Homebrew is arguably the best package manager for OSX around. It’s a great project, I’ve been using it for years, and it’s doing what it’s supposed to in a very clean manner. Unfortunately, the team decided to track the behaviour of its users via Google Analytics.
This is bad.
- Open Source is about trust. Trust is undermined by things like tracking.
- Do not track your users. In the rare case you really need anonymous data, ask your users first.
- Never use Google products (or any other “big data” company that relies on making money out of the data you provide) to track your users.
- Using Google’s tracking and then calling it “anonymous” is a lie. Google collects tons of information about its users and even non-users. There’s no way to know what data Google will relate internally. Even if you don’t get to see all of the collected information, Google still has it.
- Opt-out is never an excuse. It always excludes most users (who either don’t care, or have more severe things to care about than protecting their privacy in every random app they’re using).
Read on to learn how to fix the issue, at least for yourself.
Edit: I’ve been contacted by a Homebrew maintainer and have been asked to remove the link to the GitHub issue. His arguments about keeping the issue to the topic convinced me, and I was sad to hear that he apparently received tons of personally insulting emails. When I asked for a more appropriate way to provide feedback, he didn’t give any and stated that they won’t make the tracking procedure opt-in. They also have removed all comments regarding complaints about their tracking from the issue. I wrote a final comment in the comment section, which was deleted immediately. For completeness, I’m quoting it here:
While I can understand you want to keep this Issue productive, I find it disturbing how Homebrew deals with massive complaints from an open-source-loving community (see HN, Reddit, etc. discussions). Don’t just delete this away and hope everybody just forgets about this.
I know this will probably be deleted in a minute and you guys will probably ban me, but I’m still writing this so people get notified via email etc.
There are people out there for whom this is a serious issue. I beg you do not take this lightly. I want to tell people “Homebrew is good, use it” and not “Homebrew is kinda good, but before you use it make sure to paste this-and-this in your terminal and also block this and that, otherwise you’ll be tracked”.
Fixing the issue
Homebrew ships with an option to opt out of the tracking.
- Set the environment variable HOMEBREW_NO_ANALYTICS=1
- Or run
git config --file="$(brew --repository)/.git/config" --replace-all homebrew.analyticsdisabled true
A more general approach (as there are other programs out there that are less nice than Homebrew) is to block known tracking hosts.
This can be done either with something like Little Snitch or by setting up an adblocking /etc/hosts file. The latter option is free and pretty straightforward. You can use the following script to collect well-known tracking services and tell your computer to not resolve them.
```sh
#!/bin/sh
#
# This code is GPLv3

HOSTSFILE=hosts
TMPFILE=/tmp/aosp-hosts-file

echo "Updating adblocking hosts file..."
curl "http://hosts-file.net/download/hosts.txt" > $TMPFILE
curl "http://winhelp2002.mvps.org/hosts.txt" >> $TMPFILE
curl "http://pgl.yoyo.org/adservers/serverlist.php?mimetype=plaintext&hostformat=hosts" >> $TMPFILE
curl "http://someonewhocares.org/hosts/hosts" >> $TMPFILE

echo "# This is a generated hostfile for adblocking.
# Sources:
# - http://hosts-file.net/download/hosts.txt
# - http://www.mvps.org/winhelp2002/hosts.txt
# - http://pgl.yoyo.org/adservers/serverlist.php?mimetype=plaintext&hostformat=hosts
# - http://someonewhocares.org/hosts/hosts

# Localhost entries
127.0.0.1 localhost
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
" > $HOSTSFILE

# Streamline all entries to use 0.0.0.0
gsed -i 's/127\.0\.0\.1/0\.0\.0\.0/' $TMPFILE
# Remove other localhost entries
gsed -i '/localhost/d' $TMPFILE
# Remove comments
gsed -i 's/#.*$//g' $TMPFILE
# Replace tabs with spaces
gsed -i 's/\t/ /g' $TMPFILE
# Also block ipv6
gsed -i 's/\(0\.0\.0\.0\)\(.*\)/\1\2\n::0\2/' $TMPFILE
# Sort and remove duplicates and empty lines
sort -u $TMPFILE |grep -v '^\s*$' >> $HOSTSFILE

dos2unix $HOSTSFILE
rm $TMPFILE
```
This script downloads known tracking services or other malicious domains from three different sources, removes duplicates, and makes sure both IPv4 and IPv6 addresses are blocked.
Save it as get-hosts.sh and you can use it like so:
```sh
# Install dependencies, but make sure tracking is disabled
export HOMEBREW_NO_ANALYTICS=1
brew install dos2unix
brew install gnu-sed

# Generate hosts file
chmod +x get-hosts.sh
./get-hosts.sh

# Inspect the hosts file if you're paranoid, then deploy it
sudo mv hosts /etc/hosts
```
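The script fetches its lists over plain HTTP and only rewrites 127.0.0.1, so an entry carrying any other address would land in /etc/hosts unchanged. The following is an added example, not part of the original script, that automates the inspection step: the helper name check_hosts and the sample data are constructed here, and it fails unless every entry is either the script's own localhost header or a 0.0.0.0 / ::0 block entry with a plausible host name.

```shell
#!/bin/sh
# Added example: check a generated hosts file before moving it to /etc/hosts.
# check_hosts and sample_hosts are hypothetical names, not part of get-hosts.sh.

# Reads the file given as $1 (or stdin), prints every suspicious entry with
# its line number, and returns 1 if at least one was found.
check_hosts() {
    awk '
        BEGIN {
            # Header entries that get-hosts.sh writes itself (verbatim only)
            ok["127.0.0.1 localhost"] = 1
            ok["::1 ip6-localhost ip6-loopback"] = 1
            ok["fe00::0 ip6-localnet"] = 1
            ok["ff00::0 ip6-mcastprefix"] = 1
            ok["ff02::1 ip6-allnodes"] = 1
            ok["ff02::2 ip6-allrouters"] = 1
            ok["ff02::3 ip6-allhosts"] = 1
        }
        { sub(/\r$/, ""); sub(/#.*/, "") }   # drop CR and comments
        NF == 0 { next }                     # nothing left on this line
        { $1 = $1 }                          # squeeze runs of whitespace
        $0 in ok { next }
        # Block entry: sink address followed by host names only
        ($1 == "0.0.0.0" || $1 == "::0") && NF >= 2 {
            valid = 1
            for (i = 2; i <= NF; i++)
                if ($i !~ /^[A-Za-z0-9._-]+$/) valid = 0
            if (valid) next
        }
        # Anything else resolves a name somewhere real or is not a hosts line
        { print "line " NR ": " $0; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "${1:--}"
}

# Constructed sample: two clean block entries, one entry pointing at a real
# (documentation-range) address, and one line of HTML from a failed download.
sample_hosts() {
    cat <<'EOF'
# This is a generated hostfile for adblocking.
127.0.0.1 localhost
0.0.0.0 tracker.example
::0 tracker.example
203.0.113.7 updates.example
0.0.0.0 <html>
EOF
}
```

With the function sourced into the shell, `./get-hosts.sh && check_hosts hosts && sudo mv hosts /etc/hosts` deploys the file only when the check passes; flagged lines still need a human decision.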
What Homebrew should do
- Homebrew should (really!) make the tracking opt-in. A “really ask your user whether it’s ok” opt-in.
- It should really consider other methods for the goals it wants to achieve (like finding out “most-used” packages), and make sure they are really necessary.