nuxt / telemetry

Nuxt Telemetry
MIT License

Consent disabled on ci/production #34

Closed robconery closed 3 years ago

robconery commented 3 years ago

I've tried 3 times now on machines that have Node installed without Nuxt and not once have I seen the prompt that allows you to opt out of telemetry. I know I can disable it and I have - but I also know there is supposed to be a prompt in the CLI and I haven't seen it once when creating a new project.

LinusBorg commented 3 years ago

Can you check if there's a .nuxtrc file in your user directory?

The telemetry can be enabled or disabled globally with a flag, which saves the choice in that file in the user directory.

Maybe that happened for you for some reason

robconery commented 3 years ago

Yep it's there with a telemetry.seed and yes, as I've been told now (repeatedly) I know there are ways to disable telemetry. This issue is here because there's supposed to be an opt-in prompt in the CLI and it seems to be disabled.

pi0 commented 3 years ago

Hi dear @robconery thanks for making the issue.

Actually it is finally the team's decision to make a change or not, but technically it is intended that we skip the prompt on headless environments (src) since making a prompt basically breaks CIs, and not doing so we would miss almost all telemetry data of CodeSandbox, Vercel, Netlify, etc. We had an alternative choice to enforce consent per project and persist it, but after the initial version many reported it is a frustrating prompt, so we made it one-time per machine.

Also consider that telemetry is not the only package that sends metrics. Basically any npm dependency installed in a CI environment can use a postinstall script to send a network request (like dependencies using the OpenCollective hook, so please beware to also disable each!). So if privacy is really a matter, it is your job (DevOps and Firewall) to set proper rules to prohibit external access from Container and Production servers. If there was not an error on CI, perhaps you would never notice this one. Other dependencies may actually leak source code with a silent hook...

Also, comparing to similar frameworks, we at least make a one-time prompt on the machine instead of completely making it silent. Also stats are not only hashed, but hashed with a (machine+project) seed, so we cannot ever even track developer activity. We really did our best to respect privacy as much as possible without losing DX or the possibility to have proper stats.

Anyway, I personally think it could be a nice feature if we run the telemetry prompt after the create-nuxt-app wizard since we are already asking more questions. /cc @clarkdo @Atinux

robconery commented 3 years ago

If I understand your reply - you're saying you have a prompt but you disabled it because it was... breaking things so you opt-in everyone automatically, even in a production environment. And you're contending that automatically opting in my application is OK because other projects are doing it.

The only telemetry that was emanating from my app was from Nuxt and I didn't opt-in to that and now it appears I was never given the chance. We can argue whether this is a good idea or not - however this issue is about the CLI not prompting me for opt-in. Am I understanding you to say that there is a prompt and it's disabled and you don't intend to fix it?

robconery commented 3 years ago

So if privacy is really a matter, it is your job (DevOps and Firewall) to set proper roles to prohibit external access from Container and Production servers

YIKES. I think you should rethink this before posting it in a public forum. Privacy is ALWAYS a concern.

LinusBorg commented 3 years ago

You're misunderstanding a bit. He's saying after users complaining about the opt-in being asked over and over, they only ask for it once per machine (but they did not "disable" it).

That's a change that happened because of user feedback, and one that can be discussed and reverted if need be.

pi0 commented 3 years ago

The only telemetry that was emanating from my app was from Nuxt

Then I think you didn't even get the real security issue of your environment and are trying to blame Nuxt because you could see that request :) (please read more about postinstall; at least I'm sure we have the OpenCollective hook, but you never mentioned or noticed it)

so you opt-in everyone automatically

You might say. But then you might better start a general protest against the telemetry concept itself, when Gatsby and Next.js do opt-in by default with zero consent too. At least we make a CLI consent when possible (local system).

YIKES. I think you should rethink this before posting it in a public forum. Privacy is ALWAYS a concern.

However, I disagree this is a security issue; there is security@nuxtjs.org you could use instead of a tweet or making an issue!! So I think you are to blame right now.

After all, I fully respect and understand the frustration. It was not a stupid decision nor not thinking. We spent weeks discussing the pros and cons and trying different setups. One project cannot make everyone happy, but we are open to constructive feedback. Like I mentioned above, possibly also doing consent in the last step of create-nuxt-app.

robconery commented 3 years ago

So... is it my fault that this prompt is disabled as well? That's the issue here - you can keep attacking me or you can acknowledge that there's a problem with your CLI.

bnb commented 3 years ago

Also consider that telemetry is not only package that sends metrics. Basically any npm dependency installed in CI environment can use postinstall script to send a network request (like dependencies using OpenCollective hook so please beware to also disable each!)

Then I think you didn't even get the real security issue of your environment and are trying to blame Nuxt because you could see that request :) (please read more about postinstall; at least I'm sure we have the OpenCollective hook, but you never mentioned or noticed it)

Just because someone can do something doesn't justify someone else doing something similar, especially when it's a potential risk to end-users' data. This is an incredibly weak point.

However, I disagree this is a security issue; there is security@nuxtjs.org you could use instead of a tweet or making an issue!! So I think you are to blame right now.

You think leaking production information from end-users isn't a security issue?

robconery commented 3 years ago

This isn't the intended title of this issue. I think it's fair to wont-fix this if that's your response - we can move the opt-in discussion to another thread.

pi0 commented 3 years ago
bnb commented 3 years ago

It is not possible by just trying to blame the Nuxt team

where did someone blame the Nuxt team? Reading through every comment in this issue, there's been no blame assigned outside of you blaming an end-user.

pi0 commented 3 years ago

where did someone blame the Nuxt team? Reading through every comment in this issue, there's been no blame assigned outside of you blaming an end-user.

I truly apologize if by any means I implied a blame on you <3 But I consider "Just because someone can do something doesn't justify someone else doing something similar, especially when it's a potential risk to end-users' data" as a blame directly about a decision that was made by the Nuxt team.

TBH I see no point in continuing this discussion. By any means I tried to clarify the reasons for the current behavior and our openness to respect user choices and change the CLI. You just discovered something and have a strong opinion against it. I understand that.

robconery commented 3 years ago

This is discouraging. I wish you could understand that just the appearance of a framework sending data to a 3rd party server in production without the developer's consent could get someone fired. I'm urging you to respect the developers that use your product and make the opt-in clear and stop collecting production data.

pi0 commented 3 years ago

@robconery Actually we can directly make a release to disable sending events on CI, but we have to first confirm it internally (it is not my personal decision). You asked for a change, and it is being discussed, nothing is discouraging :)

robconery commented 3 years ago

So... the issue title is again misleading and not at all what I intended. The issue isn't CI environment - it's production and moreover the CLI prompt has been disabled.

I'm feeling like this entire thread has gone far, far off the rails and my best course of action right now is to remove Nuxt entirely and go with plain old Vue. I'm sure you and your team will come up with a good solution in the future and best of luck to you all. I need to focus on something else for now.

pi0 commented 3 years ago

If you checked the source line I referred to, it affects both production and CI (basically a check for any environment where we can't get consent -- more technically, when a TTY is not available), so the title is still relevant to what you intended...

Still, your issue is under discussion, so it is reopened, whilst you can unfollow. So thanks for bringing it up and best of luck ❤️
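
The headless check described above (prompt only when a TTY is available) is the crux of the thread. The following is an added illustration, not Nuxt's own code: a consent resolver where an environment that cannot be asked is treated as "not consented" rather than "consented". The config shapes, the `NUXT_TELEMETRY_DISABLED` variable and the `headlessDefault` option are assumptions for this example.

```javascript
// Added example (not the nuxt/telemetry implementation). Resolves whether
// telemetry may be sent from a constructed environment and config objects,
// loosely modelled on a user-level rc file plus a project config.

function isHeadless(env, isTTY) {
  // CI services commonly export CI=true; without a TTY nobody can answer a prompt.
  return !isTTY || env.CI === 'true' || env.CI === '1';
}

function resolveTelemetry({ env = {}, isTTY = false, userConfig = {}, projectConfig = {} },
                          { headlessDefault = false } = {}) {
  // 1. An explicit opt-out anywhere always wins (env var name is an assumption).
  if (env.NUXT_TELEMETRY_DISABLED === '1' ||
      projectConfig.telemetry === false || userConfig.telemetry === false) {
    return { enabled: false, reason: 'explicit-opt-out', prompt: false };
  }
  // 2. Consent recorded earlier on this machine (the one-time-per-machine choice).
  if (userConfig.telemetry === true) {
    return { enabled: true, reason: 'prior-consent', prompt: false };
  }
  // 3. No recorded choice yet: only prompt where a human can actually answer.
  if (isHeadless(env, isTTY)) {
    // headlessDefault=true mirrors the behaviour debated in the thread (skip the
    // prompt and send); the default false is the fail-closed alternative.
    return { enabled: headlessDefault, reason: 'headless-no-consent', prompt: false };
  }
  return { enabled: false, reason: 'needs-prompt', prompt: true };
}

// Constructed sample environments: a CI runner and an interactive dev shell.
const ciEnv = { env: { CI: 'true' }, isTTY: false };
const devEnv = { env: {}, isTTY: true };

console.log(resolveTelemetry(ciEnv));                             // fail closed
console.log(resolveTelemetry(ciEnv, { headlessDefault: true }));  // thread behaviour
console.log(resolveTelemetry(devEnv));                            // ask the developer
```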

pi0 commented 3 years ago

@robconery, measurements were taken via #35 (please check the rollout strategy), and best wishes again :)