rtk-ai/rtk

privacy: change telemetry from opt-out to opt-in

Open

#1,154 建立於 2026年4月10日

在 GitHub 查看
 (1 留言) (0 反應) (0 負責人)Rust (2,914 fork)batch import
area:configeffort-mediumenhancementhelp wantedpriority:high

倉庫指標

Star
 (48,085 star)
PR 合併指標
 (平均合併 11天 1小時) (30 天內合併 45 個 PR)

描述

Current behavior

Telemetry is enabled by default and sends a ping every 23 hours to a hardcoded URL. Users must explicitly opt out via `RTK_TELEMETRY_DISABLED=1` or `[telemetry]\nenabled = false` in config.

`src/core/telemetry.rs` lines 19-53:

```rust pub fn maybe_ping() { // No URL compiled in -> telemetry disabled if TELEMETRY_URL.is_none() { return; } // Check opt-out: env var if std::env::var("RTK_TELEMETRY_DISABLED").unwrap_or_default() == "1" { return; } // ... proceeds to send } ```

Data collected

  • Device hash (SHA-256 of hostname + username + random salt stored locally)
  • RTK version, OS, architecture, install method
  • Command count (last 24h) and top 5 command names
  • Token savings percentage

Concerns

  1. Developer tools should not phone home by default. This is a security-sensitive tool that sits between the developer and their shell commands. Default-on telemetry erodes trust.

  2. Device hash is not truly anonymous. SHA-256(hostname:username:salt) is reversible if an attacker knows the target space. For a developer tool used on corporate machines, this is a privacy risk.

  3. Enterprise adoption blocker. Many companies ban tools that make outbound network connections without explicit approval.

Proposed change

  1. Default telemetry to OFF. Only enable if the user explicitly sets `RTK_TELEMETRY_ENABLED=1` or adds `[telemetry]\nenabled = true` to config.

  2. Print a one-time notice at first run explaining what telemetry collects and how to enable it (similar to Rustup, Homebrew, etc.)

  3. Honor the existing opt-out env var for backward compatibility with existing users

Acceptance criteria

  • `maybe_ping()` returns immediately unless explicitly enabled
  • First-run message informs user about optional telemetry
  • All existing opt-out mechanisms continue to work
  • Documentation updated to reflect opt-in default

貢獻者指南