Not quite sure why this is news; we've been discussing telemetry for a long time.
I haven't actually watched the video because I've been really busy finishing my last semester of graduate school and switching research labs to start my master's thesis this week.
Several of us in the research community have agreed that telemetry can be a net good for the Web. Similar to how Firefox, the privacy-focused browser, has telemetry on by default to help improve the Web.
A huge thanks to everyone who contributes to Caddy and makes it -- in my opinion -- one of the best, easiest-to-use web servers around. We have over 200 contributors and it is amazing what the open source community has pulled together, despite the growing pains we faced last year.
I hope you love using Caddy, and if you don't, you don't have to use it.
Next time, maybe spend more time on elaborating on the "very real privacy concerns" and less on personalities.
Your video contains little argument that hasn't already been in the discussion, goes into no detail about what specifically you object to, personally insults him, and being a video isn't a very good contribution in a text forum anyway: in sum, more than enough reasons for a moderator to remove it, and it adds very little to the overall discussion.
Matt has a right, as the creator of that work, to ask for some form of compensation for the portion of his life invested into the project. It's a completely fair and reasonable request. If you're set on avoiding any form of compensation (financial or otherwise), then you don't have any rights to demand anything from him. Just go use nginx and be done with it.
We don't want a) a sole developer making decisions which the community has rejected, and b) software which sends telemetry by default.
Have you run a poll to be sure that >50% of the community rejects the change? Anyway, online polls are not reliable: it's difficult to avoid sock puppets and people that don't use the software, to ensure that people that disagree with your proposal care to vote, ...
Just make a fork and if most of the community agree with you, your fork will be most popular and shadow the original.
I can see that different people would take exception to that which is why there's an off switch for telemetry.
If you're having a difficult time accepting that telemetry exists at all, then I'm almost certain Matt would be happy to create a non-telemetry version for paid subscribers.
And still, apparently, some people will use the slightest disagreement to say that the whole project is garbage, just like this article is doing. I think we're lucky that open source developers don't get deterred by these kinds of articles, because they sure could be. What does religion have to do with the quality of a free software project? Does your server run better if coded by an atheist?
Instead of being disdainful, a more constructive thing to do would be to openly talk about forking, on Caddy's forum, and see the response. If nothing changes, fork and convince people that your fork is better.
Some of these forks get re-merged a few years later (see ffmpeg), others don't, but this is not bad at all.
The ideal solution would be to build Caddy with flags that disable telemetry, just like Firefox is built for Debian.
Saying "Caddy was supposed to be great" or "This is no longer just a conversation on privacy; this is a hostage situation" is not right. Caddy is great, but Neflabs doesn't agree with the direction it's taking. The solution is not describing the free software's developer as a hostage taker.
The solution, as you said, is forking.
At any rate having read this article I didn't see anything saying that "the whole project was garbage".
The video (which Matt Holt removed) is also actually worth watching IMO, although I can see why he doesn't want it posted on the forum given its tone.
Having said that, I have no idea why the makers of Caddy think that telemetry is a good idea. None of the examples given on the Caddy site make any sense to me except for maybe reporting crashes. Who cares about the depth of certificate chains? What value does it bring?
The data will be used to analyze the Internet from the server perspective, similar to e.g. Mozilla collecting data from the client's perspective. It can/will be used by e.g. researchers to improve the Internet (security, speed etc.)
I could sort of understand it if this was being pitched as a way to improve Caddy by reporting back crashes or misconfigurations. But what I've heard makes no sense to me.
Give me a break. I'm tired of this type of drama and FUD coming up through sensationalized posts like this. It's open source -- there's no hostage situation.
I stopped reading at that whiney BS.
Matt is looking to collect anonymized data so that he knows how his product is being used and how it can be improved -- which must be a tough situation, considering most SaaS companies can throw whatever trackers they want up into their apps and be done with it -- on-prem software is a little different when it comes to usage statistics, etc., and I think this is acceptable.
You can grep this to see all of the data they're collecting,
People should already know this here but it seems they often ignore it: Data collection can be useful for developers so they can see what features are used the most and which are used the least. If there's a nice feature that people aren't using then maybe it should be "promoted" better in documentation for people to find it, optimise functions people are using amongst other things.
With opt-in you only reach something like 10% of your users, if you're lucky, while opt-out is the exact opposite: you reach 80-90%.
This creates massive financial incentives to be sneaky and push opt-out.
And every time this happens for products where there's decent competition, the people doing this lose a chunk of their users...
I sincerely hope much of the community views this kind of personal attack on an open source developer for what it is: disgusting.
If this kind of behavior is encouraged, imagine the message it sends to people building open source software. Not only does your open source work not directly reward you financially, but it will be used as ammunition to tarnish your reputation, all because someone doesn't like the direction you're taking your project.
Honestly, this is shameful.
I don't think it is attacking his religion, but the criticism of the project direction could be made without that.
On top of that, "fast, automatic TLS HTTP2 capable web server" is not some complex feat in Go. HTTP2 is already baked into the stdlib, and you can add automatic TLS via LE in a few lines of code: https://godoc.org/golang.org/x/crypto/acme/autocert.
A few alternatives:
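To make the "few lines of code" claim in the comment above concrete, here is an added example (not code from the commenter, from Caddy, or from the autocert package) using only the Go standard library: a TLS server that ends up speaking HTTP/2 without importing any http2 package. It substitutes a self-signed certificate for autocert so it runs offline; with a public hostname the `tls.Config.GetCertificate` slot is where an `autocert.Manager`'s `GetCertificate` would go, and the rest stays the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// NegotiatedProto serves one request over TLS using only net/http and returns
// the protocol the response came back on. No http2 package is imported and no
// ALPN list is configured: the stdlib advertises "h2" by itself, so "HTTP/2.0".
func NegotiatedProto() (string, error) {
	// Throwaway certificate for 127.0.0.1 so the demo runs offline (constructed
	// here, not a real deployment). For a public host this block disappears: set
	// tls.Config.GetCertificate to an autocert.Manager's GetCertificate instead.
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	cert := tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	srv.EnableHTTP2 = true // httptest needs this flag; a real http.Server.ServeTLS enables h2 by default
	srv.StartTLS()         // srv.Client() is pre-configured to trust the cert above
	defer srv.Close()
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Proto, nil
}
```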
Wow, that's just embarrassing.
Collecting telemetry is a decades-old method of getting real data about the behaviour of a program in real-world environments. This is why web browsers, smartphones, and OSes all have telemetry collection routines.
There's plenty of reason to be upset with Mr. Holt. His own reply elsewhere in this thread reads more like a PR response than a real reply. But keep the contention on-topic and less like a personal hit.
What would you like me to say?
To be clear, I am not a Caddy user and have no horse in this race. I tend to sympathize with the privacy-conscious, however, having been a user who turned off telemetry in Firefox after the Mr. Robot scandal. Let me see if I can explain why your response comes across as tone-deaf:
1) Your first response is "I haven't actually watched the video," which immediately suggests that you're not going to actually engage with the claims so much as tackle a strawman version of the claim. Now perhaps the author is repeating an accusation that he has made in the past, and so you actually are familiar with it already, but that's not how this comes across.
2) Your next response--"Several of us in the research community have agreed that telemetry can be a net good for the Web."--is not really doing anything to assuage the privacy concerns. It's not a technical refutation, and it's not a particularly fleshed-out emotional appeal, either. It's basically, "We disagree."
Put another way, let's imagine for a sec that you were a Tobacco CEO and the following exchange was recorded:
Reporter: Sir, we have a multitude of evidence that smoking is conclusively, irreversibly detrimental to human health.
CEO: Actually, a number of scientists and health officials have agreed that smoking is good.
Do you realize how tone-deaf that non-answer comes across?
3) Your final response is the most "PR" part, as it first advertises the product, then pivots away from the contention at hand in favor of praising how wonderful it is that it's open source and has a vast number of contributors.
I've already done the transposition analogy once, so I'm hesitant to do it again lest it look like I'm demonizing you, but I want you to read the below and see how you would perceive this response if it came from the CEO of J.Crew about accusations of child labor in its clothing factories:
"Hey everyone. James here.
I haven't actually reviewed the accusations yet because I've been at a conference.
We believe that allowing underage employees to fill a limited number of positions at our factories allows impoverished families to bring in badly needed revenue, and ultimately serves as a net positive for these needy communities.
A huge thanks to everyone for shopping at J.Crew and making it the World's Best Clothing Line™ five years and counting!"
Hopefully that makes sense. It may not have been your intent, but perception is critical when you're the public face of the company. You can gain or lose a ton of goodwill among your users depending on whether you attempt to receive their criticisms with an open ear and work towards a solution, or dismiss them and dodge around the question. And even if you're doing the former, the mere perception of the latter can be damaging.
The reason I left Caddy was that it just didn't feel that stable to me. By that I don't mean that there are bugs, just that he keeps changing things. A web server is not something I want to have breaking changes all of the time. I want to deploy it and leave it alone; only upgrade for security patches. So I've decided to switch to AWS.
And forum discussion here:
I thought some of the ideas in the "middle ground" section discussing opt-in versus opt-out being the default depending on how you obtained the software were sort of interesting, hadn't heard that compromise suggested before.
GDPR does not regulate information you can store about software components. It merely ensures that companies can only store information about people which the person has given explicit and implicit consent for, and that they can account for this consent.
Log-data from a running service disconnected from any identifiable personal data is in no way covered by GDPR.
You won’t find a single lawyer anywhere who considers this to be privacy sensitive and definitely not covered by the GDPR.
My understanding is that anything that enables fingerprinting is potentially covered.
[EDIT] So, here's a better link that specifically discusses fingerprinting and user agents in a post-GDPR world:
My assumption was that the GDPR was attempting to be sufficiently broad such as to cover these kind of fingerprinting techniques but I guess not?
At least the second link makes it sound like at least some portion of people are likely to turn more towards device fingerprinting techniques specifically because they are GDPR-safe.
The GDPR regulations largely represent common sense and decency, and this über-paranoid consideration about what "may" be covered or not is not really a productive use of time.
Example: if you explicitly email someone, according to the GDPR the recipient has been given an implicit right to store your email and email address. Because there's no way for them not to. Because that's just how email and computers work.
I can't imagine a fucking user-agent string shared by billions of other users enjoys higher protection.
The GDPR is not insane. Chill.
Isn't it? Just one particularly absurd example: logging IP addresses in your httpd's access logs can be considered a violation of GDPR.
Out of all the metrics Caddy plans to collect, it's the only one I think has some merit to its complainants. It might be simpler to only keep user agents that conform to common browser standards. But this has all been discussed in the Caddy forum thread itself, and we'd welcome your input there!
It's a nice-looking project, and the integrated Let's Encrypt is great for non-sophisticated users, but the user-base must be suffering.
Free OSS is great, but for these types of tools, so is paid OSS.
There's a large pool of small, useful dev tools that could be making money instead of begging for it. And I'm glad Matt is a part of the much smaller group that makes money.
I'm well aware that nginx has a commercial side, which is why I mentioned it as a comparison.
$300 is the annual rate for 1 instance.
And for all the jibes people like to make when comparing things like Apache to Caddy etc.: guess which sole http/2 server passes all the spec tests?
Hint: it’s the one “that looks like a dinosaur” from 1995.