Florian Hockmann created TINKERPOP-2984:
-------------------------------------------
Summary: Replace Moq mocking library in .NET tests
Key: TINKERPOP-2984
URL: https://issues.apache.org/jira/browse/TINKERPOP-2984
Project: TinkerPop
Issue Type: Improvement
Components: dotnet
Affects Versions: 3.6.5, 3.5.7, 3.7.0
Reporter: Florian Hockmann
Assignee: Florian Hockmann
There has been some controversy around the .NET mocking library that we are
also using in some of our .NET unit tests: Moq.
In short, a project called "SponsorLink" has been added as a DLL to the NuGet
package which sends a hash of the email address of the developer building the
project (meaning our unit test projects) to their server. The email address is
obtained from the git config. This was done to check whether the developer is
already sponsoring the Moq project and nag them otherwise to become a sponsor.
This is of course a privacy issue and probably in violation of the GDPR.
[This article|https://www.bleepingcomputer.com/news/security/popular-open-source-project-moq-criticized-for-quietly-collecting-data/]
contains a longer explanation.
While SponsorLink has already been removed again, the main author stated the
intent to bring it back at a later point after finding another way without
needing to send hashed email addresses. So, I think we had better switch to
a different mocking library, especially since the introduction of SponsorLink
was done without much (/any?) advance notification or warning.
We have by the way not been affected by this as we haven't updated Moq in our
repository to a version that included SponsorLink.
I suggest that we migrate to [NSubstitute|https://nsubstitute.github.io/] which
is another big mocking library with an even easier to use API (at least in my
opinion) and very similar capabilities.