Running "joy" with no arguments attempts user-hostile behavior

[rkeene]

I recently tried out "joy" and I noticed some user-hostile behavior.

• It attempted to read ~/.aws/credentials
• It apparently attempts to keep track of, and possible exfiltrate, my activities

[matthewmueller]

It attempted to read ~/.aws/credentials

It doesn't read any AWS credentials, it does use AWS credentials (my personal credentials) for sending metrics.

I'll probably change this anyway to just being an API endpoint. I don't really like my credentials floating around.

It apparently attempts to keep track of, and possible exfiltrate, my activities

Nothing hostile. It just measures what features are being used, if there are any compiler errors and how long the compiler is taking. For more information: https://mat.tm/joy/#faq-metrics

It's all open source under:

• https://github.com/matthewmueller/joy/blob/master/internal/env/env.go
• https://github.com/matthewmueller/joy/blob/master/internal/stats/stats.go

[matthewmueller]

UPDATE: Ah, I think I see the issue on (1):

https://github.com/matthewmueller/joy/blob/master/internal/env/env.go#L23-L25

If you have those environment variables set, it'll read from them. This was for my development purposes, but I need to fix this. Maybe I should prefix those environment variables with JOY_.

Would that work for you?

[matthewmueller]

prefixed with JOY_* in master

[rkeene]

Regarding reading ~/.aws/credentials -- it is attempting to access that file, as verified by strace, not the environment variables.

Collecting my information from me for your use is hostile. It is my information, not yours.

[rkeene]

I'm not sure why you closed this ticket without taking any functional actions -- reading different environment variables has nothing to do with either issue I reported, in which I specified a file and reported other hostile behavior.

[theclapp]

@matthewmueller You should probably review the AWS library and make sure it's not trying to open ~/.aws/credentials by default or without your knowledge and configure Joy to not do that.

And, you know, maybe stop sending compiler metrics from random users back to Amazon at all. At best there should be a toggle for that and it should be opt-in. I don't really see a need for random compiler authors to know how much code I'm compiling or the errors I'm getting, and certainly not the IP address from which I'm doing it. If you want that information, you should ask.

Also be advised that the #faq-metrics anchor in https://mat.tm/joy/#faq-metrics doesn't work.

[matthewmueller]

You should probably review the AWS library and make sure it's not trying to open ~/.aws/credentials by default or without your knowledge and configure Joy to not do that.

Yah, I think that's the issue here – it's opening that file but not actually doing anything with it because it's reading from values baked in or in the environment. there must be a way to just pull from env or use the supplied credentials. I'll investigate.

And, you know, maybe stop sending compiler metrics from random users back to Amazon at all. At best there should be a toggle for that and it should be opt-in

I don't really understand the problem here other than perhaps pre-existing expectations. There are tons of CLIs, webapps, operating systems, etc. that collect usage metrics to improve their experiences. It's more transparent than most since it's completely open source and you're free to fork. That being said, I will get to this eventually and will happily accept a PR to better support disabling.

Also be advised that the #faq-metrics anchor in https://mat.tm/joy/#faq-metrics doesn't work.

Weird, will fix. For now: https://mat.tm/joy/#faq and scroll down to "What metrics do you collect?"

[johanbrandhorst]

Seems like there's a space at the end of faq-metrics: https://mat.tm/joy/#faq-metrics%20

[matthewmueller]

Seems like there's a space at the end of faq-metrics: https://mat.tm/joy/#faq-metrics%20

good eye! fixed now. my editor's auto-formatting botched the HTML the other day and I've been trying to fix random issues ever since 😅

[rkeene]

The job of a transpiler/compiler is to ingest my work and source code and produce output in the specified form. Collecting information about my work and sending it to 3rd parties is not only not part of the job, it is not in my best interest. The things that I do using the tool are my business, and I am a completely unrelated entity from you.

[tj]

@rkeene don't use it?

[matthewmueller]

@rkeene let's step back a second. Here are some of the questions I'd like to be able to answer:

• Roughly, how many people are using Joy?
• Roughly, is it growing? is it shrinking? is it flatlining?
• What kinds of errors are people running into?

I'm very open to any solution that will address your privacy concerns while helping me answer these kinds of questions about what I'm building.

---

One more thing I should mention, if you go get there's no metric collection. It's just on the binary build.

[rkeene]

Just because you want to know about the comings and goings of other people in their own domains does not mean that you should or that people will forgive you when they notice the intrusion.

[influx6]

@rkene This is as transparent as it gets if you are unsatisfied you could just not use the library. It's licensed in a way to avoid such issues. I have no issues with a library getting metrics as far as it's transparent to see what is does.

[silbinarywolf]

I'd much rather you collect metrics by default so Joy is easier to improve. Ideally though, I feel making those metrics easily viewable by all would be nice touch if it's easy enough to do.

[tryy3]

I personally don't care if people track my usage so I am all for joy collecting metrics and such. But in today's society collecting metrics of any sort, has become a hot topic where people want to know exactly what you collect and the possibility to opt-in/opt-out.

Imo we should let people know that metrics is being collected when installed, maybe with some patch to the installer. Also we should make it possible to opt-out in a easy way. I believe nowadays most software's and such does opt-in where they ask for metrics when installing, of course there is exceptions. But at least a opt-out for collecting metrics would make people happier when joy grows.

Also like the comment above, making the metrics viewable would allow people to see exactly what is being collected and also help other developers that want to contribute to joy and see what the biggest issues is currently and where the focus should be headed.

[rkeene]

Have the ramifications of the EU GDPR on the collection of the end-user information without opt-in or consent been studied ?