Gitlab cancels plan on tracking user behavior on GitLab.com (gitlab.com)
602 points by tyteen4a03 87 days ago | 271 comments



We received an apology email at the same time, well written, explaining what they did wrong, apologizing, promising to do a post-mortem, promising not to send data to third-party trackers, and saying they made a mistake and are waiting for feedback on the issue tracker. And with very little BS in the mail.

Such a level of transparency, apology and clarity, especially written in the first person ("I am truly sorry."), is very rare and should be praised.


What should really be praised... Without further ado, congratulations to everyone protesting against this gitlab move. This is something that should have been done years back when Google started with its tracking, and the same with Facebook. This is the behaviour that should be seen each and every time some company wants to take advantage of its users. But to my sadness it is rarely seen. So once again congratulations to each and every gitlab user that did anything against their move.


It was done. There even were those small banners that said something along the lines of "if you have gmail I won't mail you" etc.

Thing is, the broader public doesn't care. The difference between gitlab and gmail is primarily that developers care more about this stuff and value their code more than most people care about their email. They are also much more informed in the matter; most people using Gmail haven't got a clue.


"...developers care more about this stuff..."

No, they only care when the tools they are using are targeted. Otherwise, they couldn't care less.

We have tracking on websites and in apps on an industrial scale - built by developers in technology companies. We even have tracking of school kids courtesy of ChromeOS. When have developers ever shown any care about that? When have they ever spoken out about that? They're more likely to rush to defend that software and the company that built it: It's not being used to build profiles, or the data is aggregated and anonymous.

Presumably, if GitLab tracked behaviour 'anonymously' and in aggregate form, that would all be fine? Didn't think so. The hypocrisy that runs through the programming profession when it comes to online tracking really knows no end.


If I had a guarantee from Gitlab that _they_ were scrubbing the data, I would have no problem. I get the sense they know what they're doing (naive, maybe)

However, giving a third party script, potentially unvetted, access to the crown jewels of the company I work for? No fucking way.

Different. Not a double standard.


They are tracking things anonymously at least in some places, judging by what I've read in the linked Gitlab issue tracker threads. The debacle started with someone higher up requesting to start recording user ID with that data, in order for the "growth team" to be able to do "experiments".


There's a difference between gitlab and gmail. People pay for gitlab while gmail is free. Google can easily declare "either you take it for what it is, or leave."

Gitlab can't.


A lot of institutions used to run their own e-mail. Over the years I've watched as my e-mail addresses (both universities and my current employer) have been replaced by Gmail on the backend. All of them stopped being willing to manage e-mail themselves. None of them were willing to use a less surveillance-oriented provider. That choice wasn't made by consumers. It was made by the same kind of informed IT people. I suspect it wasn't free, either.


I remember when Dartmouth ran blitz mail... when google talk supported jabber... when people complained mostly about MAPI...

It’s a shame that so many innovations are being squashed in communication because of the “free” price for cloud solutions.

Google is learning so much about students thanks to this program.


I thought the main problem with e-mail specifically was spam, and the reputation model that's arisen to combat it: a medium-sized university running their own e-mail service runs a risk of getting their domain blacklisted, if a few accounts are compromised and start sending out mass mailings.


For universities, it actually is free (as in beer), aside from the university staff's compensation toward the migration.


My understanding was that Gitlab wanted to collect your data to improve their product. Google is collecting your data to sell ads.

I understand the reticence towards third party telemetry, but refusing basic interaction tracking for a product you pay for is just hurting yourself, even if you're already satisfied with the service. You don't go to the doctor for a checkup and then refuse bloodwork. Obviously there are rules around privacy for medical records that don't exist for interaction tracking. But I don't think the solution should be to get rid of tracking entirely, it should be to extend reasonable privacy rights and protections to our online data.


> My understanding was that Gitlab wanted to collect your data to improve their product.

Gitlab could have collected anonymous data, with opting out of collection as the default, and promised not to sell it if they seriously believed it was about improving their product. Plenty of products record telemetry data only if you opt in to the program. Users understand and often accept that. That approach would have generated fewer headlines.


Opt-in telemetry does not allow you to draw statistical conclusions because your data is skewed/incomplete due to selection bias. This is why developers are so intent on opt-out: it ensures that they have more accurate data to drive their roadmap. Clearly there are going to be privacy concerns with this, so they really need to minimize how much identifiable information they collect, and then communicate to users what will be collected, how it can be used, and who will have access to it. Gitlab seems to have jumped the gun and skipped over much of this part of the process, which sparked a justified backlash, but I don't fault them for wanting opt-out telemetry.


Opt-out is not a reasonable approach to telemetry, end of story. It's perfectly understandable how problematic that is for statistics, but statistics never trumps the fact that your software should not snoop without your permission.

No amount of vague promises over how good you will be and how nice you'll treat your users' information should be enough to make this acceptable. We have a huge body of evidence informing us that trust is a fundamentally bad idea when it comes to a corporation.


> This is why developers are so intent on opt-out

In GitLab's case, developers weren't. Their C-level executives simply overruled them and forced the change.


> but refusing basic interaction tracking for a product you pay for is just hurting yourself,

If that were the case, Gitlab could have simply asked for permission.


Were people really arguing for removal of telemetry altogether? I would think that many of us are comfortable with aspects of tracking.

For me, the concern was the value of the content. It might as well have been my bank saying they were going to start embedding disqus threads.


Not everyone wants tracking, even if that means sacrificing software quality. Making it mandatory is never excusable.


It was opt-out, not mandatory.


Was it? My bad. I thought I read something about GitLab planning to block access to the platform until you accepted the new ToS but maybe I was wrong.

My point still stands though.


Gitlab has a fairly powerful "free" (as 'gratis') service-plan.

https://about.gitlab.com/pricing/gitlab-com/feature-comparis...


Both are freemium. However, there's slight truthiness in your claim by way of the difference in probability that any given non-business user pays.


Gitlab has an excellent free plan, in fact it’s so good I honestly don’t understand how they can afford it and doubt it will last (but really hope it will for individual developers). They even give you Docker registries and thousands of CI hours.


> doubt it will last

Yeah it won't. It's just too good to be true.


Yeah, people back then should have written angry replies to Google's and Facebook's advance warnings about the tracking they were planning on doing. /s


Oh, so we only live in a surveillance-capitalist state because we didn’t send Facebook and Google enough emails? D’oh! Who knew it was that simple?


read it again...


It's a tiny SaaS that depends on customer good will. A few hundred pings did the job because we matter.

If only this worked with giant corps. FB has around 2.4 billion MAU and a few nerd rants won't be noticed the next time they screw the user and a handful complain.


>'tiny'

Goldman Sachs valued it close to $3b.


Frankly I can understand that an ad-selling company like Google wants to track its users. Their core business depends on that.

Why Gitlab wanted to do this I have no idea; sounds like some marketing people came up with such an idea "because everyone is doing this"?

Tracking wasn't going to bring much revenue, if any, so they could just get rid of that, trying to turn it into some positive PR. The cynic in me tells me that if they smelled any significant money from tracking they would tell HN and the rest to back off (or would have added some convoluted way to opt out of tracking).


> same with facebook

There was a huge uproar when Facebook first launched "Beacon", and it was cancelled as a result.

Unfortunately it just morphed into the Facebook Platform and eventually the Pixel. Same pig with different lipstick.


If you want to ban tracking, I would totally oppose it. I think it's great that Google manages to make money out of my personal data, and in return I get to use their free service. Fortunately, as regards Google users, there are more people who are fine (or don't care) with tracking.


The ability for people to have amazing technology and spend no currency on it is, in my opinion, a net positive for the world. But it would be nice if there were some provable toggle switch to choose between paying with data and paying with currency, for those who prefer the latter. Since proof is problematic, carefully selecting your vendor is the toggle switch, and that kind of switching unfortunately has switching costs including the massive inconvenience when, say, using an Android phone without a Google account.


What google services do you think would not continue to be free if they couldn’t mine your personal data?


Saying "I'm sorry" when you don't have to is worth praise. Saying it when your back is to the wall and your job is on the line - even cowards can do that.

I agree it's one of the best-written apologies I've heard in a while, and they deserve some praise for not letting the corporate ~bullshit~ PR department run loose all over it.

But still. I suggest that whoever is responsible should resign as a result of this Pendogate business. I feel that he has betrayed users' trust in a way where an apology alone is not sufficient. I personally consider the original plan - we'll lock you out of your accounts and disable the API until you accept our new TOS, if you don't like it there's the door - far worse than anything Brendan Eich ever did, for example. I don't want people who ever think that could be an acceptable idea in charge of a company I rely on day-to-day.

Replacing him would be a very strong signal from Gitlab's board that they are truly sorry and understand the severity of this scandal, and would also encourage future CFOs to take their users' views more seriously.

It is pathetic in a way that while lots of people were worried that Microsoft would "corporatise" github, it's gitlab that decided it was ok to threaten to lock people out from their accounts until they "consented" to this.

_EDIT: Paul Machle is CFO, Sid Sijbrandij is CEO and the person who sent the apology. I have removed names from the original post as I am not sure which of them signed off the original idea. I expect a CEO to take the attitude "the buck stops with me" though - they should be accountable even if they're not directly responsible._


No, there's nothing to praise here.

When I delete all my repositories by hand, one by one, I expect to not find a joke in that email about how "this email is sent to you because you have an active repository on Gitlab".

When I delete an account on Gitlab I expect to be deleted from all further mailings (especially ones I never subscribed separately to), yet I got this email today. How many more places do I have to delete my information from to finally be rid of Gitlab?

How many more third-party companies has Gitlab shared my data with at this point? Because that they do have it, there's no question about it - after all I just got this email.


Hi, GitLab employee here: we used the same mailing list as the one we used for the first email, so that's why you still received it. If you deleted your account you won't get any future emails.


What concerns me is how it got to the point of having to apologize in the first place. It implies a level of disconnect and corporate group-think that is fundamentally misaligned with the core customer expectation of what is in essence a community-enabling system. How did Gitlab end up with a set of managers that ever thought this would fly? They clearly were completely surprised by their customers' reaction - something that almost any of Gitlab's users would have understood viscerally.

This level of management disconnect does not bode well for Gitlab, as a paying customer this worries me...


Still, it's worth something that they reversed course and apologized, where so many companies wouldn't do either.


You can read email content on this issue https://gitlab.com/gitlab-com/www-gitlab-com/issues/5672


Given that any default opt-out is a clear violation of GDPR when it comes to data gathering, I wonder how it ever passed compliance/legal. Given the size of the company (valued ~ $3b) they should have some 'data protection officer' position.

I recall they set up some blog page with explanations, so obviously they expected push back. Part of my work is making sure policies, code, etc. are compliant. Notifying compliance for such changes should be a standard procedure as well. In this regard I can't understand how the entire process went through, as a GDPR challenge should have been expected.


There is a comment on the issue tracker alleging that the CFO overrode concerns by the Director of Global Risk and Compliance.


Wow, do you have a link for that?

Pushing through over a legal recommendation is quite reckless. GDPR is quite a hot topic and the regulation has real teeth (aside from the public backlash).


It's a comment by @rfc1459 on https://gitlab.com/gitlab-com/www-gitlab-com/issues/5672 ("The CFO trying to overrule issues raised by the Director of Global Risk and Compliance. Just... wow.") relating to https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no... - which on closer reading refers to snowplow, not Pendo.

The original comment from Paul Machle is "I don’t understand. This should not be an opt in or an opt out. It is a condition of using our product. There is an acceptance of terms and the use of this data should be included in that."

I am not a lawyer, but that does contradict pretty much everything I've been taught about GDPR.


Nice! An apology apology! Way to go GitLab!


Yes. Wonderful. More like this!


The reaction to this whole saga has been insane. Chill out people.

They fucked up, users gave feedback, they listened.

This isn't some corporate conspiracy, some grand ethical dilemma with an evil company on one side and some white knight hackers on the other.

Let's imagine for a second that they are people trying to do the right thing, with years of history doing the best they can.

They wanted to measure usage to make their product better. People seem to disagree, which, okay, but the outrage here is everything wrong with the internet.


> The reaction to this whole saga has been insane. Chill out people.

I very much disagree. I think the outcry was warranted, and right now I see GitLab doing the right thing (and, obviously, the outcry was a huge reason for that).

Changing plans in the harsh light of public condemnation isn't easy, and for that I very much commend GitLab. As someone who was very much against the previously announced change, though ( https://news.ycombinator.com/item?id=21350146 ), I'm glad the community feedback was so strong.


Yeah, if the outcry continued even after their rollback & apology, _then_ it would be unwarranted. But everyone's happy now (well, arguably GitLab may not be, but they should surely be able to work out a solution with the community on how to collect telemetrics in a privacy-conscious way).

I'm also glad the feedback was so strong, as the ad-tech industry has spent the past 15 years numbing the general populace to unwarranted (and often unnecessary) telemetrics.

It's understandable that GitLab had no ill-intentions. But how can one know whether third-parties share such sentiments?


> Yeah, if the outcry continued even after their rollback & apology, _then_ it would be unwarranted.

The outcry may stop but the trust is now gone and will take years to rebuild. Next time I'm considering/recommending on-premise git hosting I won't be recommending gitlab.

I'm also considering moving my personal repos that I pay for. Generally I only interact through the CLI and don't think about the web interface much, but apparently when I go there I'm sharing info with whatever the hell gravatar is.


While I haven't used it myself, I think Gravatar is an avatar that gravitates toward you, as implemented by you putting an image on their server, and countless other websites include it from that server when an identifier (probably email address) match exists between the two accounts. So in other words, Gravatar knows a bit about your usage of countless websites that each volunteered your usage pattern to it. Since evidently you are seeing a connection between your machine and gravatar, they get page-load granularity. If this description is incorrect, which it very well might be since I know nothing about the service beyond what I inferred from its name, please do correct me.


Gitlab could restore some trust in my eyes by parting ways with whoever signed this off in the first place.


It doesn't seem to me that GP disagrees with that. They're not telling people to chill out in the sense that they should have voiced their concerns about the feature; it's about the outcry, about the black-and-white, evil-vs-good type of discourse that was happening in response to it.


Their CFO showed that he has little regard for the privacy of their users. I highly doubt that has changed. Many devs and compliance folk were on the right side of this in the MR and feature threads, but they were overruled.

I highly doubt the CFO has changed his viewpoint, and he's still in power over there. They only backtracked after the "insane" reaction. They anticipated some amount of pushback, but obviously hoped it would be smaller and they could move forward.


The CFO is not in charge.


Yet, the CFO was given authority to make an important product decision, over the objections of engineering and product design. Can you name any successful tech company that sells a highly technical product to a highly technical audience that gives the CFO final decision authority on product decisions -- decision authority over and above marketing, product design, and engineering?

The root-cause screw-up here is delegating product decisions to F&A. A good CFO adds huge value to a company, but should not have final decision authority over product decisions. That is not the role of a CFO. Any company that makes it so is organizationally dysfunctional from the C-suite down.


Privacy? Their users are companies building software. The CFO is right -- they can agree or disagree to the terms of use and choose whether or not to use the new software.


The issue is that they changed the agreement suddenly, and held users' data hostage until they "agreed".

I don't know why you think that's ethically ok to hold user data hostage until they agree to give up more rights. It's borderline ransom.


It is illegal to do so under GDPR, to be honest.


No, the CFO is dead wrong. I'm a very vocal Gitlab advocate and would have stopped promoting them if they did this. There are hundreds if not thousands of people like me and we help build Gitlab's value. And then there is the GDPR to contend with.


The only sense in which he's "wrong" is as you describe: people won't want to use the software, and it's a bad decision when it comes to making money. He's not wrong on some principles-based reason.


Since GitLab have operations, sales and other employees inside the European Union, and the assertions from the CFO are contrary to European law, he is wrong for legal reasons.


I guess you just like to argue.

It's strictly illegal under GDPR; the agreement is void as it contradicts the law (you cannot have terms and conditions superseding the law). The policy - "agree to tracking" - must be explained and justified, and consent must be given (affirmative action by the customer/user).

Failing to do that and holding users' data hostage would be a compliance breach. GDPR fines are no joke and are set forward to prevent abuse (up to 20m euro or 4% of global revenue). GitLab is no small business any more and a fine would outweigh the 'tracking profits'.


That, and all the other senses (GDPR, contracts) outlined in this thread.


>Privacy? Their users are companies building software

Not sure I follow your logic there.

First of all, he's not right. As stated by the compliance officer in that thread, his plan would have violated the GDPR. It also would have violated existing contracts with enterprise customers.

Secondly, it's a scummy thing to do. just because you have the right to do something doesn't make it the right thing to do.


I'm not talking about existing contracts or the law in some far-off land, and neither are you. You deserve nothing. You aren't entitled to Gitlab releasing software the way you'd like them to. Maybe your brain tells you otherwise. Instead, just don't use their software. For example, I wish Windows 10 didn't have telemetry. But it does, so I don't use Windows 10.

The world doesn't owe you a free Git issue tracker.


Oh, so you're not talking about the two ways in which he is objectively wrong in arguing to implement this feature, only that a vendor has the right to add user hostile terms to their ToS. Ok, well you've convinced me!

Honestly, who here is arguing that they can't implement some form of this? No one. Exactly no one. We don't like it, and we're the consumers! It's not entitlement to push back when a vendor changes their terms in a way you don't like.

I have no idea what point you're trying to make here.


Let me make it clear for you then:

> Their CFO showed that he has little regard for the privacy of their users.

Their users are companies, who can put on their big boy pants and decide what they think of Gitlab earnestly gathering usage information, not deep personal secrets, that it uses to help it improve its own product so that it can better serve the customer.

Throwing this all under the same category of "privacy" that one might use for private content -- the content of emails, the content of messages, copyrighted material, trade secrets, and the like -- as if this is a great moral issue, is just not a clear-minded way of operating.


People store copyrighted code and trade secrets in their repositories with gitlab; if the third-party tracker is compromised, those secrets can also be compromised.


> Let's imagine for a second that they are people trying to do the right thing, with years of history doing the best they can.

When I first saw they had their compliance policy repos set to public so anyone could view internal discussions around changes the lawyer in me just about fell off my chair. That is an almost unbelievable level of transparency. It's difficult for me to assume anything but the best intentions when GitLab has gone out of their way to let people see how the sausage is made.


I think what sparked a bit more outcry in this matter is the way the CFO responded to discussion and early warnings way before it was finalized.

EDIT: https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...


Bit surprised that Paul Machle is still employed as CFO.


Lesson learned here - the CFO is not and should not be responsible for a company's tracking policies and communication thereof.


Sadly, that "F" means they pretty much have veto power over anything anybody (with the possible exception of the CTO and the board) wants to do.


Uh, that's not how it works. Legitimate veto power is usually based on a board and/or shares of the company. Not to mention most CFOs are appointed positions in startups, because they are usually not roles filled in the early days of a tech startup's life (as opposed to CEOs and CTOs).

Note - it is worth saying, CFOs are, generally speaking, considered extremely important positions for many companies, even more so than the CEO. But this isn't because they make policy decisions or conduct external communications, but rather because they control the lifeblood of any company - the money.


"Oh, you're wanting to implement more 'privacy' for our users? Well it turns out that we've just done a reorg, and your whole department has no budget for the rest of the year."

As you say, whoever controls the money flow, ultimately controls the people, and can shut down any activity they desire...

Sure it's not "legitimate veto power", but ultimately it is the same thing.


> whoever controls the money flow, ultimately controls the people, and can shut down any activity they desire

I never said this...


Sorry. I was paraphrasing your " ... but rather because they control the lifeblood of any company - the money." rather than directly quoting you there. I think my point stands.


sadly?

That the board failed to stop this (or was bypassed) is telling, but this doesn't seem like a failure of the corporate governance model or anything. Money is basically essential to a corporation; engineering staff shouldn't be on the level of the C-suite, despite what many here would have you believe.


Although I think the person is getting too much grief for this, I have to say that if a CFO is allowed to make decisions in an area where he lacks understanding, simply because his title starts with a "C", that counts as a failure of the governance model.


"Sadly" because in this instance, it appears there's a CFO in power who's championing selling users' privacy out. Not a comment on whether or not a CFO in general has more influence than engineering (or other) staff, but that an ethically challenged CFO is potentially a toxic influence on a company's culture and direction.


Uhm, they sent a mail saying "we're locking all access to your project data until you accept our new ToS, or fuck off".

It doesn't take a genius to realize the mistake here.


> Let's imagine for a second that they are people trying to do the right thing, with years of history doing the best they can.

How could a company like this ever think that opt-out is appropriate? It seems like all their engineers knew this was a bad idea and everyone else seemed to think it was okay!

The problem for me was how a company like this couldn't see that this would happen and went along with it, I held Gitlab to a high standard and honestly I've lost a lot of trust with them.

I'm thankful for the outrage, and whilst I will never condemn personal attacks, I feel discussing the matter on places like HN was appropriate.


Not to mention the fact that the CFO didn't want to even allow opt-out under any circumstances.


>"The reaction to this whole saga has been insane. Chill out people."

No, it hasn't unless a civil discussion in an area where people have strong opinions is somehow your definition of "insane."

>"People seem to disagree, which, okay, but the outrage here is everything wrong with the internet."

There is no "outrage" here, just lots of concern if not some well-placed bewilderment at a particularly brusque comment made by their CFO on the issue[1].

The great irony is that you have dismissed an entire civilized and adult discussion as "outrage culture" and "everything wrong with the internet."

[1] https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...


If there hadn't been an outcry gitlab wouldn't have changed their trajectory. Seems like it worked.


How do we know that they would have changed their plans without the outrage?


They wouldn't have. Many devs were against it internally, but they went forward anyway with the opt-out scheme. Why would they go through all that, announce the feature, and then just decide to cancel it?


They wanted to violate my rights given by Article 7.2 of the General Data Protection Regulation (GDPR), this is clearly making the product worse.

What's great with GitLab compared to other companies is that they are doing things in the open, while another company would just violate my rights without me knowing it.

If you go through the comments, multiple (toxic) people in GitLab don't care about user rights, and just want to push the change as soon as possible (just like in any other company that I have been working in).

It's also clear that you get VP/Director/Staff engineer by just pushing through other people (sadly I have seen the same thing happening other times as well).


You can opt out by not using it, right? They'd be supposed to drop EU users, under some interpretation of the law. But even if they didn't, then as an EU user, you'd still be able to protect your own rights by ceasing use of their services.


GDPR pretty much says "you can't do that".

The advice I have bookmarked (which I'll admit is not a legal opinion or the source legislation) says:

‘specific website content’ means that you should not make ‘general access’ subject to conditions requiring users to accept non-essential cookies – you can only limit certain content if the user does not consent;

and

the term ‘legitimate purpose’ refers to facilitating the provision of an information society service – ie, a service the user explicitly requests. This does not include third parties such as analytics services or online advertising.

As I read/understand things, unless the service you're providing is "being tracked by advertisers or analytics", you cannot block access to users based on them not consenting to being tracked for advertising/analytics.

Pretty sure "They'd be supposed to drop EU users, under some interpretation of the law." is correct there, and that if Gitlab wants to have tracking consent as a mandatory requirement for using their source control service, they'd need to stop selling it in EU completely.


There is some potent American law lurking about, so I'm not going to assume the GDPR is enforceable in ways untested in U.S. court.


https://gdpr.eu/compliance-checklist-us-companies/

Good luck trying your luck with international law.

"You may be wondering how the European Union will enforce a law in territory it does not control. The fact is, foreign governments help other countries enforce their laws through mutual assistance treaties and other mechanisms all the time. GDPR Article 50 addresses this question directly. So far, the EU's reach has not been tested, but no doubt data protection authorities are exploring their options on a case-by-case basis."


If a company does business in Europe, they must comply with GDPR. It doesn't matter where they are located.

It won't even go to US court, but to EU one.


The EU court needs to actually be able to enforce its decisions, which may require a US court.


Are you sure that American companies are immune to fines resulting from EU court sentences if they want to do business in the EU?


The EU could certainly stop them from doing business there. Beyond that, you can't be sure they could collect fines. It may depend on the technical details of what the fines are about, and how big they are. America has human rights that privacy regulations like California's CCPA are careful to waltz around.


If at all, then only as long as they're conducting their business with EU customers entirely from the US. As soon as they're putting servers in a colo in the EU, there's something that EU authorities could confiscate to cover outstanding fines.


This has been explained tons of times.

You cannot conduct business in the EU unless you have a VAT number issued by any of the member (still 28) states. You cannot sell anything in the EU w/o VAT, it'd be illegal. The company =must= pay the collected VAT to the respective member state(s).

So they have to register in the EU to conduct business (and issue VAT receipts). This requires some assets and people to be responsible.

The only way to conduct business from outside is small shipments (less than 22e) that would be free of VAT and customs clearance.


GDPR is very clear, there are no multiple interpretations: the responsibility of telling me how they are using data about me is on the server side.

It's impossible for people in the EU to track all the time how different services use their data, so what you are suggesting is not practical.

As an example if you go with 200km/h on the German highway the responsibility of the road not ending is not yours. When I was going with a car in Albania and this happened to me, I (and my car) was quite shocked, but there are differences between countries.


I don't see where it is canceled. The closest thing I see to canceled, is postponed.

From the update: 'We will not activate user level product usage tracking on GitLab.com or GitLab self-managed before we address the feedback and re-evaluate our plan.'

That leaves a lot of wiggle room.


"Further, GitLab will commit to not implementing telemetry in our products that sends usage data to a third-party product analytics service."

That seems like a pretty solid indication that the plans are cancelled.


That sounds like they are going to roll out a first-party service, which is better, but not great for the self-hosted deployments.


Telemetry still sucks. I don't want it, and it should never be opt-out.


You opt in to first party telemetry by using gitlab. It is impossible for you not to send data to gitlab when using gitlab.

Self-host it if you don't want it. I dunno what to tell you; at some point, the company does have to observe how people use their product, and they'll do so a lot more effectively by looking at how most people are using it, rather than … idk, send a survey or something. Not that they won't do the latter anyway, nothing prevents them from doing that, but it's a very different type of data.

I'm a privacy nut by the way, and nothing in that field pisses me off more than people who vocally shit on telemetry. "I hate you, you should just GUESS what I want rather than do real work to figure it out" sort of thing.

What is it about telemetry you don't like, exactly? And I do say "telemetry" in general, because you're saying it sucks in general. So no specific examples like Windows 10's abhorrently overreaching telemetry, privacy invasions that look at PII, etc.

Telemetry generally is things like "97% of users have visited the issue tracker. 66% of projects with an issue tracker enabled have at least 1 issue. new issue rate on public repositories climbs by 15% if the new issue button is orange instead of green. users spend 30% more time on the new issue page if there's a new issue template. issues with a template have a commit/mr associated with them at a 8% higher rate than issues with empty templates".

By choosing to die on this hill, you're taking both good-will and attention away from much more severe issues of telemetry abuse, such as "let's collect the precise geoloc of all our users in our gay dating app at 5 minute intervals, store it for 3 years and not care one ounce about security".


Self-hosting was going to have telemetry, which is simply a dealbreaker for many companies.

And it may still have it. I just don't trust GitLab's management anymore.


> You opt in to first party telemetry by using gitlab. It is impossible for you not to send data to gitlab when using gitlab.

There is still a difference between sending actions you selected to the server and tracking where you move the mouse while on the page in your browser or other bs like that. One is required to implement the functionality, the other is not.


Telemetry doesn't necessarily mean tracking mouse movements.


Telemetry is necessary to be able to observe the system, and look for adverse impact. You should be more thoughtful to the people supporting the tools you use, because without telemetry they do a bad job keeping it working for you.


If anything, the deterioration of quality in most modern software is proof that telemetry makes people do a bad job at keeping software working for its users.


Saying "the deterioration of quality in most modern software" is such a cop-out. There's no universal agreement upon any "general" deterioration, and I'm not sure you're keeping track of the "deteriorating" software that has telemetry vs. the one that doesn't. I personally find that a lot of software I use daily does improve over time, especially web software.

You want a counter-example? Reddit has very little telemetry and quite famously barely looks at the data it does gather. You want to talk about deterioration, how's that for some severe rot.


> Saying "the deterioration of quality in most modern software" is such a cop-out.

Fair. It's just my opinion. Though I'm not the only one expressing it. You've probably heard the phrase "optimizing for lowest common denominator", or as 'dredmorbius calls it, "the tyranny of the minimum viable user".

> I personally find that a lot of software I use daily does improve over time, especially web software.

I find the reverse. GMail and Dropbox being prominent examples.

> Reddit has very little telemetry and quite famously barely looks at the data it does gather.

Huh. That's not what I expected. I see Reddit as poster child of making the UX worse and worse, driven by advertising goals - something that generally does correlate strongly with running telemetry. I'm confused about them now.


> GMail and Dropbox being prominent examples.

Dropbox I'd agree with, gmail I actually much prefer the current UI to the old one.

And indeed web services do tend to optimize for the "lowest common denominator", or more generally for the "majority of users". Which does tend to fuck over power-users. But it also means for most people telemetry works out.


I disagree that this works out well, because - perhaps unlike the data-driven companies - I don't believe the measure of a good program is the number of registered users. I believe it's just a half of the equation, and the actual equation looks more like (number of users * average utility for user)[0]. Whenever you dumb down your application by removing useful features or sacrificing ergonomics for looks, you're trading average utility for adoption. The software is more appealing to more people, but less useful to them[1].

It does fuck over power-users, but it also fucks over regular users. Not only does doing tasks take longer than it could (or than it took in previous generations of equivalent software), it often precludes them from becoming power users. Because a "power user" of a specific suite of software is something a person becomes over time and repeated exposure. Which includes essentially everyone doing a full-time job in front of computers. I believe dumbed down software is causing a huge hidden economic loss in reduced efficiency of office workers. Not to mention their misery.

(A good example here would be POS systems. If you've ever seen a DOS based one, you'll know it's an order of magnitude more efficient to use than the current breed of browser-based ones. The old-school UI was clean, ergonomic, consistent and fully keyboard-operated, allowing most tasks to be done without even looking at the screen most of the time. There was a relevant thread on HN recently[2].)

--

[0] - actually, I think it's more like: $$ \sum_{user \in users} utility_{user} $$ (https://latex.codecogs.com/gif.latex?%5Csum_%7Buser%20%5Cin%...).

[1] - by "useful" I mean, what tasks it lets users accomplish and how efficiently.

[2] - https://news.ycombinator.com/item?id=21045935


No, it is not. We have been selling software for decades without telemetry and it worked just fine.

I am more than willing to help GitLab, but telemetry in a VCS is simply a red flag (even a legal impediment in many cases).


No 1/2 decent CEO, PR, Legal or any other department at work here would leave themselves without wiggle room.

I’ll reserve the pitchforks for if this comes up again.


Yup, and it's not that they plan to backtrack, it's to reserve room for not committing to an exact outcome, but instead a general outcome. What they plan to do is not necessarily what will happen exactly, as anybody that has been in a position of authority or part of a project knows. Things may take a little longer, there may be some detours, etc. It's insurance so somebody doesn't armchair nitpick and shame them.


I think there's compelling evidence that there is not a "1/2 decent" CFO at work there...

I'm gonna keep my pitchfork sharp, close, and on display here.


This comment, from the CFO, is particularly nasty: https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...


You may or may not agree with that comment, but it is not nasty. What is nasty, on the other hand, is the vitriolic reaction to it. So far I count 16 "middle finger" emojis, including one with the subtitle "incompentent or malicious CFO". In what world does a disagreement over the right level of telemetry justify this kind of behavior?

It's mind-boggling to me how entitled and aggressive the open-source culture is allowed to be. Does a company like Gitlab really deserve to have its employees publicly insulted in this way, after giving away so much to their users, for free, and being so much more transparent than 99% of tech companies?

At this point I don't understand why anyone in their right mind would go to the trouble of making their product open-source. It's just not worth it.


Assuming we're all using the word "nasty" to mean spiteful or unpleasant, I think it's quite fair to call that comment by the CFO nasty toward users. The CFO is literally saying that users should not have a choice about how their data is used. Now, that may be a "reasonable" business decision for GitLab to make, but it's still quite fair to call it nasty toward users. Again, it's literally the CFO instructing the GitLab product team to remove a choice from their users about how their users' data is being used. Middle fingers and feelings of entitlement may also be nasty, but this comment from the CFO is, in my view, pretty much textbook nasty.


Gitlab is a wonderful company, but it's still a for profit company, it's not a charity. Everything they're giving away for free is part of the business model, and particularly part of their user acquisition approach. They, and many other companies, have discovered that the open source (or in this case "open core") approach can be very profitable.

I'm not advocating in favor of rudeness, but the same reasoning goes for the middle finger gesture. It's an emoji that Gitlab have (I believe) deliberately included in their commenting mechanism. As far as I understand, it acts as a way to categorize users' anger and vitriol in a much more sanitized manner than if the users were to type their sentiment into the comment box. In general, allowing and encouraging negative feedback of specific parts of the service helps drive user engagement and demonstrably makes good business sense.

If users feel entitled and free to speak up, it's because there is a lot of competition in this area and they can easily leave. The fact that users are providing this feedback to Gitlab, rather than just deleting their users is a sign that they still trust the company and the service, want to keep using it and to drive it to be better.


<disclaimer: founder of a GitLab competitor>

When a C-level fundamentally misunderstands the company's culture and the culture of their target audience, incompetence becomes presumable and maliciousness becomes possible, IMO.


> In what world does a disagreement over the right level of telemetry justify this kind of behavior?

In a world where companies think little of collecting and selling our personal data to make a profit? In a world where companies feel the need to track every part of my life with or without my permission. This is something I can't escape, as every time I interact with someone that does use one of these platforms then they are able to collect data on me.

We both know that there are companies out there that are trying their best to not exploit their users, and sadly these companies are often held to much higher standards. When a company that we trust, and trust enough to recommend to others who value their privacy, it does hurt when a company goes in the opposite direction with your privacy even when they have noble intentions at heart.

It's also completely telling when their engineers are standing up for their users and others at the company are trying to find any excuse to collect certain information for reasons.

Now, I'm never for personal attacks on someone no matter what, but I find it hard to call out people for using a widely used and available emoji. I do agree it's very much on the line and others might take the other opinion in this case.


Then what about the people who are fine with the tracking and selling of personal data (I for one)? I think it's great that, let's say, Google manages to make money out of my personal data, and in return I get to use their free service.


Great for you. But please smoke outside so the rest of us don't have to deal with negatives (eg. smell if not health issues).

(Hopefully you get the parallel: some of us consider it harmful, and the fact that you don't care or you actually enjoy it does not mean we should be subjected to it)


In regards to smoking, sure it's great for the non-smokers but it sucks for the rest, the smokers.


It's really not too much to ask smokers to not externalize the health problems of their addiction to other people. On the contrary, a decent human being would not willingly expose non-smokers to cigarette smoke. Unfortunately, there's not enough decency around to outweigh convenience, so it had to be turned into law.

As for telemetry, I can't find any reason one would willingly subject to it. But even if, that's why laws like GDPR don't ban it outright, just ask for it to be optional and opt-in.


>It's really not too much to ask smokers to not externalize

Sure, from the perspective of non-smokers.

>On the contrary, a decent human being would not willingly expose non-smokers to cigarette smoke

A decent non smoker can also excuse themselves, in order not to disturb the smokers.

>Unfortunately, there's not enough decency around to outweigh convenience, so it had to be turned into law

This has nothing to do with decency; the smokers don't have enough power/influence to prevent it from becoming law.

Let's say in a place where 95% are smokers, or even in a place where there are 5% smokers but those 5% have a lot of power/influence. Do you think there will be a law against smokers?

>As for telemetry, I can't find any reason one would willingly subject to it

You mean willingly subject to tracking? Like I said before, I am fine with tracking because the benefit outweighs the cost; it gives me something in return, a free or cheap service.


> Sure, from the perspective of non-smokers.

From the perspective of any moral human being. Not intentionally harming others is kind of fundamental.

> A decent non smoker can also excuse themselves, in order not to disturb the smokers.

Non-smokers came first. And there's more of them. Plus, non-smokers are at best an inconvenience to smokers, while smokers are a health hazard to non-smokers.

> Let's say in a place where 95% are smokers, or even in a place where there are 5% smokers but those 5% have a lot of power/influence. Do you think there will be a law against smokers?

Not likely. If the smokers are decent people, there won't be a problem; if they aren't, they obviously won't vote in laws that inconvenience them. But that only tells about deficiencies of the regulatory process, which optimizes for the loudest voices instead of maximizing good for everyone.

> Like I said before, I am fine with tracking because the benefit outweighs the cost; it gives me something in return, a free or cheap service.

And like I said, that's why current legal standard people are leaning towards is not to ban it, but to make it opt-in. So if you're fine with tracking, you can have it. The problem is with the infectious, anticompetitive nature of tracking - once one party does it to offset their costs, all other competitors have to follow suit or risk getting outcompeted.


>From the perspective of any moral human being. Not intentionally harming others is kind of fundamental.

Sure, at least from your perspective. But all human beings? Even now we disagree.

There are some people to whom harming people is the moral thing to do.

You may then say they are wrong, but again you view it from your morality, using your definition of 'wrong'.

>Non-smokers came first.

Sure, for the non-smokers, non-smokers came first.

>And there's more of them

Right, so it's more to do with which side has more power/influence.

>Plus, non-smokers are at best inconvenience to smokers

Sure, the non-smokers can dismiss it as merely an inconvenience. But I'm sure there are some smokers that suffer highly from not being able to smoke anywhere, anytime.

>Not likely. If the smokers are decent people, there won't be a problem

Again, some smokers can use the same argument, if the non-smokers are decent people, they can excuse themselves and there won't be a problem.

>if they aren't, they obviously won't vote in laws that inconvenience them

While I'm sure within smokers there are people who support the law, I'm talking about the smokers who are against the law. Unfortunately, they fail or just don't have enough power/influence to prevent the law from existing.

>deficiencies of the regulatory process, which optimizes for the loudest voices instead of maximizing good for everyone

It's not a deficiency because it's just the way it is: whichever side is the strongest gets to decide the law.

Maximizing good for everyone is an impossibility. What one human considers good may be considered bad by another human.

>And like I said, that's why current legal standard people are leaning towards is not to ban it, but to make it opt-in. So if you're fine with tracking, you can have it

Sure, if you can gain the power/influence to make it law. But I hope not, and I will not support it. Why? It increases friction/inconvenience. Just like the cookie warning, it's highly annoying; I would much prefer it to be opt-out or no option at all.


> In a world where companies feel the need to track every part of my life with or without my permission. This is something I can't escape, as every time I interact with someone that does use one of these platforms than they are able to collect data on me.

I find this attitude honestly kind of confusing. I mean, you know that the shops you go to know what products you're buying from them, right? Presumably those shops look at that data in aggregate when thinking about which products to stock. How is this any different? If you're transacting with someone, it's not possible to hide that transaction from them.


"At this point I don't understand why anyone in their right mind would go to the trouble of making their product open-source. It's just not worth it."

Umm...that's their business model. It's not an act of generosity. It was a decision that they thought was in their best interest.

Do you also think Facebook and Google are making their products free out of the goodness of their hearts?


I don't believe I said anything about their motives.


But you said "I don't understand why anyone in their right mind would go to the trouble of making their product open-source." The "trouble" of going open source is the same trouble as any other business expense, whether that is developer time, security audits, etc. If that's Gitlab's business model, and open source really was their only choice for a sustainable business model, it's not hard for me to understand why they went open source. Your phrasing only makes sense if they were doing something they didn't need to do.


Also, beside the point. I agree it is not nasty on the surface. But it sure is a callous sentiment—you will submit to our privacy invasion or take a hike. FU indeed.


The reactions came after the comment was widely publicized. With wide publication comes the trolls. The original comment was thoroughly thumbs-down, but the only ones interacting were people who actually use/follow the product.

How any C level position blindly walks into this kind of thing in a post Cambridge-Analytica world is a different conversation.


> "It's mind-boggling to me how entitled and aggressive the open-source culture is allowed to be."

'Allowed' to be? The "open source culture" is the sum of the participants and participation is open to the general public. If being rude were "not allowed" who would be doing the not allowing and why should they be so empowered over members of the general public?


This assumes all participation is equal. This is not the case. It’s GitLab’s sandbox, their rules (including not being crass if desired).

How is this different than what would be expected with a Code of Conduct? Must one call out “Don’t be a dick”? Vigorous debate is to be expected, being rude is not.


Gitlab is well within the right to ban rude remarks on their platform, but that isn't the same as regulating the open source community as a whole, which they have neither the right nor ability to do.


They have the right to regulate any activity taking place on any forum or digital property they control.


Obviously. The matter I am concerned with is the attitude that anybody is empowered to regulate the 'open source culture', which is worlds apart from regulating one particular forum.


> It’s GitLab’s sandbox, their rules (including not being crass if desired).

They can ban people who clicked on the "Reversed Hand With Middle Finger Extended" emojis. If it's against their rules, they should (otherwise there's no point in having rules in the first place). That said, if the emoji is in their system (and it's not there by accident), it probably serves a purpose. In this case, it accurately represents the sentiment of people who gave that feedback.

> How is this different than what would be expected with a Code of Conduct?

No different at all; Codes of Conduct exist primarily to signal allegiance or submission to the social justice crowd. They introduce nothing new on top of regular rulesets that existed in on-line communities since on-line was a thing.


I am absolutely of the mind that Codes of Conduct have been weaponized, but there’s no reason for participants to be so overtly rude in the discussion, regardless of reactji availability.


And we collectively allow this behavior. Do we not?

For example, I don't see anyone stepping up in that github thread and saying that insults and middle finger emojis are not OK. That's because that behavior is normalized. Participants in the thread either a) are OK with it; b) have resigned themselves to it; c) are refraining from speaking up for fear of being attacked too. That is what I mean by "allowed to happen".


What would it mean for me to 'not allow' other members of a free society to speak their mind?

Your right to criticize it and their right to say it are one and the same. Criticizing it and not permitting it are not the same thing.


If you are participant of the Gitlab community, you could speak up in that thread and say that you are not OK with people being insulted over a disagreement. I won't fault you for not wanting to, though. You would probably be attacked too, and have to spend a few hours of your life justifying yourself.


There is a keen difference between criticizing it and forbidding it. Gitlab may forbid it on their platform, but they don't have the ability, let alone right, to regulate the speech of the general public outside their platform.


Loud condemnation from the wider community. Contact their employers. Ban them from contributing to projects.

When GamerGate became a thing, every major publication and several major figures in the gaming community all loudly spoke out against the harassment, and many prominent Gamergaters permanently gained reputations as harassers.

Not only do we need this kind of condemnation from leaders within the open-source community, but we need to go farther. We need open-source projects to say "we will not accept any contributions from anyone who participates in harassing GitLab employees", and if they work for a large corporation who's paying them to work on open-source code (e.g. Red Hat, Google), then contact their employers and convince them to cut ties. If you participate in harassment campaigns and sustained personal attacks against private individuals over a policy disagreement, then you should have no place in the community.


You're well within your right to write letters to companies complaining that they employ people who use emojis of rude gestures online. What you don't have the right or ability to do is forbid rude behavior in the culture, rather than on a given platform.


Gitlab isn't in the "open-source community" any more than Oracle is. In fact, Oracle probably contributes more to "Open Source" as a movement and in code than Gitlab. Both are closed-source companies that release part of their works as open.

I can't see tears falling for either of those companies' employees as far as the broader community goes.


Thank you. That's exactly right.

Unfortunately the problem has deep roots, and the corporations you mention have a track record of either turning a blind eye to bad behavior when the perpetrator is a popular open-source figure (Google), or actively supporting it because the victims are employed by a competitor (Red Hat).

In general, open-source communities are still stuck in the middle ages from an HR perspective. You can be the victim of terrible behavior, and have no recourse at all, because the project itself has no clear legal requirement to protect you, and none of the corporate sponsors will take responsibility for protecting you in the same way they protect their own employees; even if in practice they are the only ones with the power to do so. The result is a legal limbo where people can get away with terrible behavior. I've seen people get crushed by this, it's Kafkaesque.


Authoritarian sentiment at its best. Ignore the attacker and focus the discussion on the rudeness of the victim's response.


No, we do not, because we do not make decisions collectively. Or at least, I wasn't consulted. Maybe everyone else was.


> And we collectively allow this behavior. Do we not?

We don't just allow it, it appears that a vocal part even encourages it. It's toxic and unprofessional behavior, but organizations have no choice but to listen (as evidenced by Gitlab's response).


Assuming Free Software was meant to be professional in the first place was a mistake. It may have gained a professional following from sheer utility but it isn't fundamentally professional - there is an expectation for professionals to obey or outright refuse if it crosses some line and be calm either way. Not so for a community.


This doesn't have anything to do with it being open source. It's a separate movement called Open Company, which was tried by Gittip/Gratipay. It's mostly irrelevant to the open source-ness of a product whether the company's website is open source.


It is not just nasty to customers.

It is public evidence of commitment to an illegal policy after the CFO was informed of the legal problems.

Not sure how you can do something worse.


It's a way to send a message across. Before things turn irreversibly nasty.


Here's a screenshot for people that don't feel like waiting for the page to load:

https://imgur.com/a/uxaU0h8

How is GitLab still this slow?


It's a Rails app trying to load hundreds of different bits of data (emojis, comments, votes on comments, etc.), I'd honestly be more surprised if it were quick.


GitHub loads similar data and is also written in rails, but long GitHub PRs/issues are significantly faster to load.


It’s probably hammering the database right now.

These kinds of things, by nature, are difficult to cache because the balance between "fresh" new content and how often they are accessed leans heavily towards having it served from the backend directly.


Resources are cached, lightweight JSON that dictates how to lay those resources out is fresh, doesn’t seem tooooo difficult


Ruby on Rails backend, I think.


Github is also RoR backend, and it's not this slow.


At least they said what they actually thought and opened a discussion instead of spewing one of the standard canned PR statements. The replies are a pretty good source of arguing against the position he took and now can be referenced by anyone else having a similar discussion.


Did they say that because they always speak their minds or because forced telemetry is becoming a norm? We will never know, I guess.


What?

>I don’t understand. This should not be an opt in or an opt out. It is a condition of using our product. There is an acceptance of terms and the use of this data should be included in that.

In what way is that "nasty"?


It's "clueless" but not "nasty".


It's either extremely clueless or nasty, but regardless, it also expresses a suggestion that's hostile to the users.


I wonder if Microsoft not allowing full telemetry opt-out in Windows 10 opened a precedent for this kind of thing.


Looks like the CFO's actual need is the historical data for LTV calculations: https://gitlab.com/gitlab-org/gitlab/issues/13297


This is just the beginning, at some point, they will flip. Google was our darling, that could do no wrong. Just imagine, to be bold and say "Don't be evil!" And then, what happened? This is just a short term reaction to quiet down the noise, but their long term hand has been exposed. They are not going to do it, but note that nothing says they won't try to or do it again in the far future.

What I would really like to know is how they will profit off that data. Is it even going to make a bump on their bottom line?


What happened? Google is still one of the better players around. They pulled out of DoD contracts etc. This site just hates it for every single thing... it's just group think now; the majority of the general public still loves it.


They trust lots of other companies more, including Amazon

http://nymag.com/intelligencer/2018/10/americans-cant-agree-...


No bathroom breaks and shitty benefits.


Take that up with the American people being polled then I guess.

$15/hr is a pretty good minimum wage for a company that operates in every state!

(My benefits are fine too, for what it's worth)


What about bathroom breaks? Also, even Microsoft's insurance is better than Amazon's. All my friends say Amazon's perks suck. Even at the concert, apparently people were allowed two non-alcoholic drinks for the first time. There was a joke that this was a big deal when it came to perks.


The majority of the general public definitely does not love, nor hate, Google. They are merely indifferent and tolerate it, just like they tolerate Microsoft, or more recently Facebook, despite all the flaws and annoyances their products have.

The general public does not really care, they just want to get on with their lives.


Gitlab has also committed to doing a post-mortem on this, just as they do for crashes or data breaches, which is a good thing.


We sent an MR to Gitlab 1.5 years ago (https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/156...) implementing our open-source analytics tool in their app and letting the system administrators opt in to this feature if they want to analyze their user behavior, but it looks like Gitlab wanted to implement a centralized user tracking feature for themselves instead.

However, given that most of the Gitlab customers / open-source community care about their privacy and want to have control (well, that's probably why they switched to Gitlab from other products), I wonder why they wanted to follow this approach in the first place. The good thing is that they almost always know how to take action when their community reacts.


This is incredibly dumb. Both Pendo and Snowplow are analytics providers, meaning they both have in their TOS that the company remains the owner of the data in question and that the services only exist to facilitate analysis of the data in question.

Effectively this is users complaining that Gitlab wants to simplify their data analysis overhead. Presumably nothing precludes them from sending the exact same data to these companies and more on the backend. What do users expect? For Gitlab to build every single part of their stack in-house (CRM, analytics, support tooling, etc)? Because that's what this is effectively asking for.

What's next? Protesting that a company uses RDS instead of their own hand-rolled Postgres setup? Because this is the same level of stupid.


What about running third party scripts on the page, which would have access to all code on the account you’re logged in with? How do organisations audit these scripts, and how can they audit new versions of these scripts when gitlab controls the release strategy of these scripts?

You’d be moving from one (possibly two if you include the cloud provider) vendors having theoretical access to all of your code to four vendors having potential access.


Any vendor Gitlab works with already has potential access. Just because you have a known front-end attack vector doesn’t mean you’ve gone from 1 to 4. You’ve been at N the whole time, it just hasn’t been as visible.

FWIW I agree that on-page JS on pages with source code is a terrible idea, but that’s easily fixable and doesn’t seem to be at the root of the issue.


I think part of the issue was that there are many cases where you can't send potentially sensitive information to a third party, regardless of their TOS.

I left a comment on the feedback issue about this. It's not as comprehensive as a third party, but you can build your own analytics in house. There are a lot of managed services (like BigQuery) that make it significantly easier to implement it yourself, and you do get valuable insights from such data.


> I think part of the issue was that there are many cases where you can't send potentially sensitive information to a third party, regardless of their TOS.

I don’t think this is true, provided the third-party is GDPR compliant themselves. It’s the controller-processor relationship under GDPR. Presumably if there was not a cutout for this, AWS would not be able to exist.


I'm not talking about GDPR specifically, I'm talking about embedding a third party script (or sending data to a third party) from a company that I have no relationship with. Many companies would find that unacceptable, especially within their source control, where all their IP is hosted.

The "can't" here isn't necessarily legal, it could be internal.


I think that’s a fair point from a security standpoint, but there are clear, well-established technical solutions for sending telemetry data to third party scripts without allowing page access (e.g. safeframes), yet the conversation isn’t about that. The conversation (more like coordinated uni-directional screeching) is instead an irrational moral panic which is not justified by the facts at hand.

I don’t see the fact that you have or don’t have a relationship with the company as relevant. The mechanism of passing of the data is just an implementation detail. You don’t have control over what relationships the company has on the backend (e.g. what if they store your telemetry data in BigQuery or Snowflake, or keep your log data in Loggly) so I don’t see how this expectation suddenly applies if the data is being sent from the frontend instead.


In the self hosted instances, which is what I was talking about, you do have control over the backend. At least more than you do with the managed version. It pretty much boils down to this: can something leak sensitive information to a third party? If so, then it's a no go.

If you have a contract with that third party, and you deem that third party to be a safe harbour for your data (yes, that includes gitlab.org, AWS, etc), then that's a different case.

If Gitlab was to have instead said:

1. We are going to enable telemetry on all public repositories on Gitlab

2. On self-hosted instances we will provide you with the ability to embed your own analytics, from a company of your choosing

Then the screeching (and I fully agree it is screeching) would have been less. Unfortunately, with self-hosted instances, you simply cannot allow Gitlab to leak information like that to a company you don't have a direct relationship with. I'm not sure how else to phrase this concept or explain it, and it doesn't really matter if you use safeframes or not.


I see your point with respect to self-hosting. I get that most of the reason for running on-prem is data security and privacy and I can see why people might get annoyed at something they thought they were buying not really being there.

That said, while I'm not familiar enough with the details of how Gitlab supports self-hosting to comment on whether or not their particular case still allows them control over the backend, many self-hosted AWS solutions are implemented as marketplace AMIs which the end-user can run in their VPC but still doesn't maintain control over what is running inside the AMI. It's not necessarily that odd for software implemented this way to still phone home with telemetry.


They indeed do have opt-out, instance-wide telemetry. This is restricted to specific site-wide activity: number of merge requests created, users active, gitlab version, usage of feature X etc. It doesn’t send back any sensitive data (project names, namespaces, comment text, diffs), or give the potential to access that to a third party.

You can also view all the data it sends back in the admin console, and disable it.

Again, it’s the trust aspect. Sure, gitlab could just silently implement a phone home with all your private data (even by accident). They would be put out of business if they did, for breaking their contract with us and others. Nobody would trust them.


Most companies won't allow telemetry nor arbitrary code fetched from the Internet in their private network.

It is common sense. Some are even legally required to ensure that.


The main issue was that this is for internally hosted enterprise instances, so no they can't just pass along the same data on the backend because they don't control the environment the backend is running in.

In the hosted gitlab, if they want to keep me as a paying customer they should be looking at on premise analytics providers. If they're going to be sending data out to random third parties I don't trust, who I can't trust because I have never heard of them and have no relationship with, then I can't trust gitlab either.


There is a lot of FUD whenever someone mentions third parties, because many don't know the difference between a dedicated analytics provider and Facebook.


How would you know a difference, how could you trust the difference (given the adtech industry being what it is), and how can you know things won't change over time? All that without being in a contractual relationship with that third party.


Are you in a contractual relationship with AWS for every service you use that uses AWS on the backend? How about Loggly? How about BigQuery/Snowflake? Intercom if they use that? Salesforce? Facebook and Google if they run ads? They may not do anything weird with your data now but how can you know that things won’t change over time?


GDPR.


You don't understand GDPR very well.


Could someone here please explain to me why Gitlab's product managers would be so interested in client-side analytics in the first place? From my familiarity with their service, almost every operation requires an ajax call, or a full page refresh. Is there really that much value for the product managers in these additional analytics?


Even anonymous cohort analysis can be super useful as a product manager. If you want to encourage usage of a particular feature and the most successful users of that feature fit into a cohort, you can reach out to them for feedback, optimize paths between those features, improve documentation connecting relevant features together, etc.

This doesn't mean it's malicious or all about the $$$... it might be that users that set up GitLab CI have 40% fewer security incidents and they want to encourage that behavior as a better customer outcome with the overall product.

edit: and this behavior might take place over a long period of time, not something you can get from access logs or just-in-time stats.


That's an interesting point. But wouldn't the vast majority of Gitlab users be signed in (and thus server-side trackable)? Pretty much all functionality other than just reading code seems to require it.


The only way to know this would be if you read the entire discussion across 2+ threads on the Gitlab site for their event tracking MR. Basically this whole shit show started as so:

* Gitlab previously used 3rd party infrastructure for their user event tracking

* They did not send this 3rd party user id for GDPR and other reasons

* Because they did not have user id, they could not understand user behavior across sessions. Understanding user behavior across sessions is important, so they wanted to add it.

* Gitlab had just finished moving their event tracking infrastructure in house.

* The original MR was to add user id as an attribute to their event tracking

What proceeded was what I consider a very reasonable back and forth between data, infrastructure, and legal on the correct way to add user id. But somewhere along the line it went off the rails. How it turned from simply adding user id into including Pendo JS tags for on-prem customers, I have no idea.


I read in one of the issues that it was Marketing that wanted Pendo tracking. (I'm guessing marketing mainly wanted it for gitlab.com).

In one place I saw a developer basically say Pendo is marketing's, and product is only interested in using Snowplow (with first party data processing).

Development was entirely happy with a true opt-in. Development does want to be able to get data back from on premises instances, but is totally fine with having it be an instance wide option that can be off.


My guess was that it was just seen as easier to drop a third party analytics component in, as opposed to doing it via their own backend.


Years ago, at a previous employer of mine, one of the IT staff members was giving a presentation on an internal website/app they created for some widely used business function (I don't recall exactly), and they were rather proud of the fact that they tied in Google Analytics so that they could get a better view on how people were using the site.

I expect that a lot of other companies are also doing this to themselves...


Every project I've ever worked on has used analytics; it's super useful.


Wasn't this proposal to add the client-side tracking to their hosted on-premises product?

They don't have any visibility in how those instances are being used, and wanted to use the telemetry to get that. (Not understanding that often, the entire point of choosing to host your own instance is to avoid this in the first place)


No, it was for everyone. They initially conceded not to add it to their enterprise versions (post-backlash), but the intent was always to add it for the rest of us.


I believe in this case it is server-side analytics. The case where this would have been significant would have been with self-hosted instances, as there gitlab controls neither the servers nor the clients.


I find the anti-telemetry attitude honestly kind of confusing. I mean, you know that the shops you go to know what products you're buying from them, right? Presumably those shops look at that data in aggregate when thinking about which products to stock. How is this any different? If you're transacting with someone, it's not possible to hide that transaction from them. Of course you should have the right to have that data deleted, but that's different from saying it should never be collected at all.

Also, given that nearly all websites are using something like Google Analytics or similar (or several of these at once), the reaction and vitriol here just seems weirdly disproportionate.


> I mean, you know that the shops you go to know what products you're buying from them, right?

They know what products are selling. They don't necessarily know what I personally am buying.

The point of those loyalty program cards is to associate purchasing habits with repeat customers. Those cards, you may note, are opt-in. To belabor the analogy, this was the equivalent of my grocery store putting cameras all over the building and offering me a mask if I wanted to opt out of the user monitoring program.

"Everyone else is doing it" is a pretty bad reason when many of your clients chose to do business with you at least in part because you are not doing it.


> They know what products are selling. They don't necessarily know what I personally am buying.

The vast majority of people use credit cards, which would allow them to track you. If you want to be more anonymous, you can use cash, just like you could install a blocker extension if you want to be more anonymous in the browser.

> To belabor the analogy, this was the equivalent of my grocery store putting cameras all over the building and offering me a mask if I wanted to opt out of the user monitoring program.

Indeed, my local grocery store added cameras all over recently, and apparently many of them use bluetooth trackers. I don't even think they offer masks, though I've never asked.

> "Everyone else is doing it" is a pretty bad reason when many of your clients chose to do business with you at least in part because you are not doing it.

Did gitlab pitch themselves as a privacy-centric git host? I thought their main selling point used to be that they had unlimited private repos. I could be wrong though, I haven't followed them much.


Correct me if I am wrong, but Apple Pay solves this, does it not?


Web tracking is different in that it's ongoing tracking of behaviour. When I buy something from a shop, that's the end of their knowledge: the shop has no idea what I use it for.


When you make non-cash purchases in a shop they sell your purchase data to an aggregator who adds it into their profile of you and derives demographic classifications from that.

Single woman driving a Subaru? Your odds of being lesbian go up a few points. We'll target you for a certain form of advertising.

This has been going on for decades. Before the web ever existed.


To make it worse - the shop, your credit card issuer (aka the bank) and the payment processor (aka Visa) are all each doing this.


Hmm, that must be where the breakdown is. It seems like you view just the transaction as your interaction with Gitlab, but to me if I'm on Gitlab, I'm still "in the shop" so to speak. So to me it's more like sitting in a coffee shop than going to the grocery store.


One of the big issues people had with the Gitlab proposal was that it was going to use 3rd party trackers, so Gitlab wouldn't have full control over your data. Some people were commenting that if the analytics data never left Gitlab, they wouldn't have an issue with it. They were also going to block access to your account until you accepted the tracking.

Following the shopping analogy, it'd be like they let you in the store, but they won't let you leave with your purchase until you fill out a survey by a 3rd party company.


> Of course you should have the right to have that data deleted, but that's different from saying it should never be collected at all.

Err...do you have that right? The whole concept of a "right to be forgotten" is a relatively new thing that generally has not been observed in the past.

Like, if I want the library to erase all records of me checking out books, they probably just aren't going to do it, and I don't see how I have a right to force them to. I willingly gave them my information and used the books there.


>Err...do you have that right?

In the EU, yes you do.

>Like, if I want the library to erase all records of me checking out books, they probably just aren't going to do it, and I don't see how I have a right to force them to.

They will. You do.

>I willingly gave them my information and used the books there.

And then you changed your mind.


I'm hostile towards both on-line and meatspace telemetry alike. It's just it's much harder to opt out from the latter. When a store I frequent decides to be total assholes and install customer-tracking cameras, I can't even tell (and unfortunately, there's no legal requirement to inform about it; I hope it'll change in the future). And even if I could, like most people, I'm rather price-sensitive when bulk shopping. On-line, I can at least try to defeat most telemetry with content blockers and network filters.

> Of course you should have the right to have that data deleted, but that's different from saying it should never be collected at all.

Anything that GDPR forces to be opt-in (like this telemetry here) is essentially data that shouldn't be collected in the first place.

> Also, given that nearly all websites are using something like Google Analytics or similar (or several of these at once), the reaction and vitriol here just seems weirdly disproportionate.

There were a couple of compounding issues here, not the least of which was them wanting to deploy telemetry on self-hosted instances. On Gitlab.com, they can deploy analytics scripts to their heart's content; that's just being disrespectful. But self-hosting is something one does in big part to control the data flow, and pushing telemetry onto that kind of defeats the point (it's a real compliance issue for a lot of companies).

As others have said, just because many other people do something, doesn't mean it's good and you should do it too.


>We have not yet added instrumentation to the Enterprise edition versions, and we will not do so until we have a way for self-hosted customers to opt out... (Scott Williamson, Gitlab VP of product, responding to the OP)

That's not the right way to do it. Customers should need to opt in, rather than having to opt out.


I'm glad they reversed course and apologized but it still amazes me how powerful the reality distortion bubble can be even at well-meaning corporations. It's as if there was a meeting at the Red Cross where somebody said "Hey why don't we start selling guns? It would be a great fundraising tool." And everybody in the room just nodded and said "Yeah that's a pretty great idea. Let's start tomorrow!"


The real reason you shouldn't be using GitLab is performance. How is it possible that that page took over a minute to load? Nevermind that the design is completely incomprehensible.


I make a habit out of pushing to both gitlab and github. Even if github is technically superior, I don't think we're served well in the long run by monocultures.

(But yes, gitlab's web interfaces are generally frustrating. Slow, bugged, or just organized in ways I find challenging.)


Performance and UI are valid considerations for using or not using any service, but not everyone has the same requirements on either of those.

If you don't find them acceptable, that's legit. Those are the "real reasons" you shouldn't use it. However, those reasons may not apply to others. They don't apply to me, for instance, and as Gitlab has a lot of users, I'm not alone.


Further down the thread there are mentions of Ruby on Rails.

I use gitlab because it allows me > 1 private repo. If there are better solutions then I'm all ears.


Have a look at GitHub. It's a similar service with unlimited private repos for free.


Thanks. Not sure why I was downvoted, but the last time I checked, GH only allowed 1.


They only started allowing free private repos this year: https://github.blog/2019-01-07-new-year-new-github/


You are correct but Github allows them now so I moved back to GH.


I use Bitbucket, unlimited private repos. I believe Github now offers the same, but didn't ~5 years ago.


How can you trust a company like GitLab whose default decision is always bad and then they change direction after public outcry.

Either they don't think before they make decisions or they are just trying to figure out what they can get away with.

This really shows their lack of morality. They kind of remind me of Facebook.


How can you trust a company that does the same things behind closed doors?

With GitLab we know about everything that's happening and can react before bad things happen. This is awesome.


Lol, I think you're forgetting about another provider. Besides you can always try Gitea.


Is the on premise one different? The hosted one leaks data to google and cloudflare.


I don't understand, what changed? This was last updated on the 24th. They said they'll be re-evaluating it and returning later, but afaict they haven't made any statements about a blanket cancellation of the telemetry roll-out.


An email is being sent right now, but emailing at scale... takes time:

---8<---

Dear GitLab users and customers,

On October 23, we sent an email entitled “Important Updates to our Terms of Service and Telemetry Services” announcing upcoming changes. Based on considerable feedback from our customers, users, and the broader community, we reversed course the next day and removed those changes before they went into effect. Further, GitLab will commit to not implementing telemetry in our products that sends usage data to a third-party product analytics service. This clearly struck a nerve with our community and I apologize for this mistake.

So, what happened? In an effort to improve our user experience, we decided to implement user behavior tracking with both first and third-party technology. Clearly, our evaluation and communication processes for rolling out a change like this were lacking and we need to improve those processes. But that’s not the main thing we did wrong.

Our main mistake was that we did not live up to our own core value of collaboration by including our users, contributors, and customers in the strategy discussion and, for that, I am truly sorry. It shouldn’t have surprised us that you have strong feelings about opt-in/opt-out decisions, first versus third-party tracking, data protection, security, deployment flexibility and many other topics, and we should have listened first.

So, where do we go from here? The first step is a retrospective that is happening on October 29 to document what went wrong. We are reaching out to customers who expressed concerns and collecting feedback from users and the wider community. We will put together a new proposal for improving the user experience and share it for feedback. We made a mistake by not collaborating, so now we will take as much time as needed to make sure we get this right. You can be part of the collaboration by posting comments in this issue: https://gitlab.com/gitlab-com/www-gitlab-com/issues/5672 If you are a customer, you may also reach out to your GitLab representative if you have additional feedback.

I am glad you hold GitLab to a higher standard. If we are going to be transparent and collaborative, we need to do it consistently and learn from our mistakes.

Sincerely,
Sid Sijbrandij
Co-Founder and CEO
GitLab


Thanks! That context is sorely needed in their web channels.


Remember when everyone was bailing on github because of evil microsoft?


Most of everyone's main reason was that GitLab was "open source" and also supports free software. As much as they claim to do, I'm afraid that by being partially owned by VCs, they are at the mercy of pleasing those who may conflict with these ideas in favour of adware such as telemetry or ad-tracking.

A very principled move from GitLab to revert this, but I think that GitLab's trust is damaged due to this.


I think it will bring them under more scrutiny, and rightfully so. But this sounds like a misunderstanding, both of the GDPR and of user sentiment, enforced without discussion from the top. They responded quickly, humbly, and transparently in reversing the decision. I'm not sure about long-term erosion of trust, although this may harm subscription levels or contract negotiation in the medium term.


An employee comment in the relevant merge request indicates that they are already knowingly non-compliant with the GDPR. While I applaud their openness, I wonder if this will come back to bite them.


Do you have a link (or screenshot) of that comment?


"This is because we suspect that we are not currently in compliance but cannot expressly call out the gaps until the DPIAs are complete. (Actually, by not having the DPIAs, we are, on our face, out of compliance with GDPR regulations.)"

https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#no...

The author, @cciresi is Candice Ciresi, their Director of Global Risk and Compliance.

https://i.imgur.com/52DUErO.png


The lesson to learn is that you can't trust VC-backed companies to have the same values or behavior through the years.


I'm happy to enable telemetry on my self-hosted Gitlab if that makes gitlab better, maybe make it opt-in instead of opt-out?


Something a little ironic about putting a tracked click link in an email apologizing for adding tracking. That said I firmly believe in opt-in tracking and would likely enable it for my gitlab usage.

