For a long time SourceForge was one of the most trusted open source project repositories, where one could go to download the latest versions of numerous useful applications. It was a site safe from the influence of various shady commercial interests, providing installers and binaries as they were built by the project developers.
A few days ago it was announced on several technical sites that SourceForge has changed its business practice and has gone the way of CNET’s download.com: they now repackage original installers into their own wrapper installers that (besides starting the contained original installer of the application one is interested in) perform drive-by installations of various cr*pware (adware, shareware, etc.).
The following articles illustrate what is known about that change at this moment:
- “SourceForge commits reputational suicide” by Simon Phipps (InfoWorld; 2015.06.03) – http://www.infoworld.com/article/2929732/open-source-software/sourceforge-commits-reputational-suicide.html
- “nmap Maintainer Warns He Doesn’t Control nmap SourceForge Mirror” (SlashDot; 2015.06.03) – http://it.slashdot.org/story/15/06/03/126224/nmap-maintainer-warns-he-doesnt-control-nmap-sourceforge-mirror
- “Black “mirror”: SourceForge has now taken over Nmap audit tool project [Updated]” by Sean Gallagher (ArsTechnica; 2015.06.03) – http://arstechnica.com/information-technology/2015/06/black-mirror-sourceforge-has-now-siezed-nmap-audit-tool-project/
- VLC developer also surprised to find project taken over by SourceForge without notice.
- “Sourceforge Hijacks the Nmap Sourceforge Account” by Gordon Lyon [aka Fyodor] – http://seclists.org/nmap-dev/2015/q2/194M
- “SourceForge and GIMP [Updated]” (SlashDot; 2015.06.01) – http://tech.slashdot.org/story/15/06/01/1241231/sourceforge-and-gimp-updated
- “SD Times Blog: SourceForge now a source of malware” by Alex Handy (SD Times; 2015.03.19) – http://sdtimes.com/sd-times-blog-sourceforge-now-a-source-of-malware/
- “What happened to Sourceforge?” (etix’s weblog; 2015.06.02) – https://blog.l0cal.com/2015/06/02/what-happened-to-sourceforge/
- “SourceForge locked in projects of fleeing users, cashed in on malvertising [Updated]” by Sean Gallagher (ArsTechnica; 2015.06.01) – http://arstechnica.com/information-technology/2015/06/sourceforge-locked-in-projects-of-fleeing-users-cashed-in-on-malvertising/
- “Hotel California” of code repositories lets you check out, but you can never leave.
An afterthought: The same company that owns SourceForge is also the owner of the SlashDot discussion forum/site. So, I expect that they will go down the drain soon, too.
Update: Apparently this has been going on for some time now:
- “How far the once mighty SourceForge has fallen…” by Justin Clift (at Gluster community; 2013.08.22) – http://blog.gluster.org/2013/08/how-far-the-once-mighty-sourceforge-has-fallen/
Related: “C|Net’s Download.Com trojans” – https://eikonal.wordpress.com/2011/12/06/cnets-download-com-trojans/