Slashdot Mirror


nmap Maintainer Warns He Doesn't Control nmap SourceForge Mirror

vivaoporto writes: Gordon Lyon (better known as Fyodor, author of nmap and maintainer of the internet security resource sites insecure.org, nmap.org, seclists.org, and sectools.org) warns on the nmap development mailing list that he does not control the SourceForge nmap project.

According to him the old Nmap project page (located at http://sourceforge.net/projects/nmap/, screenshot) was changed to a blank page and its contents were moved to a new page (http://sourceforge.net/projects/nmap.mirror/, screenshot) which is controlled by sf-editor1 and sf-editor3, in a pattern mirroring the much discussed takeover of the GIMP-Win page discussed last week on Ars Technica, IT World and eventually this week on Slashdot.

On Monday, Sourceforge promised to stop "presenting third party offers for unmaintained SourceForge projects," and to their credit Fyodor states, "So far they seem to be providing just the official Nmap files," but reiterates "that you should only download Nmap from our official SSL Nmap site: https://nmap.org/download.html."
To browse the projects and mirrors currently controlled by SourceForge, you can look at these account pages: sf-editor1, sf-editor2, and sf-editor3.

3 of 145 comments

  1. It's about time... by MikeRT · Score: 5, Interesting

    To just refer this matter to law enforcement. They're putting together bundles specifically to shove spyware down people's throats. It's being done in such a way as to make uninformed users think they're the official page. I'm not normally one to say stuff like this, but sourceforge needs to have a visit from FBI and/or FTC over this.

  2. slashdot is still slashdot by Ilgaz · Score: 5, Interesting

    I really admire slashdot editors freely accepting SF stories no matter how damaging they are.

    Did you see a single newspiece/editorial on CNET news.com about the junk download.com bundles?

  3. Sourceforge can go White Hat on this by davidwr · Score: 5, Interesting

    All they have to do is:

    1) post a prominent disclaimer along with a link to an officially maintained source, if any.

    2) only provide true read-only mirrors or, for truly-abandoned projects or projects with "political squabbles" that make it hard to know the "real, official" maintainer, true historical mirrors in an explicitly frozen state along with a statement explaining why the code is old.

    3) prominently display an invitation to "official maintainers" to reclaim control of the repository or have the mirror deactivated once they prove who they are.

    They can go one step further by pro-actively reaching out to currently affected projects and to projects they later identify as "abandoned on Sourceforge but still alive elsewhere."

    They also need to apologize to affected developers and maintainers.

    Why should they even bother?

    1) They can still make money on web-site ads.

    2) It will help boost their reputation and that of their corporate overlords, which will eventually translate into revenue.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.