
Why the SourceForge website is dead to me

August 9, 2015

SourceForge, another bit of Web 2.0, has become an evil embarrassment.

Today (Sunday, August 9) I clicked on a link to the once-great SourceForge website and my Pale Moon browser kicked up an alert declaring that the Mozilla add-on uBlock Origin had prevented the page from loading because it contained blacklisted code, namely:


The link I clicked on was contained in a post from the University of South Wales security and privacy blog (which I have followed for years), about using Ophcrack, yet another Windows XP password cracker. Ophcrack is a free open source program hosted on the SourceForge website.

Turns out that uBlock Origin isn’t blocking code so much as blocking the SourceForge website itself — something it’s been doing since at least June 24! And I guess I can’t blame it; I haven’t gone near the website for months.

Free download sites certainly feel free to deceive you

Back in March of 2015, SourceForge was caught stealthily distributing a malware browser hijacker called Blinkiland, which was designed to be almost impossible for ordinary Windows users to remove.

Blinkiland was hidden in downloads of the Windows version of the popular and respected open source FTP management program called Filezilla (which I’ve used for years).

While attentive users at least have the opportunity to opt out of the crapware piggybacked on downloads of Adobe Flash Player and Oracle’s Java, there was no warning that Filezilla came bundled with Blinkiland, and once it was installed in Windows, Blinkiland could not be uninstalled without going into the Windows Registry!

And you couldn’t exactly blame the makers of Filezilla; it was SourceForge that was doing the bundling at the installer level — just like CNET’s Download-dot-com installer (which uBlock also intercepts and which CNET users have a choice to avoid).

There was a bit of an uproar and Blinkiland was removed from the SourceForge installer in late March.

But, as How-To Geek explained in June, deceptively bundling crapware with legitimate software has become the SourceForge business model, at least since Dice Holdings bought the website in 2012.

The broken promise of SourceForge (not to mention Web 2.0)

SourceForge was created back in 1999 by Slashdot to be a banner-ad-funded website repository for free open source software (FOSS) — this was in the days when proponents of “Web 2.0” said that such large commercial sites would be to the greater good of the free Internet (how did we ever believe that?).

To be fair, it seemed to work for many years. SourceForge grew and grew to become a hugely trusted “store front” of free open source software, reliably hosting hundreds of thousands of quality FOSS projects. It was where you went, both to window shop for FOSS versions of tools that you needed and to get the freshest builds of the FOSS ware that you already used.

Then in 2012 Dice Holdings bought SourceForge and moved the website from a business model of banner ads to bundleware.

In 2013 SourceForge offered FOSS projects the chance to use a new download method called “DevShare”, in which makers of crapware would pay SourceForge/Dice Holdings to piggyback their shit on downloads of legitimate FOSS software, like Filezilla and GIMP; in turn, Dice would cut the FOSS developers a piece of the profits.

Two years later, I’m not even sure whether developers can opt out of using DevShare to distribute their software via SourceForge.

GitHub is now meant to be the preferred central repository of free open source software (FOSS), but name recognition and sheer momentum keep SourceForge going; that, and the fact that GitHub seems to be designed more to be understood and used by software developers than by end users.

According to the web-ranking company Alexa, GitHub is now the second most popular open source website behind Wikipedia, but SourceForge is still number four, behind Mozilla, the makers of Firefox.

But people should understand that behind its famous and respected name, SourceForge has fallen to become just another deceptive free download site operating at the deliberate expense of its users; so infected with greed that it will knowingly distribute malware in order to make a buck.

From → Gnu Linux, Windows

  1. Reblogged this on University of South Wales: Information Security and Privacy and commented:
    Great article about SourceForge – who have turned to the Dark Side…


  2. Reblogged this on TheFlippinTruth.


  3. xpf permalink

    There’s still a difference in how software authors handle the problem: FileZilla’s author deliberately participates in their DevShare malware program (now for roughly 2 years, one of the first major projects to adopt it) and keeps telling victims that nothing unwanted was installed, that AV software alerts were false positives, and the like. So nobody should trust this anymore, not even from a supposedly clean source (it has an auto-update…). Some other developers, who didn’t agree to this, had even been locked out of their projects, with SourceForge treating them as “abandoned”, but still wrapping their downloads in malware without explicit consent.

