Amazon Web Services (AWS) has withdrawn its association with open source project Moq after the project drew sharp criticism for its quiet addition of data collection features, as first reported by BleepingComputer.
Moq, a widely distributed library on the NuGet software registry, was found to be harvesting hashes of developer email addresses on machines it was installed on. This started last week, after Moq’s developer bundled his controversial SponsorLink dependency into the project without notice.
The inclusion of the closed-source SponsorLink package caused Moq to harvest SHA-256 hashes of developer email addresses from local Git configs and upload them to SponsorLink’s CDN.
In reaction, several developers either discontinued use of Moq [1, 2] in favor of alternatives, or suggested building tools that would detect and block any projects that run SponsorLink.
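The detection tooling suggested above can start from a dependency audit. The following is an added example (not code from Moq, SponsorLink or BleepingComputer) that scans a .csproj and its packages.lock.json for any package id containing "SponsorLink"; the lock file matters because a bundled dependency appears there as a transitive entry that a csproj-only check never sees. The sample files and the package name "Example.SponsorLink" are constructed for illustration.

```python
"""Flag NuGet packages that pull in SponsorLink, including transitive ones."""
import json
import xml.etree.ElementTree as ET

FLAG_SUBSTRING = "sponsorlink"  # matched case-insensitively against package ids

# Constructed sample: a project that references only Moq directly (version is a placeholder).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="Moq" Version="1.0.0-sample" />
    <PackageReference Include="xunit" Version="1.0.0-sample" />
  </ItemGroup>
</Project>"""

# Constructed sample: the matching packages.lock.json, where the bundled dependency
# surfaces only as a transitive package (name invented for this example).
SAMPLE_LOCK = json.dumps({
    "version": 1,
    "dependencies": {
        "net6.0": {
            "Moq": {"type": "Direct", "requested": "[1.0.0-sample, )", "resolved": "1.0.0-sample"},
            "Example.SponsorLink": {"type": "Transitive", "resolved": "0.1.0"},
            "xunit": {"type": "Direct", "requested": "[1.0.0-sample, )", "resolved": "1.0.0-sample"},
        }
    },
})


def scan_csproj(text):
    """Return (id, 'Direct', version) for PackageReference entries matching FLAG_SUBSTRING."""
    hits = []
    for el in ET.fromstring(text).iter():
        if el.tag.rsplit("}", 1)[-1] != "PackageReference":  # tolerate namespaced csproj
            continue
        pkg = el.get("Include", "")
        if FLAG_SUBSTRING in pkg.lower():
            hits.append((pkg, "Direct", el.get("Version", "?")))
    return hits


def scan_lockfile(text):
    """Return (id, type, resolved) for every locked package matching FLAG_SUBSTRING."""
    hits = []
    for packages in json.loads(text).get("dependencies", {}).values():  # one map per TFM
        for pkg, info in packages.items():
            if FLAG_SUBSTRING in pkg.lower():
                hits.append((pkg, info.get("type", "?"), info.get("resolved", "?")))
    return hits


if __name__ == "__main__":
    print("csproj hits:", scan_csproj(SAMPLE_CSPROJ))   # nothing: Moq only
    print("lock hits:  ", scan_lockfile(SAMPLE_LOCK))   # the transitive package
```

Running it against the samples shows the csproj scan returning nothing while the lock-file scan reports the transitive entry, which is why a CI gate should read the lock file (or `dotnet list package --include-transitive`) rather than project files alone.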
SponsorLink, previously shipped on NuGet as obfuscated DLLs, generated hefty pushback among open source software users, who stated that disclosing the project’s source code was “important for transparency and trust.”
Beyond whether Moq or SponsorLink fell foul of the expectations of open source ecosystems, a pressing concern among users was whether the data collection violated privacy legislation such as GDPR [1, 2]. A German court has previously ruled that SHA-256 hashing is an insufficient means of data anonymization.
Despite the developer making these amends, there remains suspicion among users that future Moq releases could reintroduce a similar “feature.”
Amazon Web Services, like many, has distanced itself from Moq and ceased endorsing the open source project.
A code change submitted to Moq by Rich Bowen, AWS’ open source advocate, requests that references to AWS be removed from the project, as seen by BleepingComputer.
“We acknowledge that we sponsored in the past,” writes Bowen.
“However, the addition of SponsorLink means that we will no longer be using this tool, and don’t wish to have our implied endorsement prominently displayed in the README. Thanks.”
Moq developer Cazzulino welcomed the request and updated the README:
“Properly removing the whole section in #1383. Should auto-merge in a bit,” responded the developer.
In fact, the developer has replaced the entire manually-written “Sponsors” list with one that’s “auto-updated,” according to the pull request.
We reached out to Amazon with questions prior to publishing. Cazzulino did not respond to BleepingComputer when approached for comment on the matter this week.
SponsorLink is now open source
On a related note, following persistent feedback from his user base, the developer has now made the SponsorLink project open source.
“Full OSS for SponsorLink (including client and backend) now lives in this same repo, under the src folder,” writes Cazzulino.
BleepingComputer verified that an ‘src’ (source code) directory was made available on SponsorLink’s GitHub repository sometime yesterday.
The reasoning behind why SponsorLink’s .NET implementation was previously kept closed-source was also amended.
The developer admits that “making the source available might have only made it trivial to circumvent” the functionality that ensures users receive their sponsorship status notification.
The move to make SponsorLink open source, according to the developer, would make it “less effective in contributing to an OSS project long-term sustainability.”
Despite the developer making much-requested amendments to Moq and SponsorLink, the projects may take a while to regain user trust among open source veterans.