Slashdot Mirror


SourceForge and GIMP [Updated]

New submitter tresf writes: In response to a Google+ post from the Gimp project claiming that "[Sourceforge] is now distributing an ads-enabled installer of GIMP," Sourceforge had this response: "In cases where a project is no longer actively being maintained, SourceForge has in some cases established a mirror of releases that are hosted elsewhere. This was done for GIMP-Win."

Submitter's note: Gimp is actively being maintained and the definition of "mirror" is quite misleading here as a modified binary is no longer a verbatim copy. Download statistics for Gimp on Windows show SourceForge as offering over 1,000 downloads per day of the Gimp software.

In an official response to this incident, the official Gimp project team reminds users to use official download methods. Slashdotters may remember the last time news like this surfaced (2013) when the Gimp team decided to move downloads from SourceForge to their own FTP service. "Therefore, we remind you again that GIMP only provides builds for Windows via its official Downloads page." Note: SourceForge and Slashdot share a corporate parent.
Editor's note: I just got back from a busy weekend to see that a bunch of people are freaking out that we're "burying" this story, so here it is. Go hog wild. Sorry it took so long. (And for future reference, user submissions are easily found in the firehose, listed in the order they appear, newest first.)

Update: 06/01 22:37 GMT by T : The SourceForge blog has a welcome update; SourceForge, it says, has effective today "stopped presenting third party offers for unmaintained SourceForge projects. ... At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers."

22 of 384 comments

  1. Took long enough for you to post this Slashdot by NotDrWho · · Score: 5, Informative

    I remember seeing a submission on this early last week.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Took long enough for you to post this Slashdot by weilawei · · Score: 5, Insightful

      I am also pleased that they've finally posted it, but still seriously miffed that it took this long.

  2. Not ignoring the story is a good start! by rmdingler · · Score: 5, Interesting

    Issuing an opinion on something the umbrella corporation did that you may have no control over would be a solid follow up.

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

    1. Re:Not ignoring the story is a good start! by Luxemburg · · Score: 5, Interesting

      Additionally, offering such a weak*) excuse for sitting on this story (apparently) for a week actually rings all my alarm bells. Please slashdot editors, explicitly deny (or confirm) there has been any kind of pressure influencing your treatment of this topic.

      *) Weak to react to it cynically, dismissively, the editor just had a busy weekend, and how dare the readers ever even imagine there might be some sort of hesitation on your part for not publishing this article promptly. After all, it's only a very grave accusation to a service run by the same company for the same audience.

    2. Re:Not ignoring the story is a good start! by Anonymous Coward · · Score: 5, Insightful

      Then why the hell did you blame a busy weekend to start? Smells like BS to me.

    3. Re:Not ignoring the story is a good start! by rmdingler · · Score: 5, Funny
      Hmmm...

      /. being slower than everyone else to report on a story.

      That is suspicious.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    4. Re:Not ignoring the story is a good start! by Soulskill · · Score: 5, Informative

      I acknowledge that this was a fuck up. As I said in my note on the story, I'm sorry it took so long for this post to go up.

    5. Re:Not ignoring the story is a good start! by tresf · · Score: 5, Insightful

      Thanks for posting it, @Soulskill. Better late than never. I'll support you a bit in saying that the readers are focusing on the wrong point. It is the FOSS malware bundling which is the real issue here. The misrepresentation of a product against the author's/community's will is THE issue. Stop trolling the journalist, he's not the one installing malware on your computer, SF is.

      Offering a great product for free should be good enough to drive the traffic and ad revenue that SF needs. Taking a sh** on these great projects does nothing but alienate SF from the very community that helped it gain notoriety in the first place. Sure this is old news, but 1,000 malware installations a day aren't old news. 1,000 malware installations a day should be criminal.

      Coincidentally -- the day after posting this article -- a colleague of mine made a similar mistake of installing OpenOffice from a high-ranking search result and is now dealing with the consequences. Long term, I'm not sure how we fix these bait-and-switch problems, but @Soulskill getting the word out is a good start.

      On a personal note... I manage the downloads for a QT-based project known as LMMS and we too feared the day that our installers would be compromised. In anticipation of this, LMMS has moved everything off of SF hosting. This took almost a year as it included forums, downloads, bug tracker, et al. We were very fortunate to get corporate sponsoring, but not all projects have success in this regard.

      On a personal-side-note, I'd like to add that I've been happy enough with the services over at GitHub that I've chosen them for some of my non-free projects (private, paid repositories). Is this not how revenue **should** be generated? Should the exchange of good, honest services for cash not be the norm? Should preying on the innocent and invading privacy, installing viruses for those that would least suspect it NOT be ostracized? SF has become a predator against the unsuspecting.

  3. Absolutely unacceptable behaviour by sinij · · Score: 5, Insightful

    This behavior should get SourceForge blacklisted as both cyber-squatters and adware, possibly malware vendor.

    1. Re:Absolutely unacceptable behaviour by Anonymous Coward · · Score: 5, Insightful

      Cnet irreparably destroyed the reputation of both download.com and the cnet brand.

      Sourceforge's brand is probably damaged to a similar level for me.

      I'm about ready to DNS blackhole sourceforge because it cannot be trusted at all anymore. 10 years ago, it was my go-to site.

  4. I don't buy the /. editors' explanation. by pop+ebp · · Score: 5, Insightful

    I don't buy the /. editors' explanation.

    This story has been repeatedly submitted since at least late Wednesday and has been voted to red multiple times in the firehose.

    Meanwhile, most other red stories have already appeared on the front page, so clearly some editors were still around...

  5. Seems to Be a Pattern of Behavior by Kunedog · · Score: 5, Interesting

    Anyone buying the "busy weekend" excuse? Can't say I am, since the story broke near the middle of last week, and we've seen /. willfully ignore the community so many times. Look at the amount of pushback it took to defeat Beta and Bennet Hasselton.

    Wonder if they'll ever drop the anti-Gamergate narrative too (probably not, since they have most of the tech media circling wagons with them on the pro-corruption side)?

    1. Re:Seems to Be a Pattern of Behavior by sinij · · Score: 5, Funny

      >>>Bennet Hasselton cannot be defeated. He's merely resting.

      Bennet Hasselton article shows up only if someone mentions Bennet Hasselton three times in a single post.

    2. Re:Seems to Be a Pattern of Behavior by 0100010001010011 · · Score: 5, Insightful

      It's just the Nth 'eternal September'.

      It's also happening to Little Registry Cleaner. If you don't read every dialog box very, very carefully you end up with crapware (look at the reviews).

      The tail end of GenX/Initial GenYs that originally ran Slashdot have moved on with their lives. They sold out (no problem with that, I would have too). Dice put a bunch of kids that grew up on Reddit in charge so you see Slashdot trying to mirror Reddit's content, 'message', tone & look and it's showing to old hat /.ers.

      If anyone is bored and looking for a place to lure my 30s year old self. Redo slashdot, allow markdown, bbedit, html, LaTeX.. editing. Keep the -2 to +5 moderation system because it limits band-wagoning and group think. Now that everyone can have an opinion it shows. I used to revel in the days that little 19 year old me was bestowed with 5 points to vote with (and tried to ration them accordingly).

      Design a proper responsive layout (It was not Beta) and keep it about tech

      I'm looking for a good place to discuss stuff that is relevant to me like Slashdot used to be. Reddit is good for certain things. Long drawn out posts with actual information isn't one of them. Everyone wants a tl;dr:.

      [And this message took longer to type than one in Markdown because HTML is pretty slow now that I use markdown for everything, blog and all. Not that I don't know but ** is easier, ~~~~, ]

    3. Re:Seems to Be a Pattern of Behavior by bill_mcgonigle · · Score: 5, Informative

      If anyone is bored and looking for a place to lure my 30s year old self. Redo slashdot, allow markdown, bbedit, html, LaTeX.. editing.

      If this is where your interests are, Soylent has forked and re-opened Slash, so people can contribute to it. There's been tremendous cleanup and some refactoring, to make Slash a more sane/maintainable project.

      They're very picky on submissions, though, so the variety and community aspects aren't what Slashdot is.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re:Seems to Be a Pattern of Behavior by ideonexus · · Score: 5, Insightful

      The adware bundling is also happening with Filezilla now too. I recently downloaded the FTP program to my computer at work and it set off a bunch of virus alerts with our system engineers. It was very embarrassing, but the engineers said they fell for it too.

      The worst part is that there is no opt-out option in the installation process. By downloading the version of the package with the adware, you are agreeing to install the viruses. I eventually found a clean install of Filezilla on Sourceforge, but it's not obvious.

      Google needs to flag Sourceforge as a malware site for these shenanigans.

      --
      i ~ Celebrating Science, Cyberspace, Speculation
    5. Re:Seems to Be a Pattern of Behavior by pop+ebp · · Score: 5, Informative

      For the record, the FileZilla developers actually opted-in to this, several years ago, in some kind of revenue-sharing program with Sourceforge.

      What is new is that SF now does it with "abandoned" projects without the owners' consent too.

  6. Re:So? by pop+ebp · · Score: 5, Informative

    This is news because Sourceforge used to be trustworthy.
    It used to be a respected site where open-source developers could host their binaries without fear of someone tampering with it.

  7. Re:Douch move for sure on SF by NotDrWho · · Score: 5, Insightful

    Hard to believe that Sourceforge was once a fairly reputable place to download software from. Seems like a million years ago now.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
  8. Re:For future reference by Anonymous Coward · · Score: 5, Insightful

    And they won't run a story critical of Dice until they persuade the corporate overlords that it's too late to stop it.

  9. Re:So? by Megane · · Score: 5, Interesting

    GPL covers the rights to use and distribute code. I was not aware that it also included the right to use of trademarks. (Assuming GIMP was even properly trademarked.) See also "Iceweasel".

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  10. My experiences with SourceForge by jdeisenberg · · Score: 5, Informative
    1) I recommended an open source screencast recorder for Windows to a co-worker. She downloaded it from SourceForge, it loaded adware on her system and made her system pretty much unusable. It cost her quite a bit to have her system restored (she wanted to have it done professionally to make sure it was done right). The next time I recommended some other open source software, her response was "No, I don't want to go to that time and expense again. I don't trust anything Open Source any more." Thanks, SourceForge!

    2) I call bullshit on SourceForge's assertion that their adware only comes with projects that aren't actively maintained. There have been a lot of complaints about FileZilla downloads (see, for example, https://forum.filezilla-projec...), and it is definitely a very active project.