SourceFAIL? SourceForge accused of shady practices (again)

Slashdot Media's FLOSS project hosting service is again allegedly naughty -- open-source community up in arms

SourceForge has been caught out "adopting" open-source projects that are "orphaned". Observers accuse the project repository of adding malware to compiled downloads and littering the site with deceptive ads. The two most recent victims seem to have been GIMP and Nmap.

Oh dear. What a mess. And how the once-trusted mighty appear to have fallen.

In IT Blogwatch, bloggers take care where they download stuff from.

Your humble blogwatcher curated these bloggy bits for your entertainment. [Update 2: June 5, 11:41am EDT]

Sean Gallagher tells a sorry tale:

The once-pioneering software repository [continues] attempting to cash in on open-source. [It] has made it a business practice to turn abandoned or inactive projects into platforms for distribution of "bundle-ware" installers. ... Malicious ads are legion on projects that have been taken over by SourceForge's anonymous editorial staff [and] it's nearly impossible for open-source projects to get their code removed from the site.

DevShare, SourceForge's revenue sharing plan for open-source developers [is] supposed to be opt-in only. [But] SourceForge foisted the adware on the [GIMP] project's Windows installer. ... SourceForge's current policy makes pulling a project from the site almost impossible.

GIMP left SourceForge in part because of...deceptive advertisements that try to fool site visitors into downloading something a little with "Download" buttons that are totally unrelated to the software the visitor is best—and malware at worst.  MORE

Other project luminaries have started complaining about SourceForge's actions, such as Nmap's Gordon "fyodor" Lyon:

Of course this goes directly against Sourceforge's promise:.."we want to reassure you that we will NEVER bundle offers with any project without the developers consent." ... So much for that promise! ... Sourceforge has also hijacked the Nmap account [with] fake download buttons.

We haven't caught them trojaning Nmap the way they did with GIMP. But we certainly don't trust them one bit! Sourceforge is pulling the same tried back when they started circling the drain.

Sourceforge now claims they will stop trojaning software without the developer's permission, but they've broken that exact promise before.  MORE

So the anonymous SourceForge "community team" states this statement:

In an effort to address a number of concerns we have been hearing from the media and community at large, we at SourceForge would like to note that we have stopped presenting third party offers. ... We discontinued this practice promptly based on negative community feedback.

We encourage anyone that would like additional information about our practices or specific issues they have to reach out to us directly.  MORE

But Solomonoff's Secret has no love for SourceForge:

I think SF knew that it had already thrown away its credibility and was on the way out and is attempting to squeeze the last pennies out.

There's certainly no recovery from such a scummy cash grab and the sooner it dies, the better.  MORE

Meanwhile, ventomareiro has advice for other projects:

That is why Free SW projects need to trademark their names: so if you don't agree with how somebody is redistributing your code, you can force them to at least not do it in your name.  MORE

Update: R. Taylor Raborn is utterly dismissive:

Sourceforge has gotten so bad that some of my friends in industry say it’s blocked by their companies’ spam filters.  MORE

Update 2: Roberto Galoppini emailed me with this new statement from Slashdot. (It's extremely confusing and much of it's unclear how it relates to the accusations being made, but I think they're claiming it's all a huge misunderstanding):

The Nmap project...web data is housed separately from File Release System data, where we normally serve downloads. ... SourceForge has discouraged the use of project web for distribution of binary data for a number of years.

A separate mirror of nmap releases was made on the nmap.mirror project. ... The current SourceForge bundling program specifically excludes software designed for information security professionals, such as nmap.  MORE

You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

Copyright © 2015 IDG Communications, Inc.

Shop Tech Products at Amazon