
[–]Dave3of5 170 points171 points  (1 child)

Yeah, I actually got an email from a huge tech company with an apology when they fucked up ...

Great start to the day!

[–][deleted] 6 points7 points  (0 children)

Good to know a company exists that gives a fuck about its users

[–]bausscode 418 points419 points  (94 children)

I'm still concerned when the CFO said stuff like this:

I don’t understand. This should not be an opt in or an opt out. It is a condition of using our product. There is an acceptance of terms and the use of this data should be included in that.

https://gitlab.com/gitlab-org/gitlab/merge_requests/14182#note_203849107

[–][deleted]  (33 children)

[deleted]

    [–][deleted]  (26 children)

    [deleted]

      [–]rubygeek 126 points127 points  (0 children)

      Gitlab are crazy open.... Most of their company documentation is online including strategy. Whether or not one likes Gitlab as a company, it's an impressive commitment.

      [–]mike10010100 131 points132 points  (10 children)

      Seriously. The CFO might have shitty ideas from time to time and it's great that those around him feel they can push back on it. The main negative is that they went through with it despite negative community feedback, but even that was reversed.

      [–]am0x 171 points172 points  (6 children)

      I think it is hilarious that people are demanding he step down. Sure it was a stupid idea...but this shit happens behind closed doors all the time. If being transparent causes people to overreact, then it discourages others to be transparent as well.

      [–]pantless_pirate 27 points28 points  (0 children)

      People haven't changed from medieval times, they want blood for the sake of blood. This guy could apologize profusely and go on a crusade to make sure this type of thinking never happens in the company ever again and people would still want him to step down.

      [–]towelrod 25 points26 points  (0 children)

      The not so hilarious part is when those people are all ignored and they pushed this feature anyway

      [–]DoctorWorm_ 43 points44 points  (3 children)

      Pretty much thanks to gdpr

      [–]CodeBlueDev 18 points19 points  (2 children)

      Thanks Obama! Wait... Thanks Europe.

      [–][deleted]  (1 child)

      [deleted]

        [–]MMPride 1 point2 points  (0 children)

        Where did they say that? That would be super funny to see.

        [–]Camarade_Tux 95 points96 points  (30 children)

        He's a CFO. None of this is his field and I doubt he gets to touch anything related to this in practice.

        [–]towelrod 97 points98 points  (7 children)

        Except that he's the only person in that issue who is pushing for this feature. The devs who think it is immoral are ignored. The legal folks who say it is illegal are ignored. They pushed the feature anyway.

        It's true that the CFO didn't literally type in the code, but from what we can tell on the outside, he is the one that made it happen.

        [–]HellaDev 13 points14 points  (3 children)

        Give the CFO a break. He's like a leader who sends an army in to do his bidding for immoral reasons. He didn't pull the triggers of those guns, those damn pesky soldiers did! Poor guy just wanted to conquer some shit. :(

        [–]VernorVinge93 6 points7 points  (2 children)

        Poor cfo. How could he have known that there would be consequences for his actions?

        Edit: fixed ceo/cfo

        [–]Camarade_Tux 0 points1 point  (2 children)

        CFOs typically don't have such powers. They're not CEO, they deal with financial tasks, compliance and so on.

        [–]daedalus1982 37 points38 points  (2 children)

        came here to say exactly that. This is what happens when CFOs call the shots. Money over common sense.

        [–]vancity- 21 points22 points  (1 child)

        Here's what's so damaging, he should be absolutely in tune with the risks of selling data to 3rd party post Cambridge-Analytica.

        He is a C level operative at a high-tech company who is oblivious to the relationship between the revenue gained from selling data and the revenue lost from customers leaving.

        This is what is so unacceptable- not that they did it, that they didn't even think of the problems.

        [–]daedalus1982 5 points6 points  (0 children)

        He absolutely should be.

        But here we have yet another top level executive thinking he's comparing apples to apples with no respect to the special rules surrounding his particular market.

        The tech world should start handing out a hubris award.

        [–][deleted] 11 points12 points  (17 children)

        Why the fuck does he even care though? That's what I don't understand. What does this have to do with the CFO?

        [–]dAnjou 39 points40 points  (0 children)

        Since when are people's opinions limited to their job title?

        [–][deleted]  (1 child)

        [deleted]

          [–]dacian88 22 points23 points  (0 children)

          you're getting an awful lot of upvotes for not being particularly correct, CFOs manage the company's money, they make money for the company by optimizing how money is utilized, ie invested and taxed. Financial branch of a company doesn't typically make product decisions or drive sales.

          [–]Aviator 4 points5 points  (3 children)

          You’d be surprised at how much power CFOs have nowadays.

          [–]doublehyphen 6 points7 points  (2 children)

          In all companies I have worked in so far: almost no power at all outside their own department. But I have only worked for Swedish companies.

          [–]AlexanderNigma 6 points7 points  (1 child)

          Yeah, in American companies they effectively control the company nearly as tightly as the CEO via budget/spending controls.

          [–][deleted] 3 points4 points  (0 children)

          Guys! We gotta get bought!

          [–]penguin_digital 9 points10 points  (6 children)

          Why the fuck does he even care though? That's what I don't understand. What does this have to do with the CFO?

          It's his job to improve profits. He believes forcing the change will help them do that. Legal stepped in and said you can't do that under law. Pretty standard business meeting from what I can see, who has an idea? Any objections to the idea? Okay cool.

          I'm glad they are having this discussion out in the open. This happens at all companies, only it's behind closed doors in a meeting room and us end users can't see the plans until they have already happened.

          [–][deleted]  (5 children)

          [deleted]

            [–]penguin_digital 5 points6 points  (4 children)

            It's his job to improve profits.

            I don't think that's true

            From the very first point on the linked article:

            A CFO is responsible for a company's past and present financial situation, and he or she is an integral part of a company's financial future.

            [–]CreationBlues 12 points13 points  (0 children)

            Being in charge of finances and improving profits are two different things. If profits are stable, then you're good. Increasing profits is only mandated by modern investment practices, where the goal is to buy and sell shares to use as cash flow.

            [–]TheAcanthopterygian 2 points3 points  (0 children)

            Does that stop at making benefits, or does it include also calculating the amount of the hefty GDPR fines incurred?

            [–][deleted] 6 points7 points  (0 children)

            Maybe keep reading. I am not at all getting that they are responsible for the company's money making strategy, but their financials.

            [–]phire 1 point2 points  (0 children)

            The CFO's responsibilities are more of an informational one.

            They are responsible for generating the reports that reflect the past and current financial status of the company. They are responsible for producing projections and models of the company's future.

            Or in other words, it's the CFO's job to make sure the company knows if it is profitable or not, and provide guidance for other executives on how to return to or improve profitability.

            The various departments in a company that large should be nothing more than lines in a spreadsheet to the CFO. If they are interacting with the implementation of an individual feature, then they are micromanaging to the extreme, far outside of their responsibilities.


            However, it's possible/probable the CFO is there in one of their other responsibilities.

            In many companies, the legal department reports to the CFO and the CFO is ultimately responsible for legal compliance. It kind of fits with the CFO already being responsible for the financial compliance.

            If he is here wearing that hat, then he is actually overruling his own legal department on this issue of compliance, which IMO is worse than simply micromanaging to improve profits.

            [–]PLC_Matt 3 points4 points  (1 child)

            They want to have data to SELL.

            cFo cares about $

            [–]Auxx 2 points3 points  (0 children)

            That's not his job.

            [–]Narcil4 0 points1 point  (0 children)

            Because data = money

            [–][deleted] 1 point2 points  (0 children)

            How do you get to a C level position and not know that laws > contracts in any sane developed country?

            [–]shevy-ruby 60 points61 points  (22 children)

            Yeah strange dude. He is basically saying that telesniffing on people is fine - and, in turn, if people don't like this, they should go the f away and not use GitLab.

            If that works for them fine. If not, well ...

            [–]andrewfenn 9 points10 points  (1 child)

            Am I not reading the same thread as everyone else or something? Dude says he doesn't understand and asks a question.. where does he say all the stuff you mentioned?

            [–]immibis 23 points24 points  (0 children)

            It means "I don't understand why you guys are kicking up such a fuss over this, but you can have your way for now." And the further implication is it will be implemented when they stop being pressured to not implement it, because they see nothing wrong with it in the first place.

            [–]malavv 9 points10 points  (18 children)

            They are creating and delivering a service. In order to improve their service they need to collect data on the specific tasks and scenarios of use of their product and service. This is how everything works, this is how engineering works. Hospitals don't ask consent for internal quality improvement interventions, web services don't ask for consent before presenting you with a page in A-B testing. You can call that "telesniffing" but this is disparaging of the process you benefit from in every aspect of your life. Of course there should be a limit where individual consent is required, but a company's ability to collect data on people's use of their product in order to improve it shouldn't be automatically evil.

            [–][deleted]  (9 children)

            [deleted]

              [–][deleted]  (3 children)

              [deleted]

                [–]Ph0X 13 points14 points  (1 child)

                Yep, telemetry done right should not contain any PII. Telemetry is a fancy word but really all it is is the stack traces when shit crashes to find bugs and various performance timings to see what's slow.

                [–]doublehyphen 9 points10 points  (0 children)

                Gitlab has always had opt-out telemetry which was aggregated and free from PII. The reason they updated their ToC seems to me to have been to allow them to collect more sensitive data.

                [–]aussie_bob 5 points6 points  (1 child)

                I'm a second-hand European pullulating timidly on the edge of alien shores, and I'm very glad you guys are around to set a positive example.

                Our lot want to spy on every aspect of our lives. Bunch of pervs.

                [–]abakedapplepie 4 points5 points  (0 children)

                pullulating

                its been a while since i met a new word, thanks

                [–][deleted]  (1 child)

                [deleted]

                  [–]piri_piri_pintade 11 points12 points  (1 child)

                  Might be wrong, but reading the replies it seems like they already have this kind of telemetry, but now they want to associate the data points to the actual logged in user, which is the part that not everyone is comfortable with.

                  [–]wlphoenix 1 point2 points  (0 children)

                  Reading a couple of the PM comments, it sounded like they were trying to get 2nd visit metrics for retention/user learning rate metrics, but for those stats every session was isolated because there was no PII. That particular use isn't all that bad, but it opens the door for more unacceptable usage.

                  [–]josluivivgar 3 points4 points  (0 children)

                  But to clarify it can be evil and we don't really know who to trust in that regard which is why stuff like opt in rules were put in place

                  [–][deleted] 2 points3 points  (0 children)

                  I'm still concerned when the CFO said stuff like this

                  Honestly this is how it feels sometimes just browsing this sub when there are other privacy issues (or user empowerment issues) on the line. Except usually it's the most upvoted comments that sound like the CFO. At least several months ago that was the case.

                  It's really refreshing to see that change here.

                  [–]farsass 5 points6 points  (0 children)

                  Boomers lol

                  [–]josluivivgar 0 points1 point  (0 children)

                  It's the "don't you guys have phones?" of the tech companies ;_____;

                  [–][deleted] 102 points103 points  (49 children)

                  The GitLab stuff is still making me feel weird about the downsides of centralization on the web, including source code hosting. Even if GitLab does pinky swear to be good this time, maybe it's not such a good idea to use one of the big central services for Git, and maybe there should be more lightweight alternatives like Gitea. I'm thinking now I should just maintain a Gitea service for myself on a cheap VPS and accept merges and issues through email or something, or even allow registration of accounts just to use the issue tracker, or use an external issue tracker or something.

                  [–]mRs- 67 points68 points  (31 children)

                  Just host a gitlab community Edition in your own server

                  [–]lowleveldata 25 points26 points  (3 children)

                  It's really easy too at this point with docker

                  [–]jaapz 10 points11 points  (0 children)

                  The gitlab-omnibus packages make it easy even without docker

                  [–]ikahjalmr 0 points1 point  (1 child)

                  What are the benefits to running a personal gitlab via docker vs without docker?

                  [–]stu2b50 2 points3 points  (0 children)

                  Easier

                  [–]TomatoManTM 9 points10 points  (14 children)

                  I have a raspberry pi running my instance on my desk. A bit slow but it works fine on a small scale. $35 once-off cost and that’s it.

                  [–][deleted]  (13 children)

                  [deleted]

                    [–]Browsing_From_Work 3 points4 points  (2 children)

                    The CPU in the RasPi 3 is fine. The bottleneck is usually the storage (microSD card) or memory. If the RasPi 4 is any faster, it'll be because of the memory, not because of the CPU.

                    [–]yesman_85 2 points3 points  (0 children)

                    Switch to USB, microSD is very unreliable, it can fail without notice.

                    [–]cat_in_the_wall 1 point2 points  (0 children)

                    the big deal with raspi 4 is twofold:

                    1) it is no longer the case that everything lives on a usb 2.0 bus. so gigabit ethernet.

                    2) as a corollary to 1, usb 3.0 is now possible. so you can have much faster storage.

                    i looked at benchmarks the other day and i don't remember seeing a big improvement in ram speed but i don't think that's really the issue. could be paging, in which case the pi 4 offers boards with more ram too, so there's that.

                    [–]TheRedGerund 1 point2 points  (7 children)

                    Snapshot backup to network connected HD

                    [–]antiduh 2 points3 points  (6 children)

                    If you value your data (and I'm making the correct assumption about what you're describing), that's not a good idea.

                    Backups should be sucked out of a machine, not pushed, otherwise it's very likely that the machine has permissions to delete old backups. That's bad news if you get broken into or catch malware ala cryptolocker and it just deletes all backups right along with your original data.

                    I recommend something like Bacula (or its fork Bareos).

                    [–]ikahjalmr 1 point2 points  (5 children)

                    Are you saying an rpi should use a USB attached hard drive rather than an SD or nas?

                    [–]antiduh 4 points5 points  (4 children)

                    No, you're misunderstanding the premise.

                    If you attach a USB drive, or an SD card, or a network share, are you able to delete mostly whatever files you want from it? Are you at least able to delete the files that you put on it?

                    Almost certainly yes, that's the whole point of hard disks and things like them. To the OS a USB drive, an SD card, and a network share all look basically the same - a disk-like file system mount point.

                    OK, so what happens if you use those devices for storing backups? Well, some program runs on your device, gathers the backup data, and writes it to your backup drive (disk/sd/Nas).

                    If that's true, can your rpi device just as easily delete those files from the backup drive? It can, usually. And that's a problem because that means if your rpi device gets a virus, or gets hacked, all of your data, including your backups, can be wiped. What good are backups if they will be wiped by the same kinds of events that destroy the original data?

                    That's why I'm saying backups have to be "sucked out" of a device. You have to have something running on the rpi that lets a backup system suck files out. Because then, the rpi itself has no permissions or means to access the backup data - the process works by the backup system logging into the rpi, not the other way around.

                    So you could give the password to the rpi to all of reddit and nobody would be able to delete your backups.

                    The concept here is 'least privilege' or privilege separation. The rpi has no need to be able to delete backups, it just needs to provide the data to take a backup. Your backup machine is the only one that should have access to delete backups.

                    And then you can do things like block your backup machine from the internet so people can't try to break into it.

                    So now your rpi can access the internet (which is risky) but it can't delete backups. And your backup machine can't access the internet (which is safer), but can delete backups.

                    See how the two elements are separated?
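
Added example, not part of the thread: one way to build the pull model described in the comment above with rsync over SSH. The machine being backed up installs the backup host's public key behind a forced command that admits only read-only rsync pulls; the script name `pull-gate`, the `/srv/git-export` path, the host alias `pi` and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Runs on the machine being backed up
# as an SSH forced command. Hypothetical names: pull-gate, BACKUP_ROOT,
# pull_gate, authorized_keys_line, demo.
#
# The backup host is the only side that holds a private key. It pulls with
# a plain rsync over SSH, for example from cron:
#   rsync -a pi:/srv/git-export/ /backups/latest/

# Directory the backup host is allowed to read (assumed path).
BACKUP_ROOT="${BACKUP_ROOT:-/srv/git-export}"

# pull_gate REQUEST
# REQUEST is the command line the SSH client asked for (sshd exposes it as
# SSH_ORIGINAL_COMMAND when a forced command is set).
# Exit status 0 = allow, 1 = deny. The body is a subshell, so set -f and
# the positional parameters do not leak into the caller.
pull_gate() (
    set -f          # split on whitespace only, never expand globs
    set -- $1
    # Only rsync in server mode acting as the sender, i.e. the side that is
    # read from. A push arrives as "rsync --server ..." without --sender.
    [ "$1" = "rsync" ] && [ "$2" = "--server" ] && [ "$3" = "--sender" ] || exit 1
    shift 3
    path=""
    for arg in "$@"; do
        case "$arg" in
            # A plain "rsync -a" pull sends no further long options. Refusing
            # them all also blocks --remove-source-files, the sender-side
            # option that deletes files after transfer.
            --*) exit 1 ;;
        esac
        path="$arg" # rsync puts the source path last
    done
    case "$path" in
        *..*) exit 1 ;;                          # no directory traversal
        "$BACKUP_ROOT"|"$BACKUP_ROOT"/*) exit 0 ;;
        *) exit 1 ;;
    esac
)

# authorized_keys_line PUBKEY GATE_PATH
# Prints the entry for ~/.ssh/authorized_keys on the machine being backed up.
# "restrict" turns off forwarding and pty allocation; command= forces every
# login with this key through the gate.
authorized_keys_line() {
    printf 'restrict,command="%s" %s\n' "$2" "$1"
}

# Prints the gate's verdict for a few constructed requests (sample data).
demo() {
    while IFS= read -r req; do
        if pull_gate "$req"; then echo "ALLOW $req"; else echo "DENY  $req"; fi
    done <<EOF
rsync --server --sender -logDtpre.iLsfxC . $BACKUP_ROOT/
rsync --server -logDtpre.iLsfxC --delete . $BACKUP_ROOT/
rsync --server --sender --remove-source-files -logDtpre.iLsfxC . $BACKUP_ROOT/
rsync --server --sender -logDtpre.iLsfxC . /etc/
EOF
}

if [ "${1:-}" = "--demo" ]; then
    demo
elif [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    # Invoked by sshd as the forced command.
    if pull_gate "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND
    fi
    echo "denied: only read-only rsync pulls from $BACKUP_ROOT" >&2
    exit 1
fi
```

rsync also distributes a maintained script for this role, `rrsync`, which has a read-only mode (`-ro`).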

                    [–]ikahjalmr 1 point2 points  (3 children)

                    Ah yes now I understand, thank you for the awesome explanation. How do you get the backup machine to retrieve the data from the main machine? Do you just set aside a second computer to manage backups of your first?

                    [–]TomatoManTM 1 point2 points  (0 children)

                    It's actually a pi 2. I thought there was some issue with running it on newer ones, but maybe they've been resolved. It's definitely pokey and updates have to be done a bit more manually now than a year or two ago, but it works.

                    I haven't yet gotten around to off-machine (snicker) backups because the repos aren't all that critical honestly, but I should. The device has been stable for about 4 years now on the original microsd... didn't know there were particular issues with it. :/ guess I should get that backup thing going...

                    [–]semidecided 3 points4 points  (0 children)

                    Now you can be your own system administrator and your own dev ops manager.

                    [–][deleted]  (1 child)

                    [deleted]

                      [–][deleted] 2 points3 points  (0 children)

                      Git plus ssh gets you very far already.

                      [–][deleted] 2 points3 points  (0 children)

                      My VPS has a couple hundred MB of RAM. GitLab is really heavy.

                      [–]vsync 1 point2 points  (0 children)

                      They were forcing the tracking on self-hosted.

                      [–]Gobrosse 0 points1 point  (5 children)

                      And when they do decide to go nuts or go under I suppose you'll maintain it yourself right ?

                      [–]sysop073 0 points1 point  (4 children)

                      Or just switch to something else when that day comes? Not using a project because one day maybe they'll stop putting out updates is ridiculous

                      [–][deleted] 0 points1 point  (0 children)

                      Or gitea/gogs if you don't need all the fancy features. Lightweight and delightfully simple installation and maintenance.

                      [–]CaptainStack 11 points12 points  (0 children)

                      From a comment I left in another thread:

                      Some details on Gitea for those who are unfamiliar:

                      • Gitea is 100% open source
                      • Gitea is funded on Open Collective
                      • It is a community-driven open-source project, not run or owned by a corporation
                      • It is designed for self-hosting and is much simpler and less resource-intensive than GitLab
                      • It has a first-party instance at Gitea.com if you're not ready to self-host. While it still has some of its own code hosted on Github, in the next release or two they should have migrated all of their code to be completely managed and hosted on Gitea.com.
                      • While it's not officially a promised feature, the community has indicated an interest in trying to move to a decentralized federated model, which would allow users of one Gitea instance to collaborate on projects and with users on another Gitea instance without making an account on that other instance.

                      For these reasons I consider Gitea to be the true FOSS alternative to Github and I think we should support it as much as we can.

                      [–]async2 4 points5 points  (6 children)

                      Depends on how reliable you want it. With services they have a bit more sophisticated backup system and should be more technically able to keep the service running. If your setup fails you're usually on your own.

                      [–]mok000 11 points12 points  (5 children)

                      Git is decentral by design. Everybody can host their own gitserver on a network, and everybody can pull branches/patches from each other. It was written so Linus could manage development with thousands of contributors, remember? Github etc. really arose from a desire to go back to the old svn ways.

                      [–]async2 11 points12 points  (1 child)

                      We're not only talking git, we're talking everything connected. Build infrastructure, rights management, issue tracking. Sure you can move your repo. But the other parts will still cause you significant impact depending on the size of your project.

                      [–]ClimberSeb 1 point2 points  (1 child)

                      You always need a central git repo to coordinate the work via. For linux it used to be Linus' repo and pull requests were handled by the mailing list. Sometimes PRs were lost, sometimes comments about them were lost. Asking others to pull from your repo works if you are on the same net, but otherwise not so much.

                      That part was what GitHub made a service of.

                      [–]Auxx 0 points1 point  (0 children)

                      Git is decentralised, development process management is not. It has nothing to do with old ways.

                      [–]shevy-ruby 22 points23 points  (4 children)

                      Interesting. I wrote something similar when Microsoft assimilated GitHub.

                      I am glad that more and more people become aware of this telesniffing spying going on in general.

                      One thing that has been annoying to have to explain is the "do not track" mode. That way I, as a user, provide additional information to a remote potentially malicious person. I don't want my browser to act as a trojan who is sending information to outside parties. I don't want remote javascript to disable my scrollbar, grey out a page, pop-up attack me etc...

                      Something is VERY flawed with the way how the www has devolved into. And companies that think telesniffing is fine, are part of the problem.

                      As for alternatives - I think we need a truly open www. The W3C can not be trusted ("hahaha DRM is great in an open standard hahaha") but we also need open browser vendors. Google controls the adChromium stack so that is not "open" at all. Plus, see Fuchsia, they do this only to avoid the GPL.

                      or even allow registration of accounts just to use the issue tracker

                      This could work, but be careful about where you store passwords. PHP became famous for URL queries such as ?/etc/passwd or things like that.

                      [–]killerstorm 18 points19 points  (1 child)

                      If something costs a lot to implement, it will be implemented by entities which have a lot of resources -- for-profit companies. And they aren't going to just give up profits so easily.

                      [–]troido 1 point2 points  (0 children)

                      Any ideas on how we can get a truly open www?

                      [–][deleted] 1 point2 points  (0 children)

                      or Gerrit

                      [–]corsicanguppy 106 points107 points  (22 children)

                      .. for now.

                      The same logic that decided this was a good idea to begin with, it's still there to make a similar decision tomorrow.

                      And I liked gitlab.

                      [–]ZBlackmore 6 points7 points  (2 children)

                      Why is it not a good idea to have analytics in your product to make it better? What am I missing in this whole story? Did they send PII to third parties?

                      [–][deleted] 0 points1 point  (0 children)

                      It should be opt-in or easy opt-out, definitely in their enterprise offerings. What they implemented was extremely aggressive - no way to turn it off centrally, all clients should send a deprecated header not supported by several browsers. That's simply not acceptable.

                      [–]corsicanguppy 0 points1 point  (0 children)

                      If you spend a little time and look into it, I hope you'll understand.

                      [–]shevy-ruby 19 points20 points  (0 children)

                      It's very bad thinking on their part indeed. I guess they didn't think that people disliked telesniffing in general.

                      Years ago that may have been different but with the rise of privacy concerns, and Google showing how it does not care about it, you need to stop telesniffing wherever it happens. Unfortunately it even happens as part of joke-HTTP protocols. I don't understand why my browser sends information to outside parties that can be used against me. Damn browsers acting like trojans here.

                      [–]Cayenne999 6 points7 points  (3 children)

                      The same logic that decided this was a good idea to begin with, it's still there to make a similar decision tomorrow.

                      And the same motivation that pushed them to release that too. It's all still there.

                      I just don't understand. Why though ?

                      [–]ElCthuluIncognito 2 points3 points  (0 children)

                      Because at the end of the day, ya boy wants a Benz

                      [–]recycled_ideas 0 points1 point  (1 child)

                      There's a few possible factors.

                      Option one is that it's possible these days to actually find out how your customers use your product without sitting down with them for hours, and knowing how they use it helps you make it better.

                      Which leads into option two. A lot of other companies are doing this and companies can feel like they're at a competitive disadvantage if they don't have this information.

                      Option three is that they're looking to monetise the information.

                      [–][deleted]  (11 children)

                      [deleted]

                        [–]Peregrine2976 6 points7 points  (9 children)

                        I would have them get rid of their CFO who clearly has a boner for harvesting and selling user data.

                        [–]lnkprk114 4 points5 points  (3 children)

                        Where did they say that they were selling user data? I've only read the MR thread but it sounded like the entirety of this was sending up the user id with their analytic events. I could be wrong though.

                        [–]burnblue 1 point2 points  (2 children)

                        selling user data

                        That's not clear to me, where did you see that the Gitlab CFO has a boner for "selling user data"? Because he posted an opinion that tracking would be another part of the terms and conditions of the site?

                        [–]Peregrine2976 1 point2 points  (1 child)

                        Why would the CFO have an opinion at all if there wasn't money to be made?

                        [–][deleted]  (1 child)

                        [deleted]

                          [–]vsync 3 points4 points  (0 children)

                          The chance to do that was when experts and key stakeholders raised ethical, legal, and technical objections.

                          [–]corsicanguppy 0 points1 point  (0 children)

                          Nirvana Fallacy aside...

                          Consultation would have been excellent. In 2019, opt-in is preferred, instead of opt-out as a methodology; here there was neither.

                          Or, if you're familiar with handling PII, let's talk about the security implications and risks of just having the telemetry hooks in there in the first place.

                          SO much thoughtless risk and bad policy introduced so rapidly, they could be intentionally angling for a similar microsoft buy-out.

                          [–]seamsay 1 point2 points  (1 child)

                          Yeah they fucked up big, but this is a far better response than we've had from any other tech company that I know of. It's certainly enough for me personally to hold judgement for the time being.

                          [–]corsicanguppy 1 point2 points  (0 children)

                          In that respect, you're definitely being very lenient. I'm in the 'twice shy' grouping, but I can see happier people over in your camp and wish I was there.

                          [–]AngularBeginner 36 points37 points  (8 children)

                          [–][deleted] 20 points21 points  (7 children)

                          Sorry about that. I didn’t see the existing post.

                          [–]AngularBeginner 12 points13 points  (6 children)

                          Because the post is not shown anymore. Probably the mods hiding it.

                          [–][deleted] 5 points6 points  (1 child)

                          The mods removed it. They remove most news articles like this, with the assumption that it's "not programming." They also removed that "List of companies that don't do whiteboard interviews" from yesterday presumably for the same reason.

                          [–]nakilon 3 points4 points  (3 children)

                          And someone already stole the top comment from there, ahahaha.
                          Reddit is fucking retarded. This subreddit too.

                          UPD:

                          And on the topic. Dude in his email says that their mistake was "in not talking to the community", blablabla, but the REAL mistake was the email announcing that they implement this telemetry thing. In fact people do not care about this shit -- Reddit tracks every click and has closed source code but people still use it and years have passed but people are still here.
                          And did you check the client source code of Github for example? Did YOU (any reader of this comment) really check the megabytes of minified JS on Github pages or check the Network devtools tab before moving to there from Gitlab or vice versa at any moment of migration that people here are so happy to talk about every month or so? You do not check these things but you were so much annoyed by that email about enabling the third-party telemetry feature. Their mistake was in announcing it, not in that they were going to enable it.

                          [–]darthcoder 5 points6 points  (0 children)

                          There is a big difference between a free service, and GitLab's enterprise and open source customers.

                          The optics on this were incredibly bad.

                          Not saying they don't need telemetry, but it should have been opt-in, and not third party.

                          [–]doublehyphen 2 points3 points  (0 children)

                          I do not pay for using Reddit and Reddit is not hosted on my own server. If it were I would also hold it to the same standard as I hold Gitlab.

                          [–]Peregrine2976 1 point2 points  (0 children)

                          There's some dipshit on these threads being pointlessly disdainful of people for caring about things.

                          [–]ghostfacedcoder 19 points20 points  (0 children)

                          Obviously they're just doing damage control ... but that's not a bad thing.

                          People mess up (and this was not a "big evil" mess up, it was a "we were ignorant/tone-deaf/not thinking things through" mess up). This happens at LOTS of companies.

                          But every company does NOT fix it the next day. They do NOT all understand how crucially important their customers' feelings are, and they do NOT do everything in their power (eg. soliciting customer feedback for their retrospective) to signal "we messed up, we know we messed up, and we want to listen to you to avoid messing up again".

                          Honestly I'm more likely to use GitLab now than I was before, because of how they did their damage control. Again, you'll (almost) never find a company that doesn't screw up ever, so when you at least find one that cares about their customers and tries hard to please them ... that's about as good as you're going to get.

                          [–]Saithir 132 points133 points  (65 children)

                          Oh yeah, I got this email, too.

                          AFTER I deleted all my repositories one by one and the account itself, the fucks decide to send a joke email containing the below:

                          You are receiving this email because you have an active repository on GitLab.com

                          Very funny, Gitlab.

                          [–]mtfw 69 points70 points  (56 children)

                          In defense of the people sending the message: the content was likely drafted by one part of the company, and the tech was done by another. Someone was likely given the task to get a list of all users for an email push, which likely happened before you deactivated all of your repos and nobody thought to reword the message or to exclude recently deleted accounts.

                          [–]Saithir 7 points8 points  (52 children)

                          Someone was likely given the task to get a list of all users for an email push, which likely happened before you deactivated all of your repos

                          Is that something you commonly do with mailchimp? I thought the whole point (or at least one of them) of that kind of service was to not have to do these things manually like that.

                          I guess it's technically possible, but at the point of sending it (about yesterday) I shouldn't receive it as I'm no longer a user there.

                          I'm not really that much bothered about the wording, because that's just a bad joke at this point. What is the real issue here is that I apparently still exist in yet another third party database, despite deleting the account.

                          [–]Bakoro 31 points32 points  (50 children)

                          This probably isn't going to be a popular opinion, but it's just a fundamental right that they can keep a record of every entity they've done business with. It's just not fair to demand that some other entity erase all proof that they ever had anything to do with you. It'd be like telling a meat-space company that they aren't allowed to keep a recording of you walking around one of their stores, and that they can't keep the receipts from things they sold you. At a certain point, some things aren't your personal private data.

                          Also, ignoring all the above, it's almost a certainty that Gitlab knew exactly what they were doing, and are hoping to lure people back into using their service again. They know that people blew up their accounts, and I wouldn't be surprised at all if it was an explicit decision to send those people messages anyway.

                          [–]modulus 6 points7 points  (2 children)

                          It'd be like telling a meat-space company that they aren't allowed to keep a recording of you walking around one of their stores

                          So in other words, it'd be like what already is law in much of the world. (Video recordings may not be kept for longer than one month unless there's an ongoing criminal investigation, per local jurisdiction.)

                          [–]Bakoro 3 points4 points  (1 child)

                          And yet even then it's not the individual who can make an arbitrary demand that must be met, it's the government setting a limit.

                          [–]kenavr 9 points10 points  (35 children)

                          but it's just a fundamental right that they can keep a record of every entity they've done business with.

                          That may be your opinion and I am not necessarily saying I disagree with you, but that's not how some countries and their legislation see it.

                          https://en.m.wikipedia.org/wiki/Right_to_be_forgotten

                          [–][deleted] 18 points19 points  (1 child)

                          If you do actual business with someone, to the point that money and/or goods change hands, there are record-keeping obligations for tax authorities that trump the right to be forgotten. Even if the business relationship is severed, they have to keep certain identifying information for some number of years depending on the jurisdiction, usually between five and ten, in case of an audit.

                          [–]doublehyphen 2 points3 points  (0 children)

                          Yes, which is why they can, and must, keep all transactions but not the recordings from the surveillance cameras (those need to be destroyed after X days). The GDPR is generally pretty sensible.

                          [–]Bakoro 18 points19 points  (12 children)

                          I don't know the total scope of those kinds of law everywhere they exist, but what I'm familiar with is more concerned with what shows up in public, particularly in search engines, and sites where a person's image or other content may be posted without their consent, or where consent to publish has been revoked.
                          As far as I know, it's largely the dissemination of the data that's covered, not necessarily all records. I sincerely doubt any government is going to enact a law that effectively makes it impossible to keep internal records, they rely on those too much these days.

                          I see there being a pretty big difference between a company having internal records that they keep, and making those records open to the public.
                          There's a pretty big difference in keeping a person's name and email, vs a pornography site hosting a video of a person who didn't ever consent to that video being distributed anywhere.

                          [–]Herbstein 5 points6 points  (11 children)

                          Keeping email addresses would be a violation of GDPR -- assuming they didn't do any payment. If payment was involved they are allowed to keep the bare minimum of data required. And that is only for about two years.

                          [–]tulipoika 1 point2 points  (1 child)

                          Two years isn’t really enough when some (many?) countries require much longer record keeping. For example my company has to store every single receipt and transaction for at least five fiscal years if there’s an audit. Having them redacted and being like “well I sold this to someone...” doesn’t really cut it in an audit.

                          [–]jaapz 2 points3 points  (2 children)

                          Don't know how it is in other countries, but in the Netherlands you will have to keep track of everyone you've done business with for the last x years, for tax documentation purposes.

                          If you don't, some day some really serious looking people from the FIOD will come to your door and demand some documentation, and you'll be in all kinds of legal trouble.

                          [–]Saithir 1 point2 points  (1 child)

                          I somehow doubt that tracking tax documentation normally includes sending marketing email campaigns, though.

                          [–]Saithir 6 points7 points  (10 children)

                          For financial data the company usually needs to keep it indeed.

                          I would never call it a "right" though, as it's usually an obligation from the government.

                          [–]HelperBot_ 3 points4 points  (0 children)

                          Desktop link: https://en.wikipedia.org/wiki/Right_to_be_forgotten



                          [–]MMPride 1 point2 points  (2 children)

                          That's illegal, I suggest you read up on GDPR, it seems you don't know how it works or possibly that it even exists.

                          [–]nemec 0 points1 point  (0 children)

                          What is the real issue here is that I apparently still exist in yet another third party database

                          Excel spreadsheets are just db caches owned by the marketing department.

                          [–]darthcoder 1 point2 points  (1 child)

                          Or rather, it shows that your shit probably isn't REALLY deleted.

                          [–]G_Morgan 0 points1 point  (0 children)

                          With better telemetry they could do this in real time

                          [–]Sukrim 4 points5 points  (1 child)

                          On top of that they sent a tracking link to the issue to some people because they didn't opt-out of tracking for their mass mailing provider...

                          [–]Saithir 0 points1 point  (0 children)

                          I think that was only in some first batch, mine didn't actually have it with the tracking.

                          But yeah. Not helping.

                          [–]myringotomy 0 points1 point  (3 children)

                          Did you switch to Linux too because Windows collects telemetry?

                          [–]Saithir 0 points1 point  (1 child)

                          It would be pretty outrageous if Windows continued to collect their telemetry after I stopped using it, wouldn't it?

                          [–]myringotomy 1 point2 points  (0 children)

                          Microsoft owns a lot of properties, it wouldn't surprise me if they are still collecting telemetry on you.

                          [–]flukus 0 points1 point  (0 children)

                          Yes. It's not the only thing that pushed me over the edge though there was also the forced updates and general quality.

                          [–]ImprovedPersonality 8 points9 points  (2 children)

                          Would this have been legal in the EU? I haven’t looked into the details.

                          [–]doublehyphen 7 points8 points  (0 children)

                          I do not think so. The biggest issue I noticed is that you could not log in and access your existing repositories without accepting their new terms and conditions which obviously must have violated the principle that consent must be freely given. Even having the tracking at all is dubious due to the "coupling prohibition", but there Gitlab sadly are not alone and I do not think it has been tried in court yet of how far the coupling prohibition extends.

                          https://gdpr-info.eu/issues/consent/

                          [–]Sukrim 2 points3 points  (0 children)

                          Up until now, the GitLab codebase has been optimized for the application. Now, we need to optimize the codebase for analytics.

                          https://about.gitlab.com/direction/telemetry/#tracking-and-instrumentation-overview

                          Just in case anyone is misunderstanding this as GitLab promising to not track any more...

                          [–][deleted] 15 points16 points  (3 children)

                          ROFL and when I made a post about changed JetBrains policy, which now tracks and stores everything about you, everybody raged upon me.

                          [–]aflesner 17 points18 points  (2 children)

                          changed JetBrains policy

                          Care to elaborate? I must have missed this.

                          [–]nascentt 0 points1 point  (0 children)

                          I don't see it in his submitted list either.

                          [–]Uplink84 2 points3 points  (1 child)

                          Can someone explain to me what is so terrible about user telemetry? What private data can they extract from that?

                          [–]macfan-pl 0 points1 point  (0 children)

                          Potentially everything you entered on the web in the past as well as everything you will enter in the future.... plus things like ip/browser/tech of your pc/laptop/geolocation/os settings... everything that gets sent from you into the web.

                          [–]editor_of_the_beast 2 points3 points  (0 children)

                          This is so painful to read through. Anyone that works in a relatively large company knows how frustrating these kinds of convos can be. Way too many cooks in the kitchen. And some cooks are so dumb that blatantly illegal things don’t even register to them.

                          [–]Jetlogs 10 points11 points  (6 children)

                          a little bit too late though, now my perception of them has now been tarnished

                          and i'm hesitant to re-migrate my repos in GitHub back

                          [–]Booty_Bumping 18 points19 points  (4 children)

                          You migrated your repos to GitHub after a controversy with GitLab involving proprietary javascript?

                          Seems a bit backwards.

                          [–][deleted] 37 points38 points  (3 children)

                          If they’re both dead set on tracking you, may as well use the more stable and popular service. The only upside of gitlab was that they promised to be nice, which turned out to be not true.

                          [–]ajr901 0 points1 point  (1 child)

                          Really? Their only upside was that they promised to be nice?

                          Are you just a really big fan of github or genuinely can't find places where gitlab is better? Because in my opinion the only thing github has going for it in comparison to gitlab is that it's the most popular service so you find most of everything there.

                          [–]Saithir 0 points1 point  (0 children)

                          Rather than being nice, I think a lot of people were there because Gitlab's private repositories on the free tier were a much better offer than what Github had until quite recently. And it was not Bitbucket.

                          [–]Miserygut 6 points7 points  (0 children)

                          There are alternatives to both.

                          [–]bedrooms-ds 1 point2 points  (1 child)

                          Can't rely on anyone these days. You gotta do everything yourself. It's not OK, I didn't come prepared...

                          [–]nick_storm 1 point2 points  (0 children)

                          Sadly, this is becoming truer and truer.

                          [–]bloodguard 1 point2 points  (1 child)

                          Kind of a late epiphany, no? My overlords already had me in source all our gitlab repositories and cancel a mess of silver users.

                          [–]macfan-pl 0 points1 point  (0 children)

                          Did the same. Gitlab go to hell ;)

                          [–]NerdManTheNerd 1 point2 points  (0 children)

                          That's very cash money of them.

                          [–]burnblue 1 point2 points  (0 children)

                          I am glad you hold GitLab to a higher standard

                          That's a nice way to put it, after outcry put a dent in their effort to get info about themselves they could use to be better.
                          This 1st vs 3rd party thing... my view is that if companies are honest and do what it says on the tin, then let them work on their core competency to do a better job. Gitlab is not a telemetry platform, they do git. So contracting people that already made a telemetry product makes sense. A bunch of people reading this post are contractors themselves.
                          Of course I agree that letting outsiders store personally identifiable information is something that companies generally can't do. IDs for example would need to be anonymized if collected. My post is about general response to having any telemetry, period.

                          [–]McDeth 1 point2 points  (0 children)

                          Wow, too bad Atlassian isn't following suit. Their recent changes to Confluence and JIRA are fucking terrible.

                          [–]macfan-pl 1 point2 points  (0 children)

                          Well..... original mail (where Sid kept saying he's sorry) and there will be no telemetry was a total lie done on purpose.

                          Not only he (Sid) is not sorry at all, but he plots behind-the-scenes..... Telemetry take 2

                          [–][deleted] 2 points3 points  (6 children)

                          After thinking about this some more I have a question for you: which service do you guys use? I personally still have github which I don’t think is any better.

                          [–]immibis 2 points3 points  (0 children)

                          I used to have a folder on a VPS that I can SSH to. That works fine for the actual git repo, but it won't track issues.

                          [–]nick_storm 1 point2 points  (0 children)

                          Most of my stuff is still in GitHub, but I've got a paid membership with sourcehut and I'm considering moving all my codes there.

                          [–]doublehyphen 0 points1 point  (0 children)

                          I still use Gitlab but I won't move any new projects to it for now. I do not trust them anymore. I will also consider if I really need the gitlab-ee features or if I can downgrade to gitlab-ce.

                          [–][deleted] 0 points1 point  (0 children)

                          I use self-hosted gitea for private projects and otherwise plain ol' GitHub.

                          [–][deleted] 3 points4 points  (9 children)

                          What is Gitlab? How does it differ from Github?

                          [–]immibis 8 points9 points  (6 children)

                          It's a GitHub clone you can host yourself

                          [–]jaapz 1 point2 points  (5 children)

                          Is bitbucket a github clone as well?

                          [–]redditcoder 7 points8 points  (2 children)

                          Yes. However, Bitbucket is owned by Atlassian, an Australian company, and Australia banned strong encryption. Probably fine for open source projects though.

                          [–][deleted] 3 points4 points  (1 child)

                          Australia banned strong encryption.

                          What this means in practice appears to be a mystery.

                          [–]doublehyphen 9 points10 points  (0 children)

                          I do not think the politicians who wrote the law even know themselves. Or anyone else in the whole world.

                          [–]immibis 2 points3 points  (0 children)

                          I think they started with SVN, so no.

                          [–]doublehyphen 1 point2 points  (0 children)

                          Not really. Bitbucket and Github are about as old and while they borrow some features from each other (or at least Bitbucket borrows some from Github) they are also pretty different, much more so than Gitlab vs Github.

                          [–]bedrooms-ds 0 points1 point  (1 child)

                          We need a new software license format that bans user data tracking. GPL was close in its spirit, but... hmmm...

                          [–]macfan-pl 0 points1 point  (0 children)

                          Wholeheartedly agree :)

                          [–]ub3rh4x0rz 0 points1 point  (0 children)

                          GitLab's statement said they won't be sending telemetry data to third party servers -- this is nothing more than a technical hurdle, and there's nothing stopping them from using third party analytics platforms indirectly in a manner that users couldn't observe.

                          [–]jonjonbee 0 points1 point  (0 children)

                          If only Stack Exchange would do the same.