If you're using #devenv for your projects, please note that the new `generate` command in 1.4.0 uses your repository content.

It tars up all files it can find through `git ls-files -z`³ and exfiltrates them to the service.

It handles `DO_NOT_TRACK=`¹ by sending that intent along² as a query string, so now you need to trust the service to not keep data.

🧵 1/n

[1] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/cli.rs#L202-L204
[2] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/devenv.rs#L212-L214
[3] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/devenv.rs#L226-L257
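
A pre-flight check for the behaviour described above, added here as an example (not devenv's own code): it parses the NUL-separated output of `git ls-files -z`, the listing the post says gets tarred and sent, and reports which tracked paths look like secrets before anything leaves the machine. The sensitive-name globs and the embedded sample listing are constructed assumptions.

```python
"""Show what a `git ls-files -z` based upload would contain (example, not devenv code)."""
import fnmatch
import os
import subprocess

# Constructed sample in the exact `git ls-files -z` format: NUL-terminated paths,
# so even a filename containing a newline is one field.
SAMPLE_LISTING = b"flake.nix\0src/main.rs\0.env\0config/id_rsa\0notes\nwith newline.md\0"

# Assumed patterns for names that usually hold credentials; extend for your repos.
SENSITIVE_GLOBS = (".env", ".env.*", "*.pem", "*.key", "id_rsa", "id_ed25519", "*.p12", "*.kdbx")


def parse_ls_files_z(data: bytes) -> list[str]:
    """Split `git ls-files -z` output into paths, dropping the empty trailing field."""
    return [p.decode("utf-8", "surrogateescape") for p in data.split(b"\0") if p]


def flag_sensitive(paths: list[str]) -> list[str]:
    """Return the tracked paths whose basename matches a sensitive glob."""
    return [p for p in paths
            if any(fnmatch.fnmatch(os.path.basename(p), g) for g in SENSITIVE_GLOBS)]


def upload_size(paths: list[str], root: str = ".") -> int:
    """Bytes on disk for the listed paths, i.e. roughly what a tar of them would carry."""
    return sum(os.path.getsize(os.path.join(root, p))
               for p in paths if os.path.isfile(os.path.join(root, p)))


def tracked_paths(root: str = ".") -> list[str]:
    """Run the same listing command the post cites; needs git and a checkout."""
    out = subprocess.run(["git", "-C", root, "ls-files", "-z"],
                         check=True, capture_output=True).stdout
    return parse_ls_files_z(out)


if __name__ == "__main__":
    try:
        paths = tracked_paths()
    except (OSError, subprocess.CalledProcessError):
        paths = parse_ls_files_z(SAMPLE_LISTING)  # fall back to the constructed sample
    print(f"{len(paths)} tracked paths, {upload_size(paths)} bytes on disk")
    for p in flag_sensitive(paths):
        print("would be uploaded and looks sensitive:", p)
```

Run it from the repository root before invoking the command to see the full set of tracked files that would be archived.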

The #devenv CLI does not do informed consent and neither `devenv.sh` nor `devenv.new` has a privacy policy or will tell you who runs the service and who it shares its data with.

In #nixpkgs the package was bumped to 1.4.0 after which a contributor immediately sent a follow-up PR¹ to enable `DO_NOT_TRACK=1` when wrapping the devenv binary.

This was promptly reverted² by the author of devenv.

🧵 2/n

[1] https://github.com/NixOS/nixpkgs/pull/381817
[2] https://github.com/NixOS/nixpkgs/pull/381981

Unfortunately #nixpkgs is not well-equipped to resolve this conflict. There is no explicit policy and common sense seems not to be equally distributed.

Ultimately this is a governance issue for #NixOS where the steering committee would be in a great position to limit the scope of what is acceptable behaviour.

In fact, if you have an opinion on the matter, please reach out to any steering committee representative and tell them:

https://github.com/NixOS/org/blob/main/doc/governance.md

🧵 3/n

The backing service is https://devenv.new, which creates the scaffolding from a prompt. That seemed pretty innocent in comparison.

But the documentation for the executable clearly states "based on your existing git source code"¹, so the behaviour is to be expected.

What is not to be expected is the lack of a privacy policy and informed consent. Your repository content is for example being passed on to Google Gemini.

🧵 4/n

[1] https://devenv.sh/blog/2025/02/13/devenv-14-generating-nix-developer-environments-using-ai/

@hexa I noticed the PR discussion but… they upload your repo? Wow that's bad. Had no idea. Instant breach of contract had I used it on a client's code 😳