Post idea: Moq and issues around OSS sponsorship

[SeanKilleen]

Going to workshop my thoughts and turn it into something.

References:

• January: Blog post on Sponsorlink: https://www.cazzulino.com/sponsorlink.html
• April: Concern raised during development (and dismissed): Devlooped.SponsorLink must not perform I/O outside of compiler APIs devlooped/SponsorLink#10
• August: PR that added it - being pretty transparent: https://github.com/moq/moq/pull/1363
• August: Release notes where it was added: https://github.com/moq/moq/releases/tag/v4.20.0
• Reddit thread I initially found: https://www.reddit.com/r/dotnet/comments/15ljdcc/does_moq_in_its_latest_version_extract_and_send/?utm_source=share&utm_medium=android_app&utm_name=androidcss&utm_term=1&utm_content=1
• https://github.com/moq/moq/issues/1370
• https://github.com/moq/moq/issues/1372
• https://github.com/moq/moq/issues/1374
• Removed in 4.20.2: https://github.com/moq/moq/releases/tag/v4.20.2

Thoughts:

Let they who are without OSS sin cast the first stone.

You don't get to call it a supply chain unless you're also doing something to enable your supplier. Supply chains have consumers that pay for the product, usually with money. OSS also allows us to contribute with time. People/groups who are doing none of that probably should reconsider complaining about your supply chain.

My first thought is: this is a terrible idea. But then I also thought: I'm part of the problem and the reason it got to this point. I used Moq a ton. I taught people how to use it. Some of that was for paid courses for an employer. I never donated to Moq. So I think the first thing to do for those of us who are frustrated is to take a breath and try to be a little humble about it.

Every time something like this happens, it's because the project wasn't being funded enough and was trying to find some way of making itself sustainable. I want sustainable OSS and I cannot blame the author for attempting something new.

With that said, I think this is a good example of how not to go about this sort of change. I think the implications of collecting developer email addresses without consent, and introducing a closed source (and obfuscated) binary, were not fully considered. And I think for a change like this, a lot more communication in a lot more formats would be helpful. I think negative-first approach (warning, slowed builds) is bound to frustrate people and make them defensive, which makes them much less likely to donate. Similar with being surprised. And I know the author tried to show how they had no nefarious intent, but they noted that without noting the real frustration that accompanied their actions -- impact matters more than intent.

But -- I have to remember that I as a user of Moq I didn't follow the author to stay up to date, so I didn't read or comment on the announcement post that is 7 months old. And so I didn't provide monetary support OR community support. I'm not holding up my part of the OSS social contract, so it's hard for me to feel mad when I feel that the author missed the mark on it too. To be outraged at this without prior support is to be a direct part of the problem of OSS sustainability, because it assumes we should be nothing but consumers, while never fulfilling the obligation of consumers.

I think it's especially rich for people with security departments secops departments and others they answer to be so mad about this and complain so loudly. On a purely selfish personal level I can understand it, but: you make money, and your company makes money, based in part on the use of this tool that neither you or your company is paying for. Where is your OSS support fund? Where are your dedicated hours to help on the OSS projects you're working for? Until that's in place, maybe let's be a little more humble about the criticism here, because it's a social contract and it doesn't sound like you're holding up your end of the bargain. I want us to look inward on this. Especially so for people who found the energy to go "warn" other OSS libraries about this quickly prior to the discussion playing out, or to report the package to nuget as abusive. We need to understand the merits of proportionate response, and employ it especially in places where we haven't paid for or earned the expectation of being pure consumers of something.

[ChrisMcKee]

With that said, I think this is a good example of how not to go about this sort of change. I think the implications of collecting developer email addresses without consent, and introducing a closed source (and obfuscated) binary, were not fully considered.

I'd say it was considered but no shits were given https://github.com/devlooped/SponsorLink/issues/10

[SeanKilleen]

@ChrisMcKee

I'd say it was considered but no shits were given

I'm not sure I see it the same way. I think someone had an idea for how to maybe address the OSS sustainability crisis within their own sphere of influence and the optimism outweighed the downsides (plus a lack of understanding of the GDPR implications). And my position on this is: since I haven't done a single thing to help this library to this point, I haven't held up my end of the OSS social contract, so my currency is now in understanding and benefit of the doubt on the author's intentions. "Let they who are without OSS sin cast the first stone."

This is yet another situation where the situation for this project became untenable, traditional paths don't seem to have worked, and the author had an idea for something new and novel. Would I have done it myself? No. Do I think it was a successful idea? Absolutely not. Can I fault them for trying? No. Do I think this author deserves our grace and respect after we've all consumed their work for free for years? Yes.

[ObsidianPhoenix]

[It's also poorly thought out. Pulling the git config will get the email address associated with that repo (or global if it's not set locally). But that might not be the email address a user is using the sponsor the project. Even something as simple as the + notation in gmail is going to screw with this check, let alone using your company email for company work, and sponsoring on your private email.

So you might even be putting your money where your mouth is, but you're still going to get nagged.](https://github.com/moq/moq/issues/1372#issuecomment-1671259550)

The entire endevour is so poorly thought out, that he's just burned his entire goodwill capital in one fell swoop.

[SeanKilleen]

@ObsidianPhoenix

It's also poorly thought out.

Sure, I'll allow that -- like I said, I would have rejected such an idea if it came up in my brain. But I only have my context, and this creator only has theirs. So my larger point is: where was the community support & involvement? Where was the jumping in to help support this author? Why wasn't I already following their blog to see it? Why didn't this bubble up to my radar to get my support and attention? Those are things I can fix by being a better member of the community. I see that as part of the social contract that I didn't hold up.

but you're still going to get nagged

I understand personal frustration, but I wish that everyone could take a breath before showing up in such an entitled manner. At a minimum we owe the author our respect and reasonable discourse. Mistakes can be made, and I wasn't there to help prevent them, and from what I can tell, a lot of other people weren't there either.

he's just burned his entire goodwill capital in one fell swoop.

Not with me. And that's my point. If we can't allow someone to learn and grow, after they did something with reasonable intentions, after creating a library that we've used for free for years, what does that say about us as a community? How flimsy is the currency of our political capital that it's tied to someone doing something for free, forever, without attempting to innovate, and also never making a mistake? If I were them, I'd stop caring about that kind of political capital entirely.

It's a bad idea. And we owe this creator the grace of recovering from that bad idea.

[ObsidianPhoenix]

I certainly get your point of view on this. And its a refreshing change from all the comments on the main thread (entertaining though they may be).

You're right, the community can engage more (myself included). But no-one is able to engage on every single OSS project they use. We all have limited time. We each have to decide what time we can devote, and where to devote it. As far as I can tell, Moq had a small but dedicated contributor base beyond just Kzu. I guarantee that Kzu himself is benefitting from OSS projects and not contributing to them. I think it's very difficult to work in todays .Net world and not be.

I'm not personally paying for a product I use for work, but I'd happily recommend that work pay a fee for premium features/support of a project we do use. I did it with Hangfire, I'll do it again with other projects. But that seems anathema to Kzu's views though:

And I’m a firm believer that supporting your fellow developers is something best done personally. Having your company pay for software surely doesn’t feel quite as rewarding as paying from your own pocket, and it surely feels different for me too. We really don’t need to expense our employers for a couple bucks a month, right??
SponsorLink Blog Post

He has the path back from this: revert the change entirely. The longer he delays, the more likely it is for the damage to be irreparable.

I feel for him. He's the owner of a very successful project, and people expect it to be maintained, and developed. And right now he's getting a ton of flak. But this is not the way to make a call for help.

[SeanKilleen]

@ObsidianPhoenix

But no-one is able to engage on every single OSS project they use. We all have limited time. We each have to decide what time we can devote, and where to devote it

Correct. To that extent, I think it's a goal for all of us to get more people involved in the ecosystem to ensure we have "coverage" since we can't be in all places. So let's work on systems that bring other people into these communities.

I guarantee that Kzu himself is benefitting from OSS projects and not contributing to them. I think it's very difficult to work in todays .Net world and not be.

I agree. But I think OSS authors get leeway here as they're playing a big role in the community already, so I give them more understanding from a consumption perspective.

But that seems anathema to Kzu's views though

I read that as "stop using your employer's stance on OSS contributions as an excuse around whether libraries can be supported."

He has the path back from this: revert the change entirely. The longer he delays, the more likely it is for the damage to be irreparable.

This appears to already be done as of 4 hours ago: https://github.com/moq/moq/releases/tag/v4.20.2

But this is not the way to make a call for help.

I agree with you. But my point is, let's find better ways for creators to better ask for help. Let's build models for them to ask for help and ways for them to surface it. Let's build a group where that call for support is met with actual support.

(Also, I appreciate your engagement here as it's a helpful way for me to add nuance to my initial thoughts. Thanks!)

[ObsidianPhoenix]

This appears to already be done as of 4 hours ago: https://github.com/moq/moq/releases/tag/v4.20.2

This was only done because it broke the MacOS builds.

Checking on his twitter, he's still fully committed to adding it. He's looking to fix the GDPR issue.

(Also, I appreciate your engagement here as it's a helpful way for me to add nuance to my initial thoughts. Thanks!)

No problem.

[Joe4evr]

I read that as "stop using your employer's stance on OSS contributions as an excuse around whether libraries can be supported."

While that is a valid take, I think the majority of people would be reading it as "You should make a personal donation even if you manged to convince your employer to make one already."

[SeanKilleen]

@Joe4evr

"You should make a personal donation even if you manged to convince your employer to make one already."

I think that's a absolutely reasonable position for an OSS author to take -- whether or not I myself can fulfill the ask. So even if that's the case, I have no problem with it.

[SeanKilleen]

Published: https://SeanKilleen.com/2023/08/on-moq-and-our-part-in-the-oss-sustainability-social-contract/

Therefore, closing this. Thanks all!