
Brew commands send data to Google Analytics - jeena
https://tobiastom.name/notes/7a79eed0
======
pvinis
Yes we know. brew tells you that. And you can disable it. Data is being sent
to Google everytime you do almost anything in almost all websites, using the
same technology. So what?

Some of the times it's to make the product better, or better targeted. Some
other times it's just for spying on the users.

Let's stop complaining about stuff that someone does and tell you they do it.
There are many more that do the same things without telling you.

Furthermore, now that you know, for brew specifically, will you opt out? Is
your brew command history so secret that you care more about noone looking at
it than helping making brew better? Chances are you use brew quite often.
Chances are brew is not perfect. Will you choose to make its progress slower
because of no real security reason?

How do we expect open source to become better if everyone is being a crybaby
because brew got a history of how often they do brew update?

~~~
blub
The US approach to privacy is "let the market sort it out". It has sorted it
out by transforming the internet into a giant spying machine sucking up
contacts, photos, documents, videos, metadata, what packages you use, when
where and how you exercise, everything

The EU approach to privacy (eroded by lobbying and lack of control over US
companies) is that citizens have a right over their information. They can ask
what personal information a company has on them, ask that it be corrected or
deleted. This has resulted in companies that are more careful with data.

Whenever I read a post like yours I immediately think of so-called "useful
innocents", to put it euphemistically [1]. Fighting for a non-goal of better
open source through analytics (get real), corporate dominance and fewer rights
for individuals.

Companies don't need analytics to improve software. They certainly don't need
analytics from Google, the leading spyware-as-a-service company in the world.

I expect open source to become better through writing quality software,
engaging with users and if need be doing some surveys or organsising other
reach-out initiatives in the open. Not analytics turned on by default but
it's-ok-cause-we-tell-you-we're-fucking-you.

[1]:
[https://en.m.wikipedia.org/wiki/Useful_idiot](https://en.m.wikipedia.org/wiki/Useful_idiot)

~~~
pvinis
Do you use brew? Have you contributed code to it? Have you installed something
using brew, before updating brew for a while?

For me, my answers are yes no yes. A while ago, you did that, and you get an
old version of the thing you just installed. With analytics, they saw that
many people forget to update before installing after a while, so they added an
update step in that case.

I call that progress, no matter how small. I didn't change that and to you
didn't change that. The brew devs changed that. Maybe they would have changed
it anyway later.. Who knows. But the fact that brew because a tiny tiny bit
better because of analytics, in part from me, makes me a happier user. Now I
don't need to remember to update before installing.

Of course it's not the best way to "contribute", but it's something.
Definitely better than "contributing" your data to companies, like you said.

~~~
majewsky
I can totally see the benefits of telemetry. But it would be way less phishy
if it were opt-in, or at least opt-out with a very visible information
message.

~~~
CJefferson
The problem with this is, do you want every program you ever use, to start
prompting you with a series of questions about various opt-in / opt-out
questions? I get annoyed enough that gnu parallel keeps asking me about citing
it, and that's one program.

    
    
        Bash would like to record analyitics. y/n/more information
        > y
        > ls *.c
        ls would like to record information about how you use it.
        y/n/more information.
        > y
        file1.c file2.c file3.c
        > grep 'string' *.c
        grep would like to record some information about your
        usage. y/n/more information.
        > y
        file1.c:8: string
        > vim file1.c
        vim would like to record information usage, to help
        improve vim in future. y/n/more information.
        > y
        The 'C' package in vim would like to ...

~~~
codedokode
Opt-in can be implemented other way without questions. For example, user could
set an environment variable or type a command.

~~~
CJefferson
Then we hit the problem that if we don't push that request at users, probably
a tiny fraction will turn it on.

Worse, that fraction will be the statistically unusual people who bother
reading and finding such options, meaning we can't derive any statistically
useful results about the user base from them!

~~~
codedokode
Maybe you should ask them better. For example you could ask for help on the
home page of your project or in the beginning of a tutorial. Or maybe they do
not want to paticipate. Is it right to ignore this and turn analytics on by
default?

~~~
lewiseason
The Debian installer gets this right: it prompts you during the install
whether it can collect information about installed packages for popcon[1]

[1] [http://popcon.debian.org/](http://popcon.debian.org/)

~~~
majewsky
I never understood why popcon is necessary. Couldn't you achieve about the
same result by just counting downloads on the package mirrors?

------
CJefferson
I knew, and I was prompted.

I can understand why this might upset people, but for me I hope it will make
brew a better product. I'm sure we all know as developers how annoying it can
be to not know the problems users have, and what they are using your software
for -- that's why most websites have analytics.

I'm hoping to add something similar to software I work on, with an opt-out of
course. I believe it will help me serve my users better.

~~~
hueving
Please make it opt in. If you truly believe people closely read the prompts
for having their data harvested, a default to "No" should not impact you at
all.

If you don't believe they read the prompts closely, you're an asshole for
stealing data by default.

~~~
CJefferson
Is it "stealing data" to record that certain options in my program are never
used, or used frequently, or whenever a user clicks on options A,B and C in
sequence the app crashes?

My problem is that I believe that 90% of the users of my app won't care one
way or the other if I record these stats. If I default opt-out these people,
then I lose all that useful data and in the process, I believe, make my app
worse for everyone.

I won't deny this is not an obvious choice, but I think personally on balance
it's better to opt-in. Especially when the data is anonymised and doesn't
contain any private/identifying information. But I understand how others would
disagree. If there was some kind of OS-wide "don't record what I do" option I
could hook into, I would use it.

~~~
stan_rogers
You should, perhaps, question your beliefs. When I get "do you want to
send...", I only _very_ rarely click "yes/OK", and then _only_ if that and the
OS were the only things running and the problem is locally reproducible. The
state of my machine is none of your damned business.

~~~
CJefferson
You could be right. I could pop up a message early on, saying I'm doing
analytics.

I think, based on the conversation here, I'm going to make it very clear there
is analytics, but not allow turning them off. This is (I think, you are
welcome to disagree of course) the best situation:

* Everyone knows there is analytics going on, no hiding. * I get good quality analytics from my actual users, as no-one can opt out (well, you could start port blocking, I'm not going to make the program stop working in that situation).

------
izacus
If you listen to Changelog #223 podcast[0], both Mike and the podcast author
showed quite a lot of derision and condescension to the people caring about
analytics upload, so I don't think it's getting fixed.

[0]: [https://changelog.com/podcast/223](https://changelog.com/podcast/223)

~~~
hueving
Awesome, so not only does he not care about privacy, he feels the need to
deride people that do?

Maybe the reason they needed analytics in the first place is because of this
myopic perspective. If you assume everyone who disagrees with you is an idiot,
you're going to stall really quickly.

------
tfeldmann
To disable this, execute

    
    
      brew analytics off

~~~
opk
Any idea what to block if I want to just completely block google analytics at
the firewall level?

~~~
jbg_
Little Snitch is excellent for this. I remember running brew at some point and
being asked by Little Snitch if it could connect to Google. I said "deny
forever" and have never worried about it since.

------
dictum
From
[https://github.com/Homebrew/brew/blob/master/docs/Analytics....](https://github.com/Homebrew/brew/blob/master/docs/Analytics.md):

> As far as we can tell it would be impossible for Google to match the
> randomly generated Homebrew-only analytics user ID to any other Google
> Analytics user ID. If Google turned evil the only thing they could do would
> be to lie about anonymising IP addresses and attempt to match users based on
> IP addresses.

Look, by now Google knows my whole stack and what I'm doing with each project,
and Homebrew using Google Analytics doesn't bother me much. I still disabled
it a while ago and after reading "if Google turned evil" put like a remote
possibility I won't turn it back on. There are two extremes in tech — paranoia
about everything and magical optimism about everything. This is an example of
the latter.

A corporation of Google's scale and relevance to different industries simply
cannot afford to not be evil.

Doesn't mean they're _absolutely evil_ and just waiting for an opportunity to
partner with a hypothetical fascist government — just that you can't assume
the best.

------
lispm
In German we have a word called 'Datensparsamkeit':

[http://martinfowler.com/bliki/Datensparsamkeit.html](http://martinfowler.com/bliki/Datensparsamkeit.html)

It's a principle for good software design. This principle is also written down
in German law:

[https://de.wikipedia.org/wiki/Datenvermeidung_und_Datenspars...](https://de.wikipedia.org/wiki/Datenvermeidung_und_Datensparsamkeit)

>Damit gilt in Deutschland der Grundsatz, dass die Erhebung, Verarbeitung und
Nutzung personenbezogener Daten und die Auswahl und Gestaltung von
Datenverarbeitungssystemen an dem Ziel auszurichten sind, so wenig
personenbezogene Daten wie möglich zu erheben, zu verarbeiten oder zu nutzen.

Rough translation: Thus in Germany we have there principle, that the
collection, processing and using of person related data and the selection and
design of data processing systems have to be guided by the aim to collect,
process or use as few as possible person related data as possible.

Here, now someone has a list of software installed on various machines and the
versions of that software, and whatever else information. It may be enough
data to identify me or other users, the computers and the installed software.
It may also allow other uses, which I have no idea of.

It's likely that this information spreads to unintended places.

I don't think this is a good idea.

I never liked the idea of using Homebrew, and this makes it even more
suspicious.

~~~
majewsky
For example, data about installed software versions can be used to
automatically find systems that are vulnerable to certain exploits.

~~~
TeMPOraL
Data about installed software can also be used to profile you for headhunters
or marketers in general.

------
rkachowski
This is google analytics. It's a bit different than google directly taking the
data and using it for google purposes (e.g. streetview cars gathering SSID
information for location pinpointing). The data (afaik) is used only by the
homebrew team instead of Google.

A more accurate summary would be "Brew is sending usage data to a google owned
analytics service".

~~~
opk
The data still goes to google. While the expectation would be that the data is
only used by homebrew, there's no actual way of knowing that google isn't
gratefully helping itself. And given the entire way Google's business works,
they probably are.

~~~
pbiggar
Given the number of people who work for Google, and Google's internal culture
of openness, I find it extremely unlikely that Google is violating its
customers' privacy. That would almost certainly get whistleblown.

~~~
wingless
Like how the PRISM program got whistleblown by Googlers? Oh wait, that never
happened.

~~~
rocqua
Threat of jail / treason conviction is _a lot_ stronger than the threat of
being fired by google.

I can totally see someone caving for the one and not the other.

------
tbarbugli
Sounds quite reasonable to me when you read it:
[https://github.com/Homebrew/brew/blob/master/docs/Analytics....](https://github.com/Homebrew/brew/blob/master/docs/Analytics.md)

------
antouank

        Opting out [0]
    
        Homebrew analytics helps us maintainers and leaving it on is appreciated. However, if you want to opt out of Homebrew's analytics, you can set this variable in your environment:
    
        export HOMEBREW_NO_ANALYTICS=1
    
        Alternatively, this will prevent analytics from ever being sent:
    
        brew analytics off
    

[0]:
[https://github.com/Homebrew/brew/blob/master/docs/Analytics....](https://github.com/Homebrew/brew/blob/master/docs/Analytics.md#opting-
out)

------
STRiDEX
I've seen this crop up a few times recently and a vocal minority seems to
panic every time. I ran into it the other day installing pm2 w/ npm which
downloads an optional package that they use for analytics
[https://github.com/Unitech/pm2/blob/master/package.json#L184](https://github.com/Unitech/pm2/blob/master/package.json#L184)

Is the problem that they are using google's service? Is it the tracking that
people don't like? Is it the messaging/copy to the users? I'm sure there's
plenty of people on hacker news that build analytics software for a living.
I've worked on email click and open tracking. Doesn't seem terrible if it
helps them build their product.

~~~
djsumdog
You know...you can already get analytics if your mirrors just agree to share
logs. It may not be as detailed or complete, for sure, but using another
analytical tools does feel a little superfluous.

> Is the problem that they are using google's service?

This is part of it I think. The brew devs get stats, but so does Google which
they can aggregate across everything. Standing up your own analytics
server/cluster, especially for a project the size of brew, wouldn't be trivial
and I can see why they leverage Google's service.

But I can understand people not wanting to have data sent to Google. I moved
everything off Gmail to my own E-mail server back in 2013 and moved search to
DuckDuckGo.

~~~
true_religion
Does google simply have access to you analytics data to do whatever they want?
I was under the impression that they could only use it in ways that you the
account holder defines.

~~~
skylark
It depends on what you mean by "access to your analytics data." Anonymized,
aggregated data is being used to inform product decisions, but engineers don't
have direct access to the production database to query whatever they want.
There are almost no cases where you'll be granted approval to look at real
user data, and if you are granted access, 100% of your activity is monitored.

As a side note, this has been the case at every big company I've worked at,
not just Google.

------
jakebasile
This really doesn't concern me at all. I don't feel I am harmed by Google
possibly knowing what software I install, because if anyone wants to look I
keep the script that installs it in my public dotfile repo on GitHub.

Can anyone explain to me how this could be used against someone? I'm asking
completely seriously as I don't see any harm in this no matter how hard I try.

Edit: I do agree that the notice should be more visible for those that are
concerned about this. It should require user input even if it is just waiting
for a key press to give you a chance to read it along with info on how to opt
out.

~~~
yoo1I
> Can anyone explain to me how this could be used against someone? I'm asking
> completely seriously as I don't see any harm in this no matter how hard I
> try.

This is called the "nothing to hide" argument. If you currently have no foes
and are generally closer to the elite of a society than to the margins, then
these few little data points collected on you (pseudo-anonymously or not)
cannot really hurt your.

But as your digital shadow grows (and with google analytics et al being used
to extensively, it certainly is) and you drift to the margins of society,
possibly developing some foes in the elites in the process, the information
about you that is now available to people in power becomes more threatening
for you.

Say, you're now a black, female, delivery driver in Detroit instead of a
Silicon Valley software engineer. Once you give cause for scrutiny, say, a
conflict with your employer, the digital shadow of data-points can be searched
to find anything that, taken out of context or not, can be used against you.

Or, put differently in famous exaggeration by Cardinal Richelieu:

    
    
      If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him.

------
pimpek
I agree that it should be opt-in instead of opt-out but worrying what they do
else behind the scenes is paranoid.

You can check it out:
[https://github.com/Homebrew/brew](https://github.com/Homebrew/brew)

------
mrmondo
Quite honestly, I don't remember brew asking me this on any of my 3 macOS
machines, I'm not saying it didn't, but the fact that I'm a 'techie' person
and didn't notice or forgot about it worries me greatly.

~~~
ProbabilityMoon
It probably didn't. I run brew regularly on my machine, and I did not get any
prompt asking me to enable analytics. From reading other comments, I see lots
of users are in the same position, and homebrew sneaked this in with just a
two line notice buried in the verbose output. This worries me deeply, to the
point where I'm considering removing this software from my machine.

~~~
mrmondo
While I obviously feel the same way, I'd take a step back and see what Brew's
response is to this thread / the backlash of what people want / don't want,
because it has, overall been a good thing of macOS.

------
peteretep
I was aware, because I run Little Snitch. If you care, you should be too.

~~~
aorth
You're right, we probably should be using Little Snitch — just know that it's
not a golden ticket! There has been some research about bypassing Little
Snitch, for example this one from 2016:

[https://speakerdeck.com/patrickwardle/defcon-2016-i-got-99-p...](https://speakerdeck.com/patrickwardle/defcon-2016-i-got-99-problems-
but-little-snitch-aint-one)

~~~
JoachimS
And that has been fixed. It could have been announced in a better way, but is
fixed. Are you suggesting people should not use Little Snitch at all? Has the
tool lost all credibility forever?

------
andrewvijay
Its looking a bit hyprocitical here to be honest. If you use websites in the
web today, you are sending data for sure unless you use a adblocker that
blocks analytics as well. Brew collecting data this way is unethical but
complaining about these things these days is not going to do any change to be
honest. I would be glad if the people who complain about this dont use any
websites that collect data without giving any control to the user. But we all
know the real deal.

~~~
blub
Sure, let's not complain. Because being a pushover is the secret to success in
life.

All the benefits and rights we have today were gained because our ancestors
didn't fight for them and shrug their shoulders.

~~~
andrewvijay
No dont take it the wrong way. But what are you fighting against? The entire
web? You can but you have to understand that the scale is so massive that we
can't do anything unless its becomes a massive movement throughout the world.
But really? A movement for privacy? No chance. Its simply a first world
problem. In my country we have around 22,000 people dying everyday in hunger.
Privacy wont even be heard here. So its near impossible.

------
mcgirr
There are many good reasons to run macOS. _But_ if you run Linux, instead of
macOS, you will get a package manager (one supported by your distro) that
performs most (if not all) of the functionality of brew. I find it frustrating
to see people use macOS _and_ rely/complain about brew.

------
tomlong
I distinctly remember being asked about this ages ago, and finding it easy to
disable, or is this something else? Is it still using google analytics when
you've asked it not to?

~~~
andromeduck
No

------
libeclipse
With companies like Google having their fingers in every pie, we're losing the
privacy war.

~~~
MawNicker
People just get ratfucked by whoever controls the media.

~~~
unixhero
Better become they then.

------
andrewguenther
While factual, the title is a bit misleading. Brew uses Google Analytics and
prompts you to inform you that it does so.

~~~
lispm
What does it send? What does it use it for?

~~~
andrewguenther
[https://github.com/Homebrew/brew/blob/master/docs/Analytics....](https://github.com/Homebrew/brew/blob/master/docs/Analytics.md)

(This link is provided in the initial notification)

~~~
lispm
Notification or prompt?

There is no way that I would want to have this data and this amount of data,
recorded and transferred to google. Especially not about software installation
on my computers or computers of friends or clients.

~~~
andrewguenther
I recall it being a prompt when I saw it, but others are saying it was a
notification.

------
rcarmo
There has been a prominent warning for this (that sadly most people miss) for
months now.

~~~
joosters
Obviously it's not prominent enough then.

~~~
rcarmo
Or people simply don't pay attention to a change of color in terminal output
anymore :)

~~~
mrmondo
Thanks to craplications like NPM etc... I'm sure that certainly has been the
case. As I mentioned elsewhere, I can't remember being prompted for this on
any of my three machines, but I bet I was and forgot.

------
mook
Relevant previous discussion, in case people want more details:

[https://news.ycombinator.com/item?id=11566720](https://news.ycombinator.com/item?id=11566720)

------
kinkdr
Try "Little snitch", apart from sublime, it is the best $40 I ever spent.

Edit: the _best_ $40..

~~~
Tepix
"best"?

~~~
kinkdr
Ooops. Thanks :D

------
andrewguenther
People advocate so fervently for privacy, but can't be bothered to read a
prompt...

~~~
TeMPOraL
Privacy-respecting defaults should be there so that you don't have to spend
your whole day reading prompts and ToS looking for that one sentence that
fucks you over.

~~~
andrewguenther
Genuine curiosity question: Are all analytics a violation of privacy? If brew
simply sent a message that said "brew was used" with no PII, would that
matter? At what point is it an issue?

~~~
tremon
_Are all analytics a violation of privacy?_

No, only the ones without active informed consent. Privacy is the embodiment
of personal choice, after all.

------
cygned
This topic has been discussed on The Changelog recently:
[https://changelog.com/podcast/223](https://changelog.com/podcast/223)

If I recall correctly, opt-out was chosen because they really want/need some
analytics data and most of the users would not opt-in.

~~~
anc84
What would they _need_ it for?

~~~
cygned
It's outlined here:
[https://github.com/Homebrew/brew/blob/master/docs/Analytics....](https://github.com/Homebrew/brew/blob/master/docs/Analytics.md)

------
tobiastom
For what it's worth: I don't think Homebrew is evil. It's all about a
technical decision they made, which I'm not ok with.

I wrote a follow up here:
[https://tobiastom.name/notes/4cda7d7b](https://tobiastom.name/notes/4cda7d7b)

------
agounaris
OMG grow up, you use google every day, you have facebook, twitter and maps on
your phone but suddenly you worry because the developer of brew who needs some
metrics! The only thing missing now is the Snowden guy to make a blog post
about it.

~~~
arm
I think you should grow up and realize that not everyone conforms to your
worldview. As an example, I _don’t_ use Google every day (I use DuckDuckGo), I
_don’t_ use Facebook, Twitter, or Google Maps, nor do I have a phone (can’t
justify the expense when I have Wi-Fi access most of the times I need it).

As echoed by many others above, I never gave Homebrew consent to send any
information to Google; it should be opt-in. Frankly, I was quite annoyed after
updating Homebrew and found it already trying to connect to Google Analytics
immediately after. Thankfully, I was able to block the request with Little
Snitch and then opt-out of the analytics, but it certainly left a bad taste in
my mouth that they’d start collecting data before even letting me opt-out
first!

------
draw_down
You know... not everyone is spying on you all the time. People do use data
like this for non-nefarious purposes.

------
hmans
"brew install" installs executable code on your system

------
thinkindie
this blog post is pretty naive, it was well advertised few months ago

~~~
froh42
“But the plans were on display…” “On display? I eventually had to go down to
the cellar to find them.” “That’s the display department.” “With a
flashlight.” “Ah, well, the lights had probably gone.” “So had the stairs.”
“But look, you found the notice, didn’t you?” “Yes,” said Arthur, “yes I did.
It was on display in the bottom of a locked filing cabinet stuck in a disused
lavatory with a sign on the door saying ‘Beware of the Leopard.”

------
ciraci_nicolo
You can disable it by setting the ENV variable HOMEBREW_NO_ANALYTICS.

[https://github.com/Homebrew/brew/blob/master/Library/Homebre...](https://github.com/Homebrew/brew/blob/master/Library/Homebrew/utils/analytics.rb#L16)

------
Lazare
This seems like a somewhat extreme reaction to google analytics.

~~~
froh42
Im extremely pissed off by the way they snuck the prompt in between several
hundred lines of shell output on update. This is NOT being prompted.

I can live with the analytics. I'd might even consider to leave it on IF BEING
ASKED PROPERLY.

All previous discussion says "oh you get notified". The point is, you don't
get properly notified. And this is, why this is news again over the old
discussion on HN.

------
Nursie
The point here is that, like that Ubuntu search we all hated, this is not
behaviour we expect from well behaved FOSS application, notice or otherwise.

Google collect obscene amounts of info on everything from government
interactions to software preferences. So far it's largely been confined to the
web and could be blocked by using an ad or tracker blocker.

Now that software may or may not do this stuff too... it ups the game and the
threat.

This will make me less likely to use Brew. Likely no great loss to the team
I'm sure.

------
lorenzfx
pkg.src is available for Mac OS X and might be a good alternative (disclaimer:
I have never seriously used it, certainly not on OS X).

[https://www.pkgsrc.org/](https://www.pkgsrc.org/)
[http://pkgsrc.joyent.com/install-on-osx/](http://pkgsrc.joyent.com/install-
on-osx/)

------
golanggeek
Unbelievable.. anyway, you can look up your current settings using

# brew analytics state

and switch it off

# brew analytics off

More info -
[https://github.com/Homebrew/brew/blob/master/docs/Analytics....](https://github.com/Homebrew/brew/blob/master/docs/Analytics.md)

------
hashhar
They do prompt for this. And the document that details this if very
descriptive. They have also specifically called out the files used for
analytics and even have an environment variable to echo the analytics
information.

I think this is paranoia.

And thanks a lot to Max for making this great piece of software.

------
TeMPOraL
"It's easier to ask forgiveness than it is to get permission."

I feel I need something like uMatrix, but for the entire OS. Is it time to
familiarize myself with netstat and firewall rules?

~~~
cdubzzz
I had a spare Pi lying around and installed pi-hole[0] on it a while back. It
has worked like a charm with almost no up keep for months now.

[0] [https://pi-hole.net/](https://pi-hole.net/)

------
ttflee
How would it go in China, where Google IP ranges are totally blocked?

------
cs02rm0
I didn't know about this.

Serves me right for running it via cron I guess.

------
appelza
Being sent _

------
eternalban
Time to break up Google.

------
rurban
Switch to macports. This is a professional ports system, not the spying
amateurism of brew.

------
ainiriand
As far as I know, Brew can be cloned, right? Can we mantain a fork? Is this
reasonable? Thanks.

~~~
andrewguenther
Maintain a fork that no one will use? Sure. Or just turn off analytics.

------
ronreiter
Data is being sent to Google on probably every page you browse over the
internet. And to 50 other data websites as well.

~~~
hueving
Data isn't being sent when I use most of my developer tooling. When I visit a
website, I expect it's going to be inundated with garbage analytics so I use
things like ublock and noscript.

What I don't expect is a package manager siphoning off data to Google.

~~~
a3n
It's the new frontier.

------
mrmondo
I went to log a bug for this and was given "You can't perform that action at
this time."

~~~
moonbug
github pitches that error all the damn time. Wish I knew why.

------
KKKKkkkk1
A bit offtopic: I'm a recent convert to Brew and I was a bit surprised that it
is missing two features that I am used to seeing in a package manager. The
first is that there is no way to upgrade casks, and the other one is that
there's no way to autoremove dependencies when a package is uninstalled. Since
Brew is at this point a mature project, I am guessing these features are not
in the plans, which is too bad.

