Jump to content

Warning: Don’t Download Software From SourceForge If You Can Help It


Batu69

Recommended Posts

ximg_556d01922958c.png.pagespeed.ic.IR0G

“SourceForge are (sic) abusing the trust that we and our users had put into their service in the past,” according to the GIMP project. Since 2013, SourceForge has been bundling junkware along with their installers — sometimes without a developer’s permission.

Don’t download software from SourceForge if you can help it. Many open-source projects now host their installers elsewhere, and the versions on SourceForge may include junkware. If you absolutely have to download something from SourceForge, be extra careful.

Yes, SourceForge Is One of the Bad Download Websites

SourceForge built up a lot of goodwill in the past, being a centralized place for downloading open-source software and hosting software repositories. Over the years, more projects have moved to other repository-hosting services like GitHub.

In 2012, Dice Holdings purchased SourceForge (and Slashdot) from Geeknet. In 2013, SourceForge enabled a feature named “DevShare.” DevShare is an opt-in feature developers can enable for their own projects. If a developer enables this feature, you’ll download their software from SourceForge to find that it’s been wrapped in SourceForge’s own installer, which pushes intrusive junkware onto your system. SourceForge and developers make money by foisting this software on you, just as practically every other download site and freeware distributor does on Windows.

DevShare does require a project owner “opt in” to enable this feature on their project, although they’re now hosting a variety of projects bundled with junkware against the wishes of their developers.

Some projects have chosen to jump onboard the DevShare train on their own, and that’s their own choice. FIleZilla was an early participant, and FileZilla’s developer responded to concerns:

“This is intentional. The installer does not install any spyware and clearly offers you a choice whether to install the offered software.”

Chrome blocked us from downloading FileZilla from SourceForge’s website, warning that it “may harm your browsing experience.”

ximg_556cfef361f99.png.pagespeed.ic.LjEL

SourceForge and GIMP

GIMP is a popular open-source image editor — it’s basically the open-source community’s answer to Photoshop. In 2013, GIMP’s developers pulled the GIMP Windows downloads from SourceForge. SourceForge was full of misleading advertisements masquerading as “Download” buttons — something that’s a problem all over the web. SourceForge then rolled out its own Windows installer filled with junkware, and that was the straw that broke the camel’s back. In response, the GIMP project abandoned SourceForge and began hosting their downloads elsewhere.

In 2015, SourceForge pushed back. Considering the old GIMP account on SourceForge “abandoned,” they took control over it, locking out the original maintainer. They then put GIMP downloads back up on SourceForge, wrapped in SourceForge’s own junkware-filled installer. If you’re downloading GIMP from SourceForge, you’re getting a version filled with junkware, one that GIMP’s developers don’t want you to use. SourceForge says they’re providing a valuable service to people looking to download open-source software, but GIMP’s developers strongly disagree.

Update: After a lot of negative press, SourceForge has changed their stance. “At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer,” SourceForge wrote in a statement. Given their past actions and the “at this time” wording in their statement, we’d recommend you steer clear of SourceForge anyway. They no longer deserve the trust of the open-source community.

ximg_556cff6d7737b.png.pagespeed.ic.XAN6

It’s Not Just the GIMP

Other developers didn’t actually choose to enable DevShare. GIMP is currently listed as “brought to you by: sf-editor1″ on SourceForge. Click through to sf-editor1’s list of projects and you’ll see quite a few projects hosted by SourceForge itself, from Audacity and OpenOffice to Firefox.

Click through to a project’s official website and you’ll find actual download links. For example, Audacity’s homepage redirects you to FOSSHUB to download Audacity, not SourceForge. But searching for “Audacity” on Google still brings up the SourceForge page as the top result.

Although SourceForge may no longer be bundling these applications with junkware for the moment, the SourceForge website is still full of misleading advertisements that point you to installers full of junkware.

ximg_556d0076ac37c.png.pagespeed.ic.99Ip

Avoid SourceForge Downloads

Avoid using SourceForge to download software. Even if it comes up first in a Google search, skip SourceForge and head to the software project’s official download page. Follow the links to download the program from somewhere else — there’s a good chance the project has moved away from SourceForge and offers clean download links elsewhere.

Or, better yet, skip all the usual downloading and install the most useful applications using Ninite. Ninite is the only safe centralized Windows freeware download site we’ve found.

If you do have to download from SourceForge, be careful to avoid the downloads that include the SourceForge installer. Go out of your way to grab the direct downloads instead.

And, by the way, SourceForge is now bundling junkware with their Mac downloads too — just like Download.com and other websites. Even Mac users aren’t safe, although we haven’t seen DevShare extended to Linux PCs just yet. Everyone should avoid SourceForge downloads, whether you’re running Windows or not.

ximg_556cf6ed24de8.png.pagespeed.ic.r-Zn

In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, be sure to test it in a real Windows system on a physical machine, not a virtual machine.

This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.

Credit to: http://www.howtogeek.com/

Link to comment
Share on other sites


  • Replies 23
  • Views 2.5k
  • Created
  • Last Reply
Akaneharuka

Thank you for sharing this warning :)

I remember last week I download something from source forge website

after I install that program my browser search page and font-page change from google.jp to ask.com

and I got ask toolbar too :(

I need to use adw-cleaner to remove that toolbar

Link to comment
Share on other sites


Thank you for sharing this warning :)

I remember last week I download something from source forge website

after I install that program my browser search page and font-page change from google.jp to ask.com

and I got ask toolbar too :(

I need to use adw-cleaner to remove that toolbar

Thanks for sharing your experience. :)

Link to comment
Share on other sites


Thanx for the reminder. This issue was mentioned and discussed few days ago. Still it is worth to remind users of this unfortunate situation. I wish SF would go back to its glory days, not far passed. :thumbsdown:

Link to comment
Share on other sites


Sourceforge is ok softpedia is not its been known to host malicious ad links. You can get hijack this from sourceforge hpd (hidden port detector) and pagan ultima eight windows version pentagram..

Link to comment
Share on other sites


jimbojet2011

ximg_556d01922958c.png.pagespeed.ic.IR0G

“SourceForge are (sic) abusing the trust that we and our users had put into their service in the past,” according to the GIMP project. Since 2013, SourceForge has been bundling junkware along with their installers — sometimes without a developer’s permission.

Don’t download software from SourceForge if you can help it. Many open-source projects now host their installers elsewhere, and the versions on SourceForge may include junkware. If you absolutely have to download something from SourceForge, be extra careful.

Yes, SourceForge Is One of the Bad Download Websites

SourceForge built up a lot of goodwill in the past, being a centralized place for downloading open-source software and hosting software repositories. Over the years, more projects have moved to other repository-hosting services like GitHub.

In 2012, Dice Holdings purchased SourceForge (and Slashdot) from Geeknet. In 2013, SourceForge enabled a feature named “DevShare.” DevShare is an opt-in feature developers can enable for their own projects. If a developer enables this feature, you’ll download their software from SourceForge to find that it’s been wrapped in SourceForge’s own installer, which pushes intrusive junkware onto your system. SourceForge and developers make money by foisting this software on you, just as practically every other download site and freeware distributor does on Windows.

DevShare does require a project owner “opt in” to enable this feature on their project, although they’re now hosting a variety of projects bundled with junkware against the wishes of their developers.

Some projects have chosen to jump onboard the DevShare train on their own, and that’s their own choice. FIleZilla was an early participant, and FileZilla’s developer responded to concerns:

“This is intentional. The installer does not install any spyware and clearly offers you a choice whether to install the offered software.”

Chrome blocked us from downloading FileZilla from SourceForge’s website, warning that it “may harm your browsing experience.”

ximg_556cfef361f99.png.pagespeed.ic.LjEL

SourceForge and GIMP

GIMP is a popular open-source image editor — it’s basically the open-source community’s answer to Photoshop. In 2013, GIMP’s developers pulled the GIMP Windows downloads from SourceForge. SourceForge was full of misleading advertisements masquerading as “Download” buttons — something that’s a problem all over the web. SourceForge then rolled out its own Windows installer filled with junkware, and that was the straw that broke the camel’s back. In response, the GIMP project abandoned SourceForge and began hosting their downloads elsewhere.

In 2015, SourceForge pushed back. Considering the old GIMP account on SourceForge “abandoned,” they took control over it, locking out the original maintainer. They then put GIMP downloads back up on SourceForge, wrapped in SourceForge’s own junkware-filled installer. If you’re downloading GIMP from SourceForge, you’re getting a version filled with junkware, one that GIMP’s developers don’t want you to use. SourceForge says they’re providing a valuable service to people looking to download open-source software, but GIMP’s developers strongly disagree.

Update: After a lot of negative press, SourceForge has changed their stance. “At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer,” SourceForge wrote in a statement. Given their past actions and the “at this time” wording in their statement, we’d recommend you steer clear of SourceForge anyway. They no longer deserve the trust of the open-source community.

ximg_556cff6d7737b.png.pagespeed.ic.XAN6

It’s Not Just the GIMP

Other developers didn’t actually choose to enable DevShare. GIMP is currently listed as “brought to you by: sf-editor1″ on SourceForge. Click through to sf-editor1’s list of projects and you’ll see quite a few projects hosted by SourceForge itself, from Audacity and OpenOffice to Firefox.

Click through to a project’s official website and you’ll find actual download links. For example, Audacity’s homepage redirects you to FOSSHUB to download Audacity, not SourceForge. But searching for “Audacity” on Google still brings up the SourceForge page as the top result.

Although SourceForge may no longer be bundling these applications with junkware for the moment, the SourceForge website is still full of misleading advertisements that point you to installers full of junkware.

ximg_556d0076ac37c.png.pagespeed.ic.99Ip

Avoid SourceForge Downloads

Avoid using SourceForge to download software. Even if it comes up first in a Google search, skip SourceForge and head to the software project’s official download page. Follow the links to download the program from somewhere else — there’s a good chance the project has moved away from SourceForge and offers clean download links elsewhere.

Or, better yet, skip all the usual downloading and install the most useful applications using Ninite. Ninite is the only safe centralized Windows freeware download site we’ve found.

If you do have to download from SourceForge, be careful to avoid the downloads that include the SourceForge installer. Go out of your way to grab the direct downloads instead.

And, by the way, SourceForge is now bundling junkware with their Mac downloads too — just like Download.com and other websites. Even Mac users aren’t safe, although we haven’t seen DevShare extended to Linux PCs just yet. Everyone should avoid SourceForge downloads, whether you’re running Windows or not.

ximg_556cf6ed24de8.png.pagespeed.ic.r-Zn

In our testing, we’ve found that SourceForge’s downloader behaves more nicely in a virtual machine. If you want to see what it actually does, be sure to test it in a real Windows system on a physical machine, not a virtual machine.

This is the same sort of behavior that malicious applications are increasingly using to avoid detection and analysis.

Credit to: http://www.howtogeek.com/

https://www.security.nl/posting/430675

Link to comment
Share on other sites


Sourceforge is ok softpedia is not its been known to host malicious ad links. You can get hijack this from sourceforge hpd (hidden port detector) and pagan ultima eight windows version pentagram..

How can you say Sourceforge is ok ? Is this evidence not enough for you ? :angry:

I use to use Softpedia from time to time and have never had any problems with their downloads.

Link to comment
Share on other sites


I use to use Softpedia from time to time and have never had any problems with their downloads.

Same here. This softpedia "review" is entirely biased. It's a shame.

"To be fair, wayyyy down at the bottom of the page they do tell you that it’s ad supported and that you should be careful. Because we all like to read every single word on a page before clicking to download that app that we really wanted."

Wrong! You just need to read one word: AD-SUPPORTED. And this word is not written "at the bottom of the page", but right under the app name, in orange, bold and uppercase. As long as you're not stupid or live in Mars, you know what "ad-supported" means; and if you don't know, softpedia explains it for you.

BTW, the few developpers I follow (in sourceforge) do not wrap their software with junk. This jerk (bottom of the page) wants to convince us that "everybody does the same", but (again) that's not true. There are exceptions and we must pay attention to the exceptions. And, at the same time, forget the self-called "geeks" and their "misinformation".

post-32561-0-67485800-1433787752_thumb.p

Link to comment
Share on other sites


Sourceforge is ok softpedia is not its been known to host malicious ad links. You can get hijack this from sourceforge hpd (hidden port detector) and pagan ultima eight windows version pentagram..

How can you say Sourceforge is ok ? Is this evidence not enough for you ? :angry:

I use to use Softpedia from time to time and have never had any problems with their downloads.

This thread talks about software with junkware to and how many of those include sourceforge as the download site? I have downloaded files from softpedia before and my antivirus caught a infection in one of the files. I have downloaded quite a few programs from sourceforge and havent had any problems:

//www.nsaneforums.com/topic/246411-beware-free-antivirus-isnt-really-free-anymore/

I dont like junkware dont get me wrong but I see many different software with junkware in it and that software got downloaded from sites that are not sourceforge. Im just saying dont slam sourceforge over something that happens on download sites like it to sourceforge isnt by itself and I dont avoid those download sites..

Link to comment
Share on other sites


Sourceforge is ok softpedia is not its been known to host malicious ad links. You can get hijack this from sourceforge hpd (hidden port detector) and pagan ultima eight windows version pentagram..

How can you say Sourceforge is ok ? Is this evidence not enough for you ? :angry:

I use to use Softpedia from time to time and have never had any problems with their downloads.

This thread talks about software with junkware to and how many of those include sourceforge as the download site? I have downloaded files from softpedia before and my antivirus caught a infection in one of the files. I have downloaded quite a few programs from sourceforge and havent had any problems:

//www.nsaneforums.com/topic/246411-beware-free-antivirus-isnt-really-free-anymore/

I dont like junkware dont get me wrong but I see many different software with junkware in it and that software got downloaded from sites that are not sourceforge. Im just saying dont slam sourceforge over something that happens on download sites like it to sourceforge isnt by itself and I dont avoid those download sites..

Sourceforge is ok softpedia is not its been known to host malicious ad links. You can get hijack this from sourceforge hpd (hidden port detector) and pagan ultima eight windows version pentagram..

How can you say Sourceforge is ok ? Is this evidence not enough for you ? :angry:

I use to use Softpedia from time to time and have never had any problems with their downloads.

This thread talks about software with junkware to and how many of those include sourceforge as the download site? I have downloaded files from softpedia before and my antivirus caught a infection in one of the files. I have downloaded quite a few programs from sourceforge and havent had any problems:

//www.nsaneforums.com/topic/246411-beware-free-antivirus-isnt-really-free-anymore/

I dont like junkware dont get me wrong but I see many different software with junkware in it and that software got downloaded from sites that are not sourceforge. Im just saying dont slam sourceforge over something that happens on download sites like it to sourceforge isnt by itself and I dont avoid those download sites..

Sourceforge is ok softpedia is not its been known to host malicious ad links. You can get hijack this from sourceforge hpd (hidden port detector) and pagan ultima eight windows version pentagram..

How can you say Sourceforge is ok ? Is this evidence not enough for you ? :angry:

I use to use Softpedia from time to time and have never had any problems with their downloads.

This thread talks about software with junkware to and how many of those include sourceforge as the download site? I have downloaded files from softpedia before and my antivirus caught a infection in one of the files. I have downloaded quite a few programs from sourceforge and havent had any problems:

//www.nsaneforums.com/topic/246411-beware-free-antivirus-isnt-really-free-anymore/

I dont like junkware dont get me wrong but I see many different software with junkware in it and that software got downloaded from sites that are not sourceforge. Im just saying dont slam sourceforge over something that happens on download sites like it to sourceforge isnt by itself and I dont avoid those download sites..

Is this your way to increase forum post count ? ;)

BTW

If "you have downloaded files from softpedia and your antivirus caught a infection in one of the files" (what program ?, what file ? what AV ? - no details, no evidence) I would recommend you to change your antivirus rather then blame Softpedia. laie_67.gif

Link to comment
Share on other sites


The triple post is accidental and I used avast which according to virus bulletin and av comparatives is very good lawls. ALso gmer which writes one of the best anti-rootkit tools on the planet (anomaly based anti-rootkit) works for avast now and they integrated gmer his anti-rootkit tool in avast which proves again that avast is very good again lawls..

Link to comment
Share on other sites


z3vuLaN.png

Haha owned.

@cody..so is ublock better than adblock in your opinion??

I prefer it, for sure on Chrome.

Can't vouch for other platforms, but I use it there as my config works in all browsers.

I don't just use the standard filters that all ad blockers use. I block everything by default and filter up. Nothing runs unless I allow it, and that works pretty well.

uBlock is adding nice features like being able to easily create AdBlock filters, and even block/allow specific URLs. When I get working on that, I'll be able to not just block/allow JS per domain, but per file.

AdBlock needs to step it's game up. Last I used it, it was just standard ad filters, and used more RAM on Chrome.

Link to comment
Share on other sites


Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...