Are you operating under the impression that the previous solution (Google) isn't a US company?
(More generally, if you're going to be a paranoiac about these things: the US intelligence community loves it when things are provided by non-US entities. No warrants are required!)
Hacker News guidelines encourage the linked title to usually be the title of the article. That was not done in this case, and if you read the article, neither the EU nor Europe is mentioned.
From the guidelines:
> If the title includes the name of the site, please take it out, because the site name will be displayed after the link.
> If the title contains a gratuitous number or number + adjective, we'd appreciate it if you'd crop it. E.g. translate "10 Ways To Do X" to "How To Do X," and "14 Amazing Ys" to "Ys." Exception: when the number is meaningful, e.g. "The 5 Platonic Solids."
> Otherwise please use the original title, unless it is misleading or linkbait; don't editorialize.
> If you submit a video or pdf, please warn us by appending [video] or [pdf] to the title.
Which is to say the chosen title of the thread was editorialized by the submitter to emphasize what they wanted to emphasize rather than the original title that the Homebrew Project used.
If you run the `brew analytics state` command like this it shows:
InfluxDB analytics are disabled.
Google Analytics were destroyed.
Then you do `brew update`:
brew update
Warning: HOMEBREW_NO_GOOGLE_ANALYTICS is now a no-op so can be unset.
All Homebrew Google Analytics code and data was destroyed.
==> Homebrew's analytics have entirely moved to our InfluxDB instance in the EU.
We gather less data than before and have destroyed all Google Analytics data:
https://docs.brew.sh/Analytics
Please reconsider re-enabling analytics to help our volunteer maintainers with:
brew analytics on
Installing from the API is now the default behaviour!
You can save space and time by running:
brew untap homebrew/core
brew untap homebrew/cask
Homebrew keeps me on MacOS; without it I'd just use apt on Linux. Does anyone know if there's a site like brew.sh for searching apt packages? I know that Ubuntu has an apt page but it's really confusing.
I'm not sure if this is the "apt page" they're referring to, but there's https://packages.ubuntu.com/ for Ubuntu. It's helpful for searching package versions across releases, especially if I don't have an Ubuntu server handy. Other distributions have similar pages too, I believe.
I’ve posted a variant of this answer on other threads about Homebrew, but to summarize:
1. Homebrew is entirely maintained by open source contributors. Keeping thousands of packages up to date is a significant task even before considering maintaining the packaging core itself, and analytics serve as both a warning system and hard data for package importance, instability, etc.
2. Homebrew is somewhat unique among package managers because of its relationship with the host OS: it has no say over how macOS behaves, and needs to adapt quickly to changes made unilaterally by Apple. Analytics help detect that kind of top-down breakage.
FD: Current member of Homebrew, former maintainer.
Homebrew is one of those tools that actually makes MacOS a decent Unix workstation for engineering (often, it feels like in spite of Apple). Without brew, MacOS would not be an OS I would even consider for my personal machines -- but I really enjoy MacOS now that it's on the M1/M2.
Although, admittedly, I use Nix-Darwin to manage my Homebrew apps.
Used to feel this way until I discovered MacPorts. So much faster than brew, and I prefer it placing everything in /opt and not relying on system binaries. Now I only use homebrew to manage Casks and a few esoteric binaries (really rare).
Thank you for your kind words! The maintainers deserve nearly all of the credit; these days, I mostly just do a bit of security automation stuff and defend their work when it comes up here :-)
Homebrew is provided free of charge and run entirely by volunteers in their spare time. As a result, we do not have the resources to do detailed user studies of Homebrew users to decide on how best to design future features and prioritise current work. Anonymous analytics allow us to prioritise fixes and features based on how, where and when people use Homebrew. For example:
- If a formula is widely used and is failing often it will enable us to prioritise fixing that formula over others.
- Collecting the OS version allows us to decide which versions of macOS to prioritise for support and identify build failures that occur only on single versions.
What is a product? They make something that is used by others, and if they follow a product development mindset, calling it a product is fair in my opinion.
What if a product is finished and needs no further improvements? And even if it isn't, isn't it better to talk to your users and find out their pain points with your product directly, instead of trying to guess at them from analytics data?
The only improvement I personally want for Homebrew is for library packages to never include version numbers in the dynamic library file names.
> isn't it better to talk to your users and find out their pain points with your product directly, instead of trying to guess at them from analytics data?
you're trivializing a very big and complicated issue. why not both?
what is worse - anonymous usage statistics or needing to sign up with an email address to get notified of surveys and whatnot. one is passive, one is active.
it's also about more than just feature improvements... brew runs on a ton of different platforms/environments (https://formulae.brew.sh/analytics/os-version/30d/) and having this data helps prioritize the efforts of open source developers.
There is no meaningful sense in which Homebrew is (or ever will be) "finished": it's constantly being updated with new package versions, by both demand and design.
Analytics are an essential burden-reducing component of the Homebrew maintenance workflow; the maintainers would not have time to make improvements like the one you're requesting if they spent their time on the things that analytics do for them.
If you're a company with lots of money and you can pay employees to do so, then sure.
Homebrew is an open source project solving a fairly complex problem with volunteer maintainers. Analytics are constant and measurable signal on all sorts of things and can be used both proactively and reactively to deal with an array of concerns from user experience issues to bad rollouts.
Of course, it's trivial for a system that retains very little personal data (and really shouldn't be storing any) to comply with GDPR.
Besides the obvious "less data, fewer problems" angle there's also the bureaucracy angle - last time I worked on GDPR compliance I got stuck in the middle of a fight between security (who wanted to store all the data forever), the legal team specifically in charge of figuring out what's in scope for GDPR, and another more generic legal team (this one was the worst - they had no idea what the system does and ignored any attempts at explaining it, plus they kept pushing for unrelated, often contradictory retention changes).
We did have some talks with a lawyer about security (in particular logs) and the general consensus was that as long as they are stored explicitly for that purpose and only that purpose it isn't a problem; they just have to be properly secured.
Logs like that fall under 6.1.b-f; basically, "making sure a malicious actor can't fuck with the site" overrides needing to get permission to process that. Again, if they are used ONLY for that and are stored securely.
Same reason why security footage (which also falls under GDPR) doesn't need consent, only information visible at the property entrance informing who is processing that info.
A non-profit service should be expected to have better compliance than a service which has a strong monetary motivation to exploit users' data as much as possible and thus comply with privacy requirements as little as possible.
Compliance with GDPR is extremely easy: just don't gather PII in the first place.
And if you want to gather data it's also not too hard: just ask for it and tell the user exactly what you're going to do with it.
It's when you want to cajole the user into agreeing to gathering way more data than they would consent to if someone explained the extent to them plainly, and to send it to a bunch of 3rd parties too, that's where the difficulty starts and you have to use the blackest of black techniques to cheat the user while still being technically compliant with the law.
GDPR compliance is (IMO) very difficult. PII is defined so broadly that it’s near impossible to avoid gathering it, and there are so many stipulations and gotchas and regional requirements and changing guidance about how you must handle it that you essentially need legal help to navigate it.
For example, does your company have employees? Congrats, their HR files (and anything else with their name on it) are covered under GDPR. But you can’t just get consent to handle their data here, since they’re employees and there’s a power mismatch. Instead, you need to rely on the “legitimate interest” clause, which requires specific legal documentation on impact analysis that must be kept up-to-date.
Or another example: if your error logs contain IP addresses, that’s PII and subject to all the complexities of GDPR handling. Even in the absence of logging, I’m not sure a plain web server with all logging off isn't subject to GDPR given how broad the legislation is - after all, it has to process PII (IP address) to send responses, and GDPR covers any system that “uses” PII.
To be perfectly clear, I’m not saying this is bad, but I am saying it’s complicated and not just as simple as “just don’t gather data” or “just get consent”. It’s not easy, you probably need a lawyer’s help.
All you literally have to do is tell people what you're doing and who has access to the data. It isn't that much more complicated -- it's literally just requiring you to communicate, which you should have been doing before.
No, it is more complicated. You don’t just need a consent form, you also need a later opt out form. You also need a mechanism for the person to request a copy of their data. Is the person in France or any one of the regions with enhanced GDPR legislation? If so, there are additional concerns. Is the person a child (note that the definition of child varies by region)? If so, there are additional concerns. Do you regularly analyze this data (for example, monitor your error logs)? If so, you need a DPO and all the complexity that comes with that.
No, you don't need a consent form. The GDPR does not require consent.
For example, you don't need consent to store server logs with IP addresses if all they're used for is security and auditing. You don't need consent to archive receipts and invoices if you need to do that for tax purposes, even though those are full of PII. You don't always have to let people opt out of that, either!
That's called legitimate interest, and did you know you have it?
If the person might be a child then the rules have been complex and obtuse since forever. You might need a DPO for regulatory compliance, much in the same way you might need an accountant.
> That's called legitimate interest, and did you know you have it?
You can’t just claim legitimate interest, you need specific, up-to-date legal documentation in the form of an impact assessment.
> You might need a DPO for regulatory compliance, much in the same way you might need an accountant.
Exactly! All I’m saying is (much like accounting) GDPR compliance is not easy or simple or something you can spend fifteen minutes on and be done. GDPR compliance is complicated. I’m not saying it’s bad, but I am saying that (contrary to some of the comments here) you can’t just say “Oh, I have consent or legitimate interest so GDPR is solved”.
You totally can, until someone challenges you and proves you don't; otherwise, common sense applies. A storage unit might have a legitimate interest in keeping license plate numbers but an ad company probably doesn't.
As with most things in law, there is no black-and-white. Just use your brain. If you feel like you can stand up to a judge and defend it with a straight face and no mental gymnastics, you're probably golden.
source: implemented GDPR in 2018 at a multi-national company and worked with attorneys around Europe.
While I agree with your points, I should say that for the absolute vast majority of sites and businesses out there GDPR is trivial and amounts to "don't collect PII data, and don't sell it to third parties".
A handful of businesses with their hands in multiple pots may have more trouble.
The GDPR says none of that. If it does, I'd love to read that section because I've never read it before. It just said you have to tell who you're selling it to and how you're using it.
It's basic human shit. If I lend you a book and you lend it to one of your friends, I'd expect you to let me know; _before_ I ask you for it back. This is basic human decency, (I think?). This law was enforcing basic human decency that companies seem to have forgotten along the way.
For an actual business, no, it's not 15 minutes, but for a small business it's more like a couple of days once, and for a medium business it's a few days every quarter.
Basically, you need to sit down and figure out:
1. What data are you storing,
2. What are you doing with it and who you are giving it to,
3. Is it personally identifiable information,
4. Why are you storing it and do you really have to.
Yes, the GDPR's intent is to force businesses to think about that. For a lot of businesses the answers to those questions are actually quite simple.
Does your company collect data on the sexual orientation of your employees? Then check with a lawyer. If you are collecting the name, contact information, work phone number, banking information, personal identification, then all those are covered under the legitimate interest of job description, salary, and legally required insurance policies. HR policies which do not involve job description, do not involve salaries, and do not involve legally required policies such as insurance might require GDPR.
Logs containing IP addresses are exempted from GDPR for anything related to security. Processing the logs for purposes other than security requires the complexity of GDPR handling. It is the purpose that defines the complexity, not the logs.
PII is defined so broadly, but so are its exceptions. Employers have to first know a bunch of tax law and employment regulations related to employing people, and those do require specific legal documentation on impact analysis that must be kept up-to-date. People who do not do this cannot employ people, or risk breaking the law (especially tax law).
Technically they fall under Recital 49 of the GDPR with the unofficial title of "overriding legitimate interest", and not under the general paragraphs of legitimate interest. Security is explicit and spelled out in the regulation.
(49) The processing of personal data to the extent strictly necessary and proportionate for the purposes of ensuring network and information security, i.e. the ability of a network or an information system to resist, at a given level of confidence, accidental events or unlawful or malicious actions that compromise the availability, authenticity, integrity and confidentiality of stored or transmitted personal data, and the security of the related services offered by, or accessible via, those networks and systems, by public authorities, by computer emergency response teams (CERTs), computer security incident response teams (CSIRTs), by providers of electronic communications networks and services and by providers of security technologies and services, constitutes a legitimate interest of the data controller concerned.
This could, for example, include preventing unauthorised access to electronic communications networks and malicious code distribution and stopping 'denial of service' attacks and damage to computer and electronic communication systems.
The conflation of “spyware” ie tracking for monetization purposes with telemetry used by developers to ensure the health of production systems is foolish and harmful.
Homebrew is a complex system that can break in lots of ways, and it’s being developed on an entirely open source basis, with no company behind it.
Having some visibility into the operation of a running system is table stakes. You’re asking the developers donating their time to this very useful project to tie a hand behind their back because you are paranoid.
More often than not, if people like you got their way OSS software just wouldn’t be built, or would be taken over by a for profit entity that has much less benign ideas about spyware.
This is literally a story about the homebrew project listening to the community and migrating to privacy-preserving self-hosted analytics. People like you will never be happy, so they should be entirely ignored.
I don't understand how command line makes the distinction here. Maybe if it were just a simple tool that doesn't require an internet connection for its functionality. But Homebrew is not just the command line tool; it is also a repository and build system in constant motion. I understand that as a developer you might want to have insights into how certain changes (will) impact the user experience.
True, the open source world never before had a repository and build systems in constant motion. Homebrew is the innovation we needed to make things in software.
Cringe because it's listening to the kooks in tinfoil hats. The same sort of people who say the 5G is coming to get them, and Covid Vaccines make you magnetic.
3 days later, EU signs off on data transfer.
There's something to be said for not wasting time on changes that don't matter in the end. All these people getting worked up for nothing.
Cringe because... "Why bother?" and more so, "Why talk about it?"
If Google isn't in compliance, Google will get there... or appeal the ruling, or find some other way so that every user of GA doesn't have to migrate off it.
So I find it cringe because I see it as the tech equivalent of those people who rave about 5G making their COVID vaccines magnetic. It's just GA... use it, don't use it. But jumping to comply with a poorly written law, and saying like, "See this law that is poorly written deserves our respect!" Meh. It'll all get overturned. It's a poorly written law.
Plus there are plenty of places to go to "get your GA into compliance" without uninstalling GA.
I wear a tinfoil hat as much as the next guy, and I have studied up on GDPR rules at work, and all I can say is they are designed to basically give any country the ability to say, "We don't like you, Americans. You are bad and we don't like you."
Like it or not, we're all connected. You can look at websites in France, or Germany, or America.
Having different rules for the data makes sense at the company-level, or server-level. "Here are the rules for Norwegian companies..."
But it just doesn't make a lot of sense for French laws to apply to US-servers. Where does that end? If Alabama passes a law saying "You have to have just English on your website..." but Canada says, "You have to have your website in French and English..." who wins? What do the developers use as the source of truth for their requirements?
And if we have to have one version of the website for each and every state and country... isn't that problematic... I mean you get that's problematic, right?
I think these courts ruling against Google are small courts, I think it'll get overturned. I think it likely has more to do with finding different ways to punish Google / Apple / other tech companies for not paying more taxes inside of those countries.
EU nations set up a lot of taxes, then get upset when global companies don't choose to build offices there. All of the regulation around data just feels like another "what can we do to be petty in response for them not paying us more taxes?"
Exactly like the USB-C adapter thing.
Anyway, just my 2 cents.
Google is skeezy, I get it... but fragmenting the web into a different set of rules for viewers in every nation... that's not the answer. It really can't be the answer.
> all I can say is they are designed to basically give any country the ability to say, "We don't like you, Americans. You are bad and we don't like you."
I agree, but that boat has sailed, and now Homebrew is dealing with it.
I'm still not sure if we (here in Europe) gain anything from all this work the GDPR causes.
For myself, Google never seemed to pick up which websites I visit. At least ads never followed me around. Probably because of my surfing habits: I open websites in a new browser instance and then close the instance. So no cookies stick around. Because I have set Firefox to delete cookies when closed. They could have tracked me via fingerprinting, but I have not noticed that happening.
Others surely have other browsing habits. Keep cookies around forever, and Google knows most of the websites they visit. So when they google for a new fridge, they see fridge ads everywhere for a week.
But is that really a problem? What are the real world negative consequences?
Tech companies now seem to geo-fence their new products and keep European users out right from the start.
Which makes us even less productive by having less and less tools available.
Is it worth it?
Or are we just shooting ourselves in the knee, having to crawl instead of walk, and turn into a 3rd world continent?
For me having fridge ads is not bad (maybe even good). What's much worse is data brokers making money by selling everything that's known to every website about me to Cambridge Analytics/CIA/FSB.
Also, pop-ups are a bit annoying, but most of the time websites work OK if you refuse to save cookies. So, like, I'm 1 click away from stopping those political actors from having info on me - a W for me.
What is fenced off for Europeans? Admittedly I've been living outside of Europe for some time, but some of my self hosted stuff is still based there, and a lot of friends, and I haven't had or heard of a problem with being "kept out" of new products.
Personal anecdote, I think I've encountered a few news/radio stations being blocked (self censored), I think I can count the instances on one hand. I browse a lot.
Certain services are blocked like Bard, and Meta Threads, but that's more common with services, even for countries outside the EU.
I think the burden of proof lies on the one who makes a claim. So you should be providing a list of services that are not available to Europeans. And bonus points for not using "threads by instagram" in that list.
You literally made a claim in your very first reply: "Tech companies now seem to geo-fence their new products and keep European users out right from the start."
> You name the 10 most important tech products of the year so far.
Do name them, please. And then revisit that list and ask yourself: how many of them exist because of two things:
- unlimited investor money with no expectation of profitability
- blatant disregard of data privacy, user privacy, and/or other laws.
Great example is OpenAI. They said they welcomed regulation. The moment EU proposed level-headed sensible regulation [1] that among other things required documentation on how foundational models are trained and where they get their data, Altman screamed that they would pull out of EU.
So you do remove the cookies regularly, but you also believe that removing the cookies is "shooting ourselves in the knee"?
Then overall, privacy is a much larger problem. For one, with generative AIs coming, it is very scary to realize that those big corps know almost everything about almost everybody (maybe not you, if you don't use cookies, don't have a smartphone, etc), and are technically able to train generative AIs with that data.
The second problem is that because the business model is surveillance capitalism, then big corps don't optimize for making a product that users are willing to pay for, but instead they optimize for gathering more and more data about their users so that they can make profit with it. Typically social networks play against their users in order to sell them.
Proving a counterfactual (what would have happened without GDPR) is rather difficult to impossible. I would argue:
1. Morally, are we encouraging tech to go in a more human direction? Definitely.
2. Operationally, is GDPR working well? I have gotten many companies to delete my data and stop spamming me by referring to GDPR, so on that front I see a big win. Cookie banners are not essential or required by GDPR but an industry choice to bully users to accept something. So on that front, I feel GDPR falls short as it still allows companies to go this route.
3. Economy wise, have we lost anything? Are data brokers an essential service for a functional society and economy? I don't think anyone or anything except spy services and ad tech loses out from GDPR.
4. Communication wise, people rarely see the benefits and only the fallout from GDPR (cookie banners) and the lobby push against it (business newspaper articles on the horror of compliance as their company needs vast amounts of data on non-customers). The benefits are much more hidden.
Which useful service have you been locked out of? We're several years into full GDPR enforcement. I've only been locked out of some US newspapers, which is trivially bypassable, and some of the worst attention economy addiction boxes, which I'm, if anything, thankful for.
> I open websites in a new browser instance and then close the instance. So no cookies stick around. Because I have set Firefox to delete cookies when closed.
You go through more effort, time and work in just this one step every day than "all this work the GDPR causes"
"I fixed the problem for myself but I'd like for it to not be a problem at all for other people that are poorer or less technical than me" is a perfectly reasonable stance to take.
GDPR doesn't cause this work. The industry you're busy defending is causing this work. It's almost trivially easy for most companies to comply with GDPR. Instead they want to sell your data to hundreds of trackers.
How about Homebrew's analytics move to an ethical, opt-in model (like Debian) instead of this silent surveillance of its users who have never explicitly consented to such data collection?
This thing drops a supercookie on your device that persists forever, and they close every issue raised discussing the privacy implications of same.
Anyone who runs the analytics service can see the approximate travel history over time of every Homebrew user (by geolocating the source IP).
It's not a for-profit project. There is no legitimate purpose for tracking installs.
> It's not a for-profit project. There is no legitimate purpose for tracking installs.
From the very top of the linked page:
> Homebrew is provided free of charge and run entirely by volunteers in their spare time.
> As a result, we do not have the resources to do detailed user studies of Homebrew users to decide on how best to design future features and prioritise current work.
> Anonymous analytics allow us to prioritise fixes and features based on how, where and when people use Homebrew
It then goes on to list some examples. Opt in renders this useless.
If opt in renders it useless then I dare question whether modern open source as a mode of development and operation is feasible at all, if the underlying foundation is snooping based on uninformed consent.
Yes, many tools give you an option to opt out nowadays, but then again do you want to learn how to do that dance every single time? It’s almost like we need some kind of… DNT, but for the console.
And even that misses the point: with the German concept of Datensparsamkeit, there shouldn’t be any data collected at all, unless it is absolutely necessary to conduct your business. Popularity contest in Debian comes to mind when talking about informed consent.
The point is not InfluxDB or GA. That just sounds like good guy with a gun/analytics vs. bad guy with a gun/analytics logic. The point is: the combined genius of the computing world, and all we could come up with even after the 100th iteration is “Analytics go brrr”.
I'm inclined to agree in principle that such tracking should be opt in.
In practice, I'd expect the behaviour of the modal complainer to be: 1. to complain about any broken/removed functionality, 2. refuse to fix it themselves (or fund the fixing), 3. refuse to opt in to tracking so as to give an impartial picture of usage.
So I think the trade-off of default analytics where the volunteer contributors make a best-effort to keep things working for as many people as possible is beneficial to most users. (And for those who disagree, they can opt out).
If you wanted to work out how many people are buying flowers at your shop, rather than putting up a poster asking customers to mail in their receipts after every purchase you’d look at the anonymous sales data.
Opt in renders the data statistically useless in the same way.
This data is required to allow Homebrew to continue to operate and make decisions.
They go out of their way to inform you before sending any data. First sentence of the article:
> You will be notified the first time you run brew update or install Homebrew. Analytics are not enabled until after this notice is shown, to ensure that you can opt out without ever sending analytics data.
I think it goes along with some personal responsibility to know what you're installing if you're extremely privacy conscious. No judgement on that, I do as much as seems reasonable to myself; however, it's still their hard work and binaries and terms, or you can move to something else. There are several other packaging systems available for mac that do what brew does.
I'm not exactly sure I trust EU either tbf. They haven't really shown themselves to be good stewards of understanding how internet works with their previous resolutions.
I can say the same about the US though, and at least the EU gives hundreds of millions of people far more rights in relation to their data than anything available in the US; a few US states like California give a limited form of this, but by far not most.
So, while you’re right that the EU and the US both have flaws in this area, this move is still an improvement.
Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC
>Directive (EU) 2019/790 of the European Parliament and of the Council of 17 April 2019 on copyright and related rights in the Digital Single Market and amending Directives 96/9/EC and 2001/29/EC
> We gather less data than before and have destroyed all Google Analytics data:
> https://docs.brew.sh/Analytics
just noticed this morning, running some updates