Amazon AWS has withdrawn its association with open source project Moq after the project drew sharp criticism for its quiet addition of data collection features, as first reported by BleepingComputer.
Moq, a widely distributed library on the NuGet software registry, was found to be harvesting hashes of developer email addresses from the machines it was installed on. This started last week, after Moq’s developer bundled his controversial SponsorLink dependency into the project without notice.
Amazon distances itself from Moq
The Moq project, whose maintainers include Daniel Cazzulino (kzu), received severe pushback this week after Cazzulino rolled out a 4.20 version that included his SponsorLink package without prior notification.
The inclusion of the closed-source SponsorLink package caused Moq to harvest SHA-256 hashes of developer email addresses from local Git configs and upload them to SponsorLink’s CDN.
In reaction, several developers either discontinued use of Moq [1, 2] in favor of alternatives, or suggested building tools that would detect and block any projects that run SponsorLink.
Some went a step further, stating they would boycott projects that use SponsorLink or even report SponsorLink as “malware” to the NuGet registry [1, 2].
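One way to build the kind of detection check developers suggested, as an added example that is not code from Moq, SponsorLink or the original article: it walks a NuGet packages.lock.json and reports any package whose id contains "SponsorLink", along with the direct references that pull it in. It assumes lock files are enabled for the project; the package id "Devlooped.SponsorLink" and all versions in the sample are constructed for illustration.

```python
import json

FLAGGED = "sponsorlink"  # assumption: substring of the package id to flag

# Constructed sample in NuGet packages.lock.json layout; versions are placeholders.
SAMPLE_LOCK = json.loads("""
{"version": 1, "dependencies": {"net6.0": {
  "Moq": {"type": "Direct", "resolved": "0.0.0-sample",
          "dependencies": {"Castle.Core": "0.0.0-sample",
                           "Devlooped.SponsorLink": "0.0.0-sample"}},
  "xunit": {"type": "Direct", "resolved": "0.0.0-sample"},
  "Castle.Core": {"type": "Transitive", "resolved": "0.0.0-sample"},
  "Devlooped.SponsorLink": {"type": "Transitive", "resolved": "0.0.0-sample"}
}}}
""")


def reachable(packages, start):
    """Lower-cased ids reachable from `start` through 'dependencies' edges."""
    index = {name.lower(): entry for name, entry in packages.items()}
    seen, stack = set(), [start.lower()]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(d.lower() for d in index.get(current, {}).get("dependencies", {}))
    return seen


def find_flagged(lock, needle=FLAGGED):
    """One finding per framework and flagged package, with the direct
    references that pull it in (NuGet ids compare case-insensitively)."""
    findings = []
    for framework, packages in lock.get("dependencies", {}).items():
        direct = [n for n, e in packages.items() if e.get("type") == "Direct"]
        for name, entry in packages.items():
            if needle not in name.lower():
                continue
            via = sorted(d for d in direct if name.lower() in reachable(packages, d))
            findings.append({"framework": framework, "package": name,
                             "resolved": entry.get("resolved"), "via": via})
    return findings


if __name__ == "__main__":
    hits = find_flagged(SAMPLE_LOCK)
    for hit in hits:
        print(f"{hit['framework']}: {hit['package']} {hit['resolved']} via {hit['via']}")
    raise SystemExit(1 if hits else 0)
```

Run as a CI step against each project's lock file, the non-zero exit code fails the build when a flagged package appears, including as a transitive dependency that never shows up in the project file itself.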
SponsorLink, previously shipped on NuGet as obfuscated DLLs, generated hefty pushback among open source software users who stated that disclosing the project’s source code was “important for transparency and trust.”
More than whether Moq or SponsorLink fell foul of the expectations within open source ecosystems, a pressing concern among users was whether the data collection violated privacy legislation, such as GDPR [1, 2]. A German court has previously ruled that SHA-256 hashing is an insufficient means of data anonymization.
The developer has rolled back the controversial change in Moq v4.20.2, stating that it “breaks MacOS restore”—a reason that others have, yet again, mocked.
Despite the developer making these amends, there remains suspicion among users that future Moq releases could reintroduce a similar “feature.”
Amazon AWS, like many, has distanced itself from Moq and ceased endorsing the open source project.
A code change submitted to Moq by Rich Bowen, Amazon AWS’ open source advocate, requests that references to AWS be removed from the project, as seen by BleepingComputer.
“We acknowledge that we sponsored in the past,” writes Bowen.
“However, the addition of SponsorLink means that we will no longer be using this tool, and don’t wish to have our implied endorsement prominently displayed in the README. Thanks.”
Moq developer Cazzulino welcomed the request and removed Amazon’s AWS name from the project’s README:
“Properly removing the whole section in #1383. Should auto-merge in a bit,” responded the developer.
In fact, the developer has replaced the entire manually-written “Sponsors” list with one that’s “auto-updated,” according to the pull request.
We have reached out to Amazon AWS for comment. Cazzulino did not respond to BleepingComputer when approached for comment on the matter this week.
SponsorLink is now open source
On a related note, following persistent feedback from his user base, the developer has now made the SponsorLink project open source.
“Full OSS for SponsorLink (including client and backend) now lives in this same repo, under the src folder,” writes Cazzulino.
BleepingComputer verified that an ‘src’ (source code) directory was made available on SponsorLink’s GitHub repository sometime yesterday.
The reasoning behind why SponsorLink’s .NET implementation was previously kept closed-source was also amended.
The developer admits that “making the source available might have only made it trivial to circumvent” functionality that would ensure users receive their sponsorship status notification.
The move to make SponsorLink open source, according to the developer, would make it “less effective in contributing to an OSS project long-term sustainability.”
Despite the developer making much-requested amendments to Moq and SponsorLink, the projects may take a while to regain user trust among open source veterans.
Update, August 11th, 12:17 PM ET: Updated headline and lede to state Amazon has distanced itself from the project.