chr4

Devops. I've never asked for this.

Homebrew betrayed us all to Google

Homebrew is arguably the best package manager for OSX around. It’s a great project, I’ve been using it for years, and it’s doing what it’s supposed to in a very clean manner. Unfortunately, the team decided to track the behaviour of its users via Google Analytics.

This is bad.

  1. Open Source is about trust. Trust is undermined by things like tracking.
  2. Do not track your users. In the rare case you really need anonymous data, ask your users first.
  3. Never use Google products (or any other “big data” company that relies on making money out of the data you provide) to track your users.
  4. Using Google’s tracking and then calling it “anonymous” is a lie. Google collects tons of information about its users and even non-users. There’s no way to know what data Google will relate internally. Even if you don’t get to see all of the collected information, Google still has it.
  5. Opt-out is never an excuse. It always excludes most users (who either don’t care, or have more severe things to care about than protecting their privacy in every random app they’re using).

Read on to learn how to fix the issue, at least for yourself.

Edit: I’ve been contacted by a Homebrew maintainer and have been asked to remove the link to the Github issue. His arguments about keeping the issue to the topic convinced me, and I was sad to hear that he apparently received tons of personally insulting emails. When I asked for a more appropriate way to provide feedback, he didn’t give any and stated that they won’t make the tracking procedure opt-in. They also have removed all comments regarding complaints about their tracking from the issue. I wrote a final comment in the comment section, which was deleted immediately. For completeness, I’m quoting it here:

While I can understand you want to keep this Issue productive, I find it disturbing how Homebrew deals with massive complaints from an open-source-loving community (see HN, Reddit, etc. discussions). Don’t just delete this away and hope everybody just forgets about this.

I know this will probably be deleted in a minute and you guys will probably ban me, but I’m still writing this so people get notified via email/ etc.

There are people out there for whom this is a serious issue. I beg you do not take this lightly. I want to tell people “Homebrew is good, use it” and not “Homebrew is kinda good, but before you use it make sure to paste this-and-this in your terminal and also block this and that, otherwise you’ll be tracked”.

Fixing the issue

Homebrew ships with an option to opt-out of the tracking.

  • Set the environment variable HOMEBREW_NO_ANALYTICS=1
  • Or run git config --file="$(brew --repository)/.git/config" --replace-all homebrew.analyticsdisabled true

A more general approach (as there are other programs out there, which are less nice than Homebrew) is to block known tracking hosts. This can be either done using something like Little Snitch, or by setting up an adblocking /etc/hosts file. The latter option is free and pretty straightforward. You can use the following script to collect well-known tracking services and tell your computer to not resolve them.

#!/bin/sh
#
# This code is GPLv3

HOSTSFILE=hosts
# Create the temp file with mktemp instead of a fixed, predictable name in /tmp
TMPFILE=$(mktemp /tmp/aosp-hosts-file.XXXXXX)

echo "Updating adblocking hosts file..."

curl "http://hosts-file.net/download/hosts.txt" > $TMPFILE
curl "http://winhelp2002.mvps.org/hosts.txt" >> $TMPFILE
curl "http://pgl.yoyo.org/adservers/serverlist.php?mimetype=plaintext&hostformat=hosts" >> $TMPFILE
curl "http://someonewhocares.org/hosts/hosts" >> $TMPFILE

echo "# This is a generated hostfile for adblocking.
# Sources:
# - http://hosts-file.net/download/hosts.txt
# - http://www.mvps.org/winhelp2002/hosts.txt
# - http://pgl.yoyo.org/adservers/serverlist.php?mimetype=plaintext&hostformat=hosts
# - http://someonewhocares.org/hosts/hosts

# Localhost entries
127.0.0.1 localhost
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
" > $HOSTSFILE

# Streamline all entries to use 0.0.0.0
gsed -i 's/127\.0\.0\.1/0\.0\.0\.0/' $TMPFILE

# Remove other localhost entries
gsed -i '/localhost/d' $TMPFILE

# Remove comments
gsed -i 's/#.*$//g' $TMPFILE

# Replace tabs with spaces
gsed -i 's/\t/ /g' $TMPFILE

# Also block ipv6
gsed -i 's/\(0\.0\.0\.0\)\(.*\)/\1\2\n::0\2/' $TMPFILE

# Sort and remove duplicates and empty lines
sort -u $TMPFILE |grep -v '^\s*$' >> $HOSTSFILE

dos2unix $HOSTSFILE

rm $TMPFILE

This script downloads lists of known tracking services and other malicious domains from three different sources, removes duplicates, and makes sure both IPv4 and IPv6 addresses are blocked. Save it as get-hosts.sh and use it like so:

# Install dependencies, but make sure tracking is disabled
export HOMEBREW_NO_ANALYTICS=1
brew install dos2unix
brew install gnu-sed

# Generate hosts file
chmod +x get-hosts.sh
./get-hosts.sh

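# Inspect the hosts file if you're paranoid, then deploy it.
# Keep a backup, and install the file as root-owned: a plain mv would leave
# /etc/hosts owned (and writable) by your own user account.
sudo cp /etc/hosts /etc/hosts.bak
sudo install -m 644 -o root -g wheel hosts /etc/hosts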
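
The inspection step can be automated. get-hosts.sh fetches its lists over plain HTTP and only rewrites 127.0.0.1 entries, so a line carrying any other address would pass through unchanged into /etc/hosts. The following check is an added example, not part of the original post; the function name audit_hosts and the sample entries are made up for illustration.

```sh
#!/bin/sh
# Added example, not part of the original post: audit a generated blocklist
# before it replaces /etc/hosts. audit_hosts is a hypothetical helper name.

# Prints every active line that is neither a sinkhole entry (0.0.0.0 or ::0
# followed by hostnames) nor one of the header lines get-hosts.sh writes.
# Returns 1 if anything was flagged, 0 if the file is clean.
audit_hosts() {
    awk '
    BEGIN {
        header["127.0.0.1 localhost"] = 1
        header["::1 ip6-localhost ip6-loopback"] = 1
        header["fe00::0 ip6-localnet"] = 1
        header["ff00::0 ip6-mcastprefix"] = 1
        header["ff02::1 ip6-allnodes"] = 1
        header["ff02::2 ip6-allrouters"] = 1
        header["ff02::3 ip6-allhosts"] = 1
    }
    function flag() { printf "line %d: %s\n", NR, $0; bad++ }
    { sub(/#.*/, "") }                  # strip comments
    NF == 0 { next }                    # skip blank lines
    { $1 = $1 }                         # squeeze whitespace to single spaces
    ($0 in header) { next }             # localhost entries from the header
    ($1 != "0.0.0.0" && $1 != "::0") || NF < 2 { flag(); next }
    {
        for (i = 2; i <= NF; i++)
            if ($i !~ /^[A-Za-z0-9_]([A-Za-z0-9_.-]*[A-Za-z0-9_])?$/) {
                flag(); next
            }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample: one header line, two sinkhole lines, and two lines that
# a tampered or broken download could introduce (a real address, stray HTML).
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1 localhost
0.0.0.0 ads.example.com
::0 ads.example.com
203.0.113.7 login.example.org
0.0.0.0 <html>
EOF
audit_hosts "$sample" || echo "not installing: review the lines listed above"
```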

What Homebrew should do

  1. Homebrew should (really!) make the tracking opt-in. A “really ask your user whether it’s ok” opt-in.
  2. It should really consider other methods for the goals it wants to achieve (like finding out “most-used” packages), and make sure they are really necessary.