SourceForge and GIMP [Updated]
New submitter tresf writes: In response to a Google+ post from the Gimp project claiming that "[Sourceforge] is now distributing an ads-enabled installer of GIMP," Sourceforge had this response: "In cases where a project is no longer actively being maintained, SourceForge has in some cases established a mirror of releases that are hosted elsewhere. This was done for GIMP-Win."
Submitter's note: Gimp is actively being maintained and the definition of "mirror" is quite misleading here as a modified binary is no longer a verbatim copy. Download statistics for Gimp on Windows show SourceForge as offering over 1,000 downloads per day of the Gimp software.
In an official response to this incident, the official Gimp project team reminds users to use official download methods. Slashdotters may remember the last time news like this surfaced (2013) when the Gimp team decided to move downloads from SourceForge to their own FTP service. "Therefore, we remind you again that GIMP only provides builds for Windows via its official Downloads page."
Note: SourceForge and Slashdot share a corporate parent.
Editor's note: I just got back from a busy weekend to see that a bunch of people are freaking out that we're "burying" this story, so here it is. Go hog wild. Sorry it took so long. (And for future reference, user submissions are easily found in the firehose, listed in the order they appear, newest first.)
Update: 06/01 22:37 GMT by T : The SourceForge blog has a welcome update; SourceForge, it says, has effective today "stopped presenting third party offers for unmaintained SourceForge projects. ... At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers."
I am also pleased that they've finally posted it, but still seriously miffed that it took this long.
At last. Now that moron who's been spamming every story with an off topic post of this can shut up.
This behavior should get SourceForge blacklisted as both cyber-squatters and adware, possibly malware vendor.
Aren't we all smart enough to turn off the adware during install? I even know some old people who turn off "add-ons" that they don't need.
Well, given that adware 'offers' still get injected into installers, I'm going to use my incredible mental thinking skills to hypothesize "no, we aren't".
Aside from that, even if you don't get hit by the adware, having to defang an installer just to use a program leaves the indistinguishable taste of pure sleaze in your mouth for the rest of the process (looking at you, Oracle and the Ask.com toolbar...)
Sourceforge is dragging the GIMP project's name through the mud by bundling this shit, even if they don't hit anyone. That alone is more than enough to be displeased by.
I don't buy the /. editors' explanation.
This story has been repeatedly submitted since at least late Wednesday and has been voted to red multiple times in the firehose.
Meanwhile, most other red stories have already appeared on the front page, so clearly some editors were still around...
(And for future reference, user submissions are easily found in the firehose, listed in the order they appear, newest first.)
Just curious here. Does voting a submission up or down have any effect on whether it's accepted? It seems some stories appear on the front page as soon as they're submitted, others languish for days. Gives the impression the editors are selecting stories based on some agenda other than what slashdot readers want to see.
Then why the hell did you blame a busy weekend to start? Smells like BS to me.
Aren't we all smart enough to turn off the adware during install?
No -- most people just keep clicking "OK" until the install is finished. Just like most people keep signing pages or initialing forms when presented with a bunch of paperwork... they stop reading the details.
The number of people who actually stop and read everything they sign is similar to the number that consider all the options during install scripts -- and that number is VERY SMALL.
(Small anecdote -- quite a few years ago I signed the rental agreement for my first apartment. I was told to initial each of the 10 pages or so and sign the final page. I stopped and read the thing before doing so. My landlord -- who managed something like 40 apartments and had been doing so for a couple decades -- said he could only recall one other person who read the whole rental agreement before signing. And I actually discovered some really interesting rental policies while doing so.)
Also, more on point -- there's the rather obvious evidence that companies wouldn't bother bundling adware if no one ever installed it.
I even know some old people who turn off "add-ons" that they don't need.
And I even know many young people who don't seem to pay any attention while installing and end up with all sorts of weird "add-ons" and don't know how they got there. What's your point?
Hard to believe that Sourceforge was once a fairly reputable place to download software from. Seems like a million years ago now.
SJW's don't eliminate discrimination. They just expropriate it for themselves.
It's just the Nth 'eternal September'.
It's also happening to Little Registry Cleaner. If you don't read every dialog box very, very carefully you end up with crapware (look at the reviews).
The tail end of GenX/Initial GenYs that originally ran Slashdot have moved on with their lives. They sold out (no problem with that, I would have too). Dice put a bunch of kids that grew up on Reddit in charge so you see Slashdot trying to mirror Reddit's content, 'message', tone & look and it's showing to old hat /.ers.
If anyone is bored and looking for a place to lure my 30s year old self. Redo slashdot, allow markdown, bbedit, html, LaTeX.. editing. Keep the -2 to +5 moderation system because it limits band-wagoning and group think. Now that everyone can have an opinion it shows. I used to revel in the days that little 19 year old me was bestowed with 5 points to vote with (and tried to ration them accordingly).
Design a proper responsive layout (It was not Beta) and keep it about tech
I'm looking for a good place to discuss stuff that is relevant to me like Slashdot used to be. Reddit is good for certain things. Long drawn out posts with actual information isn't one of them. Everyone wants a tl;dr:.
[And this message took longer to type than one in Markdown because HTML is pretty slow now that I use markdown for everything, blog and all. Not that I don't know but ** is easier, ~~~~, ]
Your statement here appears to conflict with your edit in TFS. Both of which look like excuses rather than genuine reasons. As such the damage IS done. You are going to need to be 100% transparent even to start recovering from this debacle.
I am Slashdot. Are you Slashdot as well?
Any at all for being so closely affiliated with a company distributing adware and using deceptive practices riding on the backs of open source?
Look at the amount of pushback it took to defeat Beta and Bennet Hasselton.
I was actually quite surprised at how responsive the owners have been on those two issues. They clearly invested a lot of money and time into beta, and I dread to think what kind of favours Bennet was offering, but in the end they listened to us. I really didn't think it would happen, I expected beta to become the only option and my beloved (in an abusive partner kind of way) Slashdot die a slow and painful death.
So kudos for listening. And yeah, I can buy the weekend excuse. Come on, this is Slashdot, the "editors" seem barely literate at times and can't remember posting the same story a mere 24 hours previously. Never attribute to malice what can be adequately explained by incompetence.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
The adware bundling is also happening with Filezilla now too. I recently downloaded the FTP program to my computer at work and it set off a bunch of virus alerts with our system engineers. It was very embarrassing, but the engineers said they fell for it too.
The worst part is that there is no opt-out option in the installation process. By downloading the version of the package with the adware, you are agreeing to install the viruses. I eventually found a clean install of Filezilla on Sourceforge, but it's not obvious.
Google needs to flag Sourceforge as a malware site for these shenanigans.
i ~ Celebrating Science, Cyberspace, Speculation
Decent journalism? You know you're on slashdot, right?
"From the depths of my skeptical and rationalist soul, I ask the Lord to protect me from California touchie-feeliedom."
Thanks for posting it, @Soulskill. Better late than never. I'll support you a bit in saying that the readers are focusing on the wrong point. It is the FOSS malware bundling which is the real issue here. The misrepresentation of a product against the author's/community's will is THE issue. Stop trolling the journalist, he's not the one installing malware on your computer, SF is.
Offering a great product for free should be good enough to drive the traffic and ad revenue that SF needs. Taking a sh** on these great projects does nothing but alienate SF from the very community that helped it gain notoriety in the first place. Sure this is old news, but 1,000 malware installations a day aren't old news. 1,000 malware installations a day should be criminal.
Coincidentally -- the day after posting this article -- a colleague of mine made a similar mistake of installing OpenOffice from a high-ranking search result and is now dealing with the consequences. Long term, I'm not sure how we fix these bait-and-switch problems, but @Soulskill getting the word out is a good start.
On a personal note... I manage the downloads for a QT-based project known as LMMS and we too feared the day that our installers would be compromised. In anticipation of this, LMMS has moved everything off of SF hosting. This took almost a year as it included forums, downloads, bug tracker, et al. We were very fortunate to get corporate sponsoring, but not all projects have success in this regard.
On a personal-side-note, I'd like to add that I've been happy enough with the services over at GitHub that I've chosen them for some of my non-free projects (private, paid repositories). Is this not how revenue **should** be generated? Should the exchange of good, honest services for cash not be the norm? Should preying on the innocent and invading privacy, installing viruses for those that would least suspect it NOT be ostracized? SF has become a predator against the unsuspecting.
OzPeter,
Soulskill has apologized. Repeatedly, and professionally. Accept it and move on.
These people are mad, convinced that you are acting against their interests, and are ignoring any evidence which supports a kinder or more reasonable interpretation of your motivations.
Here's my take: The editors saw a story with claims relevant to their own area of expertise. They decided to do some digging before publishing a story with potentially false or incomplete data. The public outcry convinced Soulskill to publish the best of the unverified stories rather than waiting for the analysis to complete. Soulskill noticed the outcry after a busy weekend.
This narrative fits the facts and attributes no malicious motives to anyone.
I suggest that a more open process would avoid recurrent allegations that anyone has acted improperly. I propose this: When a story affecting a company related to /. is submitted, it is posted immediately but bearing the usual related story disclosure and a note saying that the facts have not been verified by /. staff. If there is analysis done that alters the story, then publish that as a separate submission by the editors themselves.
Am I disappointed in SourceForge? Sure. /. any less? Nope.
Will I use it ever again? Probably not.
Do I trust
I blanked my Mac a few weeks ago and when I started reinstalling software I got some survey crap popping up on my screen asking for my details. Turns out it was the SourceForge installer for FileZilla that had sneaked it through. Googling it threw up enough horror stories to make me just blank the Mac again and start over. I'll never download anything from SourceForge again. A decade of trust destroyed in one stupid move.
Yeah, but I didn't agree to anything.
Saying you had a "very busy weekend", to my eyes, feels just like a euphemism for "management argued a lot before this got posted, and when it did get posted, the expression modified binary had to replace bundled with malware".
Personal Note: "bundled with malware" is what every other place I read the article used to define it.
Personal Note 2: If I happened to stumble on some facts, I want to stress I understand them completely as I also happen to have a very policy-centered full time job. I'm just letting my thoughts fly in a comment, because, well, comment section is still community moderated in full that I know, thus still being free (in the extreme, FSF-like sense of the word "free").