Pierre BouillonRecently on the r/dotnet Reddit community, a new post has been published with an alarming title: Does Moq in it's latest version extract and send my email to the cloud via SponsorLink?.
Since then, there have been a lot of discussions around it, but what is this all about?
Starting from the beginning
To gain a proper understanding of the situation, let's begin by providing an overview of Moq itself.
Moq was is a popular .NET mocking library that has accumulated over 475.7 million downloads as of now.
For more than 10 years, Daniel Cazzulino (or @ksu) has been diligently building and refining it.
When comparing it to one of its most well-known alternatives, NSubstitute, which has "only" reached 85.6 million downloads, it is fair to say that Moq is the most widely used mocking library in the .NET ecosystem.
Setting the scene
Earlier this year, @ksu released a new project named SponsorLink in a blog post named SponsorLink: trying something new-ish for OSS sustainability.
The primary objective of this project, as outlined by the author, is to establish a direct connection between projects and your GitHub account:
So the goal of SponsorLink is to connect in the most direct way possible your sponsorship with your library author’ sponsor account. And since the place where you spend most of the time enjoying your fellow developers’ open source projects is inside an IDE (..), I figured that’s the first place where you should be reminded that either
This approach allows sponsors of a GitHub library through the GitHub Sponsorship program to potentially access additional features, receive thank-you messages within their IDE, or more.
However, an alternative perspective on SponsorLink, albeit less flattering, is that the project is capable of identifying individuals running a project containing it by transmitting their email addresses to the cloud.
Worse: it doesn't merely capture your email address; it also extracts all email addresses present in the git history of your project. Depending on your project's lifespan, this could involve a significant number of addresses.
Claims have been made that these addresses are hashed and so forth, but the DLL is closed-source and obfuscated. Given the nature of this project, such practices raise suspicions, to say the least.
In the blog post itself, people raised concerns about its ethical considerations:
What went wrong
By now, you have likely guessed what went awry.
A couple of days ago, @kzu submitted a Pull Request, announcing that SponsorLink was now integrated into Moq, thereby harvesting email addresses of the developers utilizing it in their projects:
Add 💜 SponsorLink support
#1363
See https://www.cazzulino.com/sponsorlink.html and https://github.com/devlooped/SponsorLink
Let's thank everyone who supports the project 💜
This Pull Request received a largely negative reception and prompted a significant number of projects to replace Moq within their codebases.
Shortly after, various issues raising privacy concerns has been opened:
Privacy issues with SponsorLink, starting from version 4.20
#1372
There's a related discussion on Reddit: https://www.reddit.com/r/dotnet/comments/15ljdcc/does_moq_in_its_latest_version_extract_and_send/
It seems that starting from version 4.20, SponsorLink is included. This is a closed-source project, provided as a dll with obfuscated code, which seems to at least scan local data (git config?) and sends the hashed email of the current developer to a cloud service. The scanning is provided as a .NET analyzer tool, which runs during the build. There is no option to disable this.
I can understand the reasoning behind it, but this is honestly pretty scary from a privacy standpoint.
Any chance this can be reverted?
What now?
This update has some questionable points such as collecting the user's data by default without an opt-in/out option (defying GDPR) or adding closed source and obfuscated add-on without any consent of the community.
For now, it seems that people are running away from it and companies are blocking the library. Some are also reporting the 4.20 version, which introduced SponsorLink.
However, it's important to also take into account the perspective of the maintainer, especially given the challenging landscape many open-source maintainers face in sustaining their projects. Open-source maintainers often struggle to find sustainable ways of supporting their work.
In a new issue, the maintainer of Moq expresses the desire to gather feedback on how their Open Source projects could receive better support:
SponsorLink and supporting OSS more broadly
#1374
Trying to aggregate the various issues into one to collect feedback.
I invite everyone to read the SponsorLink announcement to understand the intention behind it. No nefarious purpose, I promise!
With that in mind, I'm obviously open to suggestions that help achieve both your goals and mine :)
NOTE: 4.20.2 removes SponsorLink since it breaks MacOS/Linux restore. I'll take the opportunity to collect more feedback. The underlying issue still needs addressing, IMHO.
Despite the apparent goodwill, SponsorLink remains included in Moq as of now and, I think, its reputation permanently damaged as the implicit trust most people had in it has been broken.
If you are more of a listener than a reader, check out @elfocrash video on the subject, who did a great job summarizing everything:
I hope that you learnt something useful there!
Photo by Jason Blackeye on Unsplash
