nmap Maintainer Warns He Doesn't Control nmap SourceForge Mirror
vivaoporto writes: Gordon Lyon (better known as Fyodor, author of nmap and maintainer of the internet security resource sites insecure.org, nmap.org, seclists.org, and sectools.org) warns on the nmap development mailing list that he does not control the SourceForge nmap project.
According to him the old Nmap project page (located at http://sourceforge.net/projects/nmap/, screenshot) was changed to a blank page and its contents were moved to a new page (http://sourceforge.net/projects/nmap.mirror/, screenshot) which is controlled by sf-editor1 and sf-editor3, in a pattern mirroring the much discussed takeover of the GIMP-Win page discussed last week on Ars Technica, IT World and eventually this week on Slashdot.
On Monday, Sourceforge promised to stop "presenting third party offers for unmaintained SourceForge projects," and to their credit Fyodor states, "So far they seem to be providing just the official Nmap files," but reiterates "that you should only download Nmap from our official SSL Nmap site: https://nmap.org/download.html." To browse the projects and mirrors currently controlled by SourceForge, you can look at these account pages: sf-editor1, sf-editor2, and sf-editor3.
To just refer this matter to law enforcement. They're putting together bundles specifically to shove spyware down people's throats. It's being done in such a way as to make uninformed users think they're the official page. I'm not normally one to say stuff like this, but sourceforge needs to have a visit from FBI and/or FTC over this.
I really admire slashdot editors freely accepting SF stories no matter how damaging they are.
Did you see a single newspiece/editorial on CNET news.com about the junk download.com bundles?
You know, it probably still shows up in a lot of searches.
Sounds like a problem with search engines. They should push sites carrying malware down the rankings, or off the list entirely. Has anyone reported Sourceforge to Google and other malware site list maintainers?
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
All they have to do is:
1) post a prominent disclaimer along with a link to an officially maintained source, if any.
2) only provide true read-only mirrors or, for truly-abandoned projects or projects with "political squabbles" that make it hard to know the "real, official" maintainer, true historical mirrors in an explicitly frozen state along with a statement explaining why the code is old.
3) prominently display an invitation to "official maintainers" to reclaim control of the repository or have the mirror deactivated once they prove who they are.
They can go one step further by pro-actively reaching out to currently affected projects and to projects they later identify as "abandoned on Sourceforge but still alive elsewhere."
They also need to apologize to affected developers and maintainers.
Why should they even bother?
1) They can still make money on web-site ads.
2) It will help boost their reputation and that of their corporate overlords, which will eventually translate into revenue.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
How does one permanently remove a project from SourceForge that has been transferred elsewhere so this does not occur?
the growth in cynicism and rebellion has not been without cause
Hi. Thanks for the submission.
In addition to editing your submission for brevity and minor grammatical issues, I edited it for factual accuracy as well. I'll first address your two main points.
1) The rest of the quote from SourceForge was trimmed because it wasn't relevant to the content of the submission. SF has been bundling their "third-party offers" with projects who explicitly opt into it for a long time — it's a known thing, and has been discussed at length. Second, according to Fyodor's own post, they weren't bundling anything with nmap.
2) The rest of the Fyodor quote was trimmed for a similar reason. It makes reference to fake download buttons and catching SF "trojaning" nmap. It's fine for Fyodor to editorialize as he pleases, but the first is a separate issue and the second is a non-event, so neither really has a place on this story.
The headline was changed for two reasons: First, Fyodor's account seems to still be under his control, and the nmap project seems to have been cloned/mirrored, so the references to hijacking the account lack clarity. Second, this is not actually new news. When the GIMP story broke, anyone with an interest could see what projects SF had taken over. Nothing actually changed for the project page Fyodor is posting about since the GIMP story broke — thus, the new information is simply that he's complaining about it. (Which is his right, of course.) I went ahead and posted the story for transparency's sake, and I added links at the bottom of the summary to the SF editor accounts, so people could easily see the full list of affected projects.