SponsorLink is now OSS too and no longer bundled #1384
Comments
|
And I thought the npm funding messages were bad. This is worse. |
|
Moq currently has 99 contributors (including a handful of bots) - how are you going to distribute the proceeds from SponsorLInk between them, if at all? As a library author, I would never impact the library users' build process with any delays (this could consume free minutes offered by online services). I wouldn't even annoy them with auto-opening text files on NuGet package installation. Consider a world in which every NuGet package you use, and every dependency, and dependency of dependency, utilized SponsorLink that added just a couple of seconds to each build. Do you want to live in such world? “Don't do unto others what you don't want done unto you.” |
|
This is just strange to me.
|
|
It is clear at this point that Moq needs to be forked and we need come together around a new repository. |
https://github.com/hassanhabib/CleanMoq |
|
Some people here need to take a step back. He's literally done what we asked here. If y'all aren't gonna be constructive here then genuinely why post anything. There's enough people posting the same stuff in his other issues. If you wanna fork the repo, fork it. If you wanna migrate to NSubstitute, then go do that too. Thank you @kzu for open sourcing this. Probably a bit too late, and definitely should have been done from the start, but It's a step which will help some people regain some of the trust that was lost. I hope this continues with a trend of you being able to work with the community on this, rather than dropping something like this as a surprise. Everyone saw how that went the last time! |
|
There is a degree of pointlessness here that adds spice to the myopia. Wanting to be paid (call it what you will) requires an elevated amount of knowledge, consideration, and work. There is no easy button. Sending invoices and stuff is a intentionally ignorant simplification of what providing work for compensation involves. OSS doesn't get a free pass here - ethics, fair value, compliance, taxes (OSS isn't possible without infrastructure), etc. are all part of the ecosystem. So stay "free" and unencumbered or get serious and get paid. Don't try to be "smarter" than the legions before you by ignoring entire concerns you find distasteful but are, in the context of the entire ecosystem, required for everyone's benefit. |
People asked many things. But I clearly got the idea that the vast majority asked for SponsorLink to be completely removed from Moq. And that hasn't been done and clearly isn't going to be done. So I don't know what do you mean by him doing what "we" asked. It's funny you mention "being constructive". It is precisely what has so many people scratching their heads at the destructive suicide of this project as it unrolls before our very eyes. As someone said before, this is Github drama at its best. But no one was asking for it. Like Jake Paul on Netflix we have to wonder why? |
|
@CenturySparkle mentioned NPM, I'd invite people to read through this if they haven't already. Very similar situation, well worth a read. https://github.com/zloirock/core-js/blob/master/docs/2023-02-14-so-whats-next.md |
And the Sherlock prize of the week goes to... |
The wording makes it sound like 'not liking it' was an unexpected side-effect. I'm pretty sure it is behaving exactly as designed but maybe I'm missing something :) |
@Rahtgaz As far as I'm aware, it's been removed no?, Someone posted a screenshot showing it was no longer bundled, and the MOQ packages that did contain it were removed from nuget. That was my impression at least. I'm just personally against kicking someone while they're down, especially when they're actually taking steps in the right direction. People seem to just want to vent more than anything, especially when, as of this issue, all he's done is open source the damn thing. What is there to complain about that? We should be encouraging someone when they make decisions like this. IMO If you wouldn't say it to a colleague you don't know, you shouldn't say it on a GitHub issue. Ofc some people may act like this to colleagues, so who knows. |
|
If you look through the git history on this project, it seems that @kzu hasn't done much of anything at all in the last two years, aside from monetization efforts? What ongoing development are we supporting exactly? |
@TeddMcAdams He was working on https://github.com/moq/labs vNext, among other things. Don't just look in the one repo. I don't actually know where the code for VNext is (it might not all be public), but I'm on my phone rn so search is a bit ass. |
|
@DanielCordell maybe I am missing something, but /src/ seems public over there on labs too? Updated three years ago? Nothing in the last two years aside from updating sponsorship info? Like you said maybe it isn't all public. |
|
I don't actually know where the code for vNext is, looking through repos on my phone isn't ideal. He posted this: So he's not been doing nothing |
|
I am talking about the Moq project specifically. Sure he has a ton of commits elsewhere, like his SponserLink project. But for someone who is complaining about nights and weekends having to maintain such a big project, I'm not sure what actual maintaining is taking place here specifically? |
|
Lots of contribs Contribs in private repo (I assume vNext or work maybe?) An avid open source contributor! @TeddMcAdams I can definitely see the point that sponsorships are weird when a project is deemed "stable" and then a new version is getting worked on in the background. The 'old,' thing is basically in maintenance only mode and the next thing that's taking up all the time isn't public yet. That's more of an issue I have with Githubs implementation than anything. Definitely getting off topic here. |
|
@DanielCordell The removal of SponsorLink from Moq was due to a bug that was showing in Mac and Linux. Not because there is no longer a desire to add it to Moq. @kzu has made it clear he will be adding SponsorLink back to Moq.
Your soulful attitude is not helpful or constructive either. Despite what you might think. There's a time for kumbaya and a time for shouting. The problem at hand is simply this: A completely unannounced tool that aims to collect my email and send it to a third-party without my permission and without an opt-in mechanism is being added to a mocking library used in my company in around 250 individual C# projects which comprise the totality of our in-business toolset. My IT department has already issued a warning, and frozen the Moq version in our private nuget stream server. Management in the meantime is waiting a few days before deciding whether we are going to migrate our code to an alternative, likely NSubstitute. I am now currently on the second day of estimating the cost for us. I don't feel warmth in my heart. |
Pretty sure it's the calling home / exfiltration of personally identifying information (PII) that's the offensive bit. May even violate a few laws. Sure, some may have been asking to have the target open-sourced, but more appear to be questioning why this needs to exist in the first place. See also: reports of test suites blocking on these call-homes. This type of calling-home behavior would get flagged by my local anti-malware protections as unexpected outbound connections are monitored.
This is un-serious. To the degree that I've been forced to add this project to my "never use" list, similar to "is-really-truly-array" (which uses 8 or so NPM libraries such as "is-array", "isarray", "arraylike", … to exhaustively check), "is-even" (basic math fail), and "eslint" (my word). And warn developers within the organization I work for about the PII leakage. Edit to note: thumbs down? Because a few of y'all think this is being serious? It's a phallus measurement contest and belittling session, with the one caught exhibiting the bad behavior pointing and victim blaming. And exhibiting no understanding of the problem of their behavior. I try very hard to not point at my Mars 2020 badge. (The shame is in not recognizing the unacceptability of PII exfiltration, the trust violation that is unexpected code execution, and not worrying about the possible legal jeopardy / violation of laws these entail.) |
|
Without taking any sides (I don't agree how @kzu did what he did), it's pretty clear that the .NET community is full of entitled Karens. "We'll fork your project" is such a laughably empty threat because people ranting for hours on GitHub issues about "million dollars in damages" will be the last ones to enforce it. |
Not mentioning the fact that he's not going to be putting back the exact same version as before, he's clearly listening to feedback on the sorts of changes he could make, and the fact that it's now open source means that there's also accountability here.
I'm sorry you're in that position, I'm literally doing the same thing right now. While I'm also frustrated to be in this position, there's also a time to be constructive here, not just flinging crap at him. One extra angry voice on an issue isn't going to do anything. Why is shoutin on this issue going to help? This isn't twitter, the initial wave I understand completely, but this issue here is supposed to be a first step in the right direction. |
It's still in https://github.com/search?q=repo%3Amoq%2Fmoq+SponsorLink&type=code . Only the "keystone", in the form of a package reference, was removed moq/moq.spikes@a7dcd43 Nevertheless, SponsorLink just needs to be removed completely, this is not the way to get any sustainability for FOSS, it will just force developers away:
And these issues will just increase 1000x fold if this package is used by more (F)OSS developers, to the magnitude that it might kill OSS as we know it. |
how would you feel if the lib you're using all of a sudden introduced a binary obfuscated dll that you have no visibility into what it's doing? |
|
here's some refreshment for individuals who have read down to this point 🥤🍔 🥤🍔 🥤🍔 |
Except they didn't. They open sourced it, sure. But it is still being used, it still harvested data without user consent (which is against the law), and it still slows builds to annoy people into sponsoring. None of that is ok. There's a thing called trust, and it has been broken. You can't just mend it by undoing part of the damage, the very fact they thought this was ok to do is the problem. |
|
Other then the broken privacy laws, you could probably sue for damages, because slowing the build process intentionally causes financial harm. I'm not sure there is legal protection when it's intentional. |
Like I said, I don't agree with what @kzu did. There are ways to bring it up and have a civilized discussion, but this is not it. Threatening the maintainer that you'll "fork their project" or being verbally abusive only creates further antagonization. And if that's your real goal then it's fine, but don't hide under the pretense of "fairness". Especially not if the maintainer already showed that they received your feedback. You expect @kzu to be perfect, while you're all throwing feces at him like a bunch of enraged monkeys 🤷🏻 |
This doesn't even make sense. Who will curate which API usage is low/enough/too high? |
Yeah, not trivial for sure. If it's just a relative number WRT to the total of used code that touched APIs that are SponsorLinked, then it's just a % of total usage. That's one way (kinda like what Spontify does, I suppose, but it should be better). |
|
Who will even curate who is the author of a library? https://github.com/netoffice/netoffice The owner of netoffice org stole the handle from the author of the code and rewrote whole git history of the project and changed authorship. If they opened it for sponsorship the money would go to a different person. |
No one can curate who is the author of a library in that case. If malicious actor rewrote git history and stole stuff no one can help with that. Governance of ethics is outside of domain of governance of materialism. SponsorLink is just a tool for governance of materialism in this context. I could have built in telemetry and read all data from my "customers" Android mobile phones without their consent - I've built custom Android (Linux) kernels about 7y ago. OS Kernel! That's highest level of access - hardware level, OS level, device driver level, even accessing other's telemetries. Heck, I could have streamed their phone calls and simply stolen ideas from my customers and rebranded them as my own. My ethics standards didn't allow me to do this. That's pure ethics issue. And who decides what's ethical or not? That's fundamental dilemma in ethics. You can always be malicious actor if you set your mind to it. I don't know how any software (or person) can mitigate this. |
|
Very valid and thoughtful points @duki994 💯 There won't be a perfect solution that satisfies absolutely everyone. That's also inevitable. I'm just trying to find the right balance and take in the feedback. |
|
I love sponsorlink. Sponsorlink is great. I use sponsorlink in all my projects. Awesome. |
|
An observation @kzu , usually I like to sponsor my favorite libraries and utilities. |
|
I love the fluent API of FakeItEasy! // Creating a fake object is very easy!
// No mocks, or stubs; everything's a fake.
var shop = A.Fake<ICandyShop>();
// Easily set up a call to return a value.
var lollipop = new Lollipop();
A.CallTo(() => shop.GetTopSellingCandy()).Returns(lollipop);
// Exercise your system under test by using the fake as you
// would an instance of the faked type.
var customer = new SweetTooth();
customer.BuyTastiestCandy(shop);
// Asserting uses the same syntax as configuring calls.
A.CallTo(() => shop.BuyCandy(lollipop)).MustHaveHappened(); |
|
@jtanios we are also exploring. compatibility wrappers like |
Why the rush? lock the version to a safe verison of Moq, schedule a task to migrate Moq to anything else and do it slowly... |
|
I worship sponsorlink. I praise this piece of open source software. Sponsorlink solves all my problems. Thank you for giving me an opportunity to send money to random strangers who write code |
|
@kzu - Honestly it would be better if you had just offered a commercial license. I've previously worked in healthcare/pharma, payroll/HR, and am currently working for a bank. Software that is used in those environments will need to be security approved before its made available to us. Software that tries to...
... is probably never going to be approved for use in any Financial or Pharmaceutical environment, and probably most direct and indirect government led projects. I get your intention, but that's a lot of potential sponsors that are being eliminated - isn't the intention to get more sponsorship or at least make it easier to sponsor? I cant guarantee that if Moq were available via a commercial license that we would pay for those licenses, but at least there is a chance that we would, and that is better than the choices that SponsorLink leaves us with. |
I believe companies will do that if they will have a choice of switching to other mocking library or being sued. As far as I understand the need of OS financing I honestly don't understand the model which was implemented here. The idea of running PII-stealing process during the build is crazy. |
I am working for an enterprise decided to switch to IdentityServer4 to Duende Server with proper a commercial license. That license is not cheap in my eye at all. It is not a bad idea to ask commercial companies to pay for quality community software. While putting eye onto sponsoring instead of rigid licensing is understandable, PII obtaining without consent would exceed the red line. Please consider to take a step back. |
|
"how would you feel if the lib you're using all of a sudden introduced a binary obfuscated dll that you have no visibility into what it's doing?" - I wouldn't even notice if there was an obfuscated binary, lol. Why would I? I don't spend my time inspecting packages, lol. In fact, I expect code to be obfuscated usually. I don't know how many products choose not to obfuscate. Obfuscation is a pretty good mechanism to add a bit of security. |
That goes against OSS. |
|
You wouldnt upload a car to azure blob storage |
Obscurity being the opposite of security, is just about the first rule of security. If your relying on obscurity for security, your not secure at all. Transparency is security. If you show what you have, and they still can't break it, that is security. |
Not through lack of trying. That would be really cool. |
why a message that inviting you to financially contribute to open source project when you build is bad? |
An Info message at build time wouldn't be the worst thing in the world - I suspect there'd be some pushback on that but not to the level that we've seen since 4.2.0 was released. What's bad is:
|
About all this, I could not agree more. And indeed, if the author didn't remove this reference to sponsorlink, I would have stopped using Moq. |
|
Ok folks, I think this announcement has run its course. I gathered good feedback that will be acted upon. Please consider voting and offering additional feedback (that hasn't been expressed before, ideally wink😉) at https://github.com/devlooped/SponsorLink/issues. |
kzu
changed the title
and others
After the feedback yesterday, it was clear that even though the goal of SponsorLink is to make it easier for library developers to get sponsored, the fact that a part of an OSS project referenced a non-OSS dependency was concerning to many users.
As such, everyone can now go and inspect the whole thing (analyzer/package as well as backend azure functions) at the SponsorLink repository. Future versions of the package will come from there, will no longer be ofuscated, and will also have an OSS license.
Hopefully you will take this opportunity to help move it forward for the benefit of anyone that wants to be sponsored for their OSS work, and offering a better experience on that front for users too.
A couple comments from the feedback I gathered yesterday on #1374 as well as Twitter/X:
The text was updated successfully, but these errors were encountered: