Also some fun takeaways: it also makes external calls to azure to load configuration and stays silent after updating for 2 weeks before showing warnings.
Moq is unusable. Needs to be forked or repoaced. Time to switch to NSubstitute.
You must log in or register to comment.
Kzu wanted to thank everyone that supports the project. That should be easy, as now nobody does.
Just sent an email to the brass at work letting them know. I imagine this will result in a painful gutting of this library from the entire stack. Might take months.
Moq is going to be a vulgar term for us soon enough.
Maybe it’s time we check to see if there’s a new epidemic that only affects the tech sector, turning them into desperate self sabotaging fools.
Edit: btw thank you op
If your usage is that ingrained, the other option is to fork it and drop the dependency, or swap to any of the already-numerous forks that do so. Unless there’s licensing concerns with that approach?
You’re relying on the fork to remain maintained, or else you risk you run into build/functional issues at some undetermined point in the future when it becomes incompatible with other changes in your environment/project. If you don’t trust the fork will be maintained, you should begin decoupling your project from the library anyway. I would be more willing to trust an alternate (or no) mocking framework over a Moq fork to be supported in the long term. That might change in a couple months if one becomes established.
I would personally wait a couple months, or until the original Moq creator reverses course. (If he does that, I think it’s unlikely a fork will compete with the original, so I’d start removing the dependency as I can’t trust the author anymore.)
So it’s basically a malware
Holy shit. This is so bad. That’s my entire September gone… I actually fought internally for my company to donate to this and a couple of other projects, but I guess this one is off the donation list at this point.
Thanks for trying. I don’t agree with anything this dev did, but if you’d been listened to, none of this would’ve happened.
Now businesses are going to start being much more of a pain in the ass about using OSS.
- argv_minus_one ( @argv_minus_one@beehaw.org ) English2•1 year ago
Now businesses are going to start being much more of a pain in the ass about using OSS.
What, they think commercial products don’t contain malware? Windows contains malware, under the deceptive name of “telemetry”, and I don’t see any businesses complaining too loudly about that.
Your mode of recourse is much better there vs relying on someone’s good will.
- argv_minus_one ( @argv_minus_one@beehaw.org ) English1•1 year ago
Only if you’re a billion-dollar company. Otherwise, Microsoft DGAF about your telemetry-related objections.
Ok. Well that’s a conversation worth having, and we are more than having it here on lemmy, but I’m speaking to the difficulties that normal Joe developers will now face because of apprehension about open source.
Sounds like the dev was unsatisfied with the low sponsorship numbers on his project, which when you consider how many devs only ever interact with Moq via the package manager or command line might be a fair complaint…but the decision to just start harvesting user data like a lowlife as an alternative source of income is some galaxy brain shit.
It’s not like this would even be sustainable. What did he think was going to happen, devs would just blindly accept a new shady looking package appearing in their dependency stack with no further investigation?
As a result of this stupidity Moq will now be on the shit-list of every corporation using .NET, especially those based in Europe due to GDPR implications.
Man fuck that
I knew that software supply chain dependency poisoning was increasing becoming a problem with open source, I just didn’t expect it to be from the original creator.
Update: https://github.com/moq/moq/issues/1374#issuecomment-1671166436
Dev is still defending his action and apparently believes he’s done nothing wrong. Harvesting developers email and extorting them by sabotaging builds is no big deal.
Absolute clown. OSS needs a better solution to funding devs hard work, but it is not a vehicle for an egomaniac to get rich.
I’m still pro-not mocking. Maybe this is a good opportunity to stop using so many mocks in our tests, and write validation on the actual behavior of your code.
No need to rush out and replace Moq, you’re fine if you’re on a lower version. We are using 4.16 or something at work, and I don’t see any need to take any action there. Didn’t have a reason to upgrade anyway.
If the SponsorLink package comes back, and kzu is determined to push forward with it (which is absolutely his right to do) then long term I guess we’ll move to something else. My preference would be to stop using mocks altogether.
This is not the first time it happens with Dotnet Open Source packages, there are some pretty funky things going on namely:
Imagesharp (They re-license from Apache 2 to something like Community/Commercial licenses and threw a huge fit over it)
Fody (It expects the software contributors of Fody to be a patron.)
It expects the software contributors of Fody to be a patron.
As in, you can only contribute source code if you also pay in money?
Interesting, thanks. Well, that’s kind of a good reason, except maybe they should have been more upfront about it.
I think it’s asinine to ask the developer who contribute to your project, literally taking the time of the day writing the code and submit PR to your project, to pay money to you.
I wouldn’t even bother contributing to the project at that point.
Yes, doing this after the fact is a nice way to blow all trust. There is always this attempted lock-in kind of taste.
Damn … There goes the rest of the week replacing it … Thank for the warning
I wonder if it would be possible to force people to pay for usage with licensing instead of what was tried here?
