If you're using #devenv for your projects, please note that the new `generate` command in 1.4.0 uses your repository content.

It tars up all files it can find through `git ls-files -z`³ and exfiltrates them to the service.

It handles `DO_NOT_TRACK=`¹ by sending that intent along² as a query string, so now you need to trust the service to not keep data.

🧵 1/n

[1] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/cli.rs#L202-L204
[2] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/devenv.rs#L212-L214
[3] https://github.com/cachix/devenv/blob/6c987a8795eedea872afe4d1c1ac518d0c7f6db1/devenv/src/devenv.rs#L226-L257
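To make the distinction concrete, here is an added example in Python (mine, not devenv's code; the endpoint, the `do_not_track` parameter name and the sample repository listing are all assumptions). It models the pattern the post describes, a tarball of everything `git ls-files -z` reports being sent with the opt-out only forwarded as a query parameter, next to a client that decides locally: with `DO_NOT_TRACK` set nothing is archived or sent, and otherwise tracked files whose names look like secrets are refused before any upload is planned.

```python
import io
import os
import tarfile
from urllib.parse import urlencode

# Constructed stand-in for the raw output of `git ls-files -z`:
# NUL-terminated entries.  Not captured from a real repository.
SAMPLE_LS_FILES_Z = b"devenv.nix\0devenv.yaml\0src/main.rs\0.env\0deploy/id_ed25519\0"

# Constructed working-tree contents keyed by path.
SAMPLE_TREE = {
    "devenv.nix": b"{ pkgs, ... }: { packages = [ pkgs.git ]; }\n",
    "devenv.yaml": b"inputs: {}\n",
    "src/main.rs": b"fn main() {}\n",
    ".env": b"DATABASE_URL=postgres://app:hunter2@db/prod\n",
    "deploy/id_ed25519": b"-----BEGIN OPENSSH PRIVATE KEY-----\n...\n",
}

# Hypothetical endpoint; NOT devenv's real service URL.
HYPOTHETICAL_ENDPOINT = "https://example.invalid/generate"

# File-name fragments that usually mean credential material.
SECRET_NAME_MARKERS = (".env", "id_rsa", "id_ed25519", ".pem", ".key", "credentials")


def parse_ls_files_z(raw):
    """Split `git ls-files -z` output (NUL-terminated entries) into a list of paths."""
    return [p.decode() for p in raw.split(b"\0") if p]


def flag_secret_like(paths):
    """Return the tracked paths whose basename suggests secret material."""
    return [p for p in paths if any(m in os.path.basename(p) for m in SECRET_NAME_MARKERS)]


def build_tarball(paths, tree):
    """Pack the listed paths into a gzip-compressed tar held in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for p in paths:
            data = tree[p]
            info = tarfile.TarInfo(name=p)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def tar_names(blob):
    """List the member names of an in-memory gzip'd tar (used to inspect a plan)."""
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        return tar.getnames()


def do_not_track_set(env):
    """Console Do Not Track convention as commonly read: DO_NOT_TRACK=1 opts out."""
    return env.get("DO_NOT_TRACK", "").strip().lower() in ("1", "true")


def plan_upload_forwarding_intent(env, raw_ls_files, tree):
    """The pattern the post describes: the opt-out is only relayed to the server
    as a query parameter, and the whole archive is built and sent regardless."""
    paths = parse_ls_files_z(raw_ls_files)
    query = urlencode({"do_not_track": "1"}) if do_not_track_set(env) else ""
    url = HYPOTHETICAL_ENDPOINT + ("?" + query if query else "")
    return {"url": url, "files": paths, "body": build_tarball(paths, tree)}


def plan_upload_honoring_intent(env, raw_ls_files, tree):
    """Hardened form: the decision is made on the client.  With DO_NOT_TRACK set
    nothing is archived or sent (returns None); otherwise secret-looking tracked
    files abort the upload instead of being packed into the archive."""
    if do_not_track_set(env):
        return None
    paths = parse_ls_files_z(raw_ls_files)
    suspicious = flag_secret_like(paths)
    if suspicious:
        raise PermissionError(f"refusing to upload files that look like secrets: {suspicious}")
    return {"url": HYPOTHETICAL_ENDPOINT, "files": paths, "body": build_tarball(paths, tree)}


if __name__ == "__main__":
    env = {"DO_NOT_TRACK": "1"}
    leaky = plan_upload_forwarding_intent(env, SAMPLE_LS_FILES_Z, SAMPLE_TREE)
    print("forwarding pattern still sends:", tar_names(leaky["body"]), "to", leaky["url"])
    print("honoring pattern sends:", plan_upload_honoring_intent(env, SAMPLE_LS_FILES_Z, SAMPLE_TREE))
```

The point the two plan functions make is that a `DO_NOT_TRACK` value that travels with the request is a request to the operator, while one that short-circuits the client before the archive exists is a guarantee; the secret-name check is the kind of local pre-flight a user would want before any repository content is handed to a third party.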


The #devenv CLI does not do informed consent, and neither `devenv.sh` nor `devenv.new` has a privacy policy or will tell you who runs the service and who it shares its data with.

In #nixpkgs the package was bumped to 1.4.0 after which a contributor immediately sent a follow-up PR¹ to enable `DO_NOT_TRACK=1` when wrapping the devenv binary.

This was promptly reverted² by the author of devenv.

🧵 2/n

[1] https://github.com/NixOS/nixpkgs/pull/381817
[2] https://github.com/NixOS/nixpkgs/pull/381981


Unfortunately #nixpkgs is not well-equipped to resolve this conflict. There is no explicit policy and common sense seems not to be equally distributed.

Ultimately this is a governance issue for #NixOS where the steering committee would be in a great position to limit the scope of what is acceptable behaviour.

In fact, if you have an opinion on the matter, please reach out to any steering committee representative and tell them:

https://github.com/NixOS/org/blob/main/doc/governance.md

🧵3/n

@hexa Do you mean in a packaging sense, or like a denouncement of action created by the NixOS organization?

@soupglasses Nixpkgs can control what it allows to be redistributed and what modifications are applied to it.

It also has the power to control who exerts power.

But these are really just examples, and I'm sure you have your own gripes that don't overlap with mine.

@hexa @soupglasses There is a discussion around that on discourse if you're interested

https://discourse.nixos.org/t/should-commercial-actors-ship-telemetry-in-nixpkgs/60279

Personally, I find the situation quite bizarre; it kind of completely conflicts with my belief on how a FOSS space should function.

#nix #nixos


@ck @hexa Okay okay okay. I think this is very important to pull forward.

> The events around devenv 1.4 sending telemetry by default to train their AI model

This is beyond fucked up. Holy shit.

@soupglasses @ck @hexa Given that nix governance has largely been taken control of by outright bigots working for war profiteers (Jon Ringer, who threw a hissy fit so intense over DEI in the community he was banned... then somehow this was all reverted and he gained even more control?) this lack of ability to push back on telemetry is hardly surprising, unfortunately.

This "we should take no actions" stance is rather consistent with the kind of decisions and actions that resulted in the lix fork.

(this is also another huge mistake on their part; under no circumstances should that guy have force pushed telemetry, nor should he have been allowed to re-enable it by default).