by on August 22, 2013

How far the once mighty SourceForge has fallen…

[Editor’s note: This post is the opinion of the author and not necessarily that of the Gluster Community]

TLDR: 

SourceForge, once a mighty force for the good of Open Source, has fallen far from its previous lofty heights.

Dice, the new owners, bribe strongly encourage the top projects to use a new (closed source only) installer that pushes spyware / adware / malware.

Developers using SourceForge should migrate away from it if they want to keep their integrity. End users using projects hosted on SourceForge should immediately find an alternative.

Full version:

When people download software from SourceForge, or any major repository of Open Source software, they expect the software to be trustworthy (barring unintentional bugs).

They do not expect the software to be a source of “drive by installer” style malware, spyware, adware, or any other unrelated/unintended software.

SourceForge’s new owners, Dice, have consciously and deliberately moved to a model violating this trust.

With their recent changes, users downloading from SourceForge now receive a special closed source installer which attempts to foist unrelated third party software onto them.

For example, when a user clicks on this:

They instead receive this:

This is a “drive-by installer”, designed to catch less technical users and the unwary, to fill their computers with malware / junk ware / crime ware. As abused by the notorious ask.com toolbar and others:

It gets worse.

When SourceForge introduced this, it bribed encouraged the top projects to participate by giving them a cut of the take. So these co-operating projects are also knowingly selling their users down the river.

I’m not against monetisation at all; we all have lives and need to pay our bills. But not through abusing user trust. Not through preying on the unskilled or unwary.

To misquote Marge Simpson; “They not only crossed the line, they threw up on it.”

If you’re a developer or contributor to a SourceForge project, please ask them to move to a new project host (there are several). And cease all further involvement until it’s complete. I’ve already done so with mine.

If you’re a user of a SourceForge project, please find and use an alternative project instead.

We should all demonstrate our commitment to user safety and personal integrity around this issue.

99 Comments

  1. simonoriordan says:

    Agree. Absolutely. We don’t want or need this shite, and all it will do is damage revenues in the long term. They are idiots.

  2. When I saw that the filezilla setup was ****ed I decided to download its portable version, unfortunately from SF itself :( [I actually downloaded Filezilla before reading this article]

    SF currently hosts my old (abandoned) projects, while GitHub is used for hosting the source of newer projects, and I use dropbox/skydrive/google-drive for sharing binary files or my closed source projects.

    Once you combine dropbox/skydrive/google-drive with github you get a good alternative to SF.

    thanks

  3. Thanks for the write up. Do you have any recommended site as the replacement of sourceforge? Do they provide project website hosting as well? Since I had built up quite a lot of traffic on sourceforge, do you have any advice on the migration plan? Thanks.

  4. Justin Clift says:

    @Yan Cheng Cheok – That’s a good question. It depends on the SourceForge.net pieces you’re using. :)

    GitHub (very good) and Gitorious (not bad) both provide a good alternative, but aren’t a complete replacement for everyone. (eg no forum support)

    JStock doesn’t seem to use forums though, which should make finding the right alternative much easier.

    The one thing GitHub seems to be missing, is an equivalent “hosting for installers”. eg binary releases

    Other people have mentioned code.google.com, which seems like it would do the job too. :)

  5. dan says:

    use bitbucket

  6. Mark says:

    Thanks for this! I just received a new machine at work and was preparing to install FileZilla when I saw a link to this post in my CodeProject Daily News email.

    What SF

  7. Mark says:

    (sorry, hit post by accident…)

    What SF has done is ridiculous and potentially very damaging for many projects. It can also make the part of my life where I serve as tech support for family and friends more difficult since I have pointed them to SF many times in the past – won’t be doing that any more!

  8. Paul Grosse says:

    Does anyone have sources for SF recommending that projects use their installer? I’m not finding any discussion of it in their newsletters nor emails to developers

  9. Edward Snowden says:

    @justin GitHub uses “releases” as an equivalent for “hosting for installers” now. They let you upload either binary assets or source code. https://github.com/blog/1547-release-your-software

  10. Chris Morgan says:

    Valuable discussion of this article is at https://news.ycombinator.com/item?id=6262347. The situation isn’t *quite* as grim as it is painted here.

  11. Dan says:

    If they aren’t giving us the installer executables provided by the project, how do we verify project-supplied cryptographic signatures? In the FileZilla example, if you grab their FileZilla_3.8.3.sha512 file, and try to compare with the apppartners.com served file, it will (of course) not match.

    Is there any way to get the real file out of SourceForge now?

  12. Jeff Jacobson says:

    “The one thing GitHub seems to be missing, is an equivalent ‘hosting for installers’. eg binary releases”

    https://help.github.com/articles/creating-releases

  13. Justin Clift says:

    @Edward Snowden and Jeff Jacobson – Excellent, that’s really good news. +1 for GitHub then. :)

    @Chris Morgan – Looks like my usage of the words “Drive-by installer” isn’t correct then. “Offer based installer” really doesn’t seem to convey the point of “preying on the unwary” though. :(

  14. Justin Clift says:

    @Dan – This is a good question. With at least FileZilla (haven’t checked others), it’s possible with a bit of hunting to locate installer(s) without this crap.

    But there doesn’t seem to be a proper way to ensure that whatever *does* actually get installed matches up. Would probably need checking of hashes/signatures on a per file basis for every file. (unsure)

    Also not seeing a way to tell whether the installer is doing anything else (eg nefarious). It being not open source and all. :(
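The check Dan and Justin are discussing above, as an added example that is not part of the post or the comments: compare a downloaded file against the project’s own published `.sha512` file (sha512sum format, as FileZilla ships) before running it, so a substituted wrapper installer is rejected. The sample installer bytes and the `demo` function are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify a download against the project's published SHA-512
# digest file. A replacement/"offer" installer served instead of the real
# file will not match the digest the project itself published.

sha512_of() {
    # Hex SHA-512 of a file, with whichever coreutils/perl tool is present.
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | cut -d' ' -f1
    else
        shasum -a 512 "$1" | cut -d' ' -f1
    fi
}

# verify_sha512 FILE DIGESTFILE
# DIGESTFILE holds lines "<hex>  <filename>" (or "<hex> *<filename>" for
# binary mode). Returns 0 when the line for FILE's basename matches, 1 otherwise.
verify_sha512() {
    name=$(basename "$1")
    expected=$(awk -v n="$name" '{ f=$2; sub(/^\*/, "", f) }
                                  f == n { print $1; exit }' "$2")
    if [ -z "$expected" ]; then
        echo "no digest for $name in $2; cannot trust this file" >&2
        return 1
    fi
    actual=$(sha512_of "$1")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published SHA-512"
        return 0
    fi
    echo "MISMATCH for $name: do not run it" >&2
    return 1
}

# demo: constructed installer + digest file; the genuine file must pass and a
# tampered copy (wrapper stub prepended) must fail. Returns 0 if both hold.
demo() {
    tmp=$(mktemp -d) || return 1
    f="$tmp/FileZilla_3.8.3_win32-setup.exe"
    printf 'constructed: genuine installer bytes\n' > "$f"
    printf '%s  %s\n' "$(sha512_of "$f")" "$(basename "$f")" > "$tmp/FileZilla_3.8.3.sha512"
    verify_sha512 "$f" "$tmp/FileZilla_3.8.3.sha512" || { rm -rf "$tmp"; return 1; }
    printf 'constructed: wrapper stub\n' | cat - "$f" > "$tmp/wrapped" && mv "$tmp/wrapped" "$f"
    if verify_sha512 "$f" "$tmp/FileZilla_3.8.3.sha512" 2>/dev/null; then
        rm -rf "$tmp"; return 1   # tampered file wrongly accepted
    fi
    rm -rf "$tmp"
    return 0
}

demo
```

This only proves the bytes match what the project published; it says nothing about the installer’s behaviour, which is the separate problem Justin raises about a closed-source installer.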

  15. Justin Clift says:

    @Chris Morgan – JohnTHaller on that article doesn’t seem to address the problem that it’s preying on the unwary. Seems written from the point of view of “let’s try and make people think this isn’t a serious problem”.

    It really IS a serious problem.

    Ahh, just saw your follow up comment to him. I’m with you on this. Preying on unsuspecting users is just not on.

    [edit – added the “Ahh …” bit]

  16. Ken says:

    This is truly sad news. Sourceforge was a true inspiration to me and I feel it really showed a lot of programmers a good new way of sharing knowledge. I do find that http://www.codeproject.com is quite useful now and their ways of making money are more acceptable to me. I have seen other open-source sites pop up, we’ll see how it goes I guess.

  17. Rufine says:

    Um, just curious…

    Is that really Edward Snowden of the NSA fame??

  18. Alan says:

    cnet has been doing this on download.com for a long time and I’ve been quite surprised at the lack of coverage regarding it. Sourceforge, on the other hand, announced that they would start doing this a month or so ago… and started doing it and boom… here’s an article all about it. I’m curious why one is getting attention and the other didn’t. That being said, I certainly am not implying I disagree with the author’s intended message… I have lost all trust in both download.com, and sourceforge and will be grabbing utilities I need from elsewhere!

  19. Ryan says:

    Alan, I believe we’re talking about two different models here. As an IT Network Administrator I know the tactics of CNET and it’s clear that’s how they make their money. SourceForge has been held in high regard as the place to go for the Open Source software you need / want and trust. They have now tarnished that and in my opinion ruined it.

  20. David Webber says:

    We have our downloads on both SF.net and download.com – and it is ONLY our installer in all cases – no tampering.

    True, download.com is a different ball game – they actively encourage their business model – but they allow you to opt out. I was not aware SF.net was doing this for top tier projects now too. But it does, as you note, require compliance from the project itself – so really why not go and give those projects negative reviews for their installers directly?

    However – there is another very simple answer – don’t use Windows!!!

    Our download packages for MacOS and LINUX/Ubuntu are completely free of potential for this nonsense.

  21. Gates VP says:

    Fortunately, all of this stuff is open source right?

    So it can all be forked & hosted somewhere better?

    Call it the “no-malware” edition and let the internet update their links to the new home. It’s not a perfect democracy, but it’s a democracy nonetheless.

  22. Rich Algeni says:

    Got burned by this by updating PDF Creator, I just clicked through. Next thing I know, the installer closed my browser windows, reset my homepage, and cleared the history. I had a couple of pages up that I was going to read, but not after the installer got through with them!

  23. FooBar says:

    Thanks for your information!
    I just wanted to delete my project (it’s obsolete) from SF but I couldn’t find a way. Does s.o. know how to proceed?

  24. Jon Islan says:

    Isn’t this policy “Bait and Switch” and should be covered by some sort of local, state, or federal laws?

    Maybe a class action suit against DICE by everyone who downloaded a file or files and got the installer should join.

    Where is Groklaw when you need it?

  25. FedUpWithJunkware says:

    If you absolutely need that download from SourceForge and can’t find it anywhere else, there’s usually a way to get a direct download link (for now anyway), to the files you want without the junkware added to it.

  26. Maslow Jenkins says:

    So learn to avoid installing the extra bs with these sort of installers. If you actually read them carefully this won’t be an issue.

  27. We stopped distributing VLC from SourceForge because of their bad practices only a few months ago, but now they’ve reached the point of no return. The full story is on my blog.

    http://blog.l0cal.com/2013/05/02/rethinking-the-vlc-mirrors-infrastructure/

  28. You mean, Sourceforge is no longer part of the outfit that hosts Slashdot?

  29. Shivany says:

    I noticed this on something I downloaded recently. I thought it was an isolated incident, but apparently now it is policy?

    I’m pretty tech savvy but I trust SF so I wasn’t paying attention. I will have to be more diligent now, even with trusted sites.

  30. […] How far the once mighty SourceForge has fallen. […]

  31. joe says:

    Can we report download.com and sourceforge to malware reporting places?

    ie firefox/google/etc

  32. hifloor says:

    @David Webber – Enough, already. Really tired of the “don’t use Windows” BS that gets trotted out all the time. That isn’t an option for a lot of us. Aside from that, I’m not the only one that finds Linux annoying and its community a wee bit arrogant.

    This is seriously disappointing on the part of SF, and the devs who go along with it. I’m glad the majority of what I currently use that I pulled down from SF initially has internal updating mechanisms, and I’ve got the original installers in backups. It was just part of the deal with download.com, and if I couldn’t find something anywhere else, I’d carefully watch the installer process (and run CCleaner, etc afterward if I was feeling paranoid).

    SF is about done, imo – dead projects, half-ass projects that were supposed to be final and stable and were anything but, and now this? No, thanks – I’ll move on.

  33. Bill says:

    I’m using bitbucket for my private projects and github for the open source ones.

    I like free services 😛

  34. Lukas Eder says:

    Wow, that’s horrible. I’ll need to get the jOOQ binaries off there immediately!

  35. […] crapware being installed, or trying to be installed, with routine software updates. Apparently this is going to be the rule, rather than the exception, from here on […]

  36. Dice Holdings, Inc., a leading provider of specialized websites for select professional communities, now owns SourceForge, and these corporate muppets want your money and use the hard work of contributors who freely gave their time to SF.

    SF is now dead to the OpenSource world.

    Richard

  37. Clément says:

    TL;DR: Blame FileZilla for abusing their users’ trust, blame SF for offering the installer, but please don’t suggest developers and users should ditch legitimate and well behaving projects.

    Disclaimer: I’m the publisher of an app on SF that has been downloaded 200k+ times. My own installer does not install any type of adware — I just rely on donations (just to put this in perspective, that’s about 0.007$/download).

    I agreed with your article until the point when you suggested that users and developers should abandon all SourceForge hosted projects. That sounds a lot like “other projects hosted by the same provider are misbehaving, so I’m ditching you”. Especially this:
    “If you’re a user of a SourceForge project, please find and use an alternative project instead.”
    Couldn’t that read “If you’re a user of a SourceForge project, please ask them to move to another platform?”

    I personally wasn’t approached by the SF team to move to another installer. In fact, I suspect the vast majority of developers using SourceForge as their hosting platform is not aware of this, and not interested in bundling adware with their software.

    Sourceforge doesn’t force anyone to move to their closed-source advertising installer. Just because FileZilla has made an unethical move doesn’t mean that other projects hosted on the same platform should suffer from it. You won’t help the open source world by bashing on unrelated projects. Suggesting that users stop downloading ethical and well-behaving apps just because they are served by Sourceforge is actually hurtful to the open source community; and just because we’re relying on Sourceforge for serving the downloads does not mean that we’re supporting projects which chose to serve advertising.

    Interestingly, when self-hosted projects start doing this by themselves, they get bad reviews. On the other hand, when projects hosted on Sourceforge start to do it, SF gets the blame, and you suggest that all other projects should get the blame. We other project developers have nothing to do with this move, and as much as we might dislike the fact that well known apps do this, I hardly see why people should stop downloading our apps because FileZilla bundles adware.

    Sourceforge still has a lot of advantages to this date. They have a worldwide distribution network, which allows for reasonable download speeds everywhere in the world, and they offer you free web hosting, with no advertising.

    Criticize SourceForge and FileZilla for this as much as you want, but please, please, don’t suggest that every project on SourceForge should be immediately abandoned (quote “please find and use an alternative project instead”).

  38. nimd4 says:

    Here’s the *correct* link, for the article image; large size (same location, as the original): http://www.gluster.org/wp-content/uploads/2013/08/FileZilla_drive_by_downloader.png

  39. Alan Ezust says:

    From what I understand, this is an “opt-in” situation, so no projects are getting drive-by installers without project administrators consent.

    I was never asked if I wanted to opt into this for my project, probably because we have not done the “project upgrade” to forge. But if we are not forced to opt into this program, then everything stays the same with the project, right? So it is not a reason enough to host our project elsewhere, is it?

  40. Afamous Author says:

    … but DO continue to use Google’s free code and apps…

  41. Sergey says:

    Also I found for quite a while already it is hard to find the right download button on SourceForge – you get all sorts of ‘inviting’ green download buttons for some ‘crapware’. Even I clicked them accidentally a couple of times because I trusted SF blindly.
    No ****ing more!
    Burn in hell greedy ****ards! :)

  42. malevolent says:

    I cannot see the behaviour you’re describing. Perhaps because I’m on linux, but in all the tests I’ve just done, I can download the program without any “drive-by installer”.

    Softonic also uses “drive-by installer” software, and the company does not stop growing, so I guess less techie people prefer this stuff.

    I’m pretty contrary, and if one day I find sourceforge is forcing me to install this crapware under linux, it would be a problem.

  43. […] Shortly before the move, I had to do an format and restore on one of the computers. I was surprised that programs that had not, in the past, been bundled with questionable software had suddenly been bundled with questionable software. And not just that, but the same sort of software. CG Hill had noticed it as well, with OpenOffice and Divx. It turns out, there was a reason for it: […]

  44. […] How far the once mighty SourceForge has fallen […]

  45. kw frank says:

    I started to download an open source program last night and saw that I was going to get a bunch of junk I did not want. I got out and looked elsewhere and found what I wanted without all the add-ons. The website I was on suggested going there to get the file I needed. I will not use either of them now. What a sad way to do business. Can’t sell their product so force people into it.
