Add 💜 SponsorLink support #1363
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [Moq](https://togithub.com/moq/moq) | nuget | minor | `4.18.4` -> `4.20.0` |

---

### Release Notes

<details>
<summary>moq/moq (Moq)</summary>

### [`v4.20.0`](https://togithub.com/moq/moq/releases/tag/v4.20.0)

<!-- Release notes generated using configuration in .github/release.yml at main -->

#### What's Changed

##### ✨ Implemented enhancements

- Add `setup.Verifiable(Times times, [string failMessage])` method by [@stakx](https://togithub.com/stakx) in [https://github.com/moq/moq/pull/1319](https://togithub.com/moq/moq/pull/1319)

##### 🔨 Other

- Add `Mock<T>.RaiseAsync` by [@stakx](https://togithub.com/stakx) in [https://github.com/moq/moq/pull/1313](https://togithub.com/moq/moq/pull/1313)
- Add `ThrowsAsync` for non-generic `ValueTask` by [@johnthcall](https://togithub.com/johnthcall) in [https://github.com/moq/moq/pull/1235](https://togithub.com/moq/moq/pull/1235)
- Use PackageLicenseExpression instead of PackageLicenseUrl by [@wismann](https://togithub.com/wismann) in [https://github.com/moq/moq/pull/1322](https://togithub.com/moq/moq/pull/1322)
- Don't throw away generic type arguments in one `mock.Protected().Verify<T>()` method overload by [@stakx](https://togithub.com/stakx) in [https://github.com/moq/moq/pull/1325](https://togithub.com/moq/moq/pull/1325)
- [#1340](https://togithub.com/moq/moq/issues/1340) updated appveyor.yml with workaround to make builds work again by [@david-kalbermatten](https://togithub.com/david-kalbermatten) in [https://github.com/moq/moq/pull/1346](https://togithub.com/moq/moq/pull/1346)
- Revamp structure, apply oss template, cleanup projects/imports by [@kzu](https://togithub.com/kzu) in [https://github.com/moq/moq/pull/1358](https://togithub.com/moq/moq/pull/1358)
- Add 💜 SponsorLink support by [@kzu](https://togithub.com/kzu) in [https://github.com/moq/moq/pull/1363](https://togithub.com/moq/moq/pull/1363)
- fix website url by [@tibel](https://togithub.com/tibel) in [https://github.com/moq/moq/pull/1364](https://togithub.com/moq/moq/pull/1364)

#### New Contributors

- [@johnthcall](https://togithub.com/johnthcall) made their first contribution in [https://github.com/moq/moq/pull/1235](https://togithub.com/moq/moq/pull/1235)
- [@wismann](https://togithub.com/wismann) made their first contribution in [https://github.com/moq/moq/pull/1322](https://togithub.com/moq/moq/pull/1322)
- [@david-kalbermatten](https://togithub.com/david-kalbermatten) made their first contribution in [https://github.com/moq/moq/pull/1346](https://togithub.com/moq/moq/pull/1346)
- [@dependabot](https://togithub.com/dependabot) made their first contribution in [https://github.com/moq/moq/pull/1360](https://togithub.com/moq/moq/pull/1360)

**Full Changelog**: moq/moq.spikes@v4.18.4...v4.20.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/Testably/Testably.Architecture.Rules).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4yNy4xIiwidXBkYXRlZEluVmVyIjoiMzYuMjcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Now I have to replace Moq everywhere 😭😭
This is the build that breaks trust, knowing that data is harvested without consent, and that this as the intent is established to execute code on the developer's machine. Even if this change were reverted, it is clear that the developers have the willingness to take this step, and therefore trust is eroded. My team will be moving away from Moq due to this, and I'd recommend others consider doing the same. NSubstitute is a strong alternative, for those who need some ideas.
This is a serious violation of GDPR - you should remove it
I don't see how it violates GDPR.
If you'd like to see how it violates GDPR, look at the discussion in https://github.com/moq/moq/issues/1372.
"Add 💜 SponsorLink support" Famous last words
Yes, this is a big problem. There are clear names in our e-mails and I do not accept that the e-mails of our company are made visible. Also if this is communicated here, sometimes people do a simple nuget update with being informed that something this severe happens.
The problem with storing a hash of the email is that someone else can hash the user's email, compare it to the hash in sponsor link and determine that it is the same person. Thus, the process is reversible and this is personal data, which means you need consent from the user.
Like, the audacity of saying thank you while doing that, lmao.
Nice library suicide
So @dabaus if SponsorLink switches to a GUID generated when you install the GH app, which you then write in some file somewhere, everyone would be happy?
@kzu everyone would be happy if library they use will not send any data to untrusted third-party servers without any consent, moreover if this will also slow down build process intentionally
On top of that, some corporate build servers are set up in such a way that they don't have internet access and rely on on-prem mirrors of NuGet, npm etc.
Dude your library is gone, forget about it. I'm sorry to say that.
I am no GDPR expert, but generally speaking, any id (like a username, customer id, github account id, ip address) that you can use together with other information in order to identify a person is to be regarded as personal data. It does not matter if it's only you who have access to that information, it's still personal data. So I think the only reasonable way to build your service would be to do it through a web-app where users need to manually sign up and opt-in. Adding what could be regarded as spyware to your users' dev-environments is obviously, even if it is legal, not going to be acceptable.
You have just torpedoed your entire reputation and probably fair damage to your future. I think the closest thing to a recovery would be an immediate revert and grovelling apology rather than trying to double down.
No I believe removing the data farming you snuck in would be the best path forward, followed by a very large apology.
no coming back from this, trust permanently eroded.
I know I am going to be downvoted for this. Screenshot of sponsorlink in action. So the good. It's for telling people about sponsorships and they are needed. The bad slowing down builds costing companies money in build time in their CI / CD env. This is a big topic currently how open source developers and projects should earn money for the work they do. And I am all in for it. Which brings us back to why I think this was an honest mistake. It was an attempt to bring focus to the sponsorship side of things. Sponsorship is a young project trying to do the right thing, but in a wrong way. I am sure @kzu has learned a lot from this. I think the entire community should take a chill pill and try to understand in @kzu / MOQ's perspective. DISCLAIMER: I have nothing to do with MOQ and I don't know @kzu - I know that we are all human and we all make mistakes. For me MOQ is not dead. There was a mistake. Killing a project over 1 mistake is insane. It was good it was caught and brought up. But it's also a reminder to check your dependencies and have automated tools to do so.
@TopSwagCode +1. Anyone who has never done anything stupid in their life raise hand. And reading the docs around it, it certainly doesn't seem too bad. From my perspective, 1) It should have been a major version bump bcz by default IDEs will often happily install latest minor versions while you could put it in license you have to accept in IDE when installing major version, 2) the lib itself should be open source - it's about transparency, 3) as others have pointed out, hash itself is not good if it isn't salted - it's still PII (which would be clear if open sourced) and 4) clear info and opt-out option. Like this for example:
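Added example, not part of any comment above and not SponsorLink's code: it works through the points raised earlier in the thread about hashed e-mail addresses, salting and the GUID suggestion, by testing which stored tokens can be matched back to an address that a third party already knows. SHA-256, the lower-casing step, the HMAC variant (standing in for a salt that is kept secret) and all function names are assumptions made for illustration; the thread does not say which hash is used.

```python
import hashlib
import hmac
import secrets

def normalize(email: str) -> str:
    # Trimming and lower-casing is an assumed normalisation step.
    return email.strip().lower()

def unsalted_token(email: str) -> str:
    """Plain SHA-256 of the address: the same input always gives the same token."""
    return hashlib.sha256(normalize(email).encode("utf-8")).hexdigest()

def keyed_token(email: str, key: bytes) -> str:
    """HMAC-SHA-256 under a secret key: recomputing the token requires the key."""
    return hmac.new(key, normalize(email).encode("utf-8"), hashlib.sha256).hexdigest()

def random_token() -> str:
    """Identifier with no mathematical relation to the address (the GUID idea)."""
    return secrets.token_hex(16)

def reidentified(stored_tokens: set[str], known_emails: list[str], tokenize) -> list[str]:
    """Return the known addresses whose token appears in the stored set.

    A non-empty result means the stored tokens still identify people to anyone
    who can run `tokenize`, so they are pseudonymous, not anonymous.
    """
    return [e for e in known_emails if tokenize(e) in stored_tokens]

# Constructed sample data (example.com addresses, not real users).
USERS = ["alice@example.com", "bob@example.com"]
KNOWN = ["Alice@Example.com", "carol@example.com"]  # what a third party already knows

def demo() -> dict[str, list[str]]:
    key = secrets.token_bytes(32)        # held only by the service
    wrong_key = secrets.token_bytes(32)  # a third party without the real key
    plain_store = {unsalted_token(e) for e in USERS}
    keyed_store = {keyed_token(e, key) for e in USERS}
    random_store = {random_token() for _ in USERS}
    return {
        "unsalted": reidentified(plain_store, KNOWN, unsalted_token),
        "keyed_without_key": reidentified(keyed_store, KNOWN, lambda e: keyed_token(e, wrong_key)),
        "keyed_with_key": reidentified(keyed_store, KNOWN, lambda e: keyed_token(e, key)),
        "random": reidentified(random_store, KNOWN, unsalted_token),
    }

if __name__ == "__main__":
    for scheme, hits in demo().items():
        print(f"{scheme:18} -> {hits}")
```

The `keyed_with_key` row shows that whoever holds the key can still map a token to a person, so a secret key limits who can do the matching rather than removing the link.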
This was a terrible decision, but I understand the desire to try to monetize an OSS project. However, there are tons of OSS projects that are able to monetize without stealing data. One way is to spin off a premium version with features that people want enough to pay for. I wouldn't expect monthly payments - nobody wants to "subscribe" to a mocking library. Or, charge for support. Or any of a myriad of other ways that don't export PII to an untrusted source. Time to fork this repo, I guess.
Seems like it.
See https://www.cazzulino.com/sponsorlink.html and https://github.com/devlooped/SponsorLink
Let's thank everyone who supports the project 💜