Moq's controversial integration of SponsorLink sparks privacy concerns in Open Source community
The open source project Moq has been criticized for including a contentious dependency, SponsorLink, in its recent 4.20.0 release. Moq, with 476 million lifetime downloads via the NuGet registry, has been accused by the open source community of betraying its users' trust with this move.
SponsorLink appears to be open source but is actually shipped as closed source on NuGet, and it has raised eyebrows because it collects hashed user email addresses through obfuscated DLLs. This addition by Moq's owner, Daniel Cazzulino, has caused concern because users were not notified beforehand. The obfuscated code in SponsorLink has led to doubts about its real purpose: it not only integrates GitHub Sponsors but also collects hashed emails so that a cloud service can recognize the user.
Cazzulino has defended the inclusion of SponsorLink as an experimental move, but has received criticism for the lack of transparency. The README for SponsorLink has been updated to address privacy issues and clarify data usage and hashing. However, the integration of closed-source SponsorLink into popular OSS projects has raised ethical and legal privacy issues, with potential risks of email hash database comparison and user identification. Some developers have threatened to stop using Moq, build detection tools, or even label SponsorLink as malware. Despite Moq's 4.20.2 version removing the controversial feature, concerns about the future reintroduction of similar features remain.
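The privacy risk mentioned above (comparing a hash database against known addresses to identify users) can be illustrated with a small added example. This is not SponsorLink's or Moq's code; it assumes an unsalted SHA-256 over the lower-cased address, which is an assumption, and all addresses in it are constructed.

```python
"""Added example (not Moq's or SponsorLink's code): why a hash of an
e-mail address is still a personal identifier.

Assumptions not taken from the article: the hash is SHA-256 over the
normalised (lower-cased, trimmed) address, and the party comparing
hashes already holds a list of candidate addresses from elsewhere.
"""
import hashlib
import secrets
from typing import List, Optional

# Constructed sample data: the developer's address as a build tool would
# see it, and a candidate list another party might already hold.
LOCAL_EMAIL = "Dev.Example@Example.org"
KNOWN_ADDRESSES = [
    "alice@example.com",
    "dev.example@example.org",
    "bob@example.net",
]


def hash_email(email: str) -> str:
    """Deterministic, unsalted hash of a normalised address (assumed scheme).
    Normalisation makes the same mailbox hash identically every time."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def match_hash(reported_hash: str, candidates: List[str]) -> Optional[str]:
    """Lookup any holder of a candidate list can perform: because the hash
    is deterministic and unsalted, it is only as private as the address
    list it is compared against."""
    table = {hash_email(c): c for c in candidates}
    return table.get(reported_hash)


def opaque_install_token() -> str:
    """Privacy-preserving alternative for per-install recognition: a random
    token carries no information about the user and cannot be joined to
    an e-mail list held elsewhere."""
    return secrets.token_hex(16)


if __name__ == "__main__":
    reported = hash_email(LOCAL_EMAIL)
    print("reported hash:   ", reported)
    print("re-identified as:", match_hash(reported, KNOWN_ADDRESSES))
    print("opaque token:    ", opaque_install_token())
```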
