Controversy arises as Moq incorporates closed-source dependency collecting user data
The widely used open source project Moq has found itself embroiled in controversy after it was revealed that its latest release included a controversial dependency known as SponsorLink. Moq, pronounced “Mock,” is a prominent player in the open source software ecosystem, boasting over 476 million lifetime downloads and a staggering 100,000 daily downloads from the NuGet software registry. The storm of criticism erupted when Moq’s 4.20.0 release quietly incorporated the SponsorLink project, prompting backlash from open source software enthusiasts who felt betrayed by what they deemed a breach of trust.
The root of the criticism lies in SponsorLink’s deceptive nature—it is shipped on NuGet as closed source software, containing obfuscated DLLs (Dynamic Link Libraries) that surreptitiously gather hashed email addresses of users and transmit them to SponsorLink’s Content Delivery Network (CDN). A prominent software developer, Georg Dangl, expressed his concerns, stating, “This is a closed-source project, provided as a DLL with obfuscated code, which seems to at least scan local data (git config?) and sends the hashed email of the current developer to a cloud service.” This scanning capability is integrated into the .NET analyser tool during the build process, raising significant privacy concerns.
The move to bundle SponsorLink with Moq drew ire not only for its lack of prior user notification but also due to the closed source and obfuscated nature of the dependency. Mike (d0pare), a GitHub user, decompiled the DLLs and shared a reconstructed version of the source code, revealing that SponsorLink leverages external git processes to obtain email addresses and then computes SHA-256 hashes of these addresses, which are subsequently sent to SponsorLink’s CDN. The inclusion of such telemetry code within Moq and SponsorLink has raised questions about privacy and transparency within the open source community. Concerns have also been raised about the ethics of distributing a closed source dependency via open source channels, potentially compromising user data privacy.
While Moq’s owner, Daniel Cazzulino, defended the decision to incorporate SponsorLink, stating that he had been testing the waters with the project, users were quick to criticise the lack of transparency and the potential implications for user data privacy. In response to the backlash, Cazzulino updated SponsorLink’s README with a detailed ‘Privacy Considerations’ section, asserting that only hashed email addresses were collected and that the actual email addresses were never transmitted. Despite the rollback of the controversial change in Moq’s version 4.20.2, concerns linger about the possibility of similar occurrences in future releases. Developers who had trusted Moq have voiced their disappointment and frustration, with some considering alternatives to Moq and even boycotting projects associated with SponsorLink.
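The collection path described above (spawn git to read the developer's email, SHA-256 it, ship the digest) and the README's claim that sending only the hash protects the address can be examined together. The following is an added example, not code from Moq or SponsorLink; it assumes the address is trimmed and lowercased before hashing, which the original DLLs may not do, and it uses constructed sample addresses.

```python
import hashlib
import subprocess


def git_user_email(repo_dir="."):
    """Read user.email the way a build-time analyser could: by running
    git as an external process. Returns None if git or the key is absent."""
    try:
        result = subprocess.run(
            ["git", "config", "--get", "user.email"],
            cwd=repo_dir, capture_output=True, text=True, check=False,
        )
    except FileNotFoundError:
        return None
    email = result.stdout.strip()
    return email or None


def hash_email(email):
    """Unsalted SHA-256 of the address (normalisation is an assumption here).
    The digest is deterministic: the same address always yields the same
    token, so it works as a stable identifier rather than an anonymous one."""
    normalised = email.strip().lower()
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


def link_hashes_to_candidates(observed_hashes, candidate_emails):
    """The caveat behind 'only the hash is sent': anyone holding a list of
    plausible addresses (a commit log, a customer list) can hash each one
    and match it against the observed tokens, recovering the address."""
    lookup = {hash_email(e): e for e in candidate_emails}
    return {h: lookup[h] for h in observed_hashes if h in lookup}


if __name__ == "__main__":
    # Constructed sample data standing in for what a telemetry endpoint might hold.
    token = hash_email("dev@example.com")
    known = ["alice@example.com", "dev@example.com", "bob@example.org"]
    print(link_hashes_to_candidates([token], known))
```

Salting with a per-installation random value, or not collecting the address at all, would break the linkage shown by the last function; hashing alone does not.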