Description
Current behavior
Telemetry is enabled by default and sends a ping every 23 hours to a hardcoded URL. Users must explicitly opt out via `RTK_TELEMETRY_DISABLED=1` or `[telemetry]\nenabled = false` in config.
`src/core/telemetry.rs` lines 19-53:
```rust
pub fn maybe_ping() {
    // No URL compiled in -> telemetry disabled
    if TELEMETRY_URL.is_none() {
        return;
    }
    // Check opt-out: env var
    if std::env::var("RTK_TELEMETRY_DISABLED").unwrap_or_default() == "1" {
        return;
    }
    // ... proceeds to send
}
```
Data collected
- Device hash (SHA-256 of hostname + username + random salt stored locally)
- RTK version, OS, architecture, install method
- Command count (last 24h) and top 5 command names
- Token savings percentage
Concerns
- Developer tools should not phone home by default. This is a security-sensitive tool that sits between the developer and their shell commands. Default-on telemetry erodes trust.
- Device hash is not truly anonymous. SHA-256(hostname:username:salt) is reversible if an attacker knows the target space. For a developer tool used on corporate machines, this is a privacy risk.
- Enterprise adoption blocker. Many companies ban tools that make outbound network connections without explicit approval.
Proposed change
- Default telemetry to OFF. Only enable if the user explicitly sets `RTK_TELEMETRY_ENABLED=1` or adds `[telemetry]\nenabled = true` to config.
- Print a one-time notice at first run explaining what telemetry collects and how to enable it (similar to Rustup, Homebrew, etc.)
- Honor the existing opt-out env var for backward compatibility with existing users
Acceptance criteria
- `maybe_ping()` returns immediately unless explicitly enabled
- First-run message informs user about optional telemetry
- All existing opt-out mechanisms continue to work
- Documentation updated to reflect opt-in default
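
A sketch of the opt-in gate the proposal and acceptance criteria describe, added here as an illustration; it is not code from the issue or from the RTK repository. `TelemetryConfig` and `telemetry_allowed` are hypothetical names, and letting an opt-out override a conflicting opt-in is an assumption the issue does not spell out.

```rust
// Added illustration; not code from the RTK repository.
// `TelemetryConfig` and `telemetry_allowed` are hypothetical names.

/// Parsed `[telemetry]` section; `None` means the `enabled` key is absent.
#[derive(Default, Clone, Copy)]
pub struct TelemetryConfig {
    pub enabled: Option<bool>,
}

/// Decide whether a ping may be sent under the proposed opt-in default.
/// `env` stands in for `std::env::var` so the decision can be tested
/// without touching the real process environment.
pub fn telemetry_allowed<F>(url_compiled_in: bool, cfg: TelemetryConfig, env: F) -> bool
where
    F: Fn(&str) -> Option<String>,
{
    // No URL compiled in -> telemetry disabled (same as the current code).
    if !url_compiled_in {
        return false;
    }
    // Existing opt-outs are checked first, so users who already opted out
    // stay opted out. Assumption: opt-out beats a conflicting opt-in.
    if env("RTK_TELEMETRY_DISABLED").as_deref() == Some("1") || cfg.enabled == Some(false) {
        return false;
    }
    // Opt-in: only an explicit signal enables the ping; absence means off.
    env("RTK_TELEMETRY_ENABLED").as_deref() == Some("1") || cfg.enabled == Some(true)
}

fn main() {
    // Wire the gate to the real environment; no config file is loaded here.
    let allowed = telemetry_allowed(true, TelemetryConfig::default(), |k| std::env::var(k).ok());
    println!("telemetry allowed: {}", allowed);
}
```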