[feross]

> devs I know are very sensitive to ads/privacy, much more so than to paying money

In case it's not clear to other readers: `funding` had no tracking, no data collection, and no code from untrusted third parties. It was a `console.log` with some fancy formatting.

> Despite your good intentions, your ads will involve analytics/tracking, which you ultimately can't control

They certainly would not. I was very clear to the sponsors that there would be no analytics. I even took pains to ensure only plain ASCII (excluding control characters) could be printed out. https://github.com/feross/funding/blob/58b090c51ce94de32107d...

[quantummkv]

> In case it's not clear to other readers: `funding` had no tracking, no data collection, and no code from untrusted third parties. It was a `console.log` with some fancy formatting.

The same was said about the early banner ads, early popup ads, early..... Well I think you get the point.

> They certainly would not. I was very clear to the sponsors that there would be no analytics.

The real danger is not that you are untrustworthy to uphold this on your packages. The real danger here is the normalisation of this behaviour. You might not add tracking. But once the big advertisers jump, they will want analytics. How much time would it take for a fork with tracking to appear? And thanks to the incentives and pressures, this will overtake and become the standard, as it happened across the web.

You might not do it, but there is no guarantee others will not. It's best to not keep the temptation there.

[wakeywakeywakey]

The Ad space has developed an elaborate set of acronyms and jargon (CPC, CPM, ..) precisely because advertisers care to track such things to determine how effectively they are budgeting.

You start with no tracking, then two months later we get another blog post explaining how you still haven't recouped your time investment and now need to do "just a tiny bit of anonymous reporting". This power creep is what turns people off.

[JMTQp8lwXL]

> In case it's not clear to other readers: `funding` had no tracking, no data collection, and no code from untrusted third parties. It was a `console.log` with some fancy formatting.

It starts as that, but is the community right to question where it might ends? Today is plain ASCII -- tomorrow is HTTP requests to ad companies in postinstall. Even if wasn't in 'funding', it could happen somewhere else. Somebody (not you) quietly adds a new NPM dependency to a popular project, and in that new module, the advertiser now has analytics on that package's usage, in addition to the console real estate space.