Amazon AWS

Amazon Web Services (AWS) has withdrawn its association with open source project Moq after the project drew sharp criticism for its quiet addition of data collection features, as first reported by BleepingComputer.

Moq, a widely distributed library on the NuGet software registry, was found to be harvesting hashes of developer email addresses on machines it was installed on. This started last week, after Moq's developer bundled his controversial SponsorLink dependency within the project and without notice.

Amazon distances itself from Moq

Moq project, whose maintainers include Daniel Cazzulino (kzu), received severe push back this week after Cazzulino rolled out a 4.20 version that included his SponsorLink package without prior notification.

The inclusion of closed-source SponsorLink package caused Moq to harvest SHA-256 hashes of developer email addresses from local Git configs, and upload these to SponsorLink's CDN

In reaction, several developers either discontinued use of Moq [12] in favor of alternatives, or suggested building tools that would detect and block any projects that run SponsorLink.

Some went a step further, stating they would boycott projects that use SponsorLink or even report SponsorLink as "malware" to the NuGet registry [12].

SponsorLink, previously shipped on NuGet as obfuscated DLLs, generated a hefty push back among open source software users who stated that disclosing the project's source code was "important for transparency and trust."

More than whether Moq or SponsorLink fell foul of the expectations within open source ecosystems, a pressing concern among users was whether the data collection violated privacy legislation, such as GDPR [1, 2]. A German court has previously ruled that SHA-256 hashing is an insufficient means of data anonymization.

The developer has rolled back the controversial change in Moq v4.20.2, stating that it "breaks MacOS restore"—a reason that others have, yet again, mocked.

Despite the developer making these amends, there remains suspicion among users that future Moq releases could reintroduce a similar "feature." 

Amazon Web Services, like many, has distanced itself from Moq and ceased endorsing the open source project.

A code change submitted to Moq by Rich Bowen, AWS' open source advocate, requests that references to AWS be removed from the project, as seen by BleepingComputer.

Amazon AWS requests Moq to remove its name from README
Amazon Web Services withdraws endorsement for Moq (GitHub)

"We acknowledge that we sponsored in the past," writes Bowen.

"However, the addition of SponsorLink means that we will no longer be using this tool, and don't wish to have our implied endorsement prominently displayed in the README. Thanks."

Moq developer Cazzulino welcomed the request and updated the README:

Moq removes Amazon from sponsors
Moq removes Amazon's name from sponsors (GitHub)

"Properly removing the whole section in #1383. Should auto-merge in a bit," responded the developer.

In fact, the developer has replaced the entire manually-written "Sponsors" list with one that's "auto-updated," according to the pull request.

We reached out to Amazon with questions prior to publishing. Cazzulino did not respond to BleepingComputer when approached for comment on the matter this week.

SponsorLink is now open source

On a related note, following persistent feedback from his user base, the developer has now made the SponsorLink project open source.

"Full OSS for SponsorLink (including client and backend) now lives in this same repo, under the src folder," writes Cazzulino.

BleepingComputer verified that an 'src' (source code) directory was made available on SponsorLink's GitHub repository sometime yesterday:

sponsorlink source code
SponsorLink's source code now available on GitHub

The reasoning behind why SponsorLink's .NET implementation was previously kept closed-source was also amended.

The developer admits that, "making the source available might have only made it trivial to circumvent" functionality that would ensure users receive their sponsorship status notification.

The move to make SponsorLink open source, according to the developer, would make it "less effective in contributing to an OSS project long-term sustainability."

SponsorLink now open source
Earlier reasoning for keeping project closed-source (in red) amended (in green) (GitHub)

Despite the developer making much-requested amendments to Moq and SponsorLink, the projects may take a while to regain user trust among open source veterans.

Update, August 11th, 12:17 PM ET: Updated headline and lede to state Amazon has distanced itself from the project.

Related Articles:

Get up to speed on AWS with $395 off this certification prep bundle

CISA: Most critical open source projects not using memory safe code

Plugins on WordPress.org backdoored in supply chain attack

Chrome for Android tests feature that securely verifies your ID with sites

Tor Browser 13.5 brings Android enhancements, better bridge management