The Context
Moq is a very popular, open-source project that provides a mocking library for .NET developers.
It has come under fire for quietly collecting data without the knowledge or consent of its users.
Crux of The Matter
Moq was everything we love about open source.
It is a high-quality library with over 470M downloads, heavily used by companies, including very large enterprises.
Creator of Moq
For more than 10 years, Daniel Cazzulino (or @kzu) has been diligently building and refining it.
The storm of criticism erupted when Moq’s 4.20.0 release quietly incorporated the SponsorLink project.
SponsorLink was shipped on NuGet as closed-source software, containing obfuscated DLLs that gather hashed email addresses of users and transmit them to SponsorLink’s cloud service.
This deceptive behavior by SponsorLink drew backlash from open-source software enthusiasts, who felt betrayed by what they deemed a breach of trust.
Daniel Cazzulino has now removed SponsorLink from the project, not because there is no longer a desire to add it to Moq, but because of a bug that was showing up on Mac and Linux.
There is no guarantee yet that the removal of SponsorLink is a permanent decision.
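Because the dependency arrived through an ordinary version bump, a team can check its own NuGet lock files for it. The following is an added example, not code from Moq or SponsorLink: it walks a `packages.lock.json` (version 1 layout) and reports any resolved package whose id contains "sponsorlink", together with the direct references that pull it in. The sample lock file, the package versions other than Moq 4.20.0, and the function names are constructed for illustration.

```python
import json

# Constructed sample of a NuGet packages.lock.json (version 1 layout).
# Versions other than Moq 4.20.0 are made up for illustration.
SAMPLE_LOCK = json.loads("""
{
  "version": 1,
  "dependencies": {
    "net6.0": {
      "Moq": {"type": "Direct", "requested": "[4.20.0, )", "resolved": "4.20.0",
              "dependencies": {"Castle.Core": "5.1.1", "Devlooped.SponsorLink": "1.0.0"}},
      "xunit": {"type": "Direct", "requested": "[2.5.0, )", "resolved": "2.5.0"},
      "Castle.Core": {"type": "Transitive", "resolved": "5.1.1"},
      "Devlooped.SponsorLink": {"type": "Transitive", "resolved": "1.0.0"}
    }
  }
}
""")

def reaches(by_id, start, target, seen):
    """Depth-first walk of the dependency edges recorded in the lock file."""
    if start == target:
        return True
    if start in seen or start not in by_id:
        return False
    seen.add(start)
    deps = by_id[start][1].get("dependencies", {})
    return any(reaches(by_id, d.lower(), target, seen) for d in deps)

def find_flagged(lock, needle="sponsorlink"):
    """Return sorted (framework, package, version, pulled_in_by) tuples."""
    findings = []
    for framework, packages in lock.get("dependencies", {}).items():
        # NuGet package ids are case-insensitive, so compare lower-cased.
        by_id = {name.lower(): (name, meta) for name, meta in packages.items()}
        for key, (name, meta) in by_id.items():
            if needle not in key:
                continue
            # Direct references from which the flagged package is reachable.
            roots = sorted(r for r in packages
                           if packages[r].get("type") == "Direct"
                           and reaches(by_id, r.lower(), key, set()))
            findings.append((framework, name, meta.get("resolved"), roots))
    return sorted(findings)

if __name__ == "__main__":
    for fw, pkg, ver, roots in find_flagged(SAMPLE_LOCK):
        print(f"{fw}: {pkg} {ver} pulled in by {', '.join(roots)}")
```

Run against a real project, load the file with `json.load(open("packages.lock.json"))` in place of the sample; a lock file only exists when the project has NuGet lock files enabled.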
While Daniel's intentions might not have been malicious, the manner in which it was executed is unjustified and simply WRONG.
However, many developers showed disappointment in how the developer community reacted to this issue.
The damage is irreversible now as many companies and developers are already contemplating migrating their tests to other libraries.
For devs, the next best option after Moq is NSubstitute, another open-source project.
And here lies the problem.
There is a reason “free” packages like Moq are in demand.
Companies and developers save a lot of time and money by simply using these projects.
The time, effort, and money required for creating an in-house project similar to Moq can, in many cases, surpass the effort needed to develop the projects in which the library would be employed.
Maintaining OSS projects is a lot of work and maintainers like Daniel Cazzulino depend on sponsors to keep the project running.
The Other Side of the Story
Many open-source maintainers struggle to make a living from their work, despite the fact that their software is used by millions of people around the world.
This is because open-source software is often developed and maintained by volunteers who are not compensated for their work.
Marc Gravell, author of some very important OSS projects like Dapper and StackExchange.Redis, has come out in support of Daniel Cazzulino.
Marc makes a solid point that “Organizations (using the library) should sponsor not individuals”.
He has poured his heart out in this Twitter thread.
The Conclusion
Open-source software relies on trust between developers and users. When a project like Moq collects data without users' knowledge or consent, it erodes that trust.
This can have a ripple effect throughout the open-source community, as users become more skeptical of other projects and developers become more hesitant to contribute their time and expertise.
However, it is important to understand why this issue has cropped up in the first place.
Many maintainers struggle to make a living from their work, and companies that rely on their software often do not provide adequate support.
To address this issue, companies should allocate funds to support open-source maintainers and provide recognition and support to the maintainers who develop and maintain the software they use.