Sourceforge adds adware-installers to abandoned projects (and removes them again)
Sourceforge, a prominent project hosting website, began to wrap some software downloads on the site in installers that included unrelated third-party offers.
This new way of delivering downloads to users affected only program downloads of projects where the admin of the project enabled the option.
Several popular programs hosted on Sourceforge, the FTP client FileZilla for instance, have been offered primarily with download wrappers ever since.
It is clear however that the majority of projects on Sourceforge are not making use of download wrappers. I checked the first three pages of the site's top apps listing and found that most don't use download wrappers right now.
The easiest way to detect if a download is direct or not is to check for the text "installer enabled" on the download button.
Sourceforge displays direct download links on the same page. As is the case on sites that use download wrappers, the "clean" link is always less visible than the adware link.
One can argue at this point that Sourceforge's approach is not that different from other sites such as Download.com that use download wrappers. In fact, the site's opt-in approach ensures that the majority of downloads on the site are still adware free.
Events have taken a turn for the worse recently though as Sourceforge began to take over what it calls abandoned projects on the site.
The developers of GIMP, a popular image editor for various operating systems, noticed several days ago that Sourceforge took over control of the account on the site and started to distribute the program with a download wrapper that included adware offers.
ArsTechnica's investigation revealed that GIMP for Windows was not the only account that SourceForge took over. The list includes popular programs that are no longer officially hosted on Sourceforge (or never have been, but were included in the Sourceforge open source mirror directory) but are still available on the site as projects, including VLC, Firefox, Thunderbird, Drupal, WordPress, Eclipse, NetBeans and Subversion.
The indicator that a project has been taken over is that its new owner is sf-editor1.
If you check downloads of these projects right now on SourceForge, you will notice that they are not offered with download wrappers.
Even GIMP for Windows, which was offered with download wrappers previously, is offered as a clean download on Sourceforge as of today.
While the projects are still listed under the sf-editor1 user account, it appears that all download wrapper functionality has been removed from all projects owned by that account.
An update posted to the official Sourceforge blog reveals additional details about that:
Since yesterday, SourceForge Gimp-Win mirror downloads only the original software without any offers. We also invite the Gimp-Win developer to take back control of the project if that is his desire, while respectfully asking that he maintain any project updates or allow us to do so.
While Gimp is mentioned exclusively, it is likely that the same has been done for the other projects the company took over on Sourceforge. At the very least, none of them are making use of download wrappers at the time of writing.
It is clear that Sourceforge is in full damage control mode after the story broke and while it removed wrappers from downloads, it did not hand over accounts to previous owners.
While Internet users who became aware of it may distrust Sourceforge now -- if they did not already distrust the site from the day it introduced download wrappers -- it is likely that the majority of users on the Internet are unaware of it.
Now You: What's your take on this?
Audacity project is another victim of SourceForge. Their accounts were removed and replaced with the same “sf-editor1”. SourceForge didn’t warn them, they simply removed their accounts and redirected the official homepage which was hosted at SourceForge. They just redirected without any warning. I noticed this when I attempted to download Audacity and landed on a SourceForge page which was saying “Hey, this isn’t a SourceForge project!”
Audacity accounts were simply hijacked overnight by SourceForge. I asked their team on their forum and they confirmed this. GIMP installers were altered and Audacity had their 10-year-old site redirected to SourceForge, stealing all their traffic. Who’s next on SourceForge’s list?
Audacity has moved its distribution platform to FossHub.
Some notable FOSS projects that have Sourceforge still as their official/main distribution platform:
– FileZilla (Tim Kosse has claimed on his software’s official forum that “[n]obody has gone rogue”)
– Apache OpenOffice (listed in sf-editor1’s profile)
– Media Player Classic – Home Cinema (although its source is hosted on GitHub)
– KeePass (for official Windows versions; mercifully has links to mirrors)
– DeSmuME (emulator)
– OpenCV (downloads for the Linux and OS X versions are hosted instead on GitHub)
– MediaPortal (although its source is hosted on GitHub)
– Scribus (Windows and OS X versions)
– Process Hacker
– Cool Reader
Related development: Slashdot (same owner as Sourceforge) buries story submissions about that Sourceforge download wrapper and sf-editor1 takeover debacles.
It’s a shame Sourceforge is doing this. All download websites must be treated with caution and scepticism. DICE seem to be stifling discussion about this on other comment based websites that have a . and a / in them too.
Github is about the only place I still trust (my default level of trust is still fairly sceptical).
This is not exactly true. Authors like Tim Kosse approve the adware because they most likely get a kickback per download.
Peter, I think I mentioned this in the article. Some project owners have made the decision to use the download wrapper to benefit from the revenue share system.
Thanks for highlighting this. I’m worried that with SourceForge going this route, it’s going to become standard practice for download sites across the board. I already have a difficult time trying to get people to use great freeware that generous developers are putting their spare time into without having to add “oh and make sure you uncheck the box where it says install some garbage on your computer.”
Also, it’s more than just sf-editor1. Here’s some of the other profiles used:
(Thanks to romulus for this info http://www.portablefreeware.com/forums/viewtopic.php?p=75194#p75194)
Fortunately projects that have a portable version seem to so far be unaffected.
The only download sites where I have not encountered PUPs and the like are:
And as I always say use the program “unchecky” for a second pair of “eyes”
Does VirusTotal detect/identify presence of these adware wrappers?
Dice Holdings also acquired the freshmeat.net file-hosting for opensource projects.
Has anyone checked, are downloads there similarly adware-wrapped?
ps: “dice dot com”, the jobsearch site… if you dare, create an account using a throwaway (but unique) email address. Don’t click any “Apply for this job” buttons nor otherwise interact with the site — just create the account. Watch how fast (and the volume!) of targeted spam that email box receives as a result. Yeah, dice is sleazy.
Ah, I recall my sadness way back when TUCOWS began bundling garbageware. Howabout “davecentral”, that sure was a great download & reviews site back in the day… site was sold, and became ??? (webAttack? which was later renamed SnapFiles)
In a rush recently, I was almost tricked into installing crapware bundled with multiple utilities downloaded from “softpedia”. Likewise, “brothersoft” …fuggeddaboutit. My point is that the practice of crapware bundling already seems to BE the norm.
Is anyone here familiar with majorGeeks? Are they too injecting adware?
Which filehosting sites nowadays (I wish Martin’s article would have mentioned a few) still serve untainted downloads and don’t lead you clicking through gobs of interstitial banner ad pages on your way to the download?
Be aware that Slashdot now owns Sourceforge, so it is no longer a non-commercial repository, so you should not be surprised at “interesting” inclusions in installers. Thread going on right now…
It’s a bloody shame. SourceForge used to be a trusted place I would go to for software but because of what they and a lot of other repositories are doing I am researching and watching everything I download like a hawk.
I d/l DOSbox (for Linux) from SourceForge but I see no ads. Is Linux “immune” from these SourceForge ad-wrappers?
– Pale Moon 25.4.1 and FF 37.0.2
– Ubuntu Linux 12.04 (32-bit)
– Samsung Tablet Galaxy Tab3 / Android 4.2.2
interstellar, FWIW I’ve followed this topic across the months, and have never found a report that sf has bundled adware into non-windows (exe) downloads.
I can’t imagine GNU/Linux software would be easy to infect with adware, since the installation process can vary greatly from distro to distro. Still, I would be cautious when downloading anything from SourceForge, regardless of whether you are running GNU/Linux, Windows, Macintosh, or whatever else.
This is why I’m starting to think that self-hosting software projects is the way to go. I never felt that SourceForge was particularly reputable to begin with, but why assume the risk of third-party software hosting at all? Even with as reputable as Github and Bitbucket are, do they actually offer anything developers need? I don’t believe so. At least with self-hosting you can move the domain if your server host screws around with you. It’s not that much extra work to set up a git server.