this trainwreck.

I have no issues with respect to user privacy. My objection stems from the fact that code I freely contributed to the Julia language is now going to be used, without any prior discussion, as a way for Julia Computing – an organization that didn’t exist when my first registry PR was merged – to raise revenue. I object to this use of my code, though I realize there’s little I can do about it given its open-source license.

However legal it may be, in my opinion it’s not right to appropriate the work of volunteers who have taken time to learn and promote this language and use it for your own material benefit by changing the terms under which the work was originally submitted.

Had I known that my packages would be used to track individuals for the financial benefit of some group of other people, I never would have submitted my first PR in 2015.

This move, inasmuch as it engenders hostility from developers, is also short-sighted: You can own the painting; but you don’t own the artist.

4 Likes

Hi Kristoffer,

I believe you. There was no ill intention. Still, this is a serious foundation that deals with victims of domestic abuse, so, yes, please, I encourage people to make a donation. I just did :pray:

3 Likes

From a practical perspective, I think it is well-defined: people with commit rights to the repo. Like most open source projects, it is not democratic, but meritocratic: people who do the work get to define where the project goes. Note the intersection between the top contributors and people participating in this topic.

Since Julia is under the MIT license, note that it is super-easy to fork, so in this sense every person or group of people gets a “vote”. It just implies a lot of work if they want to make the fork viable.

Personally, I do not mind the telemetry too much: I am not very enthusiastic about any kind of data collection, but in case there are benefits, it should be well-designed and minimal. But if I happened to disagree with the whole thing vehemently, I still would not dream of asking that I get to “vote” about this as a “member of the community”. Since my contributions to Julia are pretty sporadic, this would be tantamount to me being involved in a decision about a project that others have dreamed up and devoted a significant amount of work to.

15 Likes

Because I have to feel ashamed, and because I feel pushed to donate somewhere in a completely different context, which makes me even more ashamed, because I can’t compete with this high level of ethics and moral, I am leaving this thread (and because I have articulated my opinion already twice). The only thing I am good enough for is to give away this little set of data to the maintainers of Julia and its ecosystems, so I feel I am not good enough for the people here.

1 Like

I have no issues with respect to user privacy. My objection stems from the fact that code I freely contributed to the Julia language is now going to be used, without any prior discussion, as a way for Julia Computing – an organization that didn’t exist when my first registry PR was merged – to raise revenue. I object to this use of my code, though I realize there’s little I can do about it given its open-source license.

Wait a minute – the default package server is run by Julia, the open source project, not by Julia Computing.
The idea is that the open source project may publish package usage statistics, which the package authors in turn could use to apply for funding (see e.g. the JuMP example above).

10 Likes

Then s/Julia Computing/any other organization that is using my package as a way to apply for funding which logically includes Julia Computing as well.

It certainly does not include me.

1 Like

That can help Julia Computing to raise revenue as much as any other company that does business with Julia. Julia Computing does not have special rights with respect to the data that would be collected with Pkg:

1 Like

I’m not entirely sure what scenario you’re thinking of here – that the author of some third party package would use the popularity of a package they’re not an author of to apply for funding? That seems unlikely to work, no?

In any case: You are opposed to any (public or otherwise) statistics about Julia package downloads then?

4 Likes

It’s not Julia Computing who will get the data, but “a limited subset of core Julia developers”

I missed this. This makes it even worse in my mind. Cui bono?

I am opposed to telemetry in principle. I am particularly opposed to this implementation of telemetry: not because users’ privacy is at risk (it is, but for most people it’s not a huge increase), but because the developers whose contributions are being tracked were not consulted, nor given an opportunity to opt out of having their packages participate in this user tracking.

Consider the situation where someone is vehemently opposed to this sort of setup, and then associates the work that I’ve done with the tracking, because s/he sees the tracking request when my package is added. I don’t want the headache of trying to explain that not only am I not a part of this tracking effort, I’m actually against it but there’s nothing I can do about it because the policies under which I originally submitted my code were changed out from under me sometime in mid 2020 and there was no way to withdraw.

2 Likes

Fair enough.

Do consider that GitHub already has (probably very comprehensive) stats about Julia package downloads, just by merit of them hosting something like 99% of the package ecosystem.

8 Likes