[hansonkd]

Really excited to see this project gain traction.

> Note that this graph is generated remotely with the contents of your `tach.toml`

Isn't shipping off parts of your codebase to a 3rd party without warning in the CLI a security risk? Or in regulatory environments you get audited that your code was only stored on properly vetted services which is why some sales cycles for AI coding assistant tools are so long. It would be kind of frustrating to have something like that happen and get set back on licensing, etc.

Just from the video it doesn't seem like any sort of warning that you are shipping config files to your servers and the URL that you produced doesn't seem to have any authentication.

Maybe i am misunderstanding that functionality, but it gives me pause to use it.

[0x63_Problems]

Co-author here, fair question!

In short, we want to make the visualization UX as smooth as possible, and this is best done with a web app. The URLs use UUIDs, and the contents being sent don't include literal source code, only module names and Tach configuration. We will also delete graphs by UUID on request, and have done so in the past.

That said, we do try to be up-front about this, which is why that disclaimer exists, and when running this command on the CLI, you must supply an explicit `--web` argument to `tach show`. Otherwise, the default behavior is to generate a GraphViz DOT file locally.

[ycombiredd]

If it outputs DOT, I can recommend you visualize your graphs with PHART ( https://github.com/scottvr/phart/ )

I’m mostly kidding but incidentally PHART was born in order to visualize Python dependency graphs in-line in 7-bit ASCII because I wanted the functionality in my dependency analyzing code summarizing concatenator tool I was using to aid in pair-programming with ChatGPT and Claude when codebases started outgrowing useful context lengths. That tool is here https://github.com/scottvr/chimeracat/ (it is nowhere as slick-looking as OP’s app, but also that is by design.)

The first time someone in public said they were curious to see the chimeracat output for his company’s codebase was also the first time I considered “wow.. how do I make sure people know they can trust chimeracat isn’t stealing their code?” and started thinking of ways to give people that surety and safety for any app, because so realized that though it was my first time to think about how “code analysis” tools like this, it even linters, prettifier’s etc. are a fertile ground for subterfuge and espionage, it was no doubt not the first time the thought had occurred elsewhere, and likely to at least a handful of folks who would (and no doubt are) putting such tools out there in the wild.

[airstrike]

> we want to make the visualization UX as smooth as possible

still doesn't explain why you need to ship the data to a third party

> and this is best done with a web app

debatable. you could always write a GUI app. it's not that hard for such a self-contained project

there would be _a lot_ to gain from having this run totally locally without any network access and leaking source code to third parties.

[tyre]

> you could always write a GUI app. it's not that hard for such a self-contained project

beautiful HN comment. They might simply be familiar with web apps and want to focus on the part that provides the most value to users.

The external network requests are optional. It can run fully locally.

They’re a tiny startup that just launched, trying to ship something that helps people. Building a native app is not the most impactful thing they could spend their time on.

[airstrike]

The part that provides most value to users is not shipping data to third parties needlessly. I can write the GUI for this app in a week.

[Majestic121]

Good thing that it is open source then, it means you can fix this issue in a week !

[airstrike]

I totally can! I just won't, because I already have more valuable endeavors on which I plan to spend time over the next... 104 weeks, give or take.

[bmitc]

Why not just let users run the web app locally? There's no reason it needs to be remote.

Also, the mere fact that it sends any data, no matter what you say it contains is a non-starter at many places. And even module names can contain proprietary data.

[0x63_Problems]

I can understand the frustration, but I think there are legitimate reasons to run this remotely.

Tach is an installable Python package, shipping a full web app would have to come in a separate form factor and has significant maintenance implications. Given we are explicit about the remote app before anything is sent, require explicit opt-in, and we provide usable alternatives locally, we prioritize shipping a useful graph experience that is immediately usable.

If you are at an enterprise that cannot tolerate this, then you can use a local viewer with either GraphViz DOT format or Mermaid which is generated by using `tach show` or `tach show --mermaid` respectively.

[byteknight]

I appreciate the attempt but the reasoning of "it requires maintenance" is entirely moot. You have to do this regardless. Its just whether or not you publish it open-source. You are still saying, internally, this is good enough for customers, when you push it out.

This is a (very) thinly veiled attempt at a closed garden of sorts, IMHO. Its a "clean" excuse for not giving away the milk for free, but it falls short on actual reasoning.

[jlg23]

Looking at the license (MIT) we already got much more than what we paid for and the authors don't "have to" do anything but accept thanks of those who chose to be grateful for software they got for free.

[9question1]

This. It's ridiculous how often people complain about the design of free software. If you don't like it, just don't use it! Use something else! Build your own! Or fork it to work in the way you described that you'd prefer - you can do that yourself if you really want since the source is available

[bmitc]

This has nothing to do with being grateful or not.

[cmcconomy]

I am having an allergic reaction too, I don't see any reason this should exfiltrate any information from my machine.

[bolognafairy]

Since you’re being somewhat brigaded by the “everything local!” mob, I just wanna say that this all sounds completely reasonable to me. Some people hate being told that their demographic just isn’t currently being catered to exactly in the way that they want. I’m sure that these people working on things so utterly Top Secret can wait a while for your new little tool to support them. They’re just mad they can’t use it at Meta or whatever.

[bmitc]

To be clear, I'm not frustrated. Just providing feedback.

[globular-toast]

There are hundreds of "full web apps" on PyPI. What's special about yours?