[ https://issues.apache.org/jira/browse/TINKERPOP-2984?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17781825#comment-17781825 ]
ASF GitHub Bot commented on TINKERPOP-2984:
-------------------------------------------
vkagamlyk commented on PR #2319:
URL: https://github.com/apache/tinkerpop/pull/2319#issuecomment-1789301318
Missing changelog entry
otherwise VOTE+1
> Replace Moq mocking library in .NET tests
> -----------------------------------------
>
> Key: TINKERPOP-2984
> URL: https://issues.apache.org/jira/browse/TINKERPOP-2984
> Project: TinkerPop
> Issue Type: Improvement
> Components: dotnet
> Affects Versions: 3.7.0, 3.5.7, 3.6.5
> Reporter: Florian Hockmann
> Assignee: Florian Hockmann
> Priority: Major
>
> There has been some controversy around the .NET mocking library that we are
> also using in some of our .NET unit tests: Moq.
> In short, a project called "SponsorLink" has been added as a DLL to the NuGet
> package which sends a hash of the email address of the developer building the
> project (meaning our unit test projects) to their server. The email address
> is obtained from the git config. This was done to check whether the developer
> is already sponsoring the Moq project and nag them otherwise to become a
> sponsor.
> This is of course a privacy issue and probably in violation of the GDPR.
> [This article|https://www.bleepingcomputer.com/news/security/popular-open-source-project-moq-criticized-for-quietly-collecting-data/]
> contains a longer explanation.
> While SponsorLink has already been removed again, the main author stated the
> intent to bring it back at a later point after finding another way without
> needing to send hashed email addresses. So, I think we should better switch
> to a different mocking library, especially since the introduction of
> SponsorLink was done without much (/any?) advance notification or warning.
> We have by the way not been affected by this as we haven't updated Moq in our
> repository to a version that included SponsorLink.
> I suggest that we migrate to [NSubstitute|https://nsubstitute.github.io/]
> which is another big mocking library with an even easier to use API (at least
> in my opinion) and very similar capabilities.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)