by on August 22, 2013

How far the once mighty SourceForge has fallen…

[Editor's note: This post is the opinion of the author and not necessarily that of the Gluster Community]

TLDR: 

SourceForge, once a mighty force for the good of Open Source, has fallen far from its previous lofty heights.

Dice, the new owners, strongly encourage (read: bribe) the top projects to use a new, closed-source-only installer that pushes spyware / adware / malware.

Developers using SourceForge should migrate away from it if they want to keep their integrity.  End users using projects hosted on SourceForge should immediately find an alternative.

Full version:

When people download software from SourceForge, or any major repository of Open Source software, they expect the software to be trustworthy (barring unintentional bugs).

They do not expect the software to be a source of “drive by installer” style malware, spyware, adware, or any other unrelated/unintended software.

SourceForge’s new owners, Dice, have consciously and deliberately moved to a model violating this trust.

With their recent changes, users downloading from SourceForge now receive a special closed-source installer in place of the project's own download, and that installer attempts to foist unrelated third-party software onto them.

For example, when a user clicks on this: [screenshot in the original post]

They instead receive this: [screenshot in the original post]

This is a "drive-by installer", designed to catch less technical users and the unwary and fill their computers with malware / junkware / crimeware, the same trick abused by the notorious ask.com toolbar and others:

[screenshot: FileZilla_drive_by_downloader_smaller]
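The practical defence against a substituted installer is to compare what you actually received with a digest the project published somewhere the download mirror does not control (its own website, a signed release announcement, a mailing-list post). The script below is an added example, written for this page and not code from the original post, from SourceForge or from any of the projects named here. It parses a `sha256sum`-style manifest and checks a download directory against it; the manifest, the file names and the file contents in `demo()` are all constructed. One caveat: the check only catches a swap between the publisher and you. If a project has itself chosen to ship the wrapped binary, the project's own digest will match it and this test tells you nothing.

```python
# Added example (not code from the original post, SourceForge or FileZilla):
# verify downloaded installers against a sha256sum-style manifest obtained
# out-of-band from the project, so a substituted wrapper is caught before it runs.
import hashlib
import hmac
import os
import string
import tempfile

_HEX = set(string.hexdigits)


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256; installers can be large, so never read them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text):
    """Parse `sha256sum` output lines of the form '<64 hex>  <name>' (a '*' before
    the name marks binary mode). Blank lines and '#' comments are skipped.
    Returns {name: lowercase hex digest}; malformed lines raise ValueError."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError("line %d: expected '<digest>  <filename>'" % lineno)
        digest, name = parts
        if len(digest) != 64 or not set(digest) <= _HEX:
            raise ValueError("line %d: not a SHA-256 hex digest" % lineno)
        name = name[1:] if name.startswith("*") else name
        entries[name] = digest.lower()
    return entries


def check_downloads(manifest_text, directory):
    """Return {name: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry."""
    results = {}
    for name, expected in parse_sha256sums(manifest_text).items():
        # basename(): a hostile manifest must not steer the check outside `directory`
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif hmac.compare_digest(sha256_file(path), expected):
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    return results


def demo():
    """Constructed scenario: the manifest lists three files. One on disk is genuine,
    one was served as a different binary (the wrapper), one was never saved."""
    genuine = b"MZ\x90\x00 constructed stand-in for the project's own installer"
    wrapper = b"MZ\x90\x00 constructed stand-in for a closed-source bundle installer"
    tarball = b"constructed source tarball"
    manifest = "\n".join([
        "# constructed manifest, as a project would publish on its own site",
        hashlib.sha256(genuine).hexdigest() + "  *project-1.0-setup.exe",
        hashlib.sha256(genuine).hexdigest() + "  *project-1.0-setup-mirror.exe",
        hashlib.sha256(tarball).hexdigest() + "  project-1.0.tar.gz",
    ])
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "project-1.0-setup.exe"), "wb") as f:
            f.write(genuine)
        with open(os.path.join(d, "project-1.0-setup-mirror.exe"), "wb") as f:
            f.write(wrapper)  # what the mirror actually handed over
        return check_downloads(manifest, d)


if __name__ == "__main__":
    for name, status in demo().items():
        print("%-9s %s" % (status, name))
```

Run it as-is to see the three outcomes; in real use, point `check_downloads()` at your download folder with the manifest text pasted from the project's own page. The `basename()` call matters: a manifest is untrusted input too, and an entry like `../../etc/something` should not be able to direct the check at arbitrary files.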

It gets worse.

When SourceForge introduced this, it encouraged (read: bribed) the top projects to participate by giving them a cut of the take.  So these co-operating projects are also knowingly selling their users down the river.

I’m not against monetisation at all, we all have lives and need to pay our bills. But not through abusing user trust.  Not through preying on the unskilled or unwary.

To misquote Marge Simpson; “They not only crossed the line, they threw up on it.”

If you’re a developer or contributor to a SourceForge project, please ask them to move to a new project host (there are several).  And cease all further involvement until it’s complete.  I’ve already done so with mine.

If you’re a user of a SourceForge project, please find and use an alternative project instead.

We should all demonstrate our commitment to user safety and personal integrity around this issue.

99 Comments

  1. Chris Nehren says:

    This is not at all surprising. How come no one remembers when SourceForge went closed source about ten or so years ago? That they’d do something like this seems entirely natural (and, of course, absolutely insidious).

  2. silence dogood says:

    The funny part of that is that a guy actually made the new installer that adds all the crap to the real installer. When you know how boring Windows installers are in the first place, I hope he was paid like a hundred thousand dollars to suffer in silence and scam poor Windows users once more.

  3. BeckzZ says:

    Thx for the write up!

    As you linked FileZilla as an example, and it looks like many people are still using it: FileZilla stores the server credentials in plain text, which is no problem if you encrypt your home directory, but most people don't do that, so it's better to use another FTP client, like WinSCP for example.

    In my opinion FileZilla is unusable until it's possible to encrypt the credentials without needing extra software.

  4. void says:

    This, Maslow Jenkins, is indeed an issue – and it’s alarming.

  5. Freeflight says:

    Maslow Jenkins, that's not really a solution, it just leaves the problem to itself, making it potentially even worse.

    At some point they're going to add so many hoops to jump through that the whole thing becomes a chore that nobody wants to do anymore. There is also the fact that after over a decade of this crap getting worse, I'm getting tired of constantly having to "keep up". It's bad for usability, it's bad for workflow, it's bad for efficiency in general and shouldn't be tolerated.

    This crap has gotten way out of hand by now. When was the last time you surfed the web without any kind of ad or script blockers? Have you tried that recently?

    The last time I tried it, by accident, I didn't recognize the damn internet anymore. Because by now everything is buried below dozens of layers of flashing, annoying advertising/pop-ups and malware that's out to get you in every way possible.

  6. Joe says:

    @Maslow Jenkins: This works just as long as the companies do not violate 'just another' rule and drop one or another file on your system they don't tell you about.
    “You cannot trust whom you cannot trust”

  7. Claymore says:

    http://userscripts.org/scripts/show/174951

    This will get rid of the new method SourceForge is trying.

  8. Gaurav Panchal says:

    I like Softpedia instead of download.com. Softpedia adds no malware.
    Now I can't believe SF is promoting this adware nuisance.

  9. Why is everyone only barking at SF and nobody looking at how the FileZilla people opted in to this shady business and are defending it on their own forum?

    https://forum.filezilla-project.org/viewtopic.php?t=30240

    I think it takes two to tango – the company offering a shitty monetization program and the developer who takes their offer.

  10. Uranoxyd says:

    @FooBar, write them, and tell them why you would delete your project. ;)

  11. mcnesium.com says:

    […] looks like in future you will have to be careful when downloading software from SourceForge: How far the once mighty SourceForge has fallen… […]

  12. […] is dead. The new operators have now forced a drive-by installer on it. Malware galore http://www.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/ /via […]

  13. Christoph says:

    It’s sad to see this great project using shitty foo just to increase profit.

  14. Rick says:

    Maslow,

    Not true. That's what I used to think before I downloaded and installed FileZilla this morning: that as long as you read very carefully what those tricky installers hope to fool you into installing, anyone who is tech savvy could easily avoid them. Well, I was careful not to install the bloat/malware that came with FileZilla and I still got something that proved detrimental to my brand new computer. In short, it didn't run correctly immediately after I installed FileZilla, and every time I reboot I get this window that appears saying "Connecting to application" and I have NO IDEA what that is. I've uninstalled FileZilla but it keeps happening. I am not at all a tech novice and actually make a living in IT support, but this sh*t has got me stumped. I am now seriously considering reinstalling my entire OS and am definitely going to boycott each and every piece of software from SourceForge and spread the word.

  15. […] How far the once mighty SourceForge has fallen […]

  16. […] How far the once mighty SourceForge has fallen… ::: Gluster […]

  17. […] 9:32 – Sourceforge pushing open source projects to use their “drive-by” installers […]

  18. John says:

    Sourceforge is not the only one. Took me a whole day to clean up a machine after downloading a program from CNET. Despite the fact that these days I do not blindly accept the defaults when installing software the installer still managed to smuggle a load of rubbish onto my laptop. Spent a day cleaning it up and still felt uneasy. Do they not realise that these tactics damage their reputation?

  19. […] if what this article says is true, SourceForge would in my opinion be better avoided in future, both by developers and by […]

  20. Avinash Machado says:

    Great article. I too am quite dismayed that SourceForge has become like CNET.

  21. Mike says:

    How about FossHub.com? They claim to offer "downloads and hosting for the free projects". I can see that there are quite a few projects that use them, and compared to CNET and SF their website seems to be pretty clean.

  22. cyborg molotov says:

    Take a tour of the Apache server, they are all linked up with Oracle [my ass], Sun Microsystems, Java, Python, Linux, IBM, just Google it, you will also find the answer, they are a group of credit card thieves… just pure bastards

  23. cyborg molotov says:

    They can even penetrate your BIOS as well. What, you think I am mad? I used EaseUS Partition Master software, and it fucked my even powerful 64 GB SSD.
    All the job done by a simple notepad… think, people, think deeper, you would find more interesting stuff, from now on, bye.

  24. ALdbeign says:

    ” But it does as you note require compliance from the project itself – so really why not go and give those projects negative reviews for their installers directly?”

    I would call this a perfectly reasonable point, except I just spent 2 hours trying to get signed up to do just that, and kept getting error messages when attempting to provide such feedback for an app I attempted to download. I got the installer, 5 "click accept to agree to these terms and install" screens (the first of which I fell for, maybe 2; they all looked like license agreements, but I got suspicious and didn't click all of them) (also, couldn't find a cancel button to just get rid of the install altogether). I'm still trying to get all the malware out of my system. I can use the OpenID option on SourceForge to log in and leave said review (it lets me log in, won't let me review unless I give them a lot of personal info which, as I just got malware from the site, I'm not giving them to boot)… gone down the path of evil at this point. P.S. how do I get rid of this crap? Ran my AV software (not AVG, it was one of the malware items installed) but keywords now link to popups…

  25. […] How far the once mighty SourceForge has fallen… | Gluster Community Website SourceForge has now mutated into a spyware slinger as well. Anyone still hosting anything there should migrate urgently. […]

  26. Anonymous says:

    Don't download software from that web server.
    I seem to have received a small friend along the way when downloading
    the latest FileZilla client. Seems to be a RAT, a remote administrator program of some sort, so this is just a warning to all you guys.

  27. […] How low the once legendary SourceForge has fallen […]

  28. Obama C says:

    @Rufine: of course he is the real Edward Snowden.

    - Obama

  29. Mark W says:

    It is not just SourceForge that has gone this route. CNET, on some downloadable applications, now uses a "downloader" that behaves in the same way. No thanks… If I wanted to use an app to download I'd use uTorrent… :(

  30. […] However, the decisive point was the SourceForge owners' introduction of their own installers ('ad-ware', 'pay-ware'), which are substituted for the original ones. […]

  31. […] SourceForge is a proprietary product, which is perceived by some users as spyware/adware/malware, since […]

  32. […] a few months ago they already tried to pull a fast one on me with the Filezilla installer. As explained in this article, the Filezilla download link on Sourceforge actually points to a different download URL that […]

  33. Leo Linden says:

    They will crash and burn… We Open Source lovers will stop using the service… It is a shame.

  34. Edan Tal says:

    @Justin Clift / @Yan Cheng Cheok - You're welcome to try Bintray.com. It's a smart and social binary distribution platform where you can publish your binaries from your build server/build tool and where your users download from.

  35. […] turning point was the introduction of SourceForge's proprietary installer, which bundles third-party products with free software packages. We do not want to support […]

  36. Jason says:

    Thanks, I have moved my projects to GitHub now. FU SF and Dice! >:(

  37. Jerzy says:

    Have you considered Google Code? They support SVN, Git and Mercurial and provide hosting for binaries.

  38. Josh R. Dunlavy says:

    Integrity in the world, especially on the Internet, is rather hard to find these days. My respect and appreciation goes out to individuals and groups who contribute their talent to open source causes.

    I would expect this behavior from a P2P client’s site or CNet. SourceForge, though, always seemed above that. Always the “trusted uncle,” it’s like he’s showed up drunk to Thanksgiving this year, took off his shirt and shouted racist jokes during dinner.

  39. […] GIMP especially cannot stomach the installer adopted by the repository, written in proprietary code, which brings unwanted software along with it, […]

  40. Hmm, the article here seems misleading. It says: “users downloading from SourceForge now receive a special closed source installer which attempts to foist unrelated third party software onto them.”

    But as far as I can tell, developers have to OPT-IN to allow their executables to be modified: http://sourceforge.net/blog/advertising-bundling-community-and-criticism/

    I certainly don’t want the executables *I* release to be modified. But allowing it appears to be the decision of the developers, who could insert their own malware anyway.

  41. joje says:

    thx for the heads up; greedy bastards everywhere these days; cheers

  42. access2godzilla says:

    Everything can be reversed, so let’s reverse this crap. Results are here: http://pastebin.com/bYbZrT90

  43. Alexandre Torres says:

    Blame the Filezilla developers for accepting the deal!
    Sourceforge is not forcing them to monetize anything.
    Or is it? If so, show some proof.
    Don't blame the guy who makes guns for the acts of a killer.

  44. Thaddeus Smith says:

    Hi,

    A suggestion. If the license is GPL or similar, is it possible to collate earlier binaries or source code in a different place? For example, I still have all of the earlier projects that I've followed, such as CloneZilla, VLC etc., from before the changes were made to SourceForge. In some cases I also have the source code. Would anyone else be likely to contribute if something like this could be organised?

  45. Yes, it is a shame! One also has to wonder where the 'services' that are being installed on unsuspecting users' computers get the money from to pay all these companies to install them. Are people really using ask.com?

    Oracle has also opted in for it. They are now distributing the Ask.com toolbar with Java. I wonder how much money Ask had to pay them to bundle their malware.

    Read more in my blog post:
    http://stijndewitt.wordpress.com/2013/03/20/oracle-turns-java-into-malware/

  46. […] I found this, for what it is worth. It urges caution. http://www.gluster.org/2013/08/how-f…ge-has-fallen/ […]
