20 comments

[ 2.1 ms ] story [ 72.8 ms ] thread
[flagged]
What do you mean? What does this have to do with Windows?
Please see the guidelines on comment etiquette. This is in poor taste and further, unrelated to OSes.
I use C# and Moq on macO$ (or whatever is the cool way to write it), as does about 3/4 of our dev team.
Hashed emails are not one way functions because the number of possible emails is so low and are trivially bruteforced, this is definitely a privacy leak.
And privacy leaks nowadays trigger CCPA and GDPR, neither of which are optional to adhere to in any way.
I truly believe that all this awareness around "supply chain" security is a fantastic opportunity for FOSS maintainers to gain financial independence.
I doubt it. I think more likely it will actually have people being more choosey in their dependencies and looking at the governance structures of projects so that one guy can't go off the rails and create hundreds of hours of unplanned work.
And "governance structures" is exactly what FOSS maintainers can sell.
In short: author of Moq adds the dependency SponsorLink, which is an obfuscated closed source library that collects and uploads data from the developer's machine when the developer builds a project that includes a dependency on Moq. The collected data happens to be the hash of the globally configured git email address of the user at this point in time.

I simply cannot understand why someone, especially the author, would think this is a good idea. How can you not predict this will create a backlash and push users away?

But he asked his friends and they thought it was a good idea: https://www.cazzulino.com/sponsorlink.html

> I discussed this approach with fellow developers and it sounded unanimously reasonable.

Who would think that entering a GDPR/CCPA hellhole of PII collection is "reasonable"?

"I asked this one guy who's just as ignorant as me and he thought it was totally cool, so no way you should have a problem with it".
The reason is the same reason developers include Bonzi Buddy and similar malware with their software:

Because it earns money. Money talks and bs walks.

We talked about this at $WORK today, it's already on the board to be pulled out and replaced with an alternative.

The guy's got a valid point, especially as many Big Tech companies are using it, but this is a massively fucked up way to go about it. If you're going to do this, what else are you going to exfiltrate under the guise of open source sponsorship?

Pin to 4.18 until you've got a migration plan.

This is the only possible response many of us are able to give to this issue.

Trust has been completely destroyed. What if the next malware attempt isn’t discovered immediately? Anyone continuing to use Moq is opening their company up to possible litigation.

Anyone know of a good drop in replacement? Internally we’ve gotten the ok for our next release to continue with this software pegged to a pre 4.20 release, but we’ve also been given the directive to “dump this guy” as soon as possible.

There’s NSubstitute. Haven’t used it personally but I’ve read good things about. I will have to look into at work as well since we’re also using Moq.
NSubstitute is good, I used it at a previous job.

I've favored Moq in the past because I think there are a couple of things it makes a bit easier or is a bit less opinionated about, but NSub is perfectly cromulent as well.

Someone posted a quick guide to migrating a bunch of it easily in one of the issues in the Moq repo discussing this whole mess: https://github.com/moq/moq/issues/1374#issuecomment-16712411...