MOQ AND WHY OPEN-SOURCE WORKS

August 23, 2023

Sogeti Labs

As some of you already know I’m a big supporter of the open-source mindset. I believe it’s a core principle that implements trust, self-correction and accountability. As a freedom architect I rely on these principles to build transparent communities.

On August 4^th, the creator of Moq decided to add SponsorLink – one of his other projects and not open-source – to the Moq package in version 4.20. This software extracts email addresses from the git repository where it’s used and sends this back to the SponsorLink CDN.

At this moment the community exploded, because:

• Moq is a library to create mocks for your unit tests, the added software does nothing to help that.
• It’s added as binary, in the hope people wouldn’t notice. But we did.
• It may even be illegal, at minimum from a GDPR perspective, as there is no valid reason for Moq to collect it.

On August 9^th version 4.20.2 of the Moq software was released where the SponsorLink software got removed – apparently because of some issue on MacOS. In addition, the versions 4.20 and 4.20.1 were removed from Nuget so they can’t be used any more.

It should be noted that – after having already defended his actions – on August 10^th the creator added feedback that he made the SponsorLink project open-source. It seems he’s still adamant on including his email harvester in projects.

Why this is a good thing

Now as mad as we may get, this process shows exactly why open-source filosophy works. Openness builds trust, as it makes the owners and maintainers accountable. As a community we can keep an eye on what happens in the products we use and can correct any abuse.

To further clarify, in a similar situation where there was no open-source software, companies like Google and Facebook have been able to grow using our data as their main fuel. It’s impossible to tell whether this would not have happened had their software been open-source, but at the least we would not have discussions on whether the microphone is listening in on our conversations when our phone is in our pocket or not.

Sources

• https://www.bleepingcomputer.com/news/security/popular-open-source-project-moq-criticized-for-quietly-collecting-data/amp/
• https://www.reddit.com/r/dotnet/comments/15ljdcc/does_moq_in_its_latest_version_extract_and_send/
• https://github.com/moq/moq/issues/1370#issuecomment-1673550123
• https://github.com/moq/moq/releases/tag/v4.20.2

About the author

Edwin van der Thiel

Technology Consultant Microsoft

In 2011, his passion for creating new solutions led him back to the field of software development, where Sogeti offered the opportunity to make this switch. Since then he has worked with different customers at various locations.

Comments