
Gitlab ‘rethinking’ third-party telemetry - eternalny1
https://gitlab.com/gitlab-org/gitaly/issues/2113
======
dang
This thread follows on yesterday's:
[https://news.ycombinator.com/item?id=21337594](https://news.ycombinator.com/item?id=21337594)

------
amluto
The negative comments seem largely focused on issues with telemetry per se
(which is a big deal, especially in the enterprise), but, for my company, I
see an even bigger problem. There is no way that I would host a solution that
includes third-party scripts. This is simply not negotiable. I don't care how
good that third party's "data protection" is -- the ability to serve up that
script means that anyone who compromises the third party, even just a
temporary compromise of their front end, has the keys to the kingdom.

If you want to collect telemetry, fine. Do it on a first-party basis, distill
it down into one file a month, and let admins upload it if they like. But the
third-party script is a complete nonstarter.

~~~
chrisseaton
What's the difference to you between a second-party script, and a third-party
script?

~~~
etatoby
With the second party (Gitlab in this case) I have a contact, give them money
regularly, and have other such leverage in case they screw up. Third parties
generally could not care less what damage they may cause.

~~~
GetOutOfBed
But what's the difference? You PAY gitlab in both instances and your leverage
is the same. Do you want to be involved in reviewing their motherboards for
spyware chips as well?

------
staz
> So, for users who have integrations with our API this will cause a brief
> pause in service via our API until the terms have been accepted by signing
> in to the web interface.

What a fucking botched way to do this. Breaking all automation at a moment's
notice. They should have announced the change long ago, set a clear deadline
in advance for accepting the ToS, and then blocked the API after the deadline.

~~~
Frost1x
These are the sort of stunts that happen when you relinquish more and more
control of your technology and its ownership to external sources that also
happen to be for-profit businesses. All hail EaaS (Everything-as-a-Service)
models.

I entirely agree with you and your sentiments, but I'm not sure why many are
even remotely surprised by these sorts of escapades. The more dependent you are
on an external business for some function and the more that business realizes
it, the more they're going to use their leverage against you to their
advantage to achieve their goals (not yours).

That's exactly what we see happening here. When businesses (or any entities)
buy-in to external resources like this, always consider: how much leverage
those managing that resource have against you, how critical the function is
for you, and how many resources it will take to migrate away from that
external resource at a moment's notice if you need to. This is a continuous
iterative process that should be going through every developer's head with
every design choice, external license, "cloud" service, proprietary internally
hosted licenses, etc.

~~~
BurningFrog
> _...external sources that also happen to be for-profit businesses._

Pretty sure a not for profit organization would have even less interest in
pleasing their users.

~~~
tinus_hn
What interest do they have other than that?

~~~
kortilla
Depends, it could be just to disrupt all other competitors on cost and not
care how miserable the actual experience is for the customers.

Many not-for-profits exist mainly to stroke the directors’ egos and pay them a
fat salary without doing much actual good (e.g. most political non-profits
like the Clinton foundation).

------
hn_throwaway_99
Decided to post a top-level comment because I think it's very important that
Gitlab do a "root cause analysis" of why they made such a poor decision. Just
saying "we're holding off for now" is not going to convince me that you guys
have not lost your compass.

For reference, there was a very telling comment by user jahlove about how
Gitlab could be so out of touch
([https://news.ycombinator.com/item?id=21349591](https://news.ycombinator.com/item?id=21349591)):

--------

> But someone up the chain of command thought we could get away with it

That person is Paul Machle (CFO):

"I don’t understand. This should not be an opt in or an opt out. It is a
condition of using our product. There is an acceptance of terms and the use of
this data should be included in that." [1]

[1] https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#note_203849107

--------

That GitLab comment thread is very telling. Basically, here is what happened:

1. It's clear engineers had concerns about the feature, wanting it to at
least have an opt-in.

2. But then the CFO, who clearly does not anticipate the backlash this will
cause, basically just gives a "tough shit" response.

3. What's scariest IMO, though, is that Scott Williamson, VP of Product,
then replies "@cciresi if we follow Paul's guidance and just make this part of
our terms and conditions, are we covered legally?"

I've seen this at many organizations in the past. It's generally called the
HiPPO problem - the Highest Paid Person's Opinion. The CFO wanted this done
(obviously for financial reasons, he's the CFO after all), but the VP of
Product, who should be more "in the weeds" in terms of having the pulse of the
customer, instead deferred to the CFO and tried to appease his desire.

Gitlab, I think your organization is off track. You need to make a broader
statement that shows you have a real understanding of the problem, rather than
just "Oops".

~~~
semiotagonal
It might have been better to simply reference the discussion without singling
out the person involved. At the end of the day it was an organizational
decision. It's to GitLab's credit that there's enough transparency to even see
this; I don't think it's too cool to turn that into a finger-pointing tool. As
developers, we don't do this with bugs. Perhaps bad business decisions are
not any different.

(For the record: I don't know this person, I am not this person, I'm pretty
sure I don't know anyone at GitLab at all.)

~~~
root_axis
The whole point of transparency is to facilitate accountability, so it does
not help to shy away from accountability in service of encouraging
transparency. Of course, transparency is definitely something to laud, but
it's only half of the ideal.

~~~
jefftk
You're putting pressure on the norm that organizations should be sharing this
sort of thing. If the norm were strong, the pressure wouldn't keep people from
sharing similar things in the future. But since the norm is weaker we need to
be careful to nourish it, not push it harder than it can stand.

(I wrote more about this:
https://www.jefftk.com/p/responsible-transparency-consumption)

------
esotericn
"Trust takes years to build, seconds to break, and forever to repair".

Why is this so important? It's important because a lot of that trust is
ideological. I trust that the developers of 'git' itself won't be adding
telemetry behind the scenes. I trust that the developers of 'cgit' won't be
adding this stuff.

Because we're on the same page; despite the fact that theoretically the next
commit that hits the repo could be the one that sends my keystrokes.

The first time you pull this sort of stunt you've instantly erased all of that
good will and now you're forcing people to comb through your releases and
conditions with fine teeth because you've shown yourself to act against user
interests.

This doesn't scale.

That's why the backlash is bigger than you expect, not necessarily because of
the magnitude of the change, but because you've positioned yourself as a
threat.

------
0vermorrow
The pushback from users made them rethink this change, here's a pending merge
request to the blogpost:
https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/33289/diffs

""" UPDATE: Thanks for the feedback. There were many more concerns than we
expected. We’re going to process the feedback and rethink our plan. We will
not activate product usage tracking on GitLab.com or GitLab self-managed for
now. We'll make sure to communicate in advance on our blog when we do have a
new plan. """

~~~
ianamartin
You can tell a company has totally lost their heads up their asses when you
get the, "Whoa! We totally weren't expecting <product decision> to upset so
many people!"

Like really? Considering what people use your product for, you honestly didn't
expect this to upset people? Great. Your product team is hopelessly out of
touch.

~~~
Kalium
As a rule, the structures around product teams tend to discourage asking if
it's better to not ship a thing. When you measure a team by what (and how many
things) they ship, they are always going to default to shipping things.

~~~
kevas
This is hitting too close to home. Currently on a team that does what’s on the
task list without questioning anything—driving me up the wall.

~~~
Aeolun
This is a function of the organization, not the team.

If you hear ‘do it anyway’ after raising concerns one too many times,
eventually you just do it.

~~~
JohnFen
Not necessarily. It depends on exactly what "it" is. I have quit jobs before
because I was required to implement something that I considered an egregiously
terrible idea.

------
danielovichdk
Hahahahaha. I remember all the fuss about MS buying github and perhaps forcing
telemetry. Something along those lines.

People were so fast to move their stuff to Gitlab without bothering to think
about the fact that business is business.

These fucking corporations or wannabe corporations don't give a fuck about
you or your data. That's the fundamental mindset you need to have when sending
them money for services.

Ain't no such thing as halfway crooks.

~~~
sciurus
Github is already collecting limited client-side telemetry. Open the network
tab in your developer tools and you'll see a request to
collector.githubapp.com on every page load that includes details like your
screen resolution.

~~~
frenchman99
If they collect it themselves, without 3rd party script, it's more secure than
including 3rd party scripts in the page, which is what Gitlab seems to want to
do.

------
seabird
Somebody at GitLab thought it was a bright idea to add telemetry to their
cloud AND self-hosted enterprise versions. Needless to say, it's not about to
go over well.

I currently use GitLab where I work; we chose it because our data is sensitive
and a cloud service was not an option. This telemetry means that I won't be
updating until this blows over. Frankly, whoever thought this was a good idea
is a moron that doesn't seem to understand that users like my company chose
GitLab _because_ we didn't want this shit.

~~~
caseyf7
Engineers tried to resist, CFO insisted...

https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#note_203849107

~~~
dredmorbius
Sounds to me as if the CFO is carrying water for investors.

Which points to where the problem might lie.

Why the _CFO_ is calling the shots on critical architectural issues is a whole
'nother question.

~~~
txcwpalpha
It doesn't seem to me like he is calling shots on critical architecture. He
asserted an opinion on something that would affect the revenue stream, which
as CFO, is exactly his job.

Reading through the MR comments, it seems to me like that's the case with
everyone. The CFO is pursuing profitable options, the legal & compliance teams
are making sure everything stays in compliance, the engineers are building
what is asked of them, the data analysts and product managers are asking for
the data they need to get insights on product enhancement...

The big issue seems to be that everyone is so narrowly focused on just their
job function that they are missing the forest for the trees. I also noticed a
distinct lack of anyone from any type of customer advocacy teams (does GitLab
have anything like that? Account managers, evangelists, developer relations,
etc?) that probably would have been able to put forth actual data about if
customers would be for/against this change.

~~~
saghm
> It doesn't seem to me like he is calling shots on critical architecture. He
> asserted an opinion on something that would affect the revenue stream, which
> as CFO, is exactly his job.

> Reading through the MR comments, it seems to me like that's the case with
> everyone. The CFO is pursuing profitable options, the legal & compliance
> teams are making sure everything stays in compliance, the engineers are
> building what is asked of them, the data analysts and product managers are
> asking for the data they need to get insights on product enhancement...

Ideally everyone would also be thinking about whether the feature is
ethical, even if it's not "exactly their job", because there generally isn't
anyone whose job is specifically to decide that.

~~~
txcwpalpha
That's precisely what I meant when I said they missed the forest for the
trees.

------
olafure
Just wanted to point out Gogs: [https://gogs.io/](https://gogs.io/)

It's a very lightweight, self-hosted git server, and the UI is very GitHub-like.

It's not a replacement for all the features of a self-hosted GitLab.

But I've seen people battling a self-hosted GitLab instance when all they
needed was something like Gogs.

~~~
raxxorrax
Looks interesting. As if they had stolen all the CSS files from GitHub.

Gitea is also a nice self-hosted option, but also not a complete ALM solution. We
often use trac in conjunction with different source control providers, which
might be ancient by now, but it always delivers and everyone seems to like it.

~~~
jawngee
Can you really steal CSS though?

~~~
weaksauce
i mean the design of it is almost a carbon copy of the github design down to
the layout, design, and colors.

[https://i.imgur.com/rFbaEkL.png](https://i.imgur.com/rFbaEkL.png)

if i replaced just the logo in the upper left hand corner with the github logo
instead of the Gogs logo would you be able to tell the difference between
this screenshot and github proper?

~~~
eitland
> if i replaced just the logo in the upper left hand corner with the github logo
> instead of the Gogs logo would you be able to tell the difference between
> this screenshot and github proper?

I think I could easily do that.

And I'm a backender-at-heart who doesn't even have full colour vision.

So, not a copy I think.

------
sytse
The feedback to this change is very negative. And some of the things we
thought would help (respecting DNT) don't seem to matter much. We'll have a
look at all the feedback and see what we can learn and adjust. First change to
the blog post is in
https://gitlab.com/gitlab-com/www-gitlab-com/merge_requests/33278/diffs and
we're discussing more changes.

~~~
kstenerud
How is it that you even considered DNT a viable option when it's been common
knowledge for years that DNT is a failed technology? Even Wikipedia knows
that, and yet you, an expert in the field, don't?

~~~
wlll
Cynical me could imagine the conversation might go something along these
lines:

Alice> We want to do a thing, and we want everyone to do it without being able
to realistically avoid it while still saying "we gave them an option"

Bob> Let's use DNT, it's used by almost no-one and is largely obsolete.

Alice> Perfect!

It's a bit like web sites that allow you to opt out of tracking and targeted
advertising by directing you to the cookie config settings in your web
browser. A token gesture.

~~~
heavyset_go
There's no need to be cynical, the situation you posed is 100% within the
realm of possibility when you consider that the actions Gitlab took benefit
Gitlab greatly.

------
antoineMoPa
You can't measure something without impacting it. Adding spyware to products
makes them slower.

Here is an alternative solution I began using for one of my projects:

There is no telemetry like grep in nginx logs with carefully fetch()'ed paths.
Put this in JS code:

    fetch("/stats/user_used_feature_x");
    fetch("/stats/user_reached_checkout_step_3");
    // one fetch() per event you want to count; nginx logs the request path

Then you can find the information you need with:

    grep -o ".*/stats/[a-z_]*" /var/log/nginx/access.log

Now you can count how many users reach features and checkout steps.

That is dozens of times more performant than using third-party scripts. No
extra library.
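An added example (my code, not antoineMoPa's) of the log-reading side of this first-party scheme: it parses nginx combined-format lines, keeps only allow-listed `/stats/<event>` names, since the endpoint is unauthenticated and anyone can request arbitrary paths, and reports hits, distinct clients and a simple funnel rate. The log lines, client addresses and the event names from the comment are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in nginx's default "combined" log format; the
# /stats/<event> paths follow the scheme in the comment above. Not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Oct/2019:10:01:12 +0000] "GET /stats/user_used_feature_x HTTP/1.1" 404 162 "https://app.example/" "Mozilla/5.0"
10.0.0.5 - - [26/Oct/2019:10:01:40 +0000] "GET /stats/user_reached_checkout_step_3 HTTP/1.1" 404 162 "https://app.example/" "Mozilla/5.0"
10.0.0.5 - - [26/Oct/2019:10:05:02 +0000] "GET /stats/user_used_feature_x HTTP/1.1" 404 162 "https://app.example/" "Mozilla/5.0"
10.0.0.7 - - [26/Oct/2019:10:02:03 +0000] "GET /stats/user_used_feature_x HTTP/1.1" 404 162 "-" "curl/7.64.1"
10.0.0.9 - - [26/Oct/2019:10:02:30 +0000] "GET /app/index.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Oct/2019:10:02:31 +0000] "GET /stats/user_used_feature_x HTTP/1.1" 404 162 "https://app.example/" "Mozilla/5.0"
10.0.0.9 - - [26/Oct/2019:10:02:32 +0000] "GET /stats/made_up_event HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.9 - - [26/Oct/2019:10:02:33 +0000] "POST /stats/user_used_feature_x HTTP/1.1" 404 162 "-" "Mozilla/5.0"
"""

# Allow-list of event names the front end is known to emit (hypothetical names
# taken from the comment). Anything else under /stats/ is noise and is dropped.
KNOWN_EVENTS = {"user_used_feature_x", "user_reached_checkout_step_3"}

# nginx "combined" format: ip ident user [time] "METHOD path proto" status size "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Strict shape for an event path: no query string, no slashes, bounded length.
STATS_RE = re.compile(r"^/stats/([a-z0-9_]{1,64})$")


def parse_line(line):
    """Return the fields of one combined-format line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def event_from_path(path, known_events=KNOWN_EVENTS):
    """Map a request path to an allow-listed event name, or None if it is not one."""
    m = STATS_RE.match(path)
    if not m:
        return None
    event = m.group(1)
    return event if event in known_events else None


def collect(log_text, known_events=KNOWN_EVENTS):
    """Return ({event: Counter({client_ip: hits})}, number of dropped /stats/ requests)."""
    per_event = defaultdict(Counter)
    ignored = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        # fetch() without options issues a GET, so only GETs count as events
        if rec is None or rec["method"] != "GET":
            continue
        event = event_from_path(rec["path"], known_events)
        if event is None:
            if rec["path"].startswith("/stats/"):
                ignored += 1  # unknown or malformed event name: not trusted
            continue
        per_event[event][rec["ip"]] += 1
    return per_event, ignored


def summarize(log_text, known_events=KNOWN_EVENTS):
    """Per-event hit and distinct-client counts, plus how many /stats/ requests were dropped."""
    per_event, ignored = collect(log_text, known_events)
    return {
        "events": {e: {"hits": sum(c.values()), "unique_clients": len(c)}
                   for e, c in per_event.items()},
        "ignored_stats_requests": ignored,
    }


def funnel_rate(log_text, start_event, end_event, known_events=KNOWN_EVENTS):
    """Fraction of distinct clients that hit start_event and later also hit end_event."""
    per_event, _ = collect(log_text, known_events)
    started = set(per_event.get(start_event, {}))
    if not started:
        return 0.0
    finished = set(per_event.get(end_event, {})) & started
    return len(finished) / len(started)


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    print(funnel_rate(SAMPLE_LOG, "user_used_feature_x", "user_reached_checkout_step_3"))
```

The client address in the access log is still personal data, so the retention and aggregation questions raised elsewhere in this thread apply to the log itself, not just to the counts derived from it.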

~~~
ComodoHacker
Yeah, but they want heatmaps and attention spans. Optionally eye tracking, if a
camera is available.

------
altfredd
I don't like the stated justifications for enforcing telemetry — even if it is
genuine, it is basically self-deception.

In my experience, access to analytics is a quality of life improvement for
programmers that does not actually result in better products. Having a
thousand times more crash reports won't cause your employees to grow extra
hands and brain cells to act on all of them. Having great insight into user
behavior does not automatically translate into great managerial decisions.

Personally I would love Gitlab to stop overusing Javascript and fix
performance of their backend instead of trying to conceal issues by refusing
to show big files and abusing lazy-loading. But judging by their recent
actions, they are more likely to copy more anti-features from Github than work
on actual hard problems.

------
onli
There are so many issues in play here. Some plain legal, others based on
expectations.

1. DSGVO means opt-in when collecting private information not necessary for
the usage of the product (and even then it's dicey). Making the use of your
product dependent on accepting private information gathering is illegal. DNT
is logically a valid way to opt out (apart from browsers dropping the feature
and users not knowing about it), but that's not enough here. It would be
different if DNT was enabled by default (I assume), but all browser makers
dropped the ball here years ago.

2. You built a reputation as the people's git provider, albeit in conflict
with the completely free alternatives. And now you make a post "we will change
it, you have to accept the new TOS, and there will be a service interruption",
like a generic US company might do. It's unfitting to you. It does not matter
that the products concerned are not free.

3. The right solution exists and would not hurt you. I assume you want
telemetry data to improve the product (if not, the issue is even bigger). So
you add that option and ask users whether they would be okay with activating
it, like Mozilla is doing in products like Firefox. This scheme works and data
gets collected anyway, a bit less, but that should not be an issue. Careful:
Admins must be able to remove the prompt for all their users if it arrives in
the self-hosted products.

4. Pick a data collection destination that is the least controversial. In
your case that should be in-house. An alternative might be a privacy-focused
organization in Europe, but it has to be known to your customers.

5. If you think DSGVO does not apply to you, realize that it does not really
matter, since the sensible parts of it are also the ethically correct way. So
in any case it is good to follow the spirit of it.

6. Note also how matter-of-fact and corporate the language used in the blog
post is. That can only worsen the impact on those that care about you and the
topic.

~~~
marcinzm
>It would be different if DNT was enabled by default (I assume), but all
browser makers dropped the ball here years ago.

Browser makers made the logical decision as they have no control over websites
adhering to DNT. If they made it default, every site would promptly ignore it
as it'd impact their business too much to follow it. On the other hand, if
they made it opt-in then sites might follow it for the minority of users who
used DNT. In the end, it was a bad idea as it had no teeth at all to force
adherence on websites.

------
CameronBanga
I've been a huge Gitlab supporter for the past 5 years, and we have all of our
repos there. Have had their paid service for a while.

This feels gross, and I'm going to look at moving.

~~~
Aeolun
Yeah, that was my feeling as well. I can forgive them for being careless
enough to delete their production database (2 years ago?), but not for the
dysfunction in the company that was necessary for this debacle to happen.

------
paglia_s
Something I have noticed several times and I can’t understand from an EU
perspective is this: in the US a company you have a contract with (ie a
company you are paying for a service for a certain amount of time) can change
their tos / contract with you without prior notice and without having to at
least honor the previous agreement until your current billing period expires?

For example if I paid for 1 year, I would expect the contract available at the
time of payment to apply for the entire year, or a refund if you don't want to
accept the changes. And always with at least two weeks of notice.

~~~
Mathnerd314
Usually they have a clause in the contract stating that they can change the
terms. Github provides 30 days notice, Gitlab has an email with instant effect
and a vague thing about checking their website. I've seen sketchier companies
who have instant changes w/ no notice and that state their published TOS is
inaccurate.

------
rz2k
According to my, possibly incorrect, take on the situation this does not
really make that much sense.

As I understand it, like GitHub, GitLab offers relatively permissive free
plans to individuals and projects in their early stages. Both also offer
pathways to graduate to commercial plans that are also enterprise friendly.

It sounds like GitLab planned telemetry for the enterprise-managed plans (not
the individual-managed plans). If GitLab was seen as an alternative to
Microsoft-owned GitHub, the plans for telemetry undermined this reason for
developers to start their projects with GitLab instead of GitHub and advocate
its use to managers, investors, and legal departments.

If that is the situation, where does SourceHut stand? The site makes little
sense to me. The URL is sourcehut.org, but there is no statement about it
being a non-profit, or any discussion about a board that manages it. There is
a pricing page, but no contact us page. I don't know where it is based, and I
can't find a reference on Crunchbase to get any idea of who owns the company.

If it is a competitor to GitLab, maybe it is a competitor in the space for
individual developers, but there wasn't a significant problem for individual
developers when it comes to GitLab (or Github). If the problem with GitLab's
announcement was that it made the upgrade path less enterprise friendly, how
is SourceHut an improvement if by all appearances it is incompatible with any
sane enterprise?

~~~
Sir_Cmpwn
I don't have a reply for most of your comment, but with respect to this part:

>If that is the situation, where does SourceHut stand? The site makes little
sense to me. The URL is sourcehut.org, but there is no statement about it
being a non-profit, or any discussion about a board that manages it. There is
a pricing page, but no contact us page. I don't know where it is based, and I
can't find a reference on Crunchbase to get any idea of who owns the company.

I own SourceHut as a sole proprietor, you can reach me at sir@cmpwn.com with
private questions or ~sircmpwn/public-inbox@lists.sr.ht with public questions.
Archives here:

https://lists.sr.ht/~sircmpwn/public-inbox

The business is operated transparently, here's the latest quarterly financial
report:

https://sourcehut.org/blog/2019-10-21-sourcehut-q3-2019-financial-report/

~~~
stock_toaster
This whole mess (gitlab really fumbling the ball) seems like a great
opportunity for sourcehut.

Even though I may not especially enjoy email-patch workflows, I still wish you
success, because of your user centric ethos.

------
tannhaeuser
Going to github isn't better I guess, or has a bad outlook at least with MS's
lust for "telemetry". Last I checked, they blocked indie search crawlers.

~~~
rvz
The recent Github repository exodus has now been in vain since GitLab is
taking action similar to how MS is famous in developer circles for telemetry
and not respecting your privacy. Whenever VCs are involved, the community
always finishes last.

For individuals sourcehut[0] may seem to be an alternative. Open source orgs
might be better off self-hosting. In either scenario I would rather go with the
community than be at the mercy of a VC-backed corporation for hosting my
work in this case.

[0] [https://sr.ht](https://sr.ht)

------
atonse
Do Not Track was removed from Safari. Nobody really honored it so it's become
one of those features that just died on the vine.

So what are Safari users supposed to do, to opt out?

~~~
_-___________-_
Honestly, use something that actually blocks the trackers, rather than just
asking the trackers nicely not to track you. Switch browsers if you have to.

Turning on DNT is like walking around a big city wearing a cap that says
"Please don't record CCTV pictures of me."

~~~
antisemiotic
DNT is pretty much the reverse of the evil bit (RFC 3514), but supposedly not
meant as a joke.

------
emilycook
I work at GitLab; we've halted any movement on adding telemetry and are
reconsidering our approach. More info is on this issue:
https://gitlab.com/gitlab-org/growth/product/issues/164

~~~
packetlost
Can you provide some insight into what 'telemetry data' is being collected and
what the data is being used for?

Edit: I don't think telemetry is always bad. Obfuscated telemetry tells me
you're potentially collecting stuff that you don't want me to know about, but
things like clicks, mouse-movements, etc. are important for understanding how
users use a service and not inherently bad.

~~~
circuitswan
Hello - what we currently collect is here -
https://about.gitlab.com/handbook/product/feature-instrumentation/ - and we
will of course update that in the future to reflect the details of any
telemetry we use. However, as noted, the team is circling back to evaluate all
the feedback and concerns before considering how to improve our existing
telemetry (which was the goal).

------
btasovac
Hello all, GitLabber here!

We opened an issue for gathering feedback at
https://gitlab.com/gitlab-org/growth/product/issues/164 and you can find the
most up to date information regarding this topic there. Please join the
discussion and let us know what you think.

~~~
teraflop
You say "discussion", but many of the Gitlab developer comments in that thread
consist of the same response copy-and-pasted verbatim in response to multiple
different people, which comes across more as PR spin than as a good-faith
attempt to engage in a discussion.

~~~
jrcii
Why would there be a “discussion”? They knew their users didn’t want this
anti-feature before they implemented it and they did it anyway.

Then they add insult to injury by pretending to “discuss” it as if user
consent or participation has anything to do with this.

~~~
emilycook
We have been taking the feedback seriously, we rolled back our ToS changes and
are reconsidering our approach here. More info can be found on the issue.

------
zygimantasdev
Gitlab reputation went down quite a bit from my perspective. No time given to
migrate.

------
thayne
I've seen a lot of negativity about gitlab, and personally, I think that any
third party telemetry should be opt-in, not opt-out. However, I do think they
should be applauded on what they did right.

First, they have been very transparent about the whole thing. While many
companies would try to hide it in the ToS in vague legalese, Gitlab published
a blog post explaining what they were doing and why, and opened public issues
about the topic.

Secondly, they listened to feedback from customers (and the internet at
large). Even though the backlash shouldn't have been surprising, at least
GitLab responded quickly by pulling back when it was clear the community
disapproved.

And finally, even though it was supposed to be opt-out instead of opt-in, at
least they clearly communicated _how_ to opt-out. Which is more than can be
said of most companies, which make opting out as difficult as possible.

Yes, GitLab messed up. But at least they acknowledge that, and were
transparent about the whole thing.

~~~
Rapzid
The backlash hasn't finished. The negativity on here is part of the
backlash.

------
0xffff2
I just deleted my Gitlab account. I'll be self-hosting personal projects from
now on. It's clear that as an individual user of a third-party service you
have virtually no control. No matter who you choose, the odds are that the
owners of the service will eventually succumb to the siren song of VC money
and sell their users' souls as a result.

------
vezycash
This is one of the "perks" of VC money.

~~~
umvi
Any company that accepts VC, goes public, etc, eventually resorts to
aggressive telemetry and doing business with China. It's practically
guaranteed at this point.

------
parliament32
After Github started being kinda gross, we were trying to decide between
switching to Gitlab hosted or going self-hosted. Self-hosted was a pain but
turns out it was a good choice. I'm sad to see Gitlab going downhill like
their predecessors.

Is it really that hard to provide a no-bullshit hosted Git?

~~~
angry_octet
VCs, like drug cartels, are not satisfied with standard returns. There have to
be new ideas for revenue growth, and poisoning the ecosystem with advertising
surveillance tooling is standard. For pseudo open source, code maturity and
diverse contributors mean a loss of control, so it's always about adding code
and making it more spaghetti.

------
deaps
We were talking for a while at work of going to gitlab (mainly my idea after
using self-hosted for my own side projects) - but after this, there isn't a
chance I'd be the one recommending it. In fact, I'd strongly recommend against
it.

------
pjmlp
The irony is that this is the company everyone jumped into because big bad
Microsoft acquired GitHub.

When will people learn that corporations are about money?

~~~
umvi
Corporations beholden to VC, shareholders, etc. are all about growth at any
cost (ethical or otherwise). Private companies don't have this problem.

~~~
pjmlp
Private companies also need to be profitable, otherwise they would be
charities.

~~~
umvi
Right, but you can stay profitable without the need for hockey stick growth.

------
phreack
So Gitlab basically became huge from nothing simply by strictly adhering to
'Github but better'. Now it's time for something else to do the same and pick
up the ones who'll leave because of these policies with 'Gitlab but respects
you'.

------
ehutch79
I don't really see the issue. If you're already storing all your code on a
third party service, why is it suddenly horrible that they're doing event
tracking on the use of the service?

If you REALLY cared, wouldn't you be self hosting anyways?

~~~
luckylion
> If you REALLY cared, wouldn't you be self hosting anyways?

Initially, they said they'd infect the self-hosted EE versions too.

I'm pretty sure that server-side analytics ("there were 1000 calls to this API
endpoint") is considered very different from client-side analytics via
marketing/ad-tech tracking companies.

------
atonse
If these trackers are blocked by our content blockers or PiHole, will Gitlab
stop working?

~~~
crdrost
Apparently not, but the linked page does mention that this necessitated a
change to their ToS and until you accept the ToS the API stops working.

I don’t think they’re trying to associate your identity with other web traffic
the way normal “trackers” do, but just to have a client-side view of a browser
session: what did you click on in which order in a typical session, what
features are unused and what needs to be boosted to the dashboard pages of
your repository, etc. Especially when backend calls can be triggered from
multiple frontend locations, this sort of information can be really helpful.

~~~
atonse
I agree that they just want telemetry on how we use the apps. As a developer,
I'd love that kind of telemetry too.

I think what most people are complaining about is the third-party. If, say,
Gitlab hosted their own telemetry services (on their servers, accessible to
their product managers, etc), I doubt there would be so much backlash.

~~~
emilycook
GitLab employee, some employees have proposed this idea and (speaking
personally) I think it would be a better approach. We've halted movement on
using telemetry and are reconsidering. More info is on this issue:
[https://gitlab.com/gitlab-org/growth/product/issues/164](https://gitlab.com/gitlab-org/growth/product/issues/164)

------
jagged-chisel
Based on a comment on the other thread, the CFO insisted on this originally.
I'd love to hear specifically from the executive team about the CFO's
instructions, and this 'rethinking.'

------
yk
Between this and their new moderation policy, I suspect they will announce
classic coke soon.

------
annoyingnoob
Gitlab just posted an update that they are going to process the feedback and
rethink the feature here. Nice to see a heads-up move like that - I was ready
to drop Gitlab like a hot rock.

~~~
paintstripper
They won't rethink it, they'll just wait until this blows over then implement
it silently. They haven't changed the TOS back yet.

------
miki123211
I think the main problem with Git Lab and similar services is Git's inability
to store anything other than code. If issues, wikis etc. would be stored in a
Git repo itself, with the services potentially offering conveniences like
web/email access etc. switching would be trivial. Git hosters would then need
to be very, very careful and extremely competitive, as moving somewhere else
would be a matter of minutes. There are some efforts on this front[1], but I
don't really know if anything will come of it.

[1] [https://github.com/sit-fyi/sit](https://github.com/sit-fyi/sit)

------
ianamartin
[https://sourcehut.org](https://sourcehut.org) is looking better and better
all the time.

------
throwaway5752
Honestly, if you gave me a thoughtfully worded rationale (improving product
and support, all data anonymized, etc) and defaulted it on, I probably
wouldn't have given it a 2nd thought. The way this was presented created a lot
of the problems. Some people would be upset regardless, and you need an
opt-out for commercial customers. There are cases where collection is a
nonstarter for security and compliance reasons. Some people are upset on
philosophical grounds, and for those using Gitlab for free, I think you are
perfectly within your limits to tell them to pound sand (or host it on their
own/fork).

------
atonse
It’s difficult for some of us that host 20+ Repos and use all the related
tools. I’m going to try the ad blocker route first.

------
whalesalad
Gitlab is so incredibly reactionary. Competitor does something, let’s blog
about how we do it too. We roll out new changes we’ve identified as being
vital to our growth moving forward and users complain: okay nevermind let’s
undo that.

All this herky jerky stuff is mind blowing. They have a product people seem to
like a lot but I don’t think they have the right core values and beliefs to
sustain it long term. If they did, this would have been executed much better
and there wouldn’t be this knee-jerk reaction to random gripes on the
internet.

Chasing shiny objects and the noisiest users is gonna get ya killed.

~~~
emilycook
(GitLab employee however these are my personal views) I agree that our blog
posts about competitors aren't great (and thankfully have been happening
less), but for this issue I'm glad to see that the backlash has been taken
seriously because I had my own concerns. It'd be much more worrying if this
went forward despite all of the imo justified backlash.

------
SifJar
[https://sourcehut.org/blog/2019-10-23-srht-puts-users-first/](https://sourcehut.org/blog/2019-10-23-srht-puts-users-first/)

------
reilly3000
I'm a data guy, I'm all for data gathering when there is a business case,
permission, disclosure, and strong PII protection. However this is just silly.
GitLab, on the doorstep of GitHub actions rolling out globally, shooting their
leg off by forcing a 3rd party script into a business system.

The thing that is utter shit is that they could really achieve any reasonable
analytics needed from their server logs on their hosted systems.

Pendo is the same as Heap analytics in that it logs EVERYTHING the user does,
including things like scroll depth, time on page, form element selects, even
clicks on non-clickable elements. You could just ask me how to make the UX
better, GitLab; there is no need to do indiscriminate bulk collection.

Or here's a novel idea: maybe actually give the users who choose to give you
their behavior some kind of reward. A pro feature for free, some build runner
priority, or even just an icon that glimmers with some gratitude. And an
incognito switch for times when I don't want to be seen.

And a 3rd party? It's not that hard to put a pixel on a page and stand up an
endpoint. What's to stop that 3rd party from injecting a keylogger and start
harvesting secrets? Trust?

If I were owning analytics at GitLab, I would:

1. Develop a way to get cleaned up server access logs in front of the UX
team. This should get 85% of the work done.

2. Provide a 1st party controlled, open source client analytics tool that
users can inspect.

3. Make it optional, off by default, and most importantly, fully accessible
to the user. When it's active it should provide a visual indication. Give opted
in users a reward for participating. Give them the ability to see the data
that has been gathered on them. Personally, I could find that log of my own
activities quite useful if it were shared with me.

4. Prove the value of client side-tracking and share the wins with all
stakeholders. Like, build a step in issue triage to gather metrics and share
the results on the ticket to inform the decision making process. If the data
doesn't add double digit value to the company, kill the whole thing off.

This was a brutal blunder for a company that's on Series E, and shows that
leadership is not in touch with their customers. More actual face time with
developers by leadership could have stopped this from happening.

~~~
donmcronald
We all have these analytics companies ranking our credit scores, social
interactions, education levels, etc. Just think of the data you could harvest
from something like GitLab. The average developer does X merge requests per
week. The average developer closes X bugs per week. The average developer
makes X commits per week.

What's your Pendo Developer Score?

------
scottfr
I am a bit surprised at the extreme negativity here. Obviously, this was
mismanaged on many fronts [1], however the idea of tracking product usage in
order to improve the product is generally a good thing, not a bad thing.

Hacker News likes to complain about how bad the Gitlab UI is compared to
Github, or how slow things are on Gitlab, or how they are doing too many
things and need to focus their product better. Well, knowing how their users
are using the product is one key part to improving all these things and
delivering a better product.

As a paid user of the Gitlab.com product, I am fine having them carry out
analytics on user behavior like my own. That said, I do use an ad blocker and
if they use 3rd party trackers I'll definitely be blocking those trackers.

[1] E.g. the use of third parties for the telemetry. They should definitely be
using in house systems for something like this not 3rd parties in order to
protect their user data. Also, they should not be rolling this out to self-
hosted versions.

~~~
0xffff2
>Obviously, this was mismanaged on many fronts [1], however the idea of
tracking product usage in order to improve the product is generally a good
thing, not a bad thing.

Disagree. The kind of client-side hyper granular tracking being discussed here
is not a good thing. It encourages micro optimization for metrics over
maintaining a good big-picture architecture. I've seen no evidence whatsoever
that software is any better now than it was in the days when applications were
off-line only.

------
JohnFen
Well, Gitlab is now unacceptable for my use.

It also appears that Gitlab really is all-in on this telemetry stuff, as they
envision "telemetry-as-a-service":
[https://about.gitlab.com/direction/telemetry/collection/](https://about.gitlab.com/direction/telemetry/collection/)

~~~
emilycook
We're halting any movement on this and reconsidering our decision on
telemetry, you can find more information here: [https://gitlab.com/gitlab-org/growth/product/issues/164](https://gitlab.com/gitlab-org/growth/product/issues/164)

~~~
JohnFen
Yes, I'm well aware of that, and I give credit to Gitlab for being willing to
back-pedal in the face of user outcry.

But the way that this was rolled out was egregious enough that I don't have
much trust in Gitlab at the moment.

------
breadandcrumbel
From their related blog post: “In order to service the needs of GitLab.com and
GitLab Self-Managed users who do not want to be tracked, both GitLab.com and
GitLab Self-Managed will honor the Do Not Track (DNT) mechanism in web
browsers. This means that, if you turn on Do Not Track in your browser, GitLab
will not load the JavaScript snippet.”

------
tombert
It's disappointing that Gitlab seems to be embracing the dark side; I've been
recommending people use Gitlab if they're uneasy about Microsoft's purchase,
but now it's giving me pause.

I suppose I could run my own Gitlab CE, and maybe I'll have to. That or I
finally have an excuse to build a competitor :)

------
jiveturkey
This is on .com only (for now).

I'm at a loss as to why they'd need 3rd party telemetry for this. It's a
service that _they host_. They have the data directly. It's not something that
runs in the cloud (ie, on someone else's server) where they don't have first
party access to the underlying data. Even if they want to visualize or analyze
the data with someone else's tools that don't have import functionality, they
can just "project" the data there without the user (client) being involved at
all.

The only reason they'd need to do this is for EE deployment where they don't
in fact have the direct data. But certainly that's such a small part of their
business. And, can't they just use what they know from .com usage data?

------
JohnCClarke
Honest question for the people who feel strongly about telemetry: What is/are
your concern/s?

~~~
vpEfljFL
You are welcome. Send your browsing history for the last 24h please as a reply
and we can talk why users (especially tech savvy) don't like telemetry.

------
ajnin
One of the very first comments below the original announcement post was
someone wondering about the RGPD implications of that change, and mentioning
that locking features behind a mandatory opt-in to tracking might be illegal.
That comment is now gone. I wonder why.

------
sytse
Further follow-up
[https://news.ycombinator.com/item?id=21390563](https://news.ycombinator.com/item?id=21390563)

------
whalesalad
Absolutely hilarious. The folks running this ship (the company, not this
endeavor) need to pause and reflect on the way they’re going about it. You’ve
got a good product and great engagement. These decisions shouldn’t be so hard.
Methinks this is due to their tendency to be overly transparent and
design-by-committee oriented. Ya need a leader who has values and a vision for the
future. If you need data, collect data. Stop walking on eggshells with your
users. If they don’t like it let them leave and go elsewhere. The people
complaining are likely the minority anyway.

------
throwaway5752
Between some recent behavior like this, some recent hires, some questionable
issue triage judgement, and product quality issues... as a paying customer I am
beginning to question what's up at Gitlab.

------
jefurii
IIRC sourcehut/srht uses either no JavaScript at all or very minimal
non-third-party JS.

Sourcehut came to my attention due to similar concerns with GitHub. Didn't
take GitLab long to go from alternative to this.

------
tyfon
Anyone figure out how to delete the account without accepting these terms? I
can't even log in without getting the "Consent or logout" bullshit.

What they do here is highly questionable in regards to GDPR, I'm reporting
this to my local authorities.

~~~
JohnFen
Honestly, if what you want to do is delete your account, I don't see a problem
with going ahead and accepting the new terms. Then they'll have telemetry
covering what you did during the account deletion process. Once your account
is deleted, that consent becomes a total nonissue.

~~~
rossmohax
It is more complicated than that: data without user_ids was already collected,
but it wasn't possible to link them to accounts on gitlab side. The moment you
accept new terms, a single telemetry event sent allows linking all past events
to your gitlab account. Source: [https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...](https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#note_182299396)
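
The retroactive linkage rossmohax describes, modelled as an added example (this is not GitLab's, Pendo's or the linked merge request's code): a generic server-side join on a cookie-like anonymous id, run against a constructed event stream, once with a client that keeps its id across consent and once with a client that rotates the id at consent so pre-consent events stay unattributable.

```python
"""Constructed model of anonymous-id linkage in client-side telemetry.

Generic illustration only; the event shape, id scheme and join logic are
assumptions, not any vendor's real pipeline."""
import itertools
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    anon_id: str                   # browser-scoped id (think: a cookie)
    name: str                      # what the user did
    user_id: Optional[str] = None  # present only after the user is identified


# Constructed browser session: three actions before accepting the terms,
# then the acceptance itself (the first identified event) and one more action.
SAMPLE_ACTIONS: List[Tuple[str, Optional[str]]] = [
    ("page_view:/group/project", None),
    ("click:merge_request_create", None),
    ("click:settings_ci", None),
    ("tos_accepted", "user_42"),
    ("page_view:/dashboard", "user_42"),
]


def client_stream(actions, rotate_on_consent: bool) -> List[Event]:
    """Model the browser side: attach the current anon_id to every event.

    If rotate_on_consent is True, the client mints a fresh anon_id when it
    sends its first identified event, so earlier events carry an id that is
    never paired with a user_id."""
    counter = itertools.count(1)
    anon_id = f"anon-{next(counter)}"
    identified = False
    out = []
    for name, user_id in actions:
        if user_id and not identified:
            identified = True
            if rotate_on_consent:
                anon_id = f"anon-{next(counter)}"
        out.append(Event(anon_id, name, user_id))
    return out


def link_events(events: List[Event]) -> Dict[str, List[str]]:
    """Model the collector side: join every event to a user via anon_id.

    Any anon_id that was ever seen with a user_id is mapped to that user,
    which is exactly what pulls pre-consent events into the user's history."""
    anon_to_user = {e.anon_id: e.user_id for e in events if e.user_id}
    by_user: Dict[str, List[str]] = defaultdict(list)
    for e in events:
        uid = anon_to_user.get(e.anon_id)
        if uid:
            by_user[uid].append(e.name)
    return dict(by_user)


def orphaned_events(events: List[Event]) -> int:
    """Count events whose anon_id never gets tied to a user_id."""
    known = {e.anon_id for e in events if e.user_id}
    return sum(1 for e in events if e.anon_id not in known)


if __name__ == "__main__":
    for rotate in (False, True):
        stream = client_stream(SAMPLE_ACTIONS, rotate_on_consent=rotate)
        print(f"rotate_on_consent={rotate}: attributable={link_events(stream)}, "
              f"orphaned={orphaned_events(stream)}")
```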

~~~
JohnFen
True enough. But (assuming they actually implement this in this way), there's
nothing much that can be done about it aside from acknowledging that trusting
them was a mistake.

You could always just abandon the account and never use it again, I suppose.

------
ljm
This is the same Gitlab that recently banned politics at work and said they’d
take anybody’s money, right?

Gitlab is not an underdog, stop fighting for them.

------
chrisweekly
What a cluster. On a related but brighter note, third-party cookies are
finally getting some long-overdue meaningful attention:
[https://blog.chromium.org/2019/10/developers-get-ready-for-n...](https://blog.chromium.org/2019/10/developers-get-ready-for-new.html?m=1)

------
gexla
Thanks Gitlab for providing the opportunity to create a statement on something
which will likely become increasingly common. That they would consider doing
this will force me to re-evaluate my decision to ever use Gitlab or recommend
it to others.

------
teekert
I think Ubuntu does this well. If you listen to Canonical employees explaining
their telemetry, it's a one time transmission, it's opt-out, you can inspect
the json file that is being sent (inside the installer) and it will help them
focus on what issues to address first. I don't see anything wrong with it.

------
CM30
Probably a silly question, but isn't at least the community edition of GitLab
open source?

So wouldn't it be a possibility to just fork the project outright and remove
the telemetry from there? Or is there something in GitLab's licensing that
makes that impossible despite it being 'open core' or whatever it is?

------
BurningFrog
I'll be the uncool one who asks:

What does "telemetry" mean in this context?

What is GL actually demanding of its users, and why?

~~~
overgard
For gitlab it probably means getting information on what buttons are pressed,
how long users stay on a page, etc. For users, it means running proprietary
javascript snippets from 3rd party tracking services. How much should you
trust that code? You may trust gitlab, but do you trust the vendors they work
with? How much visibility do you have into that?

As you can imagine, a lot of businesses are not willing to take that risk with
trade secrets like source code and internal bug tracking -- especially when
there's no upside to them.

I think the furor is probably less about the data being collected (although
people aren't happy about that), and more that Gitlab just offloaded a lot of
risk on their users for purely selfish reasons. (And it _is_ selfish. They can
get the data in other ways, or, make decisions based on expertise and customer
feedback instead. You don't _need_ a mountain of data to drive a product).

~~~
BurningFrog
Thanks. I genuinely didn't know.

Looks like the anger is also a lot about this being sprung overnight with no
warning.

> _trade secrets like source code_

Don't Gitlab already have their source code?

~~~
bdcravens
> Don't Gitlab already have their source code?

Yes. The point is third-parties now can.

------
chris_wot
That’s the wrong bug report now - try [https://gitlab.com/gitlab-org/gitlab/issues/34833](https://gitlab.com/gitlab-org/gitlab/issues/34833)

------
sysashi
What is this censorship by marking this entry as 'dupe' and hiding it from
front page?

Also, I guess it was a mistake to add middle-finger emoji to gitlab's
interface. It looks hilarious seeing all those fingers!

------
SergeAx
Modern problems require modern solutions. The moment I see telemetry URLs in
my browser - I will add it to uBlock Origin filters and submit a pull request
into EasyList PrivacyList. Boom, like that.

------
jancsika
> Again, there will be no changes to GitLab CE.

So it doesn't affect me directly.

Someone who is affected-- tell me what change this company is making that you
don't like.

No theorizing, please. Only bona fide gitlab.com users need reply.

~~~
CrazyStat
Gitlab plans (planned, as of this writing) to load third-party telemetry
scripts which will necessarily have access to all the content of any page they
are used on.

This opens an additional attack vector that anyone hosting valuable IP on
gitlab.com or the self-hosted enterprise edition needs to worry about.

------
Wowfunhappy
The submission title should be "Important Updates to our Terms of Service and
Telemetry Services".

As important as this is, the editorialization is quite clearly against HN
guidelines.

~~~
ralmeida
Not sure this would be fully editorializing, since the updated title
(currently "Gitlab mandating third-party telemetry, locks out user access
until accepted") is objectively factual and true.

~~~
emilycook
The ToS was the only thing that had changed, telemetry had not been
implemented yet. We've rolled the ToS changes back and are reconsidering our
approach based on the feedback: [https://gitlab.com/gitlab-org/growth/product/issues/164](https://gitlab.com/gitlab-org/growth/product/issues/164)

~~~
ralmeida
It's a good thing you are reconsidering the approach, but I don't see how this
is related to this "title subthread". At the time this subthread started, the
title was _"Gitlab mandating third-party telemetry, locks out user access
until accepted"_ and these things were, in fact, true at that time. The fact
that telemetry had not _yet_ implemented did not change the fact that it was
being _mandated_.

I would like to also note that my stance that the non-original title (at the
time) was fine does _not_ have anything to do with that title "looking bad"
for GitLab. For example, the title now is _"Gitlab ‘rethinking’ third-party
telemetry"_, which is also _not_ the original title, looks _somewhat_ good for
GitLab and I think it's fine.

~~~
emilycook
Sorry for being unclear, I wasn't trying to refute the accuracy of the title,
only to provide additional context that was missed by us in the first place. I
think if anything it's really _not_ my place to have a say in what the title
says.

------
alangibson
This is incredible seeing how people were moving to Gitlab as a not-owned-by-
Microsoft alternative to GitHub.

I remember when Microsoft was just M$, and now they look like the good guys.

------
dajohnson89
Sorry if this is an ignorant question, but:

Why is the term "telemetry" used, instead of "logs" these days. Is there a
substantial difference?

~~~
colechristensen
"telemetry" has been used for quite a while for information sent home. Usually
a bit less log-like and is used for more metrics and status sorts of things.

_Logs_ are _telemetry_ when they're sent to third party consumers who don't
ordinarily have access to your systems.

_Telemetry_ is literally just remote metrics.

_Logs_ comes from ships throwing a piece of wood attached to a knotted rope
over the stern and writing down the results in a _log book_ to record speed at
intervals as a part of normal navigation. Telemetry makes more sense :)

------
thrownaway954
Yep... and everyone was bashing Github last month and praising Gitlab. My
my... how quickly the tides have changed.

~~~
eeZah7Ux
everyone praising Gitlab? No, not at all.

------
StavrosK
As others have noted in the thread, this is quite illegal in the EU (telemetry
should be opt-in, not opt-out). I'd like to see how they tackle that one.

~~~
Wowfunhappy
Is _basically anyone_ actually doing this? Legitimate question.

It doesn't make it okay, but as far as I can tell almost no one is actually
following GDPR, despite the large theoretical penalties. They've all decided
to just put up cookie notices (with dark patterns to elicit agreement),
because it's easy and doesn't force fundamental changes to business practices.

~~~
vector_spaces
The penalties aren't just theoretical -- see this list of actual enforcements
[http://enforcementtracker.com/](http://enforcementtracker.com/)

~~~
Wowfunhappy
Well, something isn't working if Amazon, Google, Microsoft, and now Gitlab are
all still breaking the law.

~~~
vector_spaces
Yeah -- Google was fined too, but the sum is effectively peanuts for them

[https://www.nytimes.com/2019/01/21/technology/google-europe-...](https://www.nytimes.com/2019/01/21/technology/google-europe-gdpr-fine.html)

------
EGreg
Can someone explain what this telemetry does and what its role is supposed to
be?

~~~
bdcravens
Likely to capture user behavior (click this button, type in this field, hover
over that link, etc). Can influence changes to UX.

------
AcerbicZero
I'm re-thinking putting up with Gitlabs shit CI/CD system personally.

------
TipiKoivisto
Is there an explanation WHY and WHAT information is collected?

------
chris_wot
I’m actually curious how the Gnome project will react to this.

------
layoutIfNeeded
* for now

Privacy conscious orgs should work on migrating off GitLab.

------
kimjongtrill
what the fuck are Gitlab doing recently?! smh.

------
ptah
Can Brave block these JS calls?

------
ngcc_hk
wow what a mess

------
crb002
ICE ops says what?

------
bryanlarsen
dupe:
[https://news.ycombinator.com/item?id=21337594](https://news.ycombinator.com/item?id=21337594)

~~~
falcolas
/feedbackhn It really sucks when an active discussion on the front page is
nuked in favor of a dead discussion on an article that's ready to fall off the
second page.

~~~
bryanlarsen
I pointed out the dupe when there was only a single comment on this story. I
thought I was being helpful, giving a link to a bunch of great discussion. Now
I regret it.

~~~
falcolas
My apologies if it seemed targeted at you; your comment was at the top and the
post was marked as a dupe. The feedback is not against you.

------
colejohnson66
Can we fix the title? The use of scare quotes on “rethinking” specifically.

~~~
hnarn
Scare quotes? They literally say:

>We're going to process the feedback and rethink our approach.

------
kissgyorgy
Adding telemetry is the worst decision they made in years, and it was really
sneaky (without previous notice). However if they reconsider and don't do
this, it shows they care about customers. Would be nice.

