OFFICIAL SECURITY BLOG

Sourceforge Drives off Downloads, Ask why

November 8, 2013 | BY

Are we starting to see the beginning of an exodus away from SourceForge as a hosting solution for software projects?

“Sourceforge is a web-based source code repository. It acts as a centralized location for software developers to control and manage free and open source software development,” as per their wiki.

It has been a staple of many computer users for a number of years now.

Need to download Filezilla, one of the best FTP clients? It’s hosted on Sourceforge. VLC, one of the most capable video players? Also hosted on there. Apache Open Office, a free alternative to the Microsoft products? You guessed it. It’s on Sourceforge.

At the same time we are seeing some disturbing events taking place. Some projects are leaving Sourceforge, citing changes in its behavior with regard to advertising methods as their reason.

There is a blurb on the business model section of their wiki that I find quite revealing:

“More recently additional revenue generation schemes, such as bundleware models, have been trialled, with the goal of further improving sourceforge’s revenue.”

Sourceforge has recently changed ownership, and it is becoming apparent the new caretakers are trying new things.

A big player to jump ship is GIMP, a free and open source graphics editor similar to Photoshop. Here is an excerpt from their blog:

“In the past few months, we have received some complaints about the site where the GIMP installers for the Microsoft Windows platforms are hosted. SourceForge, once a useful and trustworthy place to develop and host FLOSS applications, has faced a problem with the ads they allow on their sites – the green “Download here” buttons that appear on many, many ads leading to all kinds of unwanted utilities have been spotted there as well.
The tipping point was the introduction of their own SourceForge Installer software, which bundles third-party offers with Free Software packages. We do not want to support this kind of behavior, and have thus decided to abandon SourceForge.”

The most often mentioned software exhibiting this behavior is Filezilla, but only its Windows installer. I had to verify this myself to confirm these claims.


We have recently revisited our stance on PUPs, and as far as adware-laden installers go, I’ve seen worse. Filezilla has mentioned that they opted out of the Ask.com toolbar, showing that they have some control over the offers that are bundled with their product.

I am not against all advertising-based sponsors. However, when you use dark patterns, such as the emphasised green ‘Accept’ buttons that steer the user toward the partner offer, you potentially paint a poor image of what has otherwise been known as a reputable site.


  • Stijn de Witt

    Yes it is very unfortunate. Once reputable companies are abandoning their reputation and sacrificing the trust relation they built up with their users.

    Sourceforge is not the only one. Oracle, a huge company serving enterprise customers has bought Sun and is now bundling Java with malware too. They will inform you about ‘critical security updates’ and then, when you don’t pay close attention, will install the Ask.com toolbar on your system.

    Read my blog entry about this:
    Oracle turns Java into malware!


  • Jonathan Webb

    And it’s still going on. Just yesterday (2014-10-09) I tried to get some, rather obscure, program and I had to give up. The installer was trying to install numerous unwanted shitware programs. So sourceforge can NOT be trusted.