Slashdot Mirror


nmap Maintainer Warns He Doesn't Control nmap SourceForge Mirror

vivaoporto writes: Gordon Lyon (better known as Fyodor, author of nmap and maintainer of the internet security resource sites insecure.org, nmap.org, seclists.org, and sectools.org) warns on the nmap development mailing list that he does not control the SourceForge nmap project.

According to him the old Nmap project page (located at http://sourceforge.net/projects/nmap/, screenshot) was changed to a blank page and its contents were moved to a new page (http://sourceforge.net/projects/nmap.mirror/, screenshot) which is controlled by sf-editor1 and sf-editor3, in a pattern mirroring the much discussed takeover of the GIMP-Win page discussed last week on Ars Technica, IT World and eventually this week on Slashdot.

On Monday, Sourceforge promised to stop "presenting third party offers for unmaintained SourceForge projects," and to their credit Fyodor states, "So far they seem to be providing just the official Nmap files," but reiterates "that you should only download Nmap from our official SSL Nmap site: https://nmap.org/download.html."
To browse the projects and mirrors currently controlled by SourceForge, you can look at these account pages: sf-editor1, sf-editor2, and sf-editor3.

10 of 145 comments

  1. Confusion with names and roles in his announcement by Simon Budig · · Score: 4, Informative

    Hi all.

    Just a quick service announcement since Fyodor erred with regard to the role of Michael Schuhmacher.

    Michael is *not* the CEO of Sourceforge. He is Office Wrangler for the GIMP project and very much on the other side of the dispute...

    Bye,
                  Simon

  2. Re:slashdot is still slashdot by Anonymous Coward · · Score: 2, Informative

    The cat is out of the bag since the Gimp story finally appeared.

    They did, however, suppress that story for several days, until Slashdot started becoming associated with the whole fiasco too.

  3. Changes from the original submission by vivaoporto · · Score: 5, Informative

    The edits made by Slashdot editors on my original submission (that can be read here) are very telling. Fyodor isn't warning that he doesn't control Sourceforge nmap mirror, he is accusing them of hijacking his Sourceforge nmap account, removing the content and creating a mirror that he doesn't control.

    The original title was "Sourceforge Hijacks the Nmap Sourceforge Account" and it was the same title Fyodor used on his post to the mailing list. Losing the original Sourceforge nmap account (created by nmap developers themselves) is not the same news as him not controlling "nmap SourceForge Mirror". The same expression was also changed in the submission body.

    Two other important parts from the original submission removed by the editor:

    1. The statement by SourceForge themselves that (emphasis mine):

    At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers.

    2. The reference by Fyodor that even if Sourceforge still isn't bundling anything on nmap, the page is designed to mislead the users with fake download buttons:

    "So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) (...)"

    Below I repost the original submission so you can compare:

    Sourceforge Hijacks the Nmap Sourceforge Account

    Gordon Lyon (better known as Fyodor, author of nmap and maintainer of the internet security resource sites insecure.org, nmap.org, seclists.org, and sectools.org) warns on the nmap development mailing list that the Sourceforge Nmap account was hijacked from him.

    According to him the old Nmap project page (located at http://sourceforge.net/project..., screenshot) was changed to a blank page and its contents were moved to a new page (http://sourceforge.net/projects/nmap.mirror/, screenshot) which is controlled by sf-editor1 and sf-editor3, in a pattern mirroring the much discussed takeover of the GIMP-Win page discussed last week on Ars Technica, IT World and eventually this week on Slashdot.

    That happens after Sourceforge promises to stop "presenting third party offers for unmaintained SourceForge projects. At this time, we present third party offers only with a few projects where it is explicitly approved by the project developer, or if the project is already bundling third party offers."

    To their credit Fyodor states that "So far they seem to be providing just the official Nmap files (as long as you don't click on the fake download buttons) and we haven't caught them trojaning Nmap the way they did with GIMP" but reiterates "that you should only download Nmap from our official SSL Nmap site: https://nmap.org/download.html"

    1. Re:Changes from the original submission by gatzke · · Score: 4, Informative

      And the stupid video stuff. Looks like we can't turn that garbage off either. Thanks /. !!

    2. Re:Changes from the original submission by vivaoporto · · Score: 4, Informative

      Hi, and thanks for taking the time to address those points, although they were not the main points. They were merely "other important parts (...) removed", the main point being that "Fyodor isn't warning that he doesn't control Sourceforge nmap mirror" but "is accusing them of hijacking his Sourceforge nmap account".

      Concerning the main point:

      1. The original title stated that he lost control of "Nmap Sourceforge Account" and not his own and it was very clear that having the project page erased outside his control meant that he lost control of it.

      2. The submission was not about SourceForge (as they were, as you say, pretty much similar to what was discussed in the previous story) but about the reaction of a prominent figure of the IT world. By editing it for factual accuracy the point of the submission was lost (as what was kept after the edit was not Fyodor's reaction anymore).

      I don't agree that those other two points were satisfactorily addressed either and here is why.

      1. The entire quote was copied verbatim from the update made by T on the SourceForge and GIMP article. Assuming it was relevant enough to be included there by the Slashdot staff itself I don't see why it is not relevant to be included in a similar article referring to the same subject.

      2. The rest of Fyodor's quote served to illustrate his opinion that, despite not bundling the installation files with "easy to decline third party offers" (to borrow a euphemism sometimes used by the industry, referred by Fyodor as "trojaned"), it is still risky to download nmap from SourceForge mirror. There are very confusing download buttons on that page that link to those same kind of third party offers instead of to the unmodified installer (referred as "fake download buttons").

      It is very misleading to have a submission accepted, altered for factual accuracy but kept as if it were submitted as is by the original submitter:

      vivaoporto writes:

      an edited version of what vivaoporto wrote, without any indication of what was changed, who changed and why.

      It would be better to either accept the submission as is (with the minor grammatical mistakes corrected) with a "Note of the Editor (NE)" appended or to reject the submission as factually incorrect.

  4. Re:It's about time... by Anonymous Coward · · Score: 2, Informative

    Oh jesus christ...

    Not only has this been gone over every fucking time this story gets posted, but anyone with half a brain who has ever actually *read* the GPL knows it isn't a fucking GPL violation. The license SPECIFICALLY says you can bundle closed source stuff with downloads of GPL software. IT FUCKING CALLS OUT AGGREGATION OF PROGRAMS AS A SPECIFIC EXEMPTION.

    . . . In addition, mere aggregation of another work not based on the Program with the Program (or with a work based on the Program) on a volume of a storage or distribution medium does not bring the other work under the scope of this License.

    Fucking christ, you people are morons.

  5. Re:Fuck Sourceforge by Anonymous Coward · · Score: 4, Informative

    Changeable from preferences if I am not mistaken.

  6. Re:slashdot is still slashdot by vivaoporto · · Score: 4, Informative

    No, it's not. See the difference between the original submission and how it was changed below.

    To summarize, it was changed from "Fyodor accuses Sourceforge of hijacking nmap account" to "Fyodor warns that he doesn't control Sourceforge nmap mirror", among other things.

  7. Re:Fuck Sourceforge by 0100010001010011 · · Score: 5, Informative

    Some well known projects they've taken:


  8. Re:Project Removal? by davidleelambert · · Score: 5, Informative

    You can't. In particular,

    • "Has the project released files? If not, we will honor the removal request."
    • "Projects which have moved to another hosting provider are typically retained at SourceForge.net (though you can make a note on the project web site and project summary page directing users to the new home) for sake of retaining materials of historical value."
    • "Projects that are moving to closed source do not qualify for removal."
    --
    note: I have at least one, possibly two other, Slashdot accounts because OpenID creds can't be merged with an older acco