The popular open-source project Moq recently made headlines when it included a closed-source addition called SponsorLink in one of its updates. This addition was designed to collect hashes of user email addresses, and it sparked controversy and backlash in the open-source community. Here are the key points about this situation:
- Moq’s Popularity: Moq is a widely used open-source project, with an average of around 100,000 daily downloads and over 476 million downloads in total. It’s primarily known as a mocking framework for .NET development.
- Inclusion of SponsorLink: The controversial change arrived in Moq version 4.20.0, which started bundling SponsorLink, a closed-source project. The change was made by Daniel Cazzulino, one of Moq's owners and the maintainer of SponsorLink.
- Privacy Concerns: Many users raised concerns about privacy and about compliance with regulations such as GDPR. SponsorLink shipped as closed-source DLLs containing obfuscated code, which runs counter to the transparency expected of an open-source dependency.
- Explanation from Cazzulino: In response to the backlash, Daniel Cazzulino explained that the email addresses were hashed with SHA256 and then Base62-encoded. The resulting string couldn’t reveal the actual email address, and the email itself was never sent when performing the sponsoring check. He also mentioned that suspending or uninstalling the app would delete all associated records.
- Reversal of the Change: Subsequently, Moq released version 4.20.2, which appeared to reverse the controversial change. However, the damage to its reputation within the open-source community had already been done.
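The hashing scheme described in the explanation above (SHA-256 of the email address, then Base62) deserves a closer look, because a deterministic, unsalted hash of a low-entropy identifier is not anonymization: anyone holding a list of candidate addresses can hash them the same way and confirm which one produced a given token. The Python below is an added example written for this page, not SponsorLink's or Moq's code. It assumes a Base62 alphabet of 0-9, A-Z, a-z and that the address is trimmed and lowercased before hashing (SponsorLink's exact encoding and normalization are not documented here); the candidate addresses are constructed sample data.

```python
import hashlib
import string
from typing import Iterable, Optional

# Assumed alphabet (0-9, A-Z, a-z). SponsorLink's exact Base62 variant is not
# documented on this page, so this illustrates the scheme rather than reproducing it.
BASE62_ALPHABET = string.digits + string.ascii_uppercase + string.ascii_lowercase


def base62_encode(data: bytes) -> str:
    """Encode bytes as Base62, emitting one '0' per leading zero byte so the
    encoding round-trips even when the digest starts with 0x00."""
    leading = len(data) - len(data.lstrip(b"\x00"))
    n = int.from_bytes(data, "big")
    chars = []
    while n:
        n, r = divmod(n, 62)
        chars.append(BASE62_ALPHABET[r])
    return BASE62_ALPHABET[0] * leading + "".join(reversed(chars))


def base62_decode(text: str) -> bytes:
    """Inverse of base62_encode."""
    leading = len(text) - len(text.lstrip(BASE62_ALPHABET[0]))
    n = 0
    for ch in text[leading:]:
        n = n * 62 + BASE62_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading + body


def email_token(email: str) -> str:
    """SHA-256 of the (assumed trimmed and lowercased) address, then Base62.
    There is no salt and no secret key, so the same address always yields
    the same token, on every machine, for every observer."""
    normalized = email.strip().lower()
    return base62_encode(hashlib.sha256(normalized.encode("utf-8")).digest())


def recover_email(token: str, candidates: Iterable[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate address the same way and compare.
    It succeeds whenever the real address is in the candidate list, which for
    email addresses (public commit metadata, breach dumps, marketing lists)
    is the common case. Returns the matching address or None."""
    for candidate in candidates:
        if email_token(candidate) == token:
            return candidate
    return None


# Constructed sample data, not real users.
SAMPLE_CANDIDATES = [
    "alice@example.com",
    "bob@example.org",
    "carol@example.net",
]

if __name__ == "__main__":
    observed = email_token("alice@example.com")  # what a collecting service would store
    print("token:    ", observed)
    print("recovered:", recover_email(observed, SAMPLE_CANDIDATES))
    print("unknown:  ", recover_email(email_token("mallory@example.com"), SAMPLE_CANDIDATES))
```

The lookup needs no key and no cooperation from the collector, only the same public recipe, which is why a deterministic, unsalted hash of an identifier is generally regarded as pseudonymisation rather than anonymisation. Hashing does limit what a casual reader of the stored tokens learns, but it does not stop anyone with a candidate list from confirming whether a specific person is present.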
This incident highlights the sensitivity around open-source projects and their commitment to transparency and user privacy. Any deviation from open-source principles can lead to significant backlash and loss of trust from the community.