telemetry in the Go toolchain #58409
Replies: 95 comments 394 replies
-
Should be off by default. There is no reason for a development chain to have any kind of telemetry on by default. One reason it should be off by default would be cases such as Jenkins farms, Bazel use, and other locations that arnt your regular development environment. |
Beta Was this translation helpful? Give feedback.
-
@rsc I think this is an interesting idea. As an open-source developer (OpenTelemetry) I agree that we need an ethical way to collect usage telemetry about our own products. I will run this idea inside OpenTelemetry project to see what our community thinks. If you are interested in using an existing metric reporting library it may be helpful to take a look at OpenTelemetry-Go. It supports histograms and can send collected metrics to the backend using a standard OTLP protocol (Protobuf or JSON payloads over HTTP). |
Beta Was this translation helpful? Give feedback.
-
What would prevent users from sending garbage to the telemetry server? |
Beta Was this translation helpful? Give feedback.
-
I don't think that an opt-out mechanism is compliant with GDPR. Was the proposal reviewed by any Compliance experts? Personally, I don't like the idea of automatic collection of telemetry pushed on me. Isn't Google tracking enough information about me already? |
Beta Was this translation helpful? Give feedback.
-
I don't feel like I have a stake in this debate, but I want to provide a "steel" man for the counter position. I think the principal issue for people who are averse to default-opt-in telemetry is that the policy of what data is sent over that connection is mutable. Even if the debates over which telemetry data to publish is public, once we establish the pattern of telemetry, the policy of what is sent through the pipes is subject to change. Put another way, the logic of "never telemetry" goes something like: if we never have a network call to begin with, we don't have to know the latest version of a policy that's wholly irrelevant to our day-to-day work, but essential to our personal privacy. I have full faith in the current humans of the Go team to write policy and compose processes that are fair and respect peoples' privacy. However, it's important to recognize that this move opens a hitherto nonexistent door for less-than-scrupulous data collection, and that future members of the Go team (or future versions of ourselves) might not hold privacy to be so sacrosanct. In summary, there's a trade-off to be had here. The proposed metrics to collect would be invaluable to ongoing development of the toolchain. And, to be clear, the technical solution proposed appears to be a sound basis for preserving privacy. The quandary is whether this value is worth creating space to (eventually/perhaps unwittingly) emit private information? I think one can argue either side rationally, but it has to be said that making the system unobtrusively opt-in would largely resolve the ethical concerns by introducing a mechanism for informed consent. Even if a default-opt-out solution provides 1/10th the value of opt-in telemetry, it may be worth considering for that reason alone. |
Beta Was this translation helpful? Give feedback.
-
The controversy here is whether the proposed telemetry should default on or default off. But there's at least one other option: default advertise. When you have neither opted in nor opted out, the Go toolchain could remind you, "There's this telemetry option we'd like you to turn on." In fact here's another option: time-limited opt-in. "I agree to send telemetry until 31 Dec 2023." That should help some users over the natural resistance barrier to opting in. |
Beta Was this translation helpful? Give feedback.
-
Edit: I missed the use cases link at the bottom. (I feel one or two examples should have been included in the original post, and left the link as an addendum. the other two blog posts are otherwise sufficiently summarized)
|
Beta Was this translation helpful? Give feedback.
-
I have resisted Go for years because it comes from Google. I've started to work with it a little bit, because I've been convinced over time by friends who love building with Go that it really isn't that Googley, and it's just Google funds this thing the Go creators wanted to do their way. The GOPROXY issues were a big scare point, but hey, you can shut that off, I guess. Now I feel just a little bit sold out by my friends who told me Go was okay to invest time in. Now you guys want to introduce telemetry into your programming language? This is how you drive off any person who even considered giving your project a chance despite the warning signs. Please don't do this, and please issue a public apology for even proposing it. Please leave a blast radius around this idea wide enough that nobody even suggests trying to do this again. Trust in Google's behavior is at an all time low, and moves like this are a choice to shove what's left of it off the edge of a cliff. Thank you. |
Beta Was this translation helpful? Give feedback.
-
Quick question. You claim in the article that even though the IP is exposed because of the TCP connection, it is not logged in the reports. What happens if someone decides to spam the telemetry service with bogus data? Will the data be kept? How will you identify which data came from the spammer's address so that it can be removed? |
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
-
No telemetry in my toolchains, hard pass. Edit: I'm making a bet here now this will get shoved through despite concerns and people not finding these "mitigations" acceptable. This isn't something that belongs in major developer tooling like the Go compiler/toolchain and is an abuse of power from a company that tends to take privacy lightly. It's not about mitigating concerns, it's about why we have them and why this is a toxic idea. My advice is to steer clear of this, Google swung and missed and let Go of the bat here. |
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
-
There's already quite a lot of useful data stored at https://pkg.go.dev/ and also able to be crawled from source-available (not just open-source) code repositories like GitHub, etc What additional data points would the Go team find useful that isn't already available from the above? |
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
This comment has been minimized.
This comment has been minimized.
This comment was marked as off-topic.
This comment was marked as off-topic.
-
This is mostly a technical proposal offered without enough consideration for one of the main preliminary concerns, which is (social) trust. And as I'll argue at the end of this comment, among others, more expert consensus is necessary to get there first. You can't admit that for years you didn't believe telemetry was necessary and that we all tend to have a "visceral negative reaction" to telemetry and then not confront the subject anywhere near the title of this discussion. Or not discussing the potential dangers nor attempting to explicitly address the concerns of the many people who have doubts. If someone wants to say: "you should have read the blogpost, most issues you mention are addressed through the comments of this long discussion"; yes, that's exactly why this is poor communication. Pursuing something that you believe can help improve the way things are done no matter how contrary it may to the public sentiment can be brave and noble. Failing to go out of your way to address that public sentiment while you do it is a communication and leadership failure (let's not get too dramatic either, though). The list of use cases and the blogpost make a strong case for the pros of telemetry. If the cons and potential dangers and risks were discussed in as much depth and prominently acknowledged, this could start to be a different discussion. Now, on the topic of opt-in by default, there are obvious moral concerns being brushed away too easily:
To me, a major issue that I think hasn't been discussed here is that the differences between transparent telemetry and telemetry are not yet recognized or clear to developers, and therefore opt-in by default can't be possibly acceptable. But even if you happen to be right and opt-in by default is perfectly morally acceptable for transparent telemetry and given some time privacy experts would agree with you or whatever, we are not at that point yet. I honestly believe that a few blogposts by a single individual, no matter how good your reputation may be, don't have enough weight to say that opt-in by default is ok (specially in a topic related to privacy). After reading the more detailed proposal, I'm still very unconvinced. I think there needs to be more and more qualified and broader consensus and feedback, both from experts and developers, before transparent telemetry can legitimately materialize in the suggested form for a project of the scale of Go. I don't think this discussion approaches all these concerns from the right angle at the right place. |
Beta Was this translation helpful? Give feedback.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment was marked as off-topic.
This comment has been minimized.
This comment has been minimized.
-
After seeing what happen with Tailscale IOS, I do see the need we should have some form of telemetry, I would also recommend try discussing this with Developers of CockroachDB or Traefik to get their feedback |
Beta Was this translation helpful? Give feedback.
-
Enabled by default means you believe that what I do on my computer is your business unless I choose otherwise. This should be self-evidently "wrong", because what I do on my computer is absolutely not the Go team's business unless and until I choose to make it your business. It does not matter whether knowing "what I do" makes your job easier, or is somehow "useful" to you. It does not matter if you find an implementation that is somehow technically "legal". It does not matter if the proposed implementation of telemetry itself is sound and reasonable. None of that changes the simple fact that what I do on my computer is not, by default, ever any of your business. That this is even under consideration raises a number of questions regarding Go's leadership and future direction. |
Beta Was this translation helpful? Give feedback.
-
Coming from a very privacy aware country and background the problem for me at least is the collecting itself. Also taking Google's reputation on handling private data into consideration I think there is very little to be said to convince people. Voluntary participation in surveys etc is much better way overall and I think this telemetry idea should be abandoned. |
Beta Was this translation helpful? Give feedback.
-
Why was this comment minimized? It seems pretty darn legit to me, I don't think this line of thinking has been mentioned elsewhere in the discussion, and it's not really pithy. Suppress this line of thinking and I will personally feel the need to move even more of my everyday computing into sandboxes that prevent unwanted networking. Also, need I remind people of https://harmful.cat-v.org/cat-v/ |
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
-
there seems to be quite a detailed design posted on the blog for something that's supposed to be "not a proposal" and "something that might become a proposal"... |
Beta Was this translation helpful? Give feedback.
This comment was marked as spam.
This comment was marked as spam.
-
I've made a list of pros and cons that I've found in this discussion so far: Pros:
Cons:
I am obviously biased towards opt-in telemetry, and I might have missed arguments, so please add to the list if you can think of anything else. |
Beta Was this translation helpful? Give feedback.
-
Feb 10 5pm US Eastern: Thanks for the lively discussion everyone. It has given me plenty to think about. We are starting to go in circles, and actually new comments are increasingly rare, so I've locked this to give everyone their weekend back. Thanks again.
If anyone feels like there's something important that wasn't said in these 506 comments, please feel free to email me at rsc@golang.org.
Feb 26 The current plan is to use some form of opt-in to collect telemetry.
How do software developers understand which parts of their software are being used and whether they are performing as expected? The modern answer is telemetry, which means software sending data to answer those questions back to a collection server.
I believe that open-source software projects need to explore new telemetry designs that help developers get the information they need to work efficiently and effectively, without collecting invasive traces of detailed user activity.
I have written a short series of blog posts about one such design, which I call transparent telemetry, because it collects as little as possible (kilobytes per year from each installation) and then publishes every bit that it collects, for public inspection and analysis.
I’d like to explore using transparent telemetry, or a system like it, in the Go toolchain, which I hope will help Go project developers and users alike. To be clear, I am only suggesting that the instrumentation be added to the Go command-line tools written and distributed by the Go team, such as the
go
command, the Go compiler,gopls
, andgovulncheck
. I am not suggesting that instrumentation be added by the Go compiler to all Go programs in the world: that’s clearly inappropriate.Transparent telemetry has the following key properties:
The decisions about what metrics to collect are made in an open, public process.
The collection configuration is automatically generated from the actively tracked metrics: no data is collected that isn’t needed for the metrics.
The collection configuration is served using a tamper-evident transparent log, making it very difficult to serve different collection configurations to different systems.
The collection configuration is a cacheable, proxied Go module, so any privacy-enhancing local Go proxy already in use for ordinary modules will automatically be used for collection configuration. To further ameliorate concerns about tracking systems by the downloading of the collection configuration, each installation only bothers downloading the configuration each week with probability 10%, so that each installation only asks for the configuration about five times per year.
Uploaded reports only include total event counts over a full week, not any kind of time-ordered event trace.
Uploaded reports do not include user IDs, machine IDs, or any other kind of ID.
Uploaded reports only contain strings that are already known to the collection server: counter names, program names, and version strings repeated from the collection configuration, along with the names of functions in specific, unmodified Go toolchain programs for stack traces. The only types of non-string data in the reports are event counts, dates, and line numbers.
IP addresses exposed by the HTTP session that uploads the report are not recorded with the reports.
Thanks to sampling, only a constant number of uploaded reports are needed to achieve a specific accuracy target, no matter how many installations exist. Specifically, only about 16,000 reports are needed for 1% accuracy at a 99% confidence level. This means that as new systems are added to the system, each system reports less often. With a conservative estimate of two million Go installations, about 16,000 reporting each week corresponds to an overall reporting rate of well under 2% per week, meaning each installation would upload a report on average less than once per year.
The aggregate computed metrics are made public in graphical and tabular form.
The full raw data as collected is made public, so that project maintainers have no proprietary advantage or insights in their role as the direct data collector.
The system is on by default, but opting out is easy, effective, and persistent.
Please read the introductory blog post for more background before commenting here. You may also want to check out the detailed design and list of use cases.
Beta Was this translation helpful? Give feedback.
All reactions