[ninjin]

Thank you, that could be it. Then again, there would at least have to be a separate log somewhere on the same box with IPs to counter abuse. I think creating and using a UUID without explicit opt-in is still a red line for me, but I do concede that I could very well be too paranoid for the good of myself and the community as a whole.

I should probably get back into the Discourse thread to see if I can contribute constructively, but the amount of back and forth between mostly “My freedom!” and “Tū quoque!” [1] in the thread over the weekend – apart from me being far too busy to take the time to summarise it all – has kept me away, although it looks way better over the last few hours. With the little free time I have I would rather work on my Julia code. '^^

[1]: https://en.wikipedia.org/wiki/Tu_quoque

[fiddlerwoaroof]

Yeah, it sounds like they’re designing a way for package authors to get usage stats: imo, this extra piece of data doesn’t really help the server owners de-anonymize because it’s less identifying than the data the server is already collecting as an http server (especially if it’s in an unlogged part of the request like a header or a post body). But, even if it is a privacy risk relative to the server owners, it’s preferable that data derived from this uuid be shared with package authors, rather than IP-based data, because it’s based on a less-identifying datasource, which means that even if someone were to breach the database, they’d have less ability to de-anonymize people.

Also, I find this whole discussion to be somewhat irrelevant when talking about a service serving up arbitrary code to be executed on your machine: if you don’t trust the server owners, you really shouldn’t be executing the code they serve up.