Privacy issues with SponsorLink, starting from version 4.20 #1372
Comments
This is a nightmare. I'm going to have to swap out Moq everywhere. I'm more than happy for Open Source maintainers to get financial support, but harvesting my details underhandedly is completely unacceptable. I can't build secure software with this embedded in the testing code.
Harvesting developer email addresses without any policy / EULA acceptance is against GDPR regulations. Moq won't be usable anymore within any EU company.
I love Moq but this is a no-go for my personal projects and, more importantly, most likely a no-go for the large company I work at. Thanks for the effort over the years & hope this can be reverted.
I work with clients who (for security reasons) proxy and host their own internal repositories for packages, and disallow unauthorized communication from inside their firewalls; this is probably going to cause Moq to be pulled from some of these clients' lists of trusted packages. I know for my part I will now have to caution clients I work with against using Moq, particularly because of the unauthorized communication.
So I did some decompiling and found that the library spawns an external git process to get your email, does some hashing and sends it to https://cdn.devlooped.com/sponsorlink. Decompiled method (the method name and the two string getters were obfuscated; the resolved values are given in comments):

```csharp
using System.Diagnostics;

// Decompiled from the obfuscated SponsorLink assembly. The original method name
// was an obfuscated whitespace identifier (\u00a0); the two ProcessStartInfo
// arguments were calls into the obfuscated class
// 6FA47342-3716-4274-AF01-7A37793E0E97 that return the strings shown below.
private static string GetGitUserEmail(string workingDirectory)
{
    try
    {
        Process process = Process.Start(new ProcessStartInfo(
            "git",                      // obfuscated value of "git"
            "config --get user.email")  // obfuscated value of "config --get user.email"
        {
            RedirectStandardOutput = true,
            UseShellExecute = false,
            CreateNoWindow = true,
            WorkingDirectory = workingDirectory
        });
        process.WaitForExit();
        if (process.ExitCode != 0)
        {
            return null;
        }
        // Trimmed stdout of `git config --get user.email`, run in the project directory.
        return process.StandardOutput.ReadToEnd().Trim();
    }
    catch
    {
        // Any failure (git missing, not a repo, etc.) is swallowed.
    }
    return null;
}
```
I'm actually surprised that Visual Studio analyzers support process spawning. Seems like a huge security flaw to me.
Just came to know about that and I'm already sad. This is a serious GDPR breach, and we won't be able to continue using this lib.
You can be sure this is definitely by design. The PR is mentioned in the release notes, yes. Second last one under "Other": https://github.com/moq/moq/releases/tag/v4.20.0
I just found out that this library loads settings from this URL: https://cdn.devlooped.com/sponsorlink/settings.ini. Those are the current settings:
Also there is logic to skip checks if the following environment variables exist:
Ok interesting. I get the idea Kzu is wanting to do. Totally. I just feel like I (the developer) have no choice in this. I can't opt in (and I don't think opt-out should ever be a default setting. Defaults should always be 'off' and you should optionally 'opt in'). Tough one, this...
Definitely should have been opt-in only. But this is honestly disgusting and adds some extra work as we review the requirements to move away from Moq now.
Honestly Microsoft should blacklist this package from working with the NuGet providers. The author can't be trusted. This was an incredibly stupid move that's just created a ton of work for lots of people.
This is a test-only change. I don't want to risk an upgrade and harvesting PII from anyone who works on our project, so I'm removing Moq immediately. See https://github.com/moq/moq/issues/1372 for details/discussion.
Being an OSS contributor and maintainer, I totally get the intent of the author; however, I completely disagree with the way it was implemented. Still, I think the community itself has to vote with its feet if it does not agree with the author. There are other alternatives to Moq, though I can totally agree that it can be extremely painful to rewrite all tests.
I'm honestly tempted to write an analyzer that detects dependencies that include SponsorLink. I think I found my weekend project.
I may be more upset that a package install can make network calls and spawn processes without some kind of vetting. It's node all over again. So if any other packages are doing this kind of crap they should be removed as well.
Analyzers and source generators are, by design, executing arbitrary code at compile time. Referencing a package during a build is the same, though one step removed by virtue of being dependent on writing msbuild targets, which are more niche. There is nothing new or exciting about the mechanism being used here.
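The two comments above (an analyzer that flags dependencies shipping SponsorLink, and the point that analyzer assemblies run arbitrary code at build time) can be turned into a concrete triage check. The following is an added example, not code from this thread, from Moq or from devlooped: it walks a NuGet package cache, opens each .nupkg (a zip), and inspects only the assemblies under `analyzers/` for plain-text references to process-spawning and HTTP types, plus the `devlooped.com/sponsorlink` endpoint reported earlier in the thread. The type names are a heuristic list chosen for this example (an assumption, not a definitive signature), and the package built in memory at the bottom is constructed sample data.

```python
"""Heuristic scan of .nupkg files for analyzer assemblies that can spawn
processes or reach the network. Added example; not Moq or SponsorLink code."""
import io
import sys
import zipfile
from pathlib import Path

# ASSUMPTION (heuristic): a compiled assembly that calls these types carries
# their names as plain UTF-8 in its metadata #Strings heap, so a byte search
# finds them even when the assembly's own string literals are obfuscated.
TYPE_MARKERS = (
    b"System.Diagnostics.Process",
    b"System.Net.Http.HttpClient",
    b"System.Net.WebClient",
    b"System.Net.WebRequest",
)
# Endpoint named in the thread above (https://cdn.devlooped.com/sponsorlink).
KNOWN_ENDPOINTS = (b"devlooped.com/sponsorlink",)

ANALYZER_PREFIX = "analyzers/"   # NuGet places build-time analyzers here


def scan_nupkg_bytes(data: bytes) -> dict:
    """Return {member_path: [markers found]} for every analyzer DLL in a package.
    Assemblies under lib/ are ignored on purpose: they only run when the
    consuming program executes, whereas analyzers run during the build."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not (name.startswith(ANALYZER_PREFIX) and name.lower().endswith(".dll")):
                continue
            blob = zf.read(name)
            hits = [m.decode() for m in TYPE_MARKERS + KNOWN_ENDPOINTS if m in blob]
            if hits:
                findings[name] = hits
    return findings


def scan_nupkg(path) -> dict:
    return scan_nupkg_bytes(Path(path).read_bytes())


def scan_package_cache(root) -> dict:
    """Walk a NuGet cache (e.g. ~/.nuget/packages) and report flagged packages."""
    report = {}
    for nupkg in Path(root).rglob("*.nupkg"):
        hits = scan_nupkg(nupkg)
        if hits:
            report[str(nupkg)] = hits
    return report


def build_sample_nupkg(analyzer_blob: bytes, lib_blob: bytes = b"MZ\x90\x00plain-lib") -> bytes:
    """Construct a minimal fake .nupkg in memory (constructed sample data;
    the member names are illustrative, not Moq's real layout)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/netstandard2.0/Sample.dll", lib_blob)
        zf.writestr("analyzers/dotnet/cs/Sample.Analyzer.dll", analyzer_blob)
    return buf.getvalue()


# Constructed stand-ins for assembly bytes: an "MZ" header plus metadata strings.
SUSPICIOUS_ANALYZER = b"MZ\x90\x00" + b"\x00".join([
    b"System.Diagnostics.Process",
    b"System.Net.Http.HttpClient",
    b"https://cdn.devlooped.com/sponsorlink/settings.ini",
])
CLEAN_ANALYZER = b"MZ\x90\x00" + b"Microsoft.CodeAnalysis.DiagnosticAnalyzer"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real run: python scan_analyzers.py ~/.nuget/packages
        for pkg, hits in scan_package_cache(sys.argv[1]).items():
            print(pkg, hits)
    else:
        for label, blob in (("suspicious", SUSPICIOUS_ANALYZER), ("clean", CLEAN_ANALYZER)):
            print(label, scan_nupkg_bytes(build_sample_nupkg(blob)))
```

Treat a hit as a reason to decompile and review, not as proof: a reference to `System.Diagnostics.Process` is legitimate in some analyzers, and an obfuscator that routes calls through reflection or loads a helper assembly at runtime will not leave these names in the metadata. The thread itself shows the string literals were obfuscated while the endpoint URL and the `Process` usage were still recoverable, which is why the check targets type names and hostnames rather than the command text.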
Moq 4.20 exfiltrates developer email addresses. See: devlooped/moq#1372. This change reverts us to 4.18, which did not include this behavior. Todo: Move to NSubstitute in a future PR.
This is the long-term fix for devlooped/moq#1372 - replace Moq with NSubstitute, so we don't have to stay pinned to an old version of Moq.
Am I right in the assumption that #1402 allows us to use Moq again without any GDPR / data privacy issues?
You're free to assume so, yes. Until he adds some other (or the same on a different iteration) ransomware.
If you care about which form it may eventually come back in, now is the time to provide feedback: devlooped/SponsorLink#100. @azygis "ransomware" LoL.
Hmm... Let's see the definition.
Seems pretty close to what the package was doing by pausing the builds for poor developers who have no say in corporations. Yes, that was definitely funny.
So shareware would be ransomware in your definition because it paused access to the software for a bit or until you clicked something? LoL
Nope, when you use shareware you pretty much already know what you're signing up for. There was no way to "sign up" for your shenanigans as it was pushed as a minor (or even patch? don't remember anymore) version update which maliciously started sending PII out of our machines and just annoying devs by increasing build times for no reason, even if Moq isn't used directly in the project that's being built. LoL.
Clearly you have no idea what you're talking about, just regurgitating something you read somewhere. The pause was ONCE per LIFETIME OF VS. Oh the horror and productivity "killer"! 🤡
If it isn't used, why would the package be installed and the analyzer run? Another clueless comment.
This project still alive? Our company moved away months ago to NSubstitute. Took a whole 6 weeks, but now done with this shit.
Oh yes, it's me the clueless one gathering emails without consent 🤡 What difference does it make whether it's once per session or not? It doesn't change the fact that you were pausing the builds. Just so you know, Moq can be installed in shared projects utilizing helpers for any kind of tests. Even integration tests which are not actively using the Moq features. Helpers are there for unit tests. But who cares, right? It's added as a NuGet reference. Pay up. Anyway, I'm not gonna continue this back and forth. You're convinced you did nothing wrong and instead did everything right. Backed down only after the serious backlash from the vocal minority of complainers. @TsengSR I don't expect it to die; as he mentions in the linked issue there's still many who are unaware of what happened and are used to Moq, which is a great library on its own. But we all know SponsorLink will be shipped with Moq again, so time will tell.
Uhm... What about feedback on it not coming back? Should we provide it there or somewhere else?
Nope. Not new. I already shared some before and was ignored. I still have a feedback: don't do what you are planning to do.
Yes, that would be better. I would love to have the software development skills you have. I don't. I would love to have a good idea on an OSS project and time to start it and contribute to the community. I don't.
Thanks. I did not know that. That was definitely needed. You've shown me my place and your superiority. Now I know that you are the great person who deserves it not only because of their contribution, but especially because of what person they are. I'm hoping you will find the working way for making OSS sustainable or somehow help it happen. Maybe by showing us you were right (or by failing miserably and showing others not to go that way). There are jerks in the world who have brought new qualities to the world. They are still considered jerks, but the world did gain from some of what they did.
Dude, you're just being an ignorant dick. You got plenty enough suggestions how to make it sustainable and get MORE than with this blackmailing shit. Register a small company, hire a few people and offer official support. THIS brings real value to business, and they'd more than gladly pay a mid 3 to low 4-digit amount to get a support plan, where they know that "if I run into an issue" or they don't know how to solve something in a specific way, they can open a 1-3 day business ticket and KNOW that they will be helped, rather than be left uncertain. You just want money, w/o having to put in any effort. And your solution for that seems to be blackmailing. If companies and users hate anything most, it is being blackmailed. I'd suggest to get a god damn fucking job, preferably something where you lead a group of people and get some real world experience on what companies like and are more willing to pay money for, then when you've grown up come back and we can talk again.
You seem to think all those are great ways to monetize. Breaking news: they aren't. See https://x.com/James_M_South/status/1744710437449675259?s=20
Yeah, that's original and is working great for (say) ImageSharp. You all seem to assume there's The True Way. I'm not convinced by the evidence, and I'm willing to try something different.
LoL. Yeah, the software just writes itself via AI nowadays :)
https://www.ag-grid.com/license-pricing/ We got 5 of these, main selling point the support. In 3 years of development, 2 or 3 tickets have been opened for issues that needed a rather fast resolution rather than waiting months to get it fixed, as happens with things businesses use w/o support. Quite nice bucks for them, $15000 income, 3 support cases in 3 years. Sounds like a gold mine to me. What you don't get is, they provide value. Nothing worse for a company than having an issue with a piece of software and not getting support and having to spend days, weeks or months till it gets fixed. How many people would you need to blackmail to get the same amount of funding with your model? Single/hobby devs/hobby projects most likely won't bother and just switch to NSubstitute, not that hard to switch, and companies are not gonna pay if they don't get any value back. It's nice supporting people, but when you are really stuck with something that's a non-trivial fix (for an unfamiliar code base), a company gonna lose a 5 to 6 digit amount in money.
How is SponsorLink incompatible with getting priority support for certain sponsor tiers?
Oh... So a method has failed for some case and this proves, that it can't work for a different one. Hmm... What does it say about your case, where you are planning to try the same method you already did, which has failed for you once already?
Please do. The key thing here being something different. I.e. not something you just did and seem to be planning to repeat again. I'm quite sure I'm wasting my time here.
That people reject the idea of SponsorLink? Just cause you do it in a shady and intransparent way doesn't mean people approve of it. Anyways, I don't care. Moved away from it long ago, that train departed already, and so will more as people and (especially) companies become aware of it. How much did it net you so far? $10? $20? Or did you even manage to get 3 digits? Less than a licence with support from the examples earlier, probably.
@kzu I’ve been watching this conversation quietly from my inbox. Some thoughts
I truly wish people could chill tf out because this does need explicit conversation. I don't think the rollout was executed well, but the core principle seems solid.
Thanks for chiming in! I wish folks could just focus on the future and what SL should be. That's the kind of feedback that's actionable and useful: https://www.devlooped.com/SponsorLink/ I've tried hard to think about the issues raised so they are no longer an issue. I'm pretty sure I've addressed all the concerns raised with the new manifest-based spec: https://www.devlooped.com/SponsorLink/spec.html Happy to hear your thoughts on that at devlooped/SponsorLink#100. Cheers! PS: I'm just a human 🤷🏼♂️, shocking. As such, I make mistakes as much as the next guy.
As requested by a sponsor, I'm locking this thread: https://x.com/sjkilleen/status/1752133435789820209?s=20
There's a related discussion on Reddit: https://www.reddit.com/r/dotnet/comments/15ljdcc/does_moq_in_its_latest_version_extract_and_send/
It seems that starting from version 4.20, SponsorLink is included. This is a closed-source project, provided as a dll with obfuscated code, which seems to at least scan local data (git config?) and sends the hashed email of the current developer to a cloud service. The scanning is provided as a .NET analyzer tool, which runs during the build. There is no option to disable this.
I can understand the reasoning behind it, but this is honestly pretty scary from a privacy standpoint.
Any chance this can be reverted?