rtk-ai/rtk

privacy: change telemetry from opt-out to opt-in

Open

#1.154 aberto em 10 de abr. de 2026

Ver no GitHub
 (1 comment) (0 reactions) (0 assignees)Rust (2.914 forks)batch import
area:configeffort-mediumenhancementhelp wantedpriority:high

Métricas do repositório

Stars
 (48.085 stars)
Métricas de merge de PR
 (Mesclagem média 11d 1h) (45 fundiu PRs em 30d)

Description

Current behavior

Telemetry is enabled by default and sends a ping every 23 hours to a hardcoded URL. Users must explicitly opt out via `RTK_TELEMETRY_DISABLED=1` or `[telemetry]\nenabled = false` in config.

`src/core/telemetry.rs` lines 19-53:

```rust pub fn maybe_ping() { // No URL compiled in -> telemetry disabled if TELEMETRY_URL.is_none() { return; } // Check opt-out: env var if std::env::var("RTK_TELEMETRY_DISABLED").unwrap_or_default() == "1" { return; } // ... proceeds to send } ```

Data collected

  • Device hash (SHA-256 of hostname + username + random salt stored locally)
  • RTK version, OS, architecture, install method
  • Command count (last 24h) and top 5 command names
  • Token savings percentage

Concerns

  1. Developer tools should not phone home by default. This is a security-sensitive tool that sits between the developer and their shell commands. Default-on telemetry erodes trust.

  2. Device hash is not truly anonymous. SHA-256(hostname:username:salt) is reversible if an attacker knows the target space. For a developer tool used on corporate machines, this is a privacy risk.

  3. Enterprise adoption blocker. Many companies ban tools that make outbound network connections without explicit approval.

Proposed change

  1. Default telemetry to OFF. Only enable if the user explicitly sets `RTK_TELEMETRY_ENABLED=1` or adds `[telemetry]\nenabled = true` to config.

  2. Print a one-time notice at first run explaining what telemetry collects and how to enable it (similar to Rustup, Homebrew, etc.)

  3. Honor the existing opt-out env var for backward compatibility with existing users

Acceptance criteria

  • `maybe_ping()` returns immediately unless explicitly enabled
  • First-run message informs user about optional telemetry
  • All existing opt-out mechanisms continue to work
  • Documentation updated to reflect opt-in default

Guia do colaborador