Moq and why open-source works

By Edwin van der Thiel
As some of you already know, I'm a big supporter of the open-source mindset. I believe it's a core principle that builds trust, self-correction and accountability. As a freedom architect I rely on these principles to build transparent communities.
On August 4th, the creator of Moq decided to add SponsorLink, one of his other projects and not open-source, to the Moq package in version 4.20. This software extracts email addresses from the git repository where it's used and sends them back to the SponsorLink CDN.
At that point the community exploded, because:
- Moq is a library to create mocks for your unit tests, the added software does nothing to help that.
- It's added as a binary, in the hope people wouldn't notice. But we did.
- It may even be illegal, at minimum from a GDPR perspective, as there is no valid reason for Moq to collect it.
On August 9th, version 4.20.2 of Moq was released, in which the SponsorLink software was removed, apparently because of some issue on macOS. In addition, versions 4.20 and 4.20.1 were removed from NuGet so they can't be used any more.
It should be noted that, after having already defended his actions, on August 10th the creator added a comment saying he had made the SponsorLink project open-source. It seems he's still adamant on including his email harvester in projects.
Why this is a good thing
Now, as mad as we may get, this process shows exactly why the open-source philosophy works. Openness builds trust, as it makes the owners and maintainers accountable. As a community we can keep an eye on what happens in the products we use and correct any abuse.
To further clarify: in a comparable situation without open-source software, companies like Google and Facebook have been able to grow using our data as their main fuel. It's impossible to tell whether this would not have happened had their software been open-source, but at the least we would not be having discussions about whether the microphone is listening in on our conversations while our phone is in our pocket.
Sources
- https://www.bleepingcomputer.com/news/security/popular-open-source-project-moq-criticized-for-quietly-collecting-data/amp/
- https://www.reddit.com/r/dotnet/comments/15ljdcc/does_moq_in_its_latest_version_extract_and_send/
- https://github.com/moq/moq/issues/1370#issuecomment-1673550123
- https://github.com/moq/moq/releases/tag/v4.20.2

About Edwin van der Thiel
Freedom has been a guiding factor throughout Edwin's career; it drives his ambition and gives meaning, in different ways. In the form of personal freedom it's the ability for every person to be themselves. He embraces it in himself, in his development plan and in building his career. To others he strives to be as open, fair and welcoming as possible, and to defend each one's right to be themselves. In software freedom, through Open Source and Open Standards, he's a big advocate of the ideology, not only in the open source community, but by bringing the culture of openness and sharing wherever he works. Openness is the basis of trust, and it can be a guide to the future. Through freedom of teams, he's a big fan of Agile working. His vision on Agile is centered around the triangle of Trust, Responsibility and Commitment. It brings guidance on collaboration and enablement rather than focusing on processes, managers and templates. Freedom of data, or rather the ability to own your own data, currently centers heavily on Decentralization, Web3, Blockchain and the Metaverse. To him the important issue is building an internet where everyone can be the owner of their data; they control it, and no governing platform, institution or country can take it. Much like the ideas in your head, you hold what's yours. He loves South American culture, in particular Brasil. In his spare time he is a husband to Jacy, father to Amy, a dancer and Capoeira instructor, and loves to explore the world.