Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Privacy issues with SponsorLink, starting from version 4.20 #1372

Closed
GeorgDangl opened this issue Aug 8, 2023 · 414 comments · Fixed by #1402
Closed

Privacy issues with SponsorLink, starting from version 4.20 #1372

GeorgDangl opened this issue Aug 8, 2023 · 414 comments · Fixed by #1402

Comments

@GeorgDangl
Copy link

There's a related discussion on Reddit: https://www.reddit.com/r/dotnet/comments/15ljdcc/does_moq_in_its_latest_version_extract_and_send/

It seems that starting from version 4.20, SponsorLink is included. This is a closed-source project, provided as a dll with obfuscated code, which seems to at least scan local data (git config?) and sends the hashed email of the current developer to a cloud service. The scanning is provided as a .NET analyzer tool, which runs during the build. There is no option to disable this.

I can understand the reasoning behind it, but this is honestly pretty scary from a privacy standpoint.

Any chance this can be reverted?

@baynezy
Copy link

baynezy commented Aug 8, 2023

This is a nightmare. I'm going to have to swap out Moq everywhere. I'm more than happy for Open Source maintainers to get financial support, but harvesting my details underhandedly is completely unacceptable.

I can't build secure software with this embedded in the testing code.

@njannink
Copy link

njannink commented Aug 8, 2023

Harvesting developer email addresses without any policy / UELA acceptance is against GDPR regulations. Moq won't be usable anymore within any EU company

@LarsWesselius
Copy link

LarsWesselius commented Aug 8, 2023

I love Moq but this is a no-go for my personal projects and more importantly, most likely a no-go for the large company I work at. Thanks for the effort over the years & hope this can be reverted

@gortok
Copy link

gortok commented Aug 8, 2023

I work with clients who (for security reasons) proxy and host their own internal repositories for packages; and disallow unauthorized communication from inside their firewalls; this is going to probably cause Moq to be pulled from some of these clients' list of trusted packages. I know for my part I will now have to caution clients I work with against using Moq, particularly because of the unauthorized communication.

@d0pare
Copy link

d0pare commented Aug 8, 2023

So I did some decompiling and found that the library spawns external git process to get your email and does some hashing and sends to https://cdn.devlooped.com/sponsorlink.

private static string \u00a0(string P_0)
{
	try
	{
		Process process = Process.Start(new ProcessStartInfo(
6FA47342-3716-4274-AF01-7A37793E0E97.\u206f(), // this is obfuscated value of "git"
6FA47342-3716-4274-AF01-7A37793E0E97.\u3000() // this is obfuscated value of "config --get user.email"
)
		{
			RedirectStandardOutput = true,
			UseShellExecute = false,
			CreateNoWindow = true,
			WorkingDirectory = P_0
		});
		process.WaitForExit();
		if (process.ExitCode != 0)
		{
			return null;
		}
		return process.StandardOutput.ReadToEnd().Trim();
	}
	catch
	{
	}
	return null;
}

@njannink
Copy link

njannink commented Aug 8, 2023

Im actually surprised that Visual Studio analyzers support process spawning. Seems like a huge security flaw to me

@fabricioferreira
Copy link

Just came to know about that and I'm already sad. This is a serious GDPR breach, and we won't be able to continue using this lib.
Also, having an obfuscated package included means that we can't (easily) know what is happening. It could harvest any other information from a developer's machine without any user consent.
Remember that a big number of developers are still running Visual Studio and Rider in an elevated process.

@PureKrome
Copy link

PureKrome commented Aug 8, 2023

Was this evil-package included "by design"? is it mentioned anywhere in readme's or summaries?

how long was this part of the system.

EDIT: I even feel like this is a massive troll -> the version number (urgh .. internet, really?) + this vomit-ware dependency...

@davidwengier
Copy link

davidwengier commented Aug 8, 2023

Was this evil-package included "by design"? is it mentioned anywhere in readme's or summaries?

You can be sure this is definitely by design. The PR is mentioned in the release notes, yes. Second last one under "Other": https://github.com/moq/moq/releases/tag/v4.20.0

@d0pare
Copy link

d0pare commented Aug 9, 2023

I just found out that this library loads settings from this url https://cdn.devlooped.com/sponsorlink/settings.ini.

Those are current settings

# days to remain quiet with no warnings
quiet = 15
# whether to report misconfiguration as an error
report-broken = true

Also there is a logic to skip checks if following environment variables exist

  • CI
  • TF_BUILD
  • TRAVIS
  • BUDDY
  • TEAMCITY_VERSION
  • APPVEYOR
  • JENKINS_URL

@PureKrome
Copy link

Ok interesting. I get the idea Kzu is wanting to do. Totally. I just feel like I (the developer) has no choice in this. I can't opt in (and I don't think opt-out should ever be a default setting. Defaults should always be 'off' and you should optionally 'opt-in').

tough one, this...

@CryoMyst
Copy link

CryoMyst commented Aug 9, 2023

Definitely should have been opt-in only. But this is honestly disgusting and adds some extra work as we review the requirements to move away from Moq now.

@codenesium
Copy link

Honestly Microsoft should blacklist this package working with the nuget providers. The author can't be trusted. This was an incredibly stupid move that's just created a ton of work for lots of people.

NickCraver referenced this issue in StackExchange/StackExchange.Redis Aug 9, 2023
This is a test-only change. I don't want to risk an upgrade and harvesting PII from anyone who works on our project, so I'm removing Moq immediately.

See https://github.com/moq/moq/issues/1372 for details/discussion.
@RussKie
Copy link

RussKie commented Aug 9, 2023

Honestly Microsoft should blacklist this package working with the nuget providers.

  • Microsoft hasn't blacklisted a new package the community doesn't like? Microsoft doesn't care about the .NET ecosystem!
  • Microsoft blacklisted a new package the community doesn't like? Microsoft is evil!

Being an OSS contributor and maintainer, I totally get the intent of the author, however I completely disagree with the way it was implemented. Still, I think the community itself has to vote with its feet, if it does not agree with the author. There are other alternatives to Moq, though I can totally agree that it can be extremely painful to rewrite all tests.

@Atulin
Copy link

Atulin commented Aug 9, 2023

I'm honestly tempted to write an analyzer that detects dependencies that include SponsorLink. I think I found my weekend project.

@codenesium
Copy link

Honestly Microsoft should blacklist this package working with the nuget providers.

  • Microsoft hasn't blacklisted a new package the community doesn't like? Microsoft doesn't care about the .NET ecosystem!
  • Microsoft blacklisted a new package the community doesn't like? Microsoft is evil!

Being an OSS contributor and maintainer, I totally get the intent of the author, however I completely disagree with the way it was implemented. Still, I think the community itself has to vote with its feet, if it does not agree with the author. There are other alternatives to Moq, though I can totally agree that it can be extremely painful to rewrite all tests.

I may be more upset that a package install can make network calls and spawn processes without some kind of vetting. It's node all over again. So if any other packages are doing this kind of crap they should be removed as well.

@davidwengier
Copy link

Analyzers and source generators are, by design, executing arbitrary code at compile time. Referencing a package during a build is the same, though one step removed by virtue of being dependent on writing msbuild targets which are more niche. There is nothing new or exciting about the mechanism being used here.

bill-long added a commit to microsoft/EventLogExpert that referenced this issue Nov 18, 2023
Moq 4.20 exfiltrates developer email addresses. See:
devlooped/moq#1372. This change
reverts us to 4.18, which did not include this behavior.

Todo: Move to NSubstitute in a future PR.
jschick04 pushed a commit to microsoft/EventLogExpert that referenced this issue Nov 18, 2023
Moq 4.20 exfiltrates developer email addresses. See:
devlooped/moq#1372. This change
reverts us to 4.18, which did not include this behavior.

Todo: Move to NSubstitute in a future PR.
jschick04 pushed a commit to microsoft/EventLogExpert that referenced this issue Nov 22, 2023
This is the long-term fix for
devlooped/moq#1372 - replace Moq with
NSubstitute, so we don't have to stay pinned to an old version of Moq.
Vivelin added a commit to Vivelin/Libraries that referenced this issue Dec 7, 2023
@meiswjn
Copy link

meiswjn commented Jan 10, 2024

Am I right in the assumption that #1402 allows us to use moq again without any gdpr / data privacy issues?

@azygis
Copy link

azygis commented Jan 10, 2024

You're free to assume so, yes. Until he adds some other (or the same on a different iteration) ransomware.

@kzu
Copy link
Member

kzu commented Jan 29, 2024

If you care about which form it may eventually come back, now is the time to provide feedback: devlooped/SponsorLink#100.

@azygis "ransomware" LoL.

@azygis
Copy link

azygis commented Jan 29, 2024

Hmm... Let's see the definition.

Ransomware: a type of malicious software designed to block access to a computer system until a sum of money is paid.

Seems pretty close to what the package was doing by pausing the builds for poor developers who have no say in corporations. Yes, that was definitely funny.

@kzu
Copy link
Member

kzu commented Jan 29, 2024

So shareware would be ransomware in your definition because it paused access to the software for a bit or until you clicked something? LoL

@azygis
Copy link

azygis commented Jan 29, 2024

Nope, when you use shareware you pretty much already know what you're signing up for.

There was no way to "sign up" for your shenanigans as it was pushed as a minor (or even patch? don't remember anymore) version update which maliciously started sending PIIs out of our machines and just annoying devs by increasing build times for no reason even if Moq isn't used directly in the project that's in being built. LoL.

@kzu
Copy link
Member

kzu commented Jan 29, 2024

by increasing build times

Clearly you have no idea what you're talking about, just regurgitating something you read somewhere. The pause was ONCE per LIFETIME OF VS. Oh the horror and productivity "killer"! 🤡

Moq isn't used directly

if it isn't used why would the package be installed and the analyzer run? Another clueless comment.

@TsengSR
Copy link

TsengSR commented Jan 29, 2024

This project still alive? Our company moved away months ago to NSubstitude. Took a whole 6 weeks, but now done with this shit.

@azygis
Copy link

azygis commented Jan 29, 2024

Oh yes, it's me the clueless one gathering emails without consent 🤡 what difference does it make whether it's once per session or not? It doesn't change the fact that you were pausing the builds.

Just so you know, Moq can be installed in shared projects utilizing helpers for any kind of tests. Even integration which are not actively using the moq features. Helpers are there for unit tests.

But who cares, right? It's added as a NuGet reference. Pay up.

Anyway, I'm not gonna continue this back and forth. You're convinced you did nothing wrong and instead did everything right. Backed down only after the serious backlash from the vocal minority of complainers.

@TsengSR I don't expect it to die; as he mentions in the linked issue there's still many who are unaware of what happened and are used to Moq which is a great library on its own. But we all know sponsorlink will be shipped with Moq again, so time will tell.

@hilari0n
Copy link

If you care about which form it may eventually come back, now is the time to provide feedback: devlooped/SponsorLink#100.

Uhm... What about feedback on it not coming back? Should we provide it there or somewhere else?

@kzu
Copy link
Member

kzu commented Jan 29, 2024

If you have a great new idea on how to make OSS sustainable, please do! If you can showcase it actually working for successful OSS projects, even better.

Oh, wait, perhaps you don't care about it being sustainable, not having a single OSS project yourself :)

image

@hilari0n
Copy link

hilari0n commented Jan 29, 2024

If you have a great new idea on how to make OSS sustainable, please do!

Nope. Not new. I already shared some before and was ignored. I still have a feedback: don't do what you are planning to do.
Maybe re-consider what people already suggested: selling commercial licenses to your software (maybe versions with added functionality), offer paid support plans, encourage people to contribute to your project, so you can spend your time on any other commercial (paying) work.

If you can showcase it actually working for successful OSS projects, even better.

Yes, that would be better. I would love to have the software development skills you have. I don't. I would love to have a good idea on an OSS project and time to start it and contribute to the community. I don't.

Oh, wait, perhaps you don't care about it being sustainable, not having a single OSS project yourself :)

image

Thanks. I did not know that. That was definitely needed. You've shown me my place and your superiority. Now I know, that you are the great person, who deserves not only because of their contribution, but especially because of what person they are.

I'm hoping you will find the working way for making OSS sustainable or somehow help it happen. Maybe by showing us you were right, (or by failing miserably and showing others not to go that way). There are jerks in the world, who have brought new qualities to the world. They are still considered jerks, but the world did gain from some of what they did.

@TsengSR
Copy link

TsengSR commented Jan 29, 2024

If you have a great new idea on how to make OSS sustainable, please do! If you can showcase it actually working for successful OSS projects, even better.

Dude, you're just being an ignorant dick. You got plenty enough suggestions how to make it sustainable and get MORE than with this blackmailing shit. Register a small company, hier a few people and offer official support.

THIS brings real value to business, and they'd more than gladly pay mid 3 to low 4-digit amount to get a support plan, where they know that "if I run into an issue" or they don't know how to solve something in a specific way, they can open a 1-3 days business ticket and KNOW that they will be helped, rather then be left in uncertain.

You just want money, w/o having to put any effort. And your solution for that seems to be blackmailing.

If companies and users hate anything most, it is being blackmailed. I'd suggest to get a god damn fucking job, preferably something with where you lead a group of people and get some real world experience on what companies like and more willingly are to pay money for, then when you've grown up come back and we can talk again.

@kzu
Copy link
Member

kzu commented Jan 29, 2024

@hilari0n

selling commercial licenses to your software

You seem to think all those are great ways to monetize. Breaking news: they aren't. See https://x.com/James_M_South/status/1744710437449675259?s=20

@TsengSR

Register a small company, hier a few people and offer official support.

Yeah, that's original and is working great for (say) ImageSharp.

You all seem to assume there's The True Way. I'm not convinced by the evidence, and I'm willing to try something different.

You just want money, w/o having to put any effort.

LoL. Yeah, the software just writes itself via AI nowadays :)

@TsengSR
Copy link

TsengSR commented Jan 29, 2024

@TsengSR

Register a small company, hier a few people and offer official support.

Yeah, that's original and is working great for (say) ImageSharp.

You all seem to assume there's The True Way. I'm not convinced by the evidence, and I'm willing to try something different.

https://www.ag-grid.com/license-pricing/

We got 5 of these, main selling point the support. In 3 years of development, 2 or 3 tickets have been opened for issues that needed a rather fast resolution rather than wait months to get it fixed in the things business w/o support.

Quite a nice bucks for them, 15000$ income, 3 support cases in 3 years. Sounds like a gold mine to me.

What you don't get it, they provide value. Nothing worse for a company, then having an issue with a piece of software and not getting support and have to spend days, weeks or months till it gets fixed.

How many people would you need to blackmail to get the same amount of funding with your model?

Single/hobby Devs/hobby proejcts most likely won't bother and just switch to NSubtstitute, not that hard to switch and companies not gonna pay if they don't get any value back. Its nice supporting people, but when you are really stuck with something that's a non-trivial fix (for an unfamiliar code base), a company gonna lose 5 to 6 digit amount in money.

@kzu
Copy link
Member

kzu commented Jan 29, 2024

weeks or months till it gets fixed.

How is SponsorLink incompatible with getting priotity support for certain sponsor tiers?

@hilari0n
Copy link

hilari0n commented Jan 29, 2024

selling commercial licenses to your software

You seem to think all those are great ways to monetize. Breaking news: they aren't. See https://x.com/James_M_South/status/1744710437449675259?s=20

Oh... So a method has failed for some case and this proves, that it can't work for a different one. Hmm... What does it say about your case, where you are planning to try the same method you already did, which has failed for you once already?

I'm not convinced by the evidence, and I'm willing to try something different.

Please do. The key thing here being something different. I.e. not something you just did and seem to be planning to repeat again.

I'm quite sure I'm wasting my time here.
You claim to be asking for feedback, but any feedback not confirming your ideas is either ignored or worse. Thank you very much, but no, thank you.
My last comment to you: don't waste your time pretending to gather feedback, as you are wasting not only yours, but also the time of others. Apparently you'll do whatever you want to do anyway.

@TsengSR
Copy link

TsengSR commented Jan 29, 2024

weeks or months till it gets fixed.

How is SponsorLink incompatible with getting priotity support for certain sponsor tiers?

That people reject the idea of SponsorLink? Just cause you do it in a shady and intransparent way doesn't mean people approve it.

Anyways, I don't care. Moved away from it long ago, that train departed already, and so will more as people and (especially) companies get aware of it.

How much did it net you so far? 10$? 20$? Or did you even to manage to get 3-digit? Less than a licence with support from the examples earlier probably.

@tkellogg
Copy link

@kzu I’ve been watching this conversation quietly from my inbox. Some thoughts

  • This thread is out of hand, in all directions
  • They have a point, a github ID is PII and can be very easily converted to an email address.
  • SponsorLink is a cool idea. I think it’s great to innovate, especially around sustainability
  • It sounds like SponsorLink was added with hardly any communication. I’m not sure this is illegal, but it certainly feels unethical.

I truly wish people could chill tf out because this does need explicit conversation. I don’t think the rollout was executed well, but the core principle seems solid.

@kzu
Copy link
Member

kzu commented Jan 30, 2024

Thanks for chiming in! I wish folks could just focus on the future and what SL should be. That's the kind of feedback that's actionable and useful: https://www.devlooped.com/SponsorLink/

I've tried hard to think about the issues raised so they are no longer an issue. I'm pretty sure I've addresses all the concerns raises with the new manifest-based spec: https://www.devlooped.com/SponsorLink/spec.html

Happy to hear your thoughts on that at devlooped/SponsorLink#100.

Cheers!

PS: I'm just a human 🤷🏼‍♂️, shocking. As such, I make mistakes as much as the next guy.

@kzu
Copy link
Member

kzu commented Jan 30, 2024

As requested by a sponsor, I'm locking this thread: https://x.com/sjkilleen/status/1752133435789820209?s=20

@devlooped devlooped locked as resolved and limited conversation to collaborators Jan 30, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.