Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add 💜 SponsorLink support #1363

Merged
merged 1 commit into from
Aug 4, 2023
Merged

Add 💜 SponsorLink support #1363

merged 1 commit into from
Aug 4, 2023

Conversation

kzu
Copy link
Member

@kzu kzu commented Aug 4, 2023

See https://www.cazzulino.com/sponsorlink.html and https://github.com/devlooped/SponsorLink

Let's thank everyone who supports the project 💜

@kzu kzu merged commit 6057dd2 into main Aug 4, 2023
6 checks passed
@kzu kzu deleted the dev/sponsorlink branch August 4, 2023 19:32
vbreuss referenced this pull request in Testably/Testably.Architecture.Rules Aug 8, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [Moq](https://togithub.com/moq/moq) | nuget | minor | `4.18.4` ->
`4.20.0` |

---

### Release Notes

<details>
<summary>moq/moq (Moq)</summary>

### [`v4.20.0`](https://togithub.com/moq/moq/releases/tag/v4.20.0)

<!-- Release notes generated using configuration in .github/release.yml
at main -->

#### What's Changed

##### ✨ Implemented enhancements

- Add `setup.Verifiable(Times times, [string failMessage])` method by
[@&#8203;stakx](https://togithub.com/stakx) in
[https://github.com/moq/moq/pull/1319](https://togithub.com/moq/moq/pull/1319)

##### 🔨 Other

- Add `Mock<T>.RaiseAsync` by
[@&#8203;stakx](https://togithub.com/stakx) in
[https://github.com/moq/moq/pull/1313](https://togithub.com/moq/moq/pull/1313)
- Add `ThrowsAsync` for non-generic `ValueTask` by
[@&#8203;johnthcall](https://togithub.com/johnthcall) in
[https://github.com/moq/moq/pull/1235](https://togithub.com/moq/moq/pull/1235)
- Use PackageLicenseExpression instead of PackageLicenseUrl by
[@&#8203;wismann](https://togithub.com/wismann) in
[https://github.com/moq/moq/pull/1322](https://togithub.com/moq/moq/pull/1322)
- Don't throw away generic type arguments in one
`mock.Protected().Verify<T>()` method overload by
[@&#8203;stakx](https://togithub.com/stakx) in
[https://github.com/moq/moq/pull/1325](https://togithub.com/moq/moq/pull/1325)
- [#&#8203;1340](https://togithub.com/moq/moq/issues/1340) updated
appveyor.yml with workaround to make builds work again by
[@&#8203;david-kalbermatten](https://togithub.com/david-kalbermatten) in
[https://github.com/moq/moq/pull/1346](https://togithub.com/moq/moq/pull/1346)
- Revamp structure, apply oss template, cleanup projects/imports by
[@&#8203;kzu](https://togithub.com/kzu) in
[https://github.com/moq/moq/pull/1358](https://togithub.com/moq/moq/pull/1358)
- Add 💜 SponsorLink support by [@&#8203;kzu](https://togithub.com/kzu)
in
[https://github.com/moq/moq/pull/1363](https://togithub.com/moq/moq/pull/1363)
- fix website url by [@&#8203;tibel](https://togithub.com/tibel) in
[https://github.com/moq/moq/pull/1364](https://togithub.com/moq/moq/pull/1364)

#### New Contributors

- [@&#8203;johnthcall](https://togithub.com/johnthcall) made their first
contribution in
[https://github.com/moq/moq/pull/1235](https://togithub.com/moq/moq/pull/1235)
- [@&#8203;wismann](https://togithub.com/wismann) made their first
contribution in
[https://github.com/moq/moq/pull/1322](https://togithub.com/moq/moq/pull/1322)
- [@&#8203;david-kalbermatten](https://togithub.com/david-kalbermatten)
made their first contribution in
[https://github.com/moq/moq/pull/1346](https://togithub.com/moq/moq/pull/1346)
- [@&#8203;dependabot](https://togithub.com/dependabot) made their first
contribution in
[https://github.com/moq/moq/pull/1360](https://togithub.com/moq/moq/pull/1360)

**Full Changelog**: moq/moq.spikes@v4.18.4...v4.20.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/Testably/Testably.Architecture.Rules).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4yNy4xIiwidXBkYXRlZEluVmVyIjoiMzYuMjcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
vbreuss referenced this pull request in Testably/Testably.Abstractions Aug 8, 2023
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [Moq](https://togithub.com/moq/moq) | nuget | minor | `4.18.4` ->
`4.20.0` |

---

### Release Notes

<details>
<summary>moq/moq (Moq)</summary>

### [`v4.20.0`](https://togithub.com/moq/moq/releases/tag/v4.20.0)

<!-- Release notes generated using configuration in .github/release.yml
at main -->

#### What's Changed

##### ✨ Implemented enhancements

- Add `setup.Verifiable(Times times, [string failMessage])` method by
[@&#8203;stakx](https://togithub.com/stakx) in
[https://github.com/moq/moq/pull/1319](https://togithub.com/moq/moq/pull/1319)

##### 🔨 Other

- Add `Mock<T>.RaiseAsync` by
[@&#8203;stakx](https://togithub.com/stakx) in
[https://github.com/moq/moq/pull/1313](https://togithub.com/moq/moq/pull/1313)
- Add `ThrowsAsync` for non-generic `ValueTask` by
[@&#8203;johnthcall](https://togithub.com/johnthcall) in
[https://github.com/moq/moq/pull/1235](https://togithub.com/moq/moq/pull/1235)
- Use PackageLicenseExpression instead of PackageLicenseUrl by
[@&#8203;wismann](https://togithub.com/wismann) in
[https://github.com/moq/moq/pull/1322](https://togithub.com/moq/moq/pull/1322)
- Don't throw away generic type arguments in one
`mock.Protected().Verify<T>()` method overload by
[@&#8203;stakx](https://togithub.com/stakx) in
[https://github.com/moq/moq/pull/1325](https://togithub.com/moq/moq/pull/1325)
- [#&#8203;1340](https://togithub.com/moq/moq/issues/1340) updated
appveyor.yml with workaround to make builds work again by
[@&#8203;david-kalbermatten](https://togithub.com/david-kalbermatten) in
[https://github.com/moq/moq/pull/1346](https://togithub.com/moq/moq/pull/1346)
- Revamp structure, apply oss template, cleanup projects/imports by
[@&#8203;kzu](https://togithub.com/kzu) in
[https://github.com/moq/moq/pull/1358](https://togithub.com/moq/moq/pull/1358)
- Add 💜 SponsorLink support by [@&#8203;kzu](https://togithub.com/kzu)
in
[https://github.com/moq/moq/pull/1363](https://togithub.com/moq/moq/pull/1363)
- fix website url by [@&#8203;tibel](https://togithub.com/tibel) in
[https://github.com/moq/moq/pull/1364](https://togithub.com/moq/moq/pull/1364)

#### New Contributors

- [@&#8203;johnthcall](https://togithub.com/johnthcall) made their first
contribution in
[https://github.com/moq/moq/pull/1235](https://togithub.com/moq/moq/pull/1235)
- [@&#8203;wismann](https://togithub.com/wismann) made their first
contribution in
[https://github.com/moq/moq/pull/1322](https://togithub.com/moq/moq/pull/1322)
- [@&#8203;david-kalbermatten](https://togithub.com/david-kalbermatten)
made their first contribution in
[https://github.com/moq/moq/pull/1346](https://togithub.com/moq/moq/pull/1346)
- [@&#8203;dependabot](https://togithub.com/dependabot) made their first
contribution in
[https://github.com/moq/moq/pull/1360](https://togithub.com/moq/moq/pull/1360)

**Full Changelog**: moq/moq.spikes@v4.18.4...v4.20.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/Testably/Testably.Abstractions).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNi4yNy4xIiwidXBkYXRlZEluVmVyIjoiMzYuMjcuMSIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@baynezy
Copy link

baynezy commented Aug 8, 2023

Now I have to replace Moq everywhere 😭😭

@jamierobson
Copy link

This is the build that breaks trust, knowing that data is harvested without consent, and that this as the intent is established to execute code on the developers machine. Even if this change were reverted, it is clear that the developers have the willingness to take this step, and therefore trust is eroded.

My team will be moving away from Moq due to this, and I'd recommend others consider doing the same. NSubstitute is a strong alternitive, for those who need some ideas.

@sja-schleupen
Copy link

This is a serious violation of GDPR - you should remove it

@xiaoxiao921
Copy link

I don't see how it violate gdpr.
The big problem though is that garbage creates a compiler warning (warning as error flag and you can't suddenly build your project 🤣) and for some reason it also stop builds for a certain amount of seconds. The creator really didnt think that through, that alone will make a lot of people switch out.

@CasHil
Copy link

CasHil commented Aug 9, 2023

I don't see how it violate gdpr. The big problem though is that garbage creates a compiler warning (warning as error flag and you can't suddenly build your project 🤣) and for some reason it also stop builds for a certain amount of seconds. The creator really didnt think that through, that alone will make a lot of people switch out.

If you'd like to see how it violates GDPR, look at the discussion in https://github.com/moq/moq/issues/1372.

@aradalvand
Copy link

"Add 💜 SponsorLink support"

Famous last words

@msedi
Copy link

msedi commented Aug 9, 2023

Yes, this is a big problem. There are clear names in our e-mails and I do not accept that the e-mails of our company are made visible.

Also if this is communicated here, sometimes people do a simple nuget update with being informed that something this severe happens.

@dabaus
Copy link

dabaus commented Aug 9, 2023

I don't see how it violate gdpr.
The big problem though is that garbage creates a compiler warning (warning as error flag and you can't suddenly build your project 🤣) and for some reason it also stop builds for a certain amount of seconds. The creator really didnt think that through, that alone will make a lot of people switch out.

The problem with storing a hash of the email is that someone else can hash the users email, compare it to the hash in sponsor link and determine that it is the same person. Thus, the process is reversible and this is personal data, which means you need consent from the user.

@Write
Copy link

Write commented Aug 9, 2023

Like, the audacity of saying thank you while doing that, lmao.

@Misza13
Copy link

Misza13 commented Aug 9, 2023

Nice library suicide

@kzu
Copy link
Member Author

kzu commented Aug 9, 2023

So @dabaus if SponsorLink switches to a GUID generated when you install the GH app, which you then write in some file somewhere, everyone would be happy?

@KeterSCP
Copy link

KeterSCP commented Aug 9, 2023

@kzu everyone would be happy if library they use will not send any data to untrusted third-party servers without any consent, moreover if this will also slow down build process intentionally

@Misza13
Copy link

Misza13 commented Aug 9, 2023

@kzu everyone would be happy if library they use will not send any data to untrusted third-party servers without any consent, moreover if this will also slow down build process intentionally

On top of that, some corporate build servers are set up in such a way that they don't have internet access and rely on on-prem mirrors of NuGet, npm etc.

@Write
Copy link

Write commented Aug 9, 2023

So @dabaus if SponsorLink switches to a GUID generated when you install the GH app, which you then write in some file somewhere, everyone would be happy?

Dude your library is gone, forget about it.
No one will keep using it. You're not trustable. You did the dumbest thing, quite literally.

I'm sorry to say that.

@dabaus
Copy link

dabaus commented Aug 9, 2023

So @dabaus if SponsorLink switches to a GUID generated when you install the GH app, which you then write in some file somewhere, everyone would be happy?

I am no GDPR expert, but generally speaking, any id (like a username, customer id, github account id, ip address) that you can use together with other information in order to identify a person is to be regarded as personal data. It does not matter if it's only you who have access to that information, it's still personal data.

So i think the only reasonable way to build your service would be to do it through a web-app where users need to manually sign up and opt-in. Adding what could be regarded as spyware to your users dev-environments is obviously, even if it is legal, not going to be acceptable.

@AgentBlackout
Copy link

So @dabaus if SponsorLink switches to a GUID generated when you install the GH app, which you then write in some file somewhere, everyone would be happy?

You have just torpedoed your entire reputation and probably fair damage to your future. I think the closest thing to a recovery would be an immediate revert and grovelling apology rather than trying to double down.

@timothyeckert
Copy link

No I believe removing the data farming you snuck in would be the best path forward, followed by a very large apology.

@rwsp
Copy link

rwsp commented Aug 9, 2023

no coming back from this, trust permanently eroded.

@TopSwagCode
Copy link

I know I am going be to downvoted for this.
But I think this was an honest mistake. I have used MOQ for many years and loved it. I don't like this has been added and would agree to this shouldn't have happened. I doubt there was any malicious intend. Try giving his blog post a read here: https://www.cazzulino.com/sponsorlink.html

Screenshot of sponsorlink in action.

VS-SL02

So the good. It's for telling people about sponsorships and they are needed. The bad slowing down builds costing companies money in build time in their CI / CD env.

This is a big topic currently how opensource developers and projects should earn money for the work they do. And I am all in for it. Which brings us back to why I think this was an honest mistake. It was an attempt to bring focus to the sponsorship side of things. Sponsorship is a young project trying to do the right thing, but in a wrong way. I am sure @kzu has learned a lot from this. I think the entire community should take a chill pill and try to understand in @kzu / MOQ's perspective.

DISCLAIMER: I have nothing to do with MOQ and I don't know @kzu - I know that we are all human and we all make mistakes. For me MOQ is not dead. There was a mistake. Killing a project over 1 mistake is insane. It was good it was caught and brought up. But it's also a reminder to check your dependencies and have automated tools to do so.

@psimsa
Copy link

psimsa commented Aug 9, 2023

@TopSwagCode +1. Anyone who has never done anything stupid in their life raise hand. And reading the docs around it, it certainly doesn't seem too bad. From my perspective, 1) It should have been a major version bump bcz by default IDEs will often happily install latest minor versions while you could put it in license you have to accept in IDE when installing major version, 2) the lib itself should be open source - it's about transparency, 3) as others have pointed out, hash itself is not good if it isn't salted - it's still PII (which would be clear if open sourced) and 4) clear info and opt-out option. Like this for example:

Telemetry
---------
The .NET tools collect usage data in order to help us improve your experience. The data is collected by Microsoft and shared with the community. You can opt-out of telemetry by setting the DOTNET_CLI_TELEMETRY_OPTOUT environment variable to '1' or 'true' using your favorite shell.

Read more about .NET CLI Tools telemetry: https://aka.ms/dotnet-cli-telemetry

@remerle
Copy link

remerle commented Aug 10, 2023

This was a terrible decision, but I understand the desire to try to monetize an OSS project. However, there are tons of OSS projects that are able to monetize without stealing data.

One way is to spin off a premium version with features that people want enough to pay for. I wouldn't expect monthly payments - nobody wants to "subscribe" to a mocking library.

Or, charge for support. Or any of a myriad of other ways that don't export PII to an untrusted source.

Time to fork this repo, I guess.

@bastetfurry
Copy link

Time to fork this repo, I guess.

Seems like it.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.