In the world of open-source software, there’s a balance between creating freely available tools and finding ways to sustain the hard work that goes into developing them. One recent solution that’s gaining traction is SponsorLink, introduced with the aim of promoting the sponsorship of open-source projects, specifically with the popular .NET testing library, Moq, in its 4.20 version.
What is SponsorLink?
In essence, SponsorLink was created by Daniel Cazzulino aka kzu the creator of Moq, is an initiative to encourage developers to financially support their fellow developers who produce valuable open-source tools. By embedding SponsorLink in a library, developers can send gentle reminders to their users about the possibility of sponsorship, straight within the development environment, like Visual Studio or Rider.
Link to SponsorLink blog post: SponsorLink: trying something new-ish for OSS sustainability (cazzulino.com)
How does it work? ***
The operation seems straightforward at first glance:
- If a developer is using an editor and there’s network connectivity, SponsorLink runs
git config --get user.emailduring the build to retrieve the developer’s configured email. - This email (hashed and encoded, not in its raw form) is then used to check if the developer has installed the SponsorLink GitHub app (this happens using an HTTP call to Azure).
- Further, it checks if the developer is sponsoring the particular open-source project.
If the developer isn’t sponsoring, they’re offered links to install the app and then sponsor the account.
*** Update by kzu on SponsorLink and the future of Moq:
SponsorLink: feedback and moving forward (cazzulino.com)
The Potential Issue
While the intent behind SponsorLink is noble – supporting the hard-working developers behind essential open-source projects – there’s a potential privacy concern. Even though the actual email isn’t sent directly (it’s hashed and encoded), there’s an inherent access to a developer’s local git configuration. For some, this might be a cause for concern. Lastly, we need to keep in mind the GDPR in Europe which this library might not be compliant.
Why should you care?
Moq is a highly popular .NET library used for testing. With its vast reach in the .NET community, many developers will be interacting with SponsorLink, possibly without being fully aware of it. Raising awareness about SponsorLink is not to demonize it or its creators but to ensure that developers are making informed decisions.
Final Thoughts
Open-source sustainability is a complex issue and there’s no one-size-fits-all answer. SponsorLink represents a genuine effort to tackle this problem, but as with any new tool or initiative, it’s essential to approach it with a keen awareness. As developers, we should be proactive in understanding the tools we use, the permissions they require, and the implications of those permissions. In the ever-evolving world of tech, informed decision-making remains our most valuable asset.
Daniel Cazzulino’s perspective offers a valuable look into the real challenges faced by open-source developers. While the path to sustainability is rocky, the emphasis on fostering connections between developers and sponsors may yet pave the way forward. The debate around OSS sustainability is far from over, but dialogues like this push the community closer to finding a middle ground.
***Update***
SponsorLink is now open source devlooped/SponsorLink: Public samples, issues and discussions repo for SponsorLink (github.com)
kzu has said that he will change the way he checks if you are a sponsor and won’t use your email.
***Update 2***
SponsorLink: feedback and moving forward (cazzulino.com)
Moq library pull request that implemented SponsorLink:
Add 💜 SponsorLink support by kzu · Pull Request #1363 · moq/moq (github.com)
You can find an intro to Moq here: Introduction to Moq – Coding Bolt
You can also check out my post that introduces you to NSubstitute
Coding Bolt 
Leave a comment