
Homebrew now sends usage information to Google Analytics - aorth
https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/Analytics.md
======
mikemcquaid
I'm the maintainer who added this. I apologise for the poor communication. I
would have responded sooner but I've been on a plane for the last 10 hours.
I'd hoped the documentation would have made clear our reasons for doing this
but I feel the discomfort so since getting off my flight I've opened and
merged three PRs
([https://github.com/Homebrew/install/pull/42](https://github.com/Homebrew/install/pull/42)
[https://github.com/Homebrew/brew/pull/143](https://github.com/Homebrew/brew/pull/143)
[https://github.com/Homebrew/brew/pull/146](https://github.com/Homebrew/brew/pull/146))
to better communicate this to our users on installation and `brew update`
before any information is sent and ease the opt-out process.

~~~
javajosh
It should be opt-in, not opt-out.

~~~
developer2
Man, the privacy critics really come out of the woodwork every single time
"opt-out" is mentioned, regardless of the actual facts for a specific
situation. The developers explicitly state they set the anonymous IP address
flag. There is nothing that links back to you as a person. Are you really
concerned that the developers know which packages a random, unknown person has
installed?

Crying "opt-in" to every single little thing that has ever tracked you for
_non-nefarious reasons_ completely detracts from the cases where tracking _is_
nefarious. Homebrew is not tracking for ads. They are not tracking for
anything worth selling to a 3rd party. They're not - and are incapable of -
linking this to any other database that does contain personally identifiable
information. There's no "profile" worth anything to anybody except the
developers, who are trying to get some very basic information completely
detached from any identity.

>> You will be notified the first time you run brew update or install
Homebrew.

>> to opt-out of Homebrew's analytics you may set HOMEBREW_NO_ANALYTICS=1 in
your environment

They went to the lengths to document this. And to notify you when you run the
software. You have the opportunity to opt-out of something that is completely
harmless. There is no valid reason to be crying foul over this. Of all the
tracking that goes on with our internet connections, this should by far be the
least of anyone's concerns.

I have uBlock Origin installed in Chrome. With all the ad networks _and_
analytics scripts blocked. Google Analytics does not run in my browser. And
yet, I am not even slightly opposed to homebrew's use of it. It's _actually_
anonymous, unlike how many developers use GA in the browser (tracking IP
addresses, custom fields like user ids that link back to the site's database,
etc). God speed, homebrew devs.

~~~
peterwoo
If all this is true then why even go to the trouble of supporting opt out?

The support for opt out acknowledges (implicitly) that the choice to upload
data is rightfully the user's own prerogative. Then paradoxically enables the
feature by default anyway and places the switch behind some esoteric opt out
commands.

~~~
chris_wot
You might not support or use Google in any way. There are such people. They
use DDG and go to extraordinary lengths to prevent any assistance to Google.
I'm not one of those people, but the ability to turn off the feature is
reasonable.

Some folks don't trust Google. There might be a case down the road where the
U.S. government required access to the data due to National Security. Given
how they handled the San Bernardino iPhone incident, it's not like this won't
ever happen.

Others believe that Google will use the data for their own ends. In the same
way others don't want Google to become more powerful, others will be concerned
that Google uses analytical data like this for their own commercial purposes,
and it's not known what this might be.

It also would be a PR nightmare if this wasn't added, even though the data is
anonymised to the Homebrew guys. Perception is important also. Not to mention
the fact that it doesn't hurt to add this option to Homebrew.

Personally, I'll just leave it on as I don't subscribe to any of the above
views, but I'm imaginative enough to see potentially legitimate concerns. :-)

~~~
newjersey
I support opt-in as well. Make it the default option so people can press enter
or use -y if you'd like.

I'm thinking along the lines of popcon in Debian
[http://popcon.debian.org/](http://popcon.debian.org/)

------
xutopia
The fact that they are transparent about this, that we can opt-out if we want
and that they're open source makes me feel more than comfortable sharing
anonymous usage information with them. Homebrew has been amazing for me!

~~~
LeoPanthera
Is an alert displayed to the user the first time it tries to send info to
Google? If not, that is far from "transparent". It's good that they tell you
how to opt out on the website, but I can't remember the last time I went to
the website. Probably when I first installed Homebrew on this Mac.

~~~
atmosx
Get littlesnitch on Mac and you won't need to rely on third parties alerting
about outgoing connections, although I reckon that when we're talking about
something like homebrew it's not _easy_ to vet every single outgoing
connection.

Still littlesnitch is really awesome for the privacy conscious users.

~~~
makeitsuckless
LittleSnitch also makes you totally paranoid about how almost every piece of
software is spying on you without explicit consent.

Also, Microsoft really needs to clean up their domain usage, because it takes
999 permission rules to run Office.

~~~
_asummers
In a similar vein, installing uMatrix makes you (rightfully) paranoid about
what web pages are collecting from you. "Wait I can disable 28 Javascript
scripts and iframes and the page loads OK?"

------
LeoPanthera
Set HOMEBREW_NO_ANALYTICS=1 to opt out.

The right thing to do would be to make it opt in, not opt out. (Which would
not be without precedent. Debian's popcon is opt-in.)

~~~
mikevm
That's probably true, but then no one would opt-in.

~~~
joosters
...which is very telling.

~~~
toomuchtodo
As in, people want privacy at the expense of volunteer time.

Simple solution: Charge people for using Homebrew who don't want to send
analytics in, fund Homebrew development with those funds. Otherwise, it's an
external cost being foisted on the volunteers by developers who want privacy
at the cost of additional volunteer time.

EDIT: The tone of this thread is the exact problem with open source projects
and participation. "I want a say, but I'm not willing to contribute in any way
except use your tool you're providing for free." Sad, but expected.

~~~
cname
I think most people aren't concerned so much about sharing usage data. The
problem is specifically the way it's being shared via a third party. Other
apps ask if I mind sharing some data (e.g., Firefox), and I don't have a
problem with that.

~~~
toomuchtodo
Okay. Is everyone going to pony up for a self-hosted analytics box and the
time to manage it? No? Of course not. Everyone wants to complain, no one would
contribute resources to do it though. Privacy has a high moral value (it's free
to want it and complain about it), but small economic value (you use Chrome?
It sends everything you do back to Google. You'll still use it, because it's
better than not).

~~~
Touche
A HN thread is not the appropriate place to ask for resources for a project.

There are many OS projects out there with larger needs than an analytics
server that have managed to get the support they need. If resources are an
ongoing problem you even have the option of applying to join a free software
foundation like Apache that has resources.

~~~
vorg
> join a free software foundation like Apache that has resources

There's a reciprocal arrangement here. One of the requirements of joining the
Apache Software Foundation is using "Apache" when referring to the name of the
software product for the first time in a new context, e.g. first mention on a
webpage. Apache Groovy was promoted from Apache's incubator last November
(2015), so I've been doing just that ever since. Unfortunately, many of the
developers who work on Groovy don't bother, availing themselves of those
resources but not giving back to the foundation the small amount asked.

------
cstrahan
Yet another reason to ditch the antiquated Homebrew, and switch to the cross
platform Nix:

[http://nixos.org/nix](http://nixos.org/nix)

[https://github.com/NixOS/nixpkgs](https://github.com/NixOS/nixpkgs)

[https://blog.errright.com/switching-from-homebrew-to-nix/](https://blog.errright.com/switching-from-homebrew-to-nix/)

~~~
astrange
Remember when everyone switched to Homebrew because Fink/macports were
"antiquated", a.k.a. not written in Ruby?

It was nice back then. Packages didn't install themselves in /usr/local.

~~~
cstrahan
> Remember when everyone switched to Homebrew because Fink/macports were
> "antiquated", a.k.a. not written in Ruby?

Yes, I must admit I chose the word "antiquated" quite intentionally, as
Homebrew seems to get so much attention (for now) because it's written in Ruby
and the website ([http://brew.sh/](http://brew.sh/)) is shiny, rather than
technical merits.

> It was nice back then. Packages didn't install themselves in /usr/local.

You might enjoy Nix, then -- for that reason, and the following:

1. Everything is stored in /nix/store -- nothing ever touches
/{local,}/{bin,lib,share}

2. Profiles are symlink forests that merge multiple packages into one
FHS[1]-like tree -- each link pointing into /nix/store. When you install a
package, a new symlink forest is created replacing the one at ~/.nix-profile
(your user profile, being the default). If you request that nix rollback to a
previous "generation" of your profile, all Nix has to do is replace the
~/.nix-profile link to instead point at the previous generation's symlink
forest (you can think of this as bumping HEAD in git -- it's nearly
instantaneous). If upgrading a package goes wrong, just rollback.

3. Because Nix knows the entire dependency graph, it's trivial to distribute a
build plan across multiple machines (you can set this up to happen by default)

4. We have a continuous integration server (Hydra[2]) that builds and signs
all of our packages. Of course, there's nothing stopping you from building
from source (or you could run your own Hydra instance, if you so wish).

[1]: [http://www.pathname.com/fhs/](http://www.pathname.com/fhs/)

[2]: [http://nixos.org/hydra/](http://nixos.org/hydra/)

~~~
lawnchair_larry
That's the purpose of /usr/local.

/nix/store? Really? You can't just make up new root level directories. That's
so wrong.

~~~
cstrahan
> That's the purpose of /usr/local.

I think you must have ignored a substantial portion of my comment. Let's take
a look at what (part of) my Nix store looks like (you'll see it fundamentally
looks nothing like /usr/local):

    
    
      /nix/store/2mmvks92lx37xghj0795ldzrg50lh2pg-bash-4.3-p42
      ├── bin
      │   ├── bash
      │   ├── bashbug
      │   └── sh -> bash
      └── share
          ├── info
          │   ├── bash.info
          …   …
          └── man
              └── man1
                  ├── bash.1.gz
                  └── bashbug.1.gz
      
      /nix/store/8g6gb6r49fxsrp547rdi3zr06vd69khq-git-2.7.4
      ├── bin
      │   ├── git
      │   ├── git-cvsserver
      │   ├── git-http-backend -> /nix/store/8g6gb6r49fxsrp547rdi3zr06vd69khq-git-2.7.4/libexec/git-core/git-http-backend
      │   ├── git-receive-pack -> git
      │   ├── git-shell
      │   ├── git-upload-archive -> git
      …   └── git-upload-pack
      

Note that each package under /nix/store is its own prefix; that is, it
contains its own bin, lib, share, etc.

/usr/local is a dumping ground "for use by the system administrator when
installing software locally"[1]. If you need multiple versions of automake
installed: tough luck, the paths collide. If you need multiple versions of
Erlang: tough luck, the paths collide.

Would you like to be able to rollback your system by changing _one_
symlink[2]? Too bad: when you last installed packages into /usr/local, your
package manager clobbered the previous version.

Technically, we could make /usr/local a symlink forest pointing into
/nix/store, but we don't: we want to make sure that only the packages we
explicitly declared are picked up by build tools, rather than defaulting to
searching through the currently "installed" packages.

> /nix/store? Really? You can't just make up new root level directories.
> That's so wrong.

Can you substantiate your claim? Note that "it doesn't feel right" doesn't
count as a rational criticism.

[1]:
[http://www.pathname.com/fhs/pub/fhs-2.3.html#USRLOCALLOCALHI...](http://www.pathname.com/fhs/pub/fhs-2.3.html#USRLOCALLOCALHIERARCHY)

[2]: This probably sounds like a bold claim. I tried to explain how this works
above, but if you don't believe me, feel free to ask and I'll explain further.
Alternatively, feel free to read the first paragraph here:
[http://nixos.org/nix/manual/#sec-profiles](http://nixos.org/nix/manual/#sec-profiles)

~~~
tremon
Funny that you should mention the FHS. From that same document:

 _Applications must never create or require special files or subdirectories in
the root directory. Other locations in the FHS hierarchy provide more than
enough flexibility for any package._

They really should be using /opt:

 _/opt is reserved for the installation of add-on application software
packages.

A package to be installed in /opt must locate its static files in a separate
/opt/<package> or /opt/<provider> directory tree_

------
pdkl95
> generated by uuidgen

So sending a unique tracking number...

> enable us to accurately measure user counts vs. event counts

for the specific purpose of associating events from the same user...

> This does not allow us to track individual users

somehow doesn't accomplish its stated purpose? The entire point of that UUID
is to track individual users.

> The Google Analytics anonymous IP setting is enabled

Sending Google an additional boolean flag doesn't prevent Google from reading
the Source Address from the IP header.

------
jalami
Would really prefer it to be opt-in instead of opt-out as others have said.
Sharing the info with Homebrew is one thing, the GA borg-malware is another
entirely. Something like that should require an explicit request. At least in
the browser, I can blacklist all requests with uBlock.

Atom does the same thing and I'm not a fan. You have to explicitly remove the
analytics 'package'. Soon every piece of software will be reporting, silently.

~~~
dublinben
>Soon every piece of software will be reporting, silently.

Not ethically written, free software. You would never see this behavior from a
GNU program.

~~~
HappyTypist
Absolutely. If there were it'd be opt in and not to Google.

------
mehta
Seems like Homebrew is doing many things right:

- Anonymizing IP address.

- Explaining what data is collected, and why

- A way to opt-out

Something that could be better:

- Make this opt-out for new users and opt-in for existing users?

- Notify the user in some manner when the data is sent to GA for the first
time?

- Change the uuid every X period of time to make things more privacy
friendly.

[Edit: wording]
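
Added example, not part of the thread or of Homebrew's code: pdkl95's point about the persistent UUID and mehta's suggestion to rotate it, run over a constructed hit log. The parameter names (cid, aip, ec, ea) are Google Analytics Measurement Protocol fields; which of them Homebrew fills, the function names, and every value in the sample are assumptions.

```shell
#!/bin/sh
# Constructed sample: "<day> <form-encoded hit>", one per line, as a receiver
# could log them. cid is the per-install UUID, aip=1 the anonymize-IP flag.
# The UUIDs and the package name acme-internal-cli are made up.
sample_hits() {
    cat <<'EOF'
day1 v=1&aip=1&cid=7f3c2a10-0000-4000-8000-000000000001&t=event&ec=install&ea=wget
day1 v=1&aip=1&cid=7f3c2a10-0000-4000-8000-000000000001&t=event&ec=install&ea=postgresql
day2 v=1&aip=1&cid=9b1d4e22-0000-4000-8000-000000000002&t=event&ec=install&ea=wget
day9 v=1&aip=1&cid=7f3c2a10-0000-4000-8000-000000000001&t=event&ec=install&ea=acme-internal-cli
EOF
}

# Print "identifier<TAB>action" for each hit read from stdin.
# $1 = persistent : the identifier is cid, as sent
# $1 = daily      : the identifier is cid@day, modelling a client that
#                   regenerates its UUID every day (the rotation suggestion)
hit_identifiers() {
    awk -v mode="$1" '{
        cid = ""; ea = ""
        n = split($2, kv, "&")
        for (i = 1; i <= n; i++) {
            eq = index(kv[i], "=")
            k = substr(kv[i], 1, eq - 1)
            v = substr(kv[i], eq + 1)
            if (k == "cid") cid = v
            if (k == "ea")  ea = v
        }
        id = (mode == "daily") ? (cid "@" $1) : cid
        print id "\t" ea
    }'
}

# Number of distinct identifiers, i.e. what the receiver counts as "users".
count_users() {
    hit_identifiers "$1" | cut -f1 | sort -u | wc -l | tr -d ' '
}

# Largest number of events that can be linked to one identifier.
max_linked_events() {
    hit_identifiers "$1" | cut -f1 | sort | uniq -c | sort -rn | awk 'NR == 1 { print $1 }'
}

# Actions linked to identifier $2, comma-separated, in the order seen.
profile_for() {
    hit_identifiers "$1" |
        awk -F '\t' -v id="$2" '$1 == id { out = out (out ? "," : "") $2 } END { print out }'
}

# Count hits that do not carry aip=1. The flag is only a field in the payload:
# the request still arrives with the sender's address in its IP header, so
# truncation is something the receiver is asked to do, not something the
# client enforces.
hits_missing_aip() {
    grep -Ecv '(^|[ &])aip=1(&|$)' || true
}

for mode in persistent daily; do
    echo "$mode: users=$(sample_hits | count_users "$mode")" \
         "max_linked=$(sample_hits | max_linked_events "$mode")"
done
echo "hits without aip=1: $(sample_hits | hits_missing_aip)"
```

Rotation caps how many events one identifier links, but the same install is then counted as a new user each period, which is the user-count accuracy the UUID was introduced for.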

------
kodablah
"[...] we do not have the resources to do detailed user studies of Homebrew
users to decide on how best to design future features and prioritise current
work. Anonymous aggregate user analytics allow us [...]"

Isn't this a false dichotomy? Why can't other measures be used that don't
require "resources" to do "detailed user studies" yet don't require
on-by-default information capturing? Surely there are many open source projects that
persist to make their users happy without this information, correct?

------
Gratsby
These kinds of "features" are a problem for open source, and I don't know that
they are a good idea in general.

It's nice to know how and where your software is being used, but in many
environments call-home functionality and auto-update functionality are
non-starters.

Any non-user initiated network activity should be explicitly agreed to and
available to be easily stripped.

We can and should do a better job with open source software than closed source
would-be competition. Even if you aren't a privacy advocate, privacy is a
priority of a significant amount of the technical community. It's significant
enough that it should be addressed as a forethought to features like this, not
an afterthought.

Things like this pop up as negative news entries that people gloss over. The
guy who makes the snap decision "don't use brew, it phones home" today could
be a CTO who never had that opinion changed three years from now.

------
dotwtf
Made me open an HN account just to say this

This is a very bad move and will further erode the already declining trust
people put in package managers and software distribution channels. This is
_not_ transparency - transparency would be asking for user's explicit consent
on the first brew invocation that includes this "feature". If this decision is
not publicly reverted I will be removing homebrew altogether as it indicates a
severe lapse in judgement, good faith or both on the part of the homebrew
team.

------
lawnchair_larry
Reminder - The NSA/GCHQ systems described their use of Google Analytics
piggybacking to fingerprint and target users for exploitation.

They also used similar Windows error reporting to monitor what
software/hardware users have.

Not that anyone should be snooping on what users do without opt-in permission,
but even if we believed that Google "anonymize" it, there are still concerns.

More simply, there's just no reason for you to know what I do on my own
computer. It's none of your business and I don't need a reason.

------
nicolas_t
I don't mind homebrew collecting anonymous information about me but I do not
want Google to get even more information about me (and since the ip address I
use with homebrew is the same I use to surf the web, the information is not
anonymous for Google).

------
codedokode
It looks like everybody today wants to spy on you. Google, Facebook, and
Twitter want to look at your browsing history, NSA wants to see your calls,
emails, and messages history. Microsoft wants to know about everything you do
at your PC and now even package managers want to have their share of data,
too. What about asking my opinion first? Well, as homebrew developer have said

> The problem with opt-in is that you don’t get representative data.

Users do not seem to be enthusiastic about participating when they have a
choice so let's go without asking them.

------
spicyj
Isn't this the same info they'd get if they ran their own registry like every
other package manager (instead of using GitHub)? In the grand scheme of
things, this seems pretty minor to me.

------
rurban
See, that's why I am a diehard macports user. /opt/local and not /usr/local.
No cross pollution with my own configure && make && make install packages,
nicely separated and maintained.

~~~
Scarbutt
macports requires all of xcode, homebrew just the CLI tools.

~~~
jxy
This statement is false. With only Command Line Tools installed, macports
complains, but everything works.

------
davesque
Here's a github issue related to this for those who are interested:
[https://github.com/Homebrew/brew/issues/142](https://github.com/Homebrew/brew/issues/142)

------
petrikapu
Tonight I'm going to read about pkgsrc and tomorrow give a try. It has active
community last time I used it few years ago. Seems to have also binaries
available at
[http://pkgsrc.joyent.com/install-on-osx/](http://pkgsrc.joyent.com/install-on-osx/)

~~~
petrikapu

      My quick notes on how to get started with pkgsrc
      
      More info:	http://pkgsrc.org/
      			http://wiki.netbsd.org/pkgsrc/pkgsrc_64bit_osx/
      			
      # Download pkgsrc
      curl -O https://ftp.netbsd.org/pub/pkgsrc/stable/pkgsrc.tar.bz2
      # validate shasum
      $ curl -O https://ftp.netbsd.org/pub/pkgsrc/stable/pkgsrc.tar.bz2.SHA1
      $ cat pkgsrc.tar.bz2.SHA1
      $ shasum pkgsrc.tar.bz2
      # extract pkgsrc archive. Mine lives at ~/Work and I also install built packages under Work.
      $ tar jxvf pkgsrc.tar.bz2
      # bootstrap
      $ cd pkgsrc/bootstrap
      $ ./bootstrap --abi=64 --prefer-pkgsrc=yes --unprivileged --compiler=clang --prefix="$HOME/Work/pkg"
      # append prefix/bin to your PATH
      $ cat ~/.bash_profile
      export PATH="$PATH:$HOME/Work/pkg/bin"
      # re-login to make PATH effective
      # Example build of dos2unix (poor example because lots of dependencies like perl...)
      $ cd pkgsrc/converters/dos2unix/
      $ bmake install
      ...
      ===> Installing binary package of dos2unix-7.3.3
      
      $ file ~/Work/pkg/bin/dos2unix
      /Users/petri/Work/pkg/bin/dos2unix: Mach-O 64-bit executable x86_64

~~~
petrikapu
You can find homebrew uninstall info from here

[https://github.com/Homebrew/brew/blob/master/share/doc/homeb...](https://github.com/Homebrew/brew/blob/master/share/doc/homebrew/FAQ.md)

    
    
      # I did:
      
      # remove all packages
      $ for f in $(brew list); do brew remove "$f"; done
      
      # download uninstall script
      $ curl -O https://raw.githubusercontent.com/Homebrew/install/master/uninstall
      # review script
      # run uninstall script
      $ chmod +x uninstall
      $ ./uninstall
      ...
      
      # review
      /usr/local/bin/
      /usr/local/etc/
      /usr/local/lib/
      /usr/local/share/
      
      # I removed
      $ rm -rf /usr/local/share/ /usr/local/etc/
      
      # Restore permissions
      
      $ sudo chmod 0755 /usr/local
      $ sudo chgrp wheel /usr/local

------
faizanbhat
Honest question for people who are opposed to this update and think it should
be opt-in: what do you see as the downsides or pitfalls of sending anonymised
usage info to Homebrew / Google Analytics?

~~~
cellularmitosis
I really wish people would explain their reasoning here. I guess I just don't
understand why handing a list of installed packages to Google is not in my
interest. Everyone in this thread seems to be just assuming that everyone else
is already onboard with this reasoning.

------
mescalito
I normally enjoyed the insight and comments of the thread more than the
content of the article and don't comment that much.

But my personal opinion on this, only to share it and be heard possibly by the
developers of homebrew, is that I honestly do not care about this. It's nice
they are open about it, it's a hell of a tool and hey, if they want to track
what I do to improve it, have my data.

I really don't see the opt-in/opt-out debate being so harsh on this. Because
it's open source it should be opt-in? I really don't think so. Analytics are a
valuable source of information for the developer and google provides a hell of
a service for that. And you probably use several closed source tools that
track you, sometimes without even telling you. Yes, you can rely on external
tools to block this, great for all of us those tools exist, you can use it
for homebrew as well.

I wonder if all of the opt-in advocates don't use gmail for their email. I am
pretty sure they do, and they are not worried about all of the tracking going
on there? Or on other apps? Unless you really follow most if not all of
stallman's computing principles[1], being furious about this, is, IMHO,
disproportionate and a bit ungrateful.

So I am more than OK with opt-out. Nice that you wrote about it, nice that you
provide a way to do it, and nice that you use your time to create such a great
tool!

Kudos!

[1]: [https://stallman.org/stallman-computing.html](https://stallman.org/stallman-computing.html)

~~~
tremon
_Because it's open source it should be opt-in?_

Because the sending of data to a third party is not directly related to the
functioning of the software.

 _Analytics are a valuable source of information for the developer_

Yet it's not the developer's data, it's the users' data.

 _you probably use several closed source tools that track you, sometimes
without even telling you_

[https://en.wikipedia.org/wiki/Argumentum_ad_populum](https://en.wikipedia.org/wiki/Argumentum_ad_populum)

 _I wonder if all of the opt-in advocates don't use gmail for their email. I
am pretty sure they do_

[https://en.wikipedia.org/wiki/Ad_hominem](https://en.wikipedia.org/wiki/Ad_hominem)

~~~
mescalito
Nice links, that's why I like comments.

Ok, let's don't state it as an argument, but rather as a question.

Do anyone that's so much against opt-in is aware of closed source tools that
tracks you and use it anyway?

And..

Do you use any third party web service like gmail or any other?

Although I hardly think I'll get an answer from most. At some point you have
to make assumptions, whether those are fallacies, ok.

It's true it's not directly related to the functioning of the software, but it
improves it in anyway, then there's a connection with it.

I take developer side and I personally look for see the greater good/less harm
and compromise.

Opt-in will likely give them very little % of adherence and thus rendering all
of this useless. Most of the opt-in advocates have technical capabilities to
opt-out in any way (homebrew way, network filters, forking, etc...). So why
not simply letting this go?

I do think homebrew is a rather technical tool so most users are tech savvy
guys, but still.

For me, this is pretty similar debate to donating organs.

[https://en.wikipedia.org/wiki/Organ_donation#Opt-in_versus_o...](https://en.wikipedia.org/wiki/Organ_donation#Opt-in_versus_opt-out)

And I am 100% an opt-out advocate!

~~~
tremon
_Do anyone that's so much against opt-in is aware of closed source tools that
tracks you and use it anyway?

And..

Do you use any third party web service like gmail or any other?_

I can only answer for myself, and it's no to both, with caveats. I do have a
hotmail account, but I only use it for subscriptions to public mailing lists.
I've had it for over 20 years, and stopped using it for private correspondence
around 2005. I also have an Android phone, but it's not activated (as in, I
never gave it any credentials to log in to any Google services, and I do not
have a mobile data plan). Any application I need is sideloaded, or installed
with F-Droid.

The rest of my networked machines are running Debian, OpenWRT or NetBSD. I do
have a Windows (8.1) VM on my work laptop, but that VM is switched off unless
I get paid to use it.

 _It's true it's not directly related to the functioning of the software, but
it improves it in anyway, then there's a connection with it._

It's not a given to any specific user that sharing their data will improve the
software in areas that the user cares about. Nor is it a certainty that not
sharing leads to the software not improving in those areas.

There definitely is a case to be made that more accurate metrics will allow
the developers to make more focused decisions, and I don't think anyone is
arguing against that. That's not what the argument is about. The question is
whether the developers' need for data is sufficient justification to hand over
their users' data to the biggest aggregator of personal data on the planet,
and whether it is justifiable to do so without the user's knowledge (the
primary reason for opt-in is because it's the easiest way to unambiguously
ascertain consent).

------
andreis_
Not on my computer:
[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts)

~~~
nathanaldensr
Thanks for the link! I have been using
[http://winhelp2002.mvps.org/hosts.htm](http://winhelp2002.mvps.org/hosts.htm)
for many years but it looks like StevenBlack's file is more comprehensive and
updated more frequently.

------
jwilk
It's high time for CVE-like identifiers for privacy violations.

~~~
hnhnhn3
This is a great idea. Has there been any prior attempt at this?

------
HappyTypist
I think it's very reasonable to prompt a message on install saying "Homebrew
collects and sends anonymous analytics. Use Homebrew --disable-analytics to
opt out" and have that null the analytics identifier. Environment variables
aren't that convenient.

------
socketsAPI
You know what homebrew team : you guys are providing a great tool here and you
should really charge for it. Take out the analytics stuff, cause no one cares
if it helps you or makes it easier for you to improve software that you write
for free on your own time. No one cares that it'll take you more time to
improve this great tool without the analytics. No one cares that it'll cost
you money to use another service besides Google Analytics. We don't want you
to spend time or money that you don't have either, just don't bother doing
updates or improving it, it's pretty good the way that it is. But honestly,
the fact that I can do a clean install of OSX and install my entire dev
environment + favorite apps in about 3 minutes VS going to each individual
site, having each of them (most likely) collect data about me, have to
download them individually, and then install them individually -- is
DEFINITELY worth some extra money in your pocket! Charge me a couple bucks,
I'll gladly pay you for it. Heck, I'm going to go donate now + wait to get
charged. ALSO: Don't let me know TOO much, all the details make me think I
can't trust you! And you made the opt-out directions too hard.. you mean I
have to do extra work that will take 15 SECONDS OR LESS out of my day to
opt-out?.. NO! You do more work, don't make things easy on yourself OR me, that's
not cool, you can just start charging me for it. =P. Keep up the good work!

------
jbverschoor
Totally fine with it.

------
atmosx
I use MacPorts[1] which is a good alternative to homebrew. It's an older
project.

Lately though, I've come across many packages that are available for Homebrew
but not for macports.

[1] [http://macports.org/](http://macports.org/)

------
tristor
Here's a quick and dirty way to opt out for BASH and ZSH users for easy
copy/pasting.

BASH:

    
    
      # Append to the rc file in the home directory; the quoted delimiter keeps $HOME unexpanded
      cat <<'EOF' >> ~/.bashrc
      # Opt out of Homebrew analytics
      export HOMEBREW_NO_ANALYTICS=1
      if [[ -e "$HOME/.homebrew_analytics_user_uuid" ]]; then
        rm -f "$HOME/.homebrew_analytics_user_uuid"
      fi
      EOF
    

ZSH:

    
    
      # Append to the rc file in the home directory; the quoted delimiter keeps $HOME unexpanded
      cat <<'EOF' >> ~/.zshrc
      # Opt out of Homebrew analytics
      export HOMEBREW_NO_ANALYTICS=1
      if [[ -e "$HOME/.homebrew_analytics_user_uuid" ]]; then
        rm -f "$HOME/.homebrew_analytics_user_uuid"
      fi
      EOF
    
    

Cheers.

~~~
alainv
`rm -f` ignores nonexistent files so you could omit the `if` to be concise.

~~~
tristor
Good call. I was mainly using `-f` to suppress the prompt about deleting the
file, but you're correct, it's unnecessary to have the if statement in this
case.
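
Added example, not from tristor's post or the Homebrew project: a read-only check that the opt-out described in this thread is actually in effect. It assumes the documented value HOMEBREW_NO_ANALYTICS=1 and the UUID file path quoted above; the list of startup files and the function name are choices made here.

```shell
#!/bin/sh
# Report whether Homebrew analytics is opted out for one home directory.
#   $1 = home directory to inspect
#   $2 = value of HOMEBREW_NO_ANALYTICS in the environment brew runs in
#        (empty string if unset)
# Prints one finding per line and returns 0 only if every check passes.
audit_brew_optout() {
    home_dir=$1
    env_value=$2
    fail=0

    # 1. The variable has to be set where brew actually runs (also cron jobs,
    #    launchd agents and GUI tools, which read no shell startup file).
    if [ "$env_value" = "1" ]; then
        echo "env: HOMEBREW_NO_ANALYTICS=1"
    else
        echo "env: HOMEBREW_NO_ANALYTICS is not set to 1 in this environment"
        fail=1
    fi

    # 2. An uncommented export in a startup file makes the setting persist.
    persisted=""
    for f in .bash_profile .profile .zshrc .zshenv .bashrc; do
        [ -f "$home_dir/$f" ] || continue
        if grep -Eq '^[[:space:]]*export[[:space:]]+HOMEBREW_NO_ANALYTICS=1' "$home_dir/$f"; then
            persisted="$persisted $f"
        fi
    done
    case "$persisted" in
        "")
            echo "rc: no startup file exports HOMEBREW_NO_ANALYTICS=1"
            fail=1
            ;;
        " .bashrc")
            # bash login shells (the macOS Terminal default) read
            # .bash_profile or .profile and skip .bashrc unless it is sourced.
            if grep -qs 'bashrc' "$home_dir/.bash_profile" "$home_dir/.profile"; then
                echo "rc: export in .bashrc, which a login file sources"
            else
                echo "rc: export only in .bashrc, which bash login shells do not read"
                fail=1
            fi
            ;;
        *)
            echo "rc: export found in$persisted"
            ;;
    esac

    # 3. A leftover identifier file means a UUID was generated earlier.
    if [ -e "$home_dir/.homebrew_analytics_user_uuid" ]; then
        echo "uuid: identifier file still present"
        fail=1
    else
        echo "uuid: no identifier file"
    fi

    return "$fail"
}

# Stand-alone run against the current user; nothing is modified.
audit_brew_optout "${HOME:-.}" "${HOMEBREW_NO_ANALYTICS:-}" ||
    echo "result: not fully opted out"
```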

------
hckr1292
Kudos for at least announcing this. (And I've totally opted out.)

------
izacus
So essentially US government is now one data request from Google away from
having a full list of software (and vulnerabilities) for any given developer
Mac?

------
corporatemonkey
Many large corporations have internal homebrew packages. You can learn company
secrets by getting a list of packages that are being installed.

------
joeblau
As I see more applications try and hit remote ad servers, I feel even better
that I'm blocking all of these ad servers with my /etc/hosts file using
[https://github.com/StevenBlack/hosts](https://github.com/StevenBlack/hosts).
The update will be a no-op from my machine.

------
liveoneggs
+1 for pkgsrc

------
aurora72
AFAIK, Max Howell was rejected from a position at Google, and now his
trademark making use of Google? Let him take a look at GNU.ORG; if he can see
any GA code.

------
agounaris
People have all of their traffic tracked by their ISPs, they use Chrome, they
have full activated accounts on their phones, they tag themselves
everywhere around Facebook and they are mad because someone wants statistics
over Google Analytics... you IT people need to relax... I'm sure someone will
find a way to bring up inequality, sexism, racism and being vegan at some
point on the thread.

------
geggam
one more what used to be decent software selling out to marketing....

guess it's back to the Linux vm when working on a mac...

------
quotha
is it formulae or formula?

~~~
andrewjanke
"formulae" is plural for "formula".

------
escot
opt-in by default is fine with me. Thanks for the great tool!

------
lutoma
The tinfoil hats are strong in this thread.

------
rajesht
set HOMEBREW_NO_ANALYTICS=1

------
FussyZeus
I love the knee-jerk hostile reactions to any sort of phoning home by an
application. They've provided extensive explanations on what is collected, why
they're collecting it, who has access, what it's for, and even the code that
does the actual collecting and it still isn't enough for people.

While I'm against this type of thing typically, this information is exactly
what someone who is concerned about it needs to see, and if they don't want to
be involved they include the opt-out on the very same page. I don't see how
this could get any better, this could be held up as a gold standard for
Microsoft and Google moving forward.

This type of data is invaluable to developers, I can't tell you how
frustrating it is that so many people now refuse to share it because of
overblown privacy concerns. The data is anonymized and no one cares enough
about what you're doing to de-anonymize it.

There are real threats to your privacy out there and spending time on stuff
like this just adds to the noise.

~~~
nathanaldensr
Your arguments are ridiculous. Humans judge; we're good at it. Burn us enough
times with false promises of privacy or outright lies and yes, we will learn
to become very skeptical and untrusting. You're asking people to _continue_
trusting a system that has proven to be working against users' best interests
for a long time.

The data is not sufficiently anonymized. Your public IP address is sent to
Google and--the burden of proof is on _Google_ to prove this _doesn't_ happen
--there is nothing stopping Google from comparing that data to other requests
they get from the same IP address (say, from your browser). Maybe Google can't
personally identify me from this data, but they can sure target me with ads,
which--_shock_--make them money.

------
TheLogothete
Yeah. So every site and every product on the internet has this dark pattern.
Do you use google? Youtube? StackOverflow? Are you outraged by them too?

~~~
stephenr
> So every site and every product on the internet has this dark pattern.

Not every site/product on the internet uses an abusive analytics platform,
hell not all of them use analytics at all.

With sites visited in a browser, an extension can be used to block access to
abusive services such as GA. There is no Ghostery for the terminal.

I have no issue with them wanting to collect usage information. I _opt-in_ to
Debian's package usage tracking.

If I still used Homebrew, I would have a _huge_ issue with them sending
information about what packages I install to Google.

~~~
TheLogothete
How is GA abusive? The webmaster has to explicitly permit data sharing with
google. That is, the webmaster is asked if s/he wants to share data with
google and the options are unchecked by default.

GA prohibits the use of personally identifiable information.

Additionally the webmaster can tell google to not store IP info, which the
webmaster has chosen to do in this case.

~~~
stephenr
> The webmaster has to explicitly permit data sharing with google.

Abusive to _users_. Google's whole reason for offering free analytics is to
build better advertising profiles.

> Additionally the webmaster can choose to not send IP info to google,

I must have missed the memo where Google invented a way to make HTTP
connections with no client IP.

~~~
TheLogothete
This has gone full circle and honestly is quite irritating at this point.

People say that Google uses GA data for advertising, I say that this is not
the case and then you just chose to ignore that. So I'm just gonna ask
directly - can you show some evidence suggesting Google uses GA data for
building advertising profiles or did you pull this opinion out of your ass?

Because as someone who analyses marketing and advertising data, I can tell you
that I strongly believe they do not use GA data in this way. 1) They have no
need to, they have better data; 2) This data is unreliable; 3) GA prohibits
the use of personally identifiable information; and most important of all:

THE WEBMASTER CAN CHOOSE TO NOT SHARE IT WITH THEM. If this webmaster went out
of his way to tell google not to store IP information, I think it is pretty
safe to assume that they did not opt-in to share the data with google AT ALL.

Apart from these technical reasons, using GA data in the way you think they do
opens a regulatory risk of EPIC proportions.

But if you have some evidence to suggest that they do use it for "advertising
profiles", please do share it. But if you can't and you formed this opinion
because you are prejudiced, I would like to see you admitting it.

~~~
tremon
_THE WEBMASTER CAN CHOOSE TO NOT SHARE IT WITH THEM_

No they can't, unless that choice means that the data never arrives at
Google's servers.

~~~
TheLogothete
Of course they can. When you sign up for GA, you get asked

Do you want to share data with google to improve our products?

Do you want to pool aggregated data for benchmarking?

Both are unchecked by default.

Or do you think that google will access the data without permission? In which
case, what do you base your opinion on?

------
fit2rule
Wish there was a way of opting out without having to set an env var for every
session .. is there some brew place to put ENV vars?

~~~
madeofpalk
That's what ~/.bashrc or ~/.bash_profile or (whatever it is for your shell) is
for.

~~~
fit2rule
Yeah, I don't want to do that every single time I put home-brew on a machine
somewhere, for every single user.

Doesn't it have its own global config? I confess that I'm too miffed by this
intrusion in my privacy to be bothered to find out ..

~~~
madeofpalk
Seeing as it's just an environment variable for your shell, look for a way to
set global environment variables.
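For the "every machine, every user" case raised in this sub-thread, and as an idempotent form of the rc-file opt-out posted earlier in the discussion, the following is an added example, not code from any commenter or from Homebrew. The function names `ensure_optout` and `brew_optout` and the list of rc files are assumptions; the variable and the UUID file name are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: idempotent Homebrew analytics opt-out, applied per home directory.
# Usage (e.g. from a provisioning script run as root): ./optout.sh /Users/alice /Users/bob

OPTOUT_LINE='export HOMEBREW_NO_ANALYTICS=1'

# Append the opt-out to one rc file unless an active (uncommented) line already sets it.
# Returns 0 if the file was modified, 1 if it was left alone.
ensure_optout() {
  rc=$1
  if grep -Eq '^[[:space:]]*(export[[:space:]]+)?HOMEBREW_NO_ANALYTICS=1' "$rc" 2>/dev/null; then
    return 1
  fi
  # Leading newline guards against an rc file that lacks a trailing newline.
  printf '\n# Opt out of Homebrew analytics\n%s\n' "$OPTOUT_LINE" >> "$rc"
  return 0
}

# Patch every rc file that already exists under a home directory (assumed list),
# delete the stored analytics UUID, and print how many files were changed.
brew_optout() {
  home=$1
  changed=0
  for name in .bashrc .bash_profile .zshrc; do
    [ -f "$home/$name" ] || continue          # never create rc files the user lacks
    if ensure_optout "$home/$name"; then
      changed=$((changed + 1))
    fi
  done
  rm -f "$home/.homebrew_analytics_user_uuid" # -f: no error if it is already gone
  echo "$changed"
}

# Stand-alone use: one home directory per argument.
for h in "$@"; do
  printf '%s: %s rc file(s) updated\n' "$h" "$(brew_optout "$h")"
done
```

Running it a second time changes nothing, so it is safe to leave in a recurring configuration-management job.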

------
ccleve
Google must have eventually hired him.

[https://news.ycombinator.com/item?id=9695102](https://news.ycombinator.com/item?id=9695102)

~~~
nkozyra
I'm not sure why Google would care about Google Analytics on brew if they
hired him, though.

