If you're using #devenv for your projects, please note that the new `generate` command in 1.4.0 uses your repository content.

It tars up all files it can find through `git ls-files -z`³ and exfiltrates them to the service.

It handles `DO_NOT_TRACK=`¹ by sending that intent along² as a query string, so now you need to trust the service to not keep data.

🧵 1/n

[1] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/cli.rs#L202-L204
[2] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/devenv.rs#L212-L214
[3] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/devenv.rs#L226-L257
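
To see what that enumeration covers in a given repository before running `generate`, here is an added example (not part of the original post and not devenv's code) that parses the same NUL-delimited `git ls-files -z` output and flags tracked files that look like secrets. The pattern list, function names and sample paths are assumptions made for illustration.

```python
import fnmatch
import os
import subprocess
import sys

# Assumed, non-exhaustive basename patterns for files that commonly hold secrets.
SENSITIVE_PATTERNS = [
    ".env", ".env.*", "*.pem", "*.key", "*.p12", "*.pfx", "*.kdbx",
    "id_rsa", "id_ed25519", ".npmrc", ".netrc", "credentials*",
    "secrets.*", "*.tfstate", "*.tfvars",
]

# Constructed sample of `git ls-files -z` output (note the newline in one name).
SAMPLE = (b"README.md\0devenv.nix\0deploy/.env.production\0"
          b"certs/server.KEY\0src/odd\nname.rs\0infra/prod.tfstate\0")


def parse_ls_files(raw):
    """Split NUL-delimited `git ls-files -z` output into path strings."""
    return [os.fsdecode(p) for p in raw.split(b"\0") if p]


def flag_sensitive(paths):
    """Return paths whose basename matches a sensitive pattern, ignoring case."""
    hits = []
    for path in paths:
        name = os.path.basename(path).lower()
        if any(fnmatch.fnmatchcase(name, pat) for pat in SENSITIVE_PATTERNS):
            hits.append(path)
    return hits


def tracked_files(repo="."):
    """List the files git tracks in `repo`, the set named in the post."""
    result = subprocess.run(["git", "-C", repo, "ls-files", "-z"],
                            check=True, capture_output=True)
    return parse_ls_files(result.stdout)


if __name__ == "__main__":
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    paths = tracked_files(repo)
    flagged = flag_sensitive(paths)
    print(f"{len(paths)} tracked files would be enumerated")
    for path in flagged:
        print(f"  review before sharing: {path!r}")
    sys.exit(1 if flagged else 0)
```

Files matched only by `.gitignore` and never committed do not appear in this list; anything already committed does, including secrets checked in by mistake.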

The #devenv CLI does not do informed consent, and neither `devenv.sh` nor `devenv.new` has a privacy policy or tells you who runs the service and who it shares its data with.

In #nixpkgs the package was bumped to 1.4.0, after which a contributor immediately sent a follow-up PR¹ to enable `DO_NOT_TRACK=1` when wrapping the devenv binary.

This was promptly reverted² by the author of devenv.

🧵2/n

[1] https://github.com/NixOS/nixpkgs/pull/381817
[2] https://github.com/NixOS/nixpkgs/pull/381981

@hexa what? Can u explain it to me like im 3 and like i didnt just convince my colleagues that devenv is cool and we should start adding it to our private repos?

@april

April, please be careful with the generate command.

April, don't publish your private information to the internet.

April, be wary when the privacy policy does not exist or is "trust me, bro".