SourceForge's new Installer bundles program downloads with adware
If you have been downloading programs from SourceForge in the last days, you may have noticed that some do not provide you with direct downloads of the programs anymore. Instead, you download something called SourceForge Installer which bundles the software with third party offers used for monetization.
This is in fact similar to how some download portals are offering downloads right now. Programs like FileZilla or Hotspot Shield have joined SourceForge's DevShare program which is currently in beta. It aims to offer a new funding option for Open Source projects.
While that is a legitimate cause, it at the same time puts the site into a shady corner of the Internet right next to other illustrious sites such as Download.com. The core difference here is that on SourceForge, software developers profit from the inclusion, while they do not profit at all from it on third party download sites.
SourceForge Installer
There is no mentioning of the SourceForge Installer when you click on a file to download it to your system. You won't notice any difference if you are download versions for Linux or Mac, as they do not come with the installer included. So, no changes for those operating systems.
Windows users who click on the default download option will however receive the message on the download page that the "SourceForge Installer download will start". It is a small installer that bundles the program with the advertisement. A download wrapper of sorts which means that you do need an Internet connection when you run it.
The offer is displayed on the second page of the installer. The first page informs you about the program that you downloaded in first place, and links to the end user license agreement and privacy policy.
The offer is displayed on the screen, and below that a gray decline button, a green accept button, and a link to a FAQ page on SourceForge that explains why the offer is displayed. According to that page, it is done exclusively for developers who may opt-in to make their projects sustainable.
Offers include trial of commercial software programs such as WinZip and the Ask Toolbar among other options.
Issues
Users may have two issues with the bundled installer.
- Only a small net installer is downloaded by default, which means that an Internet connection is required to complete the download. The installation won't proceed if you do not have an Internet connection.
- Some offers may install toolbars on the system or make modifications to the Internet browser's home page or search provider. This is usually not wanted by users.
How to bypass the SourceForge Installer
If you prefer to install the program without installer included, you can do so at least for some projects. Click on the browse all files link underneath the big green download link on the project's homepage on the SourceForge website.
You need to browse to the folder containing the last version of the application, which can be done with a couple of clicks.
Now, the main Windows download leads to the SourceForge Installer even though it is not displayed here. But there may be another download. For FileZilla, that is a zip download of the application that you can download as well.
Closing Words
I can definitely see the benefit of including an installer with third party offers, especially since the money (all of it?) goes right into the funding of the software projects. There needs to be a better option to download the real setup or program file right away though to provide users with the full download of the software as well.
While you may pay attention to all installers anyway, you should now do so even more for SourceForge downloads.
Advertisement
Spoke way too soon. There is now Mac .dmg installer — yikes, even more hidden and dangerous.
I will refuse to mount these disk images, let alone run the installer.
Bad, Bad move SourceForge !!!!
I used without SourceForge Installer option see blog’s embedded image. It works fine. No headeche. But when I used installer event decline for 3rd party DEV SHARE program it installed on my laptop. So pitty!!!
./Nikhil
Another developer leaving SourceForge- http://news.softpedia.com/news/PyDAW-Developer-Leaves-Sourceforge-Accusing-Hosting-Service-of-Bundling-Adware-436095.shtml
Downloaded and updated filezilla via ninite (today)no problems at all.
An end-user got hit with this today after downloading and installing Filezilla. The “Hotspot Shield” was automatically enabled and redirecting all of her searches from Canada Canad to Google Pakistan *AND* had banner ads above the Google Page.
Even attempts to connect to the intranet Sharepoint were being redirected to RSS2Search and, guess what, failing with Bad Gateway… You don’t say…
Sigh: Scumware.
you have to watch these installers with something like SmartSniff because even when you are just unchecking boxes and you think you’ve declined their offer, they’re uploading your data like a calculated machine ID number, CPU ID, HDD serial numbers, the programs installed, etc – my guess is this might be used for tracking you on the internet also (thru javascript + WMI)
Just great… another site that deploys stub adware installers… Thanks for the heads up!
Let’s hope we can stick to the ZIP downloads to avoid those installers.
DevShare is not better than OpenCandy.
Today I downloaded many programs from Source Forge and all were the actual installers, not any stubs, so it seems that the FileZilla stub installer has been offered with the collaboration of FileZilla’s developer Tim Kosse.
Yes, project owners on Sourceforge decide whether to use it or not.
Found the latest installer for filezilla on http://download.filezilla-project.org/ just in case people are still looking.
Thanks really appreciate this.
From the SF page:
” During the installation of projects participating in the SourceForge installer program, users are presented with an option of downloading the Ask Toolbar. If you do not wish to install the Ask Toolbar, you can remove the check in the box.”
Am I missing something here? Why all of this vitriol toward and condemnation of SF? One click -> Uncheck -> Install and enjoy your free goodies.
Btw I just d/led Avidemux 2.6.1 from SF and it was a direct d/l with no “installer”. I’m curious what % of projects are jumping onto this Cnet-style gimmick.
I sympathize with the protesters to some degree having had to abandon my long-time Windows “repository” (download.com) when they went for that monetization scheme.
Plus I was betrayed once a while ago by some treacherous project with a phony opt-out step. I’m hyper-vigilant with those installers, study each window carefully, uncheck or decline and still – POW – got hit with some spyware/system changes.
So it was Revo to the rescue plus some nasty feedback on the project homepage.
“Am I missing something here? Why all of this vitriol toward and condemnation of SF? One click -> Uncheck -> Install and enjoy your free goodies. ”
I have heard – hope it can be either verified or proven untrue – that people are experiencing issues where things get installed anyways even if it is unchecked, or if an offer is denied.
Actually, happened to me too.
IMO, that is a bug that NEEDS to be addressed.
Total scumbaggery is what is going on here with sourceforge, how depressing. If I can’t get around the stub in one way or another, then it’s goodbye sourceforge! I’m glad there are alternative ways to download such as FTP and Sandboxie!
I suppose there will be an userscript in place, but still there should be some form of “opt-out” for advanced users that keep up with a high number of repositories, such that those users instead of resorting to alternatives can still use SF.
i will add to smagdus’ list :
FireFTP (https://addons.mozilla.org/en-US/firefox/addon/fireftp/) a free, secure, cross-platform FTP/SFTP client for Mozilla Firefox
Softpedia is the file repository I trust most, In fact it is always better to download from Softpedia than from the developer’s site since some ad-ware developers build special ‘clean’ versions od their apps especially for Softpedia. Often these ‘clean’ releases are not listed at all at the product’s page or they are carefully hidden.
As for FileZilla, although a capable FTP client I will no longer recommend it. It seems that the developer of FileZilla should be involved too since on FileZilla’s official site there is no link to the actual installer. In fact I prefer to download a full installer bundled with ad-ware like WinSCP than downloading a stub.
FileZilla and WinSCP have ‘clean’ free alternatives, some of which are even better.
FTP Rush- my all times favourite- free both for personal and commercial use, offers both an installer and a portable version.
Xftp – installer only, free and fully functional for private use only.
Staff-FTP – installer only, clean, free for personal and commercial use.
FTP Voyager – now freeware, requires free registration. If there are people who (like me) can’t stand the ribbon, they can download the last ribbonless version- FTP Voyager 15.2.0.19, the free license key works with this version as well:
http://www.ftpvoyager.info/produktinfo/download.php
http://www.heise.de/download/ftp-voyager-1127531.html
AnyClient – Java-based, simple but efficient FTP client with a huge protocol support, it can handle even WebDAV and Amazon S3. AnyClient has x86 and x64 versions (x64 requires Java x 64).
Cyberduck – not bad at all if you can stand the one-panel interface.
There are other free tools that can do the job: ALFTP, BitKinex, BlazeFtp, Core FTP Lite, FFFTP, Fresh FTP, JFTP, FTP Wanderer, etc.
Although i am rarely surprised by this behavior, from a site like sourceforge i didn’t expected this..
Well luckily the internet is still full with many alternatives so i will be avoiding sourceforge.
To DanTe or whoever else:
It is not about being cheap at all, if a developer decides to start a freeware (or open source) project he should stand by it, he made the decision to offer something free, the user didn’t force it. A user may or may not donate voluntarily but if you start a freeware understand the consequences.
“Only a small net installer is downloaded by default, which means that an Internet connection is required to complete the download. The installation won’t proceed if you do not have an Internet connection.”
When is an Internet connection NOT required to complete a download from a site on the Internet? The only people this could affect are people on a local network segment with the sourceforge server itself.
I backup my software regularly, I generally am always connected but having the installer ready whenever situation arise when I need it while I don’t have any connection is nice.
You can justify SF’s choice all you want (while I’d like to ask, if developer intend to make money for their software why don’t they just, you know, make it a payware? But I digress). I probably will stop downloading from SF altogether if I can help it.
Well the problem arises if you want to install the file on a computer without permanent Internet connection (or flaky, or slow).
All Hail Sandboxie.
O I thought that was for Porn – jeez double duty
I didn’t know about this, so thanks for sharing the information… As others said, this is a huge disappointment.
With CNET and SourceForge having gone their commercial ways we are, fortunately, still left with Softpedia. Nine times out of ten I will find what I’m looking for. No mess, no fuss…no virus.
I have my doubts about Softpedia- I used to trust them but after a couple of ‘sneaky’ downloads and a crashed HD after trying to delete the stupid programs I am not so
sure. Also,Malwarebytes list them as a PUP now. Thought you should know.
What a disappointment. SourceForge was a site I thought I could trust. But I don’t consent to the unnecessary installation of “installers” and potential crapware, so bye-bye SourceForge.
Sure, we might not like getting adware offers, but some folks try to make a living on providing quality free software through donations etc.
The kicker on the sourceforge change: It isn’t the adware offer … it is that you download a stub – not the app itself. It’s only after the 1Mb download that you get to really download the app you wanted in the first place.
This practice is completely unnecessary as you can deliver the “offers” without a stub download.
Here is my solution (I’m sure the ftp method will be taken off the table soon):
– grab the stub
– run it in sandboxie
– when the first screen of the installer comes up, head over to your temp directory and voila – the real installer.
– copy it out of the sandbox and feel free to give sourceforge the one finger solute!
– if you have the capacity, make sure to offer the real download to others without having to use sourceforge
I quit using Cnet’s download.com for this reason, so I guess I’ll quit using SF too. Bummer. I’ve found a lot of useful software there over the years.
I donate and pay where I can, but this kind of installer is only going to make me look elsewhere. In the end the number of install of these apps will go down as others do the same.
So no thanks SourceForge – on your bike.
If so many people had actually made a donation by clicking on the DONATE button on those SourceForge pages, than I don’t understand why developers will need to resort to advertising to get fed.
DEEP SARCASM HERE
Yes, the problem is with advertising, not HOW they go about getting it.
*facepalms*
For somebody who likes to criticize those critical of this move, you do come off as – at least partially – clueless.
The seemingly deceptive nature of it – combined with bugs mentioned in other forums – including issues where someone declines an offer, but it gets installed anyways – are two issues I see being made, and are IMO legitimate.
@DanTe: I guess they didn’t find the option to pay so they can opt-out of getting malware.
I love these whiners: They are Greedy They are Greedy.
Well maybe if you actually pay some money once in a while, the programmers can afford to devote time to the project versus time to get money for food.
@DanTe – I’m a programmer, and we programmers have this crazy thing we do when we want our software to be used by everyone at no cost: we call it freeware. If we need people to pay us for something, we don’t put it on the internet for anyone to download; we make them pay for it.
Even so, there is no excuse for any developer to bundle their software with shitware. They are preying on users who don’t know to click “Advanced Installation” and uncheck a bunch of boxes just to avoid installing five toolbars that do nothing but choke your PC to death. It is racketeering, plain and simple, and people should be jailed for distributing these kinds of subversive, useless, and detrimental softwares.
Excellent comment! I totally agree but most people- both developers and users think, that bundling products with ad-ware is quite normal and just fine. Once a friend of mine exclaimed- “Programmers need to make money too so for me it is acceptable that they bundle their products with toolbars and all kind of PUPs. I cannot accept such a way of thinking. If a programmer creates a good product they will be able to sell it. But falling in the trap of installation options might be a good lesson- once I virtually destroyed my system by installing a program (QIP messenger)- it hijacked all the browsers, the home page and the search provider and the infection was so deep that a re-installation of the OS was the only solution. Since then I am extremely careful with every installation- the cheating tricks the developers use are now more deceptive than ever- sometimes the user have to negate the so called ‘Free Offers’ two times. What is even more unacceptable for me is that developers of paid apps bundle their products with ad-ware,a practice now typical for even big and rich companies like Avast!, AVG, Avira, etc. Developers of expensive commercial anti-virus products trying to hijack and infect your system- this is an abomination and a disgrace, but users accept and tolerate this malevolent practice.
Partially justifiable comment – I purchase software and use freeware also .
What I object to and im sure this is a biggy among us” whiners”is the covert nature of the aforementioned.
Truly if filezilla where not free any more I would probably buy it because I’m so comfortable with o it now -same with notepad++
That’s disturbing news.
This is unbelievable but true. I never expected that Source Forge would do that. Yes, there is no way to download the actual installer of FileZilla neither from FileZilla Home Page – https://filezilla-project.org/ , nor from FileZilla Project Page – http://sourceforge.net/projects/filezilla/.
The only option are FTP mirrors of Source Forge, for example ftp://ftp.heanet.ie:21/mirrors/download.sourceforge.net/pub/sourceforge/f/fi/filezilla
So many universities and other organizations give Source Forge free hosting and mirrors yet Source Forge is greedy. I will never use such an ad-ware installer.
At least I was able to download the actual installer of WinSCP which in fact is ad-ware.
It seems FTP will soon become the only possible choice to download apps from Source Forge.
in short you are wrong, there is and always has been a direct link to download the filezilla installer.
If you had bothered to go to the Sourceforge site, Myles, you’d see that the setup offered is the “bundled” installer, and not the pure installer provided by Filezilla. Based on the 400,000+ downloads of the bundled version versus the 9,000 of the non-bundled version, LOTS of people are installing (or at least being offered) search engine redirection from what’s supposed to be a “safe” source.
If someone is wrong, this is you- the real clean installer of FileZilla cannot be downloaded from of FileZilla’s project page at sourceforge.net.
Did you try ninite.com ?ive been using it more and more to avoid forgeries but I’m pretty sure I just updated filezilla without the shiteware.
“ninite.com/‎
The easiest, fastest way to update or install software. Ninite downloads and installs programs automatically in the background.”
Ninite is great for new system installs and stuff, but I prefer Chocolatey. It is a package manager for windows, like the ones on various Linux systems. The GUI interface is optional and, I’ll be honest, not great, but other than that it’s awesome. It’s just like apt-get, for instance. You can download apps and install them silently from the command prompt, with not crapware. You can also just type ‘cup all’ and silently update all your chocolatey-managed software.
If no business plan is available to handle freeware then let the plan be shareware or what could become participation-ware, rather than, once again making advertisement the eternal winner.
Today I downloaded FileZilla. It shows me agrrement for some 3rd party software. Obviously I decilined that and agree only for FileZilla.
Still I surprized to see Optimizer PC Utilities installed on my laptop. This is purely bad play. If some one don’t want install these free trials then there should be way.
I will say this is CUT PRACTICE. Please stop this.