this post was submitted on 09 Aug 2023

197 points (99.5% liked)

.NET

1464 readers

1 users here now

Getting started

Useful resources

IDEs and code editors

Visual Studio (Windows/Mac)
Rider (Windows/Mac/Linux)
Visual Studio Code (Windows/Mac/Linux)

Tools

Decompilers: ILSpy, dotPeek
Scratchpad: LINQPad
Online playground and IL viewer: SharpLab

Rules

Rule 1: Follow Lemmy rules
Rule 2: Be excellent to each other, no hostility towards users for any reason
Rule 3: No spam of tools/companies/advertisements

Related communities

Wikipedia pages

.NET (open source & cross platform)
.NET Framework (proprietary & Windows-only)

founded 1 year ago

MODERATORS

[email protected]

197

Moq now ships with a closed-source obfuscated dependency that scrapes your Git email and phones it home (github.com)

submitted 1 year ago by [email protected] to c/[email protected]

25 comments fedilink hide all child comments

Also some fun takeaways: it also makes external calls to azure to load configuration and stays silent after updating for 2 weeks before showing warnings.

Moq is unusable. Needs to be forked or repoaced. Time to switch to NSubstitute.

all 31 comments

sorted by: hot top controversial new old

[+] [email protected] 31 points 1 year ago* (last edited 1 year ago) (1 children)

[deleted]

[–] [email protected] 4 points 1 year ago (1 children)

If your usage is that ingrained, the other option is to fork it and drop the dependency, or swap to any of the already-numerous forks that do so. Unless there's licensing concerns with that approach?

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago)

You're relying on the fork to remain maintained, or else you risk you run into build/functional issues at some undetermined point in the future when it becomes incompatible with other changes in your environment/project. If you don't trust the fork will be maintained, you should begin decoupling your project from the library anyway. I would be more willing to trust an alternate (or no) mocking framework over a Moq fork to be supported in the long term. That might change in a couple months if one becomes established.

I would personally wait a couple months, or until the original Moq creator reverses course. (If he does that, I think it's unlikely a fork will compete with the original, so I'd start removing the dependency as I can't trust the author anymore.)

[–] [email protected] 19 points 1 year ago

So it's basically a malware

[–] [email protected] 19 points 1 year ago* (last edited 1 year ago)

Sounds like the dev was unsatisfied with the low sponsorship numbers on his project, which when you consider how many devs only ever interact with Moq via the package manager or command line might be a fair complaint...but the decision to just start harvesting user data like a lowlife as an alternative source of income is some galaxy brain shit.

It's not like this would even be sustainable. What did he think was going to happen, devs would just blindly accept a new shady looking package appearing in their dependency stack with no further investigation?

As a result of this stupidity Moq will now be on the shit-list of every corporation using .NET, especially those based in Europe due to GDPR implications.

[–] [email protected] 18 points 1 year ago

Man fuck that

[–] [email protected] 16 points 1 year ago (1 children)

Holy shit. This is so bad. That's my entire September gone... I actually fought internally for my company to donate to this and a couple of other projects, but I guess this one is off the donation list at this point.

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago)

Update: https://github.com/moq/moq/issues/1374#issuecomment-1671166436

Dev is still defending his action and apparently believes he's done nothing wrong. Harvesting developers email and extorting them by sabotaging builds is no big deal.

Absolute clown. OSS needs a better solution to funding devs hard work, but it is not a vehicle for an egomaniac to get rich.

I'm still pro-not mocking. Maybe this is a good opportunity to stop using so many mocks in our tests, and write validation on the actual behavior of your code.

[–] [email protected] 12 points 1 year ago* (last edited 1 year ago)

I knew that software supply chain dependency poisoning was increasing becoming a problem with open source, I just didn’t expect it to be from the original creator.

[+] [email protected] 9 points 1 year ago (2 children)

[deleted]

[–] [email protected] 18 points 1 year ago (1 children)

It's in line with their delusional rationalization on their blog:

And I’m a firm believer that supporting your fellow developers is something best done personally. Having your company pay for software surely doesn’t feel quite as rewarding as paying from your own pocket, and it surely feels different for me too. We really don’t need to expense our employers for a couple bucks a month, right??

Just in case you felt that passionate about your enterprise-themed boilerplate work equipment.

I still find it hard to tell if it's malice or ineptitude, though.

[–] [email protected] 13 points 1 year ago* (last edited 1 year ago) (1 children)

There was some concern that SponsorLink might be collecting your email without your explicit consent. This is incorrect [...] The email on your local machine is hashed with SHA256 [before being sent] The resulting opaque string (which can never reveal the originating email) is the only thing used.

It's hard for me to believe someone who spent time implementing such a system would fall for such an obvious fallacy of what hashing can do. It's like hashing phone numbers, completely worthless - if the list of values it could be is limited you can simply brute force it. Take some available lists of known emails, take all known domains or mail servers and try github@domain, try some basic password cracking methods, dictionary attacks and simply append @gmail.com etc., I'd be surprised if you couldn't de"anonymize" 99.9% of mails pretty much instantly.

But right at the start of the projects readme we have "The resulting opaque string (which can never reveal the originating email) is the only thing used". "never" is something you wouln't say about salted passwords hashed with sha512, for unsalted emails it's asenine

[–] [email protected] 6 points 1 year ago

The more details I read, the better this gets.

[–] [email protected] 13 points 1 year ago (1 children)

Looks like SponsorLink is written by the same guy who wrote Moq. Feels like he's been planning this for a while.

I'm sympathetic to the cause as I know it can't be easy trying to find open source work, but I think he's gone about this all wrong

[–] [email protected] 8 points 1 year ago

I have many issues with this, but I don't know why you would assume I'd rather pay a few bucks of my own money vs much more of my companies. Paying for useful software in a revenue generating business is more common than not.

[–] [email protected] 7 points 1 year ago

FFS why does this need telemetry????? why can't we have nice things for more than 5 minutes

[–] [email protected] 7 points 1 year ago

No need to rush out and replace Moq, you're fine if you're on a lower version. We are using 4.16 or something at work, and I don't see any need to take any action there. Didn't have a reason to upgrade anyway.

If the SponsorLink package comes back, and kzu is determined to push forward with it (which is absolutely his right to do) then long term I guess we'll move to something else. My preference would be to stop using mocks altogether.

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

This is not the first time it happens with Dotnet Open Source packages, there are some pretty funky things going on namely:

Imagesharp (They re-license from Apache 2 to something like Community/Commercial licenses and threw a huge fit over it)

Fody (It expects the software contributors of Fody to be a patron.)

[–] [email protected] 4 points 1 year ago (1 children)

It expects the software contributors of Fody to be a patron.

As in, you can only contribute source code if you also pay in money?

[–] [email protected] 5 points 1 year ago* (last edited 1 year ago) (1 children)

See for yourself and you can see this details in the FAQ.

[–] [email protected] 1 points 1 year ago (1 children)

Interesting, thanks. Well, that's kind of a good reason, except maybe they should have been more upfront about it.

[–] [email protected] 11 points 1 year ago (1 children)

I think it's asinine to ask the developer who contribute to your project, literally taking the time of the day writing the code and submit PR to your project, to pay money to you.

I wouldn't even bother contributing to the project at that point.

[–] [email protected] 5 points 1 year ago

Yes, doing this after the fact is a nice way to blow all trust. There is always this attempted lock-in kind of taste.

[–] [email protected] 4 points 1 year ago

Damn ... There goes the rest of the week replacing it ... Thank for the warning

[–] [email protected] 3 points 1 year ago

I wonder if it would be possible to force people to pay for usage with licensing instead of what was tried here?