hexa-Feb 15, 2025

If you're using #devenv for your projects, please note that the new `generate` command in 1.4.0 uses your repository content.

It tars up all files it can find through `git ls-files -z`鲁 and exfiltrates them to the service.

It handles `DO_NOT_TRACK=`鹿 by sending that intent along虏 as a query string, so now you need to trust the service to not keep data.

馃У 1/n

[1] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/cli.rs#L202-L204
[2] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/devenv.rs#L212-L214
[3] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/devenv.rs#L226-L257

devenv/devenv/src/cli.rs at 6c987a8795eedea872afe4d1c1ac518d0c7f6db1 路 cachix/devenv

Fast, Declarative, Reproducible, and Composable Developer Environments - cachix/devenv

GitHub
Show threadhexa-Feb 15, 2025

The #devenv CLI does not do informed consent and neither `devenv.sh` nor `devenv.new` have a privacy policy or will tell you who runs the service and who it shares its data with.

In #nixpkgs the package was bumped to 1.4.0 after which a contributor immediately sent a follow-up PR鹿 to enable `DO_NOT_TRACK=1` when wrapping the devenv binary.

This was promptly reverted虏 by the author of devenv.

馃У2/n

[1] https://github.com/NixOS/nixpkgs/pull/381817
[2] https://github.com/NixOS/nixpkgs/pull/381981

devenv: disable telemetry by default by kampka 路 Pull Request #381817 路 NixOS/nixpkgs

Packages and modules in nixpkgs have a proven history of disabling / opting out of telemetry on behalf of their users. I believe it's reasonable to assume the same would be expected from the de...

GitHub
Show threadMOVED TO @[email protected]
@hexa i dont know what's more insane, how they added that completely silently or the way it works
Feb 15, 2025 at 9:40pmWeb