404 Tech Support

It is time to blacklist SourceForge

SourceForge has been making headlines in recent weeks with a variety of criticisms. The once popular download destination for free software projects was sold off after its golden age, and its new owners continue to demonstrate a history of bad decision making in the name of greed and profit. While SourceForge’s popularity and usability have waned as GitHub and other repository hosts have grown, it is still a common site with popular project downloads surrounded by misleading and confusing ads.

A couple of years ago, SourceForge introduced ‘DevShare’, a program to bundle third-party software such as toolbars and adware with the desired programs. FileZilla was one of the most prominent projects that joined ‘DevShare’, and the developer was defiant in the face of the negative feedback. The primary download for FileZilla included adware, though a download link buried a few clicks from the homepage offered the software without modification.

Recently, SourceForge has gotten more aggressive with its third-party bundling and has been making headlines as a result. SourceForge hijacked the unmaintained GIMP for Windows account and modified the project downloads to include bloatware. The GIMP project gave an official response to the event; a selected excerpt follows:

Our decision to move the Windows installers away from SourceForge in 2013 was a direct result of how its service degraded in this respect.

The situation became worse recently when SourceForge started to wrap its downloader/installer around the GIMP project binaries. That SourceForge installer put other software apart from GIMP on our users’ systems. This was done without our knowledge and permission, and we would never have permitted it. It was done in spite of the following promise made by SourceForge in November 2013 [2]:

“we want to reassure you that we will NEVER bundle offers with any project without the developers consent.” (emphasis in original)

To us, this firmly places SourceForge among the dodgy crowd of download sites. SourceForge are abusing the trust that we and our users had put into their service in the past.

The GIMP project’s repackaging was not an isolated event. Both Nmap and VLC reported their own instances of losing ownership of their SourceForge accounts. Nmap posted to seclists.org, and a VLC developer posted to their own blog, each describing what happened and their frustration at the experience. Fortunately, their projects’ binaries have not been modified, though the accounts have been taken over.

SourceForge has posted two responses to the criticism. They first clarified that the GIMP for Windows project was not hijacked. Instead, SourceForge took over the “abandoned” account to monetize the downloads. In their more recent post, they attempt to address the latest wave of criticism by inserting third-party offers into projects on an opt-in only basis.

Statements like this have been made before. In 2013, after DevShare was introduced, they made similar promises and have clearly broken them since.

Given SourceForge’s track record of putting greed before its visitors’ privacy and trust and before its hosted projects’ reputations, it is time to recognize SourceForge for what it is: a download trap surrounded by ads, hoping for a misclick. The site should be blacklisted to prevent any visits, as the downloads it offers are of questionable integrity. More notably, major software projects should move away from SourceForge to a more reliable alternative. Instead of using FileZilla, seek out alternatives that do not encourage questionable installers.

Update: Notepad++ has posted that they are leaving SourceForge as their hosting.