Hashed emails are not one way functions because the number of possible emails is so low and are trivially bruteforced, this is definitely a privacy leak.
I doubt it. I think more likely it will actually have people being more choosey in their dependencies and looking at the governance structures of projects so that one guy can't go off the rails and create hundreds of hours of unplanned work.
In short: author of Moq adds the dependency SponsorLink, which is an obfuscated closed source library that collects and uploads data from the developer's machine when the developer builds a project that includes a dependency on Moq. The collected data happens to be the hash of the globally configured git email address of the user at this point in time.
I simply cannot understand why someone, especially the author, would think this is a good idea. How can you not predict this will create a backlash and push users away?
We talked about this at $WORK today, it's already on the board to be pulled out and replaced with an alternative.
The guy's got a valid point, especially as many Big Tech companies are using it, but this is a massively fucked up way to go about it. If you're going to do this, what else are you going to exfiltrate under the guise of open source sponsorship?
This is the only possible response many of us are able to give to this issue.
Trust has been completely destroyed. What if the next malware attempt isn’t discovered immediately? Anyone continuing to use Moq is opening their company up to possible litigation.
Anyone know of a good drop in replacement? Internally we’ve gotten the ok for our next release to continue with this software pegged to a pre 4.20 release, but we’ve also been given the directive to “dump this guy” as soon as possible.
I've favored Moq in the past because I think there are a couple of things it makes a bit easier or is a bit less opinionated about, but NSub is perfectly cromulent as well.
20 comments
[ 2.1 ms ] story [ 72.8 ms ] threadThat's really assholish
I simply cannot understand why someone, especially the author, would think this is a good idea. How can you not predict this will create a backlash and push users away?
> I discussed this approach with fellow developers and it sounded unanimously reasonable.
Who would think that entering a GDPR/CCPA hellhole of PII collection is "reasonable"?
Because it earns money. Money talks and bs walks.
The guy's got a valid point, especially as many Big Tech companies are using it, but this is a massively fucked up way to go about it. If you're going to do this, what else are you going to exfiltrate under the guise of open source sponsorship?
Pin to 4.18 until you've got a migration plan.
Trust has been completely destroyed. What if the next malware attempt isn’t discovered immediately? Anyone continuing to use Moq is opening their company up to possible litigation.
Anyone know of a good drop in replacement? Internally we’ve gotten the ok for our next release to continue with this software pegged to a pre 4.20 release, but we’ve also been given the directive to “dump this guy” as soon as possible.
I've favored Moq in the past because I think there are a couple of things it makes a bit easier or is a bit less opinionated about, but NSub is perfectly cromulent as well.
Someone posted a quick guide to migrating a bunch of it easily in one of the issues in the Moq repo discussing this whole mess: https://github.com/moq/moq/issues/1374#issuecomment-16712411...
https://github.com/devlooped/SponsorLink/issues/9
https://github.com/devlooped/SponsorLink/issues/13
https://github.com/devlooped/SponsorLink/issues/16
And the original blog post.
https://www.cazzulino.com/sponsorlink.html
His opinions make me feel a bit worse that I went for Moq for work-related projects.
...because it completely broke builds on macOS and Linux [0]
[0] https://github.com/moq/moq/issues/1371