Author Topic: SourceForge Malware  (Read 10574 times)

nmad

  • Newbie
  • Posts: 2
SourceForge Malware
« on: May 08, 2014, 01:07:48 am »
Perhaps off topic but I recently ended up with malware when downloading and installing OSS from SourceForge and many are voicing their concerns about such issues.  It appears that SourceForge has fallen very low. E.g. http://comments.gmane.org/gmane.comp.audio.muse.user/312

No need to sing FPC/Lazarus' praises here to the choir, but perhaps a prominent and highly ethical project like Lazarus should seek a new home away from SourceForge and give them well deserved negative publicity.

All the best and thanks for Lazarus/FPC.

Navid

taazz

  • Hero Member
  • *****
  • Posts: 5368
Re: SourceForge Malware
« Reply #1 on: May 08, 2014, 02:27:58 am »
Did that malware come from installing Lazarus or Free Pascal? If not, then you should post that to the OSS project that had the malware. As far as I know the team does everything in their power to keep it clean. And no, just because a couple of projects on SF allow malware, that does not mean that everyone should abandon SF, the same way as all that malware does not mean that you should abandon OSS.
Good judgement is the result of experience … Experience is the result of bad judgement.

OS : Windows 7 64 bit
Laz: Lazarus 1.4.4 FPC 2.6.4 i386-win32-win32/win64

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11452
  • FPC developer.
Re: SourceForge Malware
« Reply #2 on: May 08, 2014, 11:23:48 am »
Freepascal/Lazarus has received requests to allow bundling (for a small share of the ad revenue), but we refused. SF leaves the choice to projects. Therefore, the projects that bundle made this choice knowingly and at least share the blame.

It's adware btw. Malware is subjective in this regard.

nmad

  • Newbie
  • Posts: 2
Re: SourceForge Malware
« Reply #3 on: June 02, 2014, 07:49:50 am »
Certainly a matter of opinion.  However, I certainly consider changing the search engine so users cannot revert back to their preferred search engines without significant effort and administrative account access, hijacking the browser home page and similar socially engineered attacks as malware.

I did not download any malware with Lazarus. Projects such as GIMP have already left SourceForge.  I would personally prefer to see all reputable projects leave SourceForge.

Thanks again.

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11452
  • FPC developer.
Re: SourceForge Malware
« Reply #4 on: June 02, 2014, 01:38:52 pm »
Quote
Certainly a matter of opinion.  However, I certainly consider changing the search engine so users cannot revert back to their preferred search engines without significant effort and administrative account access, hijacking the browser home page and similar socially engineered attacks as malware.

The projects that did that, did so knowingly, AND users checked to install the said component in the installer.

Quote
I did not download any malware with Lazarus.

That's because we didn't enrol in this ad-supported revenue program (we=FPC, but I assume the same goes for Lazarus).

Quote
Projects such as GIMP have already left SourceForge. 

That's their choice.

Quote
I would personally prefer to see all reputable projects leave SourceForge.

That's an easy statement to make. It is less easy to find long time dedicated volunteers that will maintain such a change, and whatever comes after.

Keep in mind that FPC doesn't use SF.NET for anything critical, just as a mirror. We use our own VCS, bugtracker, mailserver and ftp, www etc. The trouble of moving would be disproportionate.


ChrisF

  • Hero Member
  • *****
  • Posts: 542
Re: SourceForge Malware
« Reply #5 on: May 29, 2015, 04:42:18 pm »
The situation is becoming more and more confused. GIMP has abandoned Source Forge as their primary source of download, but it's not as simple ...  See:

"SourceForge, what the...?  2015-05-26" on gimp web site:

- http://www.gimp.org/

and a good summary of the current situation at arstechnica (with Source Forge "explanations"):

- http://arstechnica.com/information-technology/2015/05/sourceforge-grabs-gimp-for-windows-account-wraps-installer-in-bundle-pushing-adware/

Note: this post is only for information purposes concerning this topic, not for arguing about the choice of Source Forge for Free Pascal / Lazarus.
« Last Edit: May 29, 2015, 06:54:47 pm by ChrisF »

Basile B.

  • Guest

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11452
  • FPC developer.
Re: SourceForge Malware
« Reply #7 on: May 29, 2015, 06:24:10 pm »
Well, I guess that simply should be taken as "don't add any assets to a 3rd party site", since even if you decide the service is no longer true, they can keep trying to make money with your assets in ways you wouldn't like (and probably legally covered with Ts&C).

This means moving to another free hoster is no option, since you find yourself in a similar situation when they have to tighten the belt.

Worse, even cancelling SF doesn't matter much (actually that can provide them with the excuse to take over).

Cyrax

  • Hero Member
  • *****
  • Posts: 836
Re: SourceForge Malware
« Reply #8 on: May 30, 2015, 08:38:01 am »
I hope that GIMP developers use EFF (https://www.eff.org/) lawyers to solve this kind of malpractice for once and good.

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11452
  • FPC developer.
Re: SourceForge Malware
« Reply #9 on: May 30, 2015, 11:52:01 am »
Quote
I hope that GIMP developers use EFF (https://www.eff.org/) lawyers to solve this kind of malpractice for once and good.

I doubt lawyers can do much, since Gimp consented to the terms when they joined.

Thaddy

  • Hero Member
  • *****
  • Posts: 14373
  • Sensorship about opinions does not belong here.
Re: SourceForge Malware
« Reply #10 on: June 19, 2015, 10:32:32 am »
The problem is: the consent wasn't there at the time... They changed their policies without informing the project owners, at least in some cases. They also made efforts that sf repositories would be found higher in search results than the "official" ones. That means you would end up with old versions.
This goes for more than one important project.
I strongly suggest moving somewhere else.
Object Pascal programmers should get rid of their "component fetish" especially with the non-visuals.

marcov

  • Administrator
  • Hero Member
  • *
  • Posts: 11452
  • FPC developer.
Re: SourceForge Malware
« Reply #11 on: June 19, 2015, 11:07:12 am »
Quote
The problem is: the consent wasn't there at the time... They changed their policies without informing the project owners, at least in some cases.

I haven't seen anything concrete. But what exactly changed and was not there?

Quote
I strongly suggest moving somewhere else.

That seems to actually trigger that kind of behaviour, so while it might be a principled stance it is not a solution to avoid this happening to projects now hosted on SF.

ChrisF

  • Hero Member
  • *****
  • Posts: 542
Re: SourceForge Malware
« Reply #12 on: February 12, 2016, 05:19:29 pm »
Update for information purposes only ...

SourceForge Acquisition and Future Plans:
https://sourceforge.net/blog/sourceforge-acquisition-and-future-plans/

Quote
[...]
Our first order of business was to terminate the “DevShare” program. As of last week, the DevShare program was completely eliminated.
[...]

Zath

  • Sr. Member
  • ****
  • Posts: 391
Re: SourceForge Malware
« Reply #13 on: February 14, 2016, 02:02:18 am »
Quote
Update for information purposes only ...

SourceForge Acquisition and Future Plans:
https://sourceforge.net/blog/sourceforge-acquisition-and-future-plans/

Quote
[...]
Our first order of business was to terminate the “DevShare” program. As of last week, the DevShare program was completely eliminated.
[...]

This can only be good news.
I never understood how they got away with all the conning download buttons.

 
