
Docker Desktop, unlike the docker command line tool and dockerd server, is not free software, and isn't even source available. It also transmits a HUGE amount of sensitive data about your system to Docker without your consent, so it's spyware.

I can't really recommend avoiding this software any higher than I do. If you work on any sort of private codebases or under NDA, this thing is a liability magnet.

Install the free software command line tool via a package manager (not brew, that one is also spyware) and set

    DOCKER_HOST="ssh://root@remotehost.example.com"

in your environment.

Don't develop with nonfree software and tools.
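The post above only shows the one DOCKER_HOST value it recommends. As an added example (my own, not the commenter's, and not part of the thread), the shell function below classifies any DOCKER_HOST value the docker CLI accepts and rejects the one transport that would send daemon API traffic unencrypted: a tcp:// endpoint without DOCKER_TLS_VERIFY=1. The host names and addresses in the checks are constructed samples.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies a DOCKER_HOST value by
# transport and returns 1 for a configuration a defender should refuse.
# Assumes only POSIX sh. DOCKER_TLS_VERIFY is the real docker CLI variable
# that makes the client require a verified TLS connection for tcp:// hosts.

docker_host_check() {
  host="$1"
  case "$host" in
    "")
      # Empty or unset: the CLI talks to the local daemon socket.
      echo "local: default socket"
      return 0 ;;
    unix://*)
      echo "local: unix socket"
      return 0 ;;
    ssh://*)
      # Strip the scheme, then pull out the optional user@ part.
      rest="${host#ssh://}"
      user="${rest%%@*}"
      if [ "$user" = "$rest" ]; then user=""; fi
      if [ "$user" = "root" ]; then
        echo "remote: ssh as root"
      else
        echo "remote: ssh"
      fi
      return 0 ;;
    tcp://*)
      if [ "${DOCKER_TLS_VERIFY:-}" = "1" ]; then
        echo "remote: tcp with TLS verification"
        return 0
      fi
      # Plain tcp:// exposes the full daemon API (root-equivalent) in the clear.
      echo "reject: tcp without DOCKER_TLS_VERIFY=1"
      return 1 ;;
    *)
      echo "reject: unknown scheme"
      return 1 ;;
  esac
}

# Stand-alone usage: check whatever is in the current environment.
docker_host_check "${DOCKER_HOST:-}"
```

Run it as `DOCKER_HOST=ssh://root@remotehost.example.com sh check.sh`; a non-zero exit means the value should not go into a shell profile as-is.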




> It also transmits a HUGE amount of sensitive data about your system to Docker without your consent, so it's spyware. [...] If you work on any sort of private codebases or under NDA, this thing is a liability magnet.

Can you please share a full list of what gets transmitted with and without having the "Send usage statistics" option enabled? I'm assuming you have this data available because the wording of your reply is so specific.


Crash it and look in $TMPDIR for a zip it uploads.


sneak, the commenter didn't ask how to reproduce it, they asked what it sends. What is in the zip file and what exactly does it upload when it crashes? Are you certain that it uploads the whole zip file upon a crash?


The commenter asked for free research, which I'm not about to reproduce for them (at a minimum it takes the time to format/reinstall a machine), so rather than not answer I told them precisely what they need to do to get the data they desire.


> The commenter asked for free research, which I'm not about to reproduce for them

Not really. You specifically wrote that anyone using Docker Desktop is now liable for breaking NDAs and that a "HUGE" amount of sensitive data about your system is being sent to Docker without consent.

I mean, I'm taking for granted here that you didn't wake up yesterday with intent to write those sentences without having ever done the research yourself at least once. You're the one making these claims. If you've done the research, why not just post it here so other folks can verify what you're saying?

What I'm getting from your latest reply is you're trying to make it sound way worse than it is and are using a lack of information to guide folks into thinking the worst case scenario by filling in the gaps with their own interpretation of what you wrote.

Transmitting a crash dump is much different than them sending sensitive data without your consent, especially considering you can turn the "send usage stats" option off which no longer sends crash dumps, and the dump itself is only sent on a crash. Also the help text under the option says that it sends crash dumps too.

Your original reply made it seem like every time you run a container with a volume, the contents of your source code is sent to Docker because in a lot of people's minds that's a "HUGE" amount of sensitive data and ties into your "private code base" and NDA liability sentence before.


> I'm taking for granted here that you didn't wake up yesterday with intent to write those sentences without having ever done the research yourself at least once. You're the one making these claims. If you've done the research, why not just post it here so other folks can verify what you're saying?

I have provided specific instructions for verifying precisely what I'm saying. I'm not going to spend hours reproducing this simply because I'm being cross-examined in a comment. It is immaterial to me if you believe my reports of the truth or not.


The creation of a .zip file in $TMPDIR does not imply uploading.


You're right. The software uploading the zip is what plainly indicates uploading.


It's been a long time since I had Docker Desktop crash on me (it seems to be very stable these days), but I was sure there was an optional "send crash report" button?


It sends spy data even when it doesn't crash, too.


> Don't develop with nonfree software and tools.

Don't try to dictate to others how they should work, as though you're some kind of oracle on the topic.

I'll decide (together with my employer, when appropriate) what software and tools to use, based on a range of factors. Free-ness may be one of those factors, but it doesn't get to unconditionally veto everything else.


It's just a strong recommendation, GP isn't pretending to have authority over HN commenters. This type of 'command as suggestion' construct is pretty common in modern English.


No, it's not a suggestion, it's definitely a command.

Don't use nonfree tools, or you'll become a sharecropper ripe for abuse, such as the complete and utter "it's our computer now, fucko, even though you paid for it" nonsense demonstrated in TFA.

Free software can't behave like this because the moment it tries we'll simply patch it out.

See also: vscodium, ungoogled chromium.


> vscodium

Wow, I had no idea this existed. Thanks for mentioning it. I block the telemetry with settings and with Little Snitch, but this is what I needed from the beginning.


Just as a warning, if you use vscodium you will not be able to use some extensions, including Remote-SSH.


As another warning: those extensions aren't free software to begin with.


Sure but not everyone is a "free software only" person either. VSCodium comes at a price if you invested time in learning those extensions which won't work in it.


> not brew, that one is also spyware

how is brew spyware?


It transmits your on-device activity to Google without consent. It includes a unique tracking identifier generated on install that never changes, like a supercookie. Every time you run brew, it transmits this to Google, which allows Google to assemble a city-level tracklog of your device based on client IP geolocation, along with a list of all the packages you have installed, and when.

It does this silently, and without obtaining any sort of consent, which is why most people are unaware that homebrew is spying on them.


I’m not sure where you get your facts?

> You will be notified the first time you run brew update or install Homebrew. Analytics are not enabled until after this notice is shown, to ensure that you can opt out without ever sending analytics data.

- https://docs.brew.sh/Analytics


Yes, it says this once at install time, and does not obtain any form of consent to spying.

Then, at runtime, it proceeds to silently transmit the data each time you run brew.


I'm confused: the brew developers say you can run `brew analytics off` to "prevent analytics from ever being sent" [1]. Is this not accurate? Are analytics still being sent? Is your concern with the consent, or are the brew developers lying when they say this command prevents analytics from being sent?

1: https://docs.brew.sh/Analytics


I think what he means is that there isn't explicit consent given for the analytics, as in opt-in rather than opt-out. You can disable it but that's not the same.


When they implemented it, they opted everyone in and buried the notice in a wall of text. I only caught it when Little Snitch notified me that brew was reaching out to Google.

The project still doesn't seem to understand how bad of a mistake this was and how bad their response to it was. But as the project lead told us while playing the victim, if we're not contributors, our opinions on the matter mean nothing.


Why to Google?


You'd have to ask the homebrew developers that.

Every time I've ever seen anyone question their decision to embed Google spyware in their product, however, the GitHub issues are closed and locked, so I don't know if you'll have very good luck. I stopped trying to convince them to behave ethically and simply use nixpkgs now instead (which incidentally in my experience works better) and do my best to inform people about the facts so they can make their own decisions (something I wish homebrew would do, instead of deciding for them to use their computer to spy).


It uses Google Analytics.


So the GP is wildly overblown? How is Google Analytics spyware?


What is spyware to you? If it's spying on me without consent and sending private information about my computer it is definitely spyware, regardless of the database they use.

Since they don't ask for consent and use PII, it is illegal under GDPR, probably CCPA and other laws too. It's also Not Nice™.


What private information about your computer is it sending? Browser, OS, screen size, location, ISP. Under GDPR, and the way I see things, none of that is PII.


It generates a unique identifier which it transmits on each invocation. The identifier uniquely identifies the installation of homebrew, linking all of those other bits of data together across time and space.


I opened this ticket 3.5 years ago and they still violate GDPR https://github.com/docker/for-mac/issues/2122
