SourceForge Responds To nmap Maintainer's Claims

An anonymous reader writes: A few days ago, the maintainer of nmap (an open source network mapping tool) complained that SourceForge had taken over the nmap project page. SourceForge has now responded with a technical analysis of the nmap project history. They said, "We've confirmed conclusively that no changes were made to the project or data, and that all past download delivery by nmap on SourceForge was through our web hosting service where content is project-administered."

They detail the history of services used by the nmap project, and use screenshots from the Internet Archive to show how long the project was empty. SourceForge said, "The last update date in 2013 relates to the migration of the nmap project (along with all other projects on the site) from SourceForge's sfx code base to the new Apache Allura-based code base. This migration was an automated operation conducted for all projects, and this platform change did not augment data in the Project Web service or File Release System. We therefore conclude that no content has been removed from the nmap project page." They also confirmed that nmap downloads were never bundled with ads: "Infosec professionals do not generally wish to install secondary offers." Note: SourceForge and Slashdot share a corporate overlord.

Nice phrasing dice

There's no apologizing for the malware spewing shitfest that SF has become. Do the right thing and close the site.

How long until you guys face trademark lawsuits from the ors and foundations that don't want to be associated with your site?

Because that's the next step. I'm surprised it's not happened already.

Re:Nice phrasing dice

[WCMI92]

Sourceforge might as well be The SCO Group now with what it's done with it's reputation. And I don't see how bundling spyware with GPL'ed code isn't a GPL violation.

I know I'll never download anything there again.

Obvious solution

[gatkinso]

Migrate to github. Shut down SF repo.

Re:Obvious solution

You can't. As in the case of GIMP, they took control from the guy who owned the actual dev account for the project, took new binaries from the official GIMP site, put their malware in and called it a day.

Shut down if you like, watch as they reopen a "mirror" of your project.

Re:Obvious solution

[coofercat]

+1 for this, and a strong caution about using someone else's server to host your stuff. One day, Github might well end up doing the same thing (yeah, I know it seems unthinkable now, but SF looked pretty cool and was never going to do something like this just a few years ago too).

PS. This post noticed that you have a virus on your PC. Please download AwesomeSuperWhizzoCrap and run it to fix the problem.

Re:Obvious solution

[mwvdlee]

That's what I'm doing.

Hope to have my SF projects migrated after the weekend.
My actively developed projects are already on GitHub.

But just because a project isn't active doesn't mean it's dead; it just means there has been no need (or requests) for changes.

Luckily none are big enough to be near the top of SF's "loot-&-pillage" list.
But even then, this seems to me to be the last dying breaths of SourceForge.
I don't expect them to exist in any recognizable form this time next year.

Re:Obvious solution

[plopez]

Welcome to the cloud.

Re:Obvious solution

[david_thornley]

They can reuse code all they want, within the confines of the license, but they can't do the same with trademarks. I think we need to think harder about them.

Public Relations Arm

Must be nice for SourceForge to have their own Public Relations arm now via slashdot. Just post the story you want, say "Nah - It's fine trust us" and then boost it to the front page of /.

I'll await my downvotes

dafuq?

[Penguinisto]

"Infosec professionals do not generally wish to install secondary offers."

WTF? Nobody with a clue wants to install "secondary offers". Otherwise we'd seek that crap out and install it ourselves, dumbasses...

Re:dafuq?

[dunkindave]

"Infosec professionals do not generally wish to install secondary offers."

WTF? Nobody with a clue wants to install "secondary offers".

That's the point. Infosec professionals normally have a clue, and the general population in general does not. Desire isn't the problem, understanding the situation is.

No Trust

Here's your problem, SourceForge. You've abused your trust with the community. Why should the community trust you? Even the evidence you provide requires the community to trust you haven't been doing nefarious things to ensure the evidence looks good later on when you need it. Sure, it's far fetched.

And 15 years ago, I would have said it's far fetched that SourceForge would include malware with their downloads. Today? We're a stepping stone away.

How can SourceForge fix this? I don't know. I simply don't get myself into this sort of situation in the first place, so I don't have to weasel my way out of them.

Re:No Trust

[emho24]

Attempting to download software from SF is such a disgusting process, it's similar to negotiating with a car salesman. You will be taken advantage of at every opportunity, and if you don't have your guard up at all times you will be hurt. I'm forever done with SF. I nearly exclusively use Chrome as my browser of choice so 2 browser plugins make sure I never visit that site again. "Personal Blocklist (by Google)" will makes sure that no SF results get returned in a Google search, and "Block site" will make sure that I cant navigate there by manually typing in a url.

Changes

[BradleyUffner]

We've confirmed conclusively that no changes were made to the project or data

other than the parts we changed.

Re: Changes

[Scotsman,+True]

I heard it's twice as bad as 4chan

Re:Changes

[KGIII]

The problem I have, and I suspect I am not alone but I have not read any comments about this, is that they can say these things but I simply can not trust them. I was installing an application that I had seen linked from a comment in here. I do not need to shame them. That application installed what was basically a wrapper and I had selected to install a YouTube viewing agent. During the install, and I watch carefully, they downloaded the application separately as it is not a part of the main application. This downloaded application was from SourceForge. I had to scan my machine with my regular AV, I then had to scan it with MBAM - to be sure, and then I went through the registry and the application's folder to look for anything suspicious. Fortunately, there was nothing that was detected or that I could detect. Maybe it is time for me to move to Linux all the time (I use a few distros very often, only the desktops are used for Windows and those are often dual-boot.) and just use Windows in VM? I do not need Windows but I prefer it in many areas.

Controlling the message

[buk110]

Must be nice for Sourceforge. Controlling the message via slashdot. Listen, no one wants malware. You can shine it up and call it "a secondary offer" but it's still junk. I hope as time goes on more people realize what a virusden that site is and more people rely on github

Re:Controlling the message

[sentientbeing]

Can I have your ID

Re:Slashdot is Bullshit

"We" haven't come to anything. You're not part of any major projects and have no say in any of this. You're just a worthless spectator.

Re:Slashdot is Bullshit

Khyber, does that mean you're leaving Slashdot?

Sourceforge eats good software and shits it.

[Needs2BeSaid]

They ruined Filezilla
They pissed of GIMP.org
.... now nmap.

Re: Sourceforge eats good software and shits it.

Not defending SF here, but they didn't ruin Filezilla- the creator of Filezilla did. He chose to bundle the SF filezilla download with crapware and is adamantly FOR it and claims it is useful and people like it.

Re:Slashdot is Bullshit

[msobkow]

Who is this ranting, cross-posting idiot with a "mission"? Why should anyone give a damn about them posting the same drivel over and over to every comment branch on this thread?

That's it- I'm out

[eigenstates]

No more DHI Group anything, ever.

You want to bitch about it- call these people- don't even bother posting here:

http://www.dhigroupinc.com/investors/corporate-governance/default.aspx

Dice is rape

[Megaweapon]

Just shut every fucking site you've purchased down already. I can't imagine you guys EVER regaining whatever credibility you might have thought you had. Your websites are bleeding to death while you're picking their pockets for every last penny you can find.

You've "won". It's over. Shut them all down.

Re:Alternatives

[eigenstates]

Try looking for good subs on Reddit. If you get rid of the defaults and just use your own, it can be a pretty good place.

What about the others?

[0100010001010011]

Some other projects SourceForge has taken:

• Evolution
• Firefox
• MySQL
• PostgreSQL
• openvz
• Apache HTTP Server
• Apache Hadoop
• SQLite
• SWRare Iron
• Thunderbird
• The R Project
• NetBeans IDE

Those authors haven't gotten up in arms yet but they could (Especially with Firefox's defense of its logo/name for anyone not them)

Your comment has too few characters per line (currently 11.7).

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Integer nec odio. Praesent libero. Sed cursus ante dapibus diam. Sed nisi. Nulla quis sem at nibh elementum imperdiet. Duis sagittis ipsum. Praesent mauris. Fusce nec tellus sed augue semper porta. Mauris massa. Vestibulum lacinia arcu eget nulla. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos.

And?

[gstoddart]

"Infosec professionals do not generally wish to install secondary offers."

Honestly, who the fuck does?

I get the sense they didn't do this because they knew Infosec professionals would pillory them, but they're more than willing to embed shit in everything else.

Too little, too late there Sourceforge.

In defense of SourceForge

[davidleelambert]

The "nmap" project really is just a "placeholder". The FRS part is completely empty. If Fyodor doesn't want to put the current release there because of staleness concerns, fine, but it would be polite to at least put a "README.txt" there with a link to the real distribution-site and an explanation of why he chooses not to host the files on SourceForge.

And I'm not happy about all the recent changes (dropping OpenID authentication, for example), but other changes in the last year or so have been positive, SF is still a reasonable place to host a project, and it's good to not have all eggs in the one basket of GitHub. The field of core-technology-agnostic open-source hosting is shrinking, note last week's termination of CodeHaus and the in-process termination of Google Code (which offers a migrate-to-GitHub service, but also provides a link to SF's migrate-from-Google-Code service).

Re:In defense of SourceForge

[JohnFen]

SF is still a reasonable place to host a project

SourceForge hasn't been a reasonable place to host a project for years now, and it hasn't been getting any better. I wouldn't touch SF with a ten foot pole, either to host my projects or to download other projects.

Which is a shame. I remember when SF was great.

If they're to be believed...

[aardvarkjoe]

If Sourceforge is to be believed -- that all they did was create a mirror, without touching the owner's page -- then that's not in itself a bad thing to do. Providing mirrors of open-source software would be perfectly acceptable for another organization.

But this isn't another organization, this is Sourceforge. They've already demonstrated that they have no qualms about using their "mirrors" to distribute malware by misrepresenting the content of the downloads. Therefore, they have no credibility to be running a mirror, and nobody should trust anything that comes from their download pages.

Re:Wait a mainute, did I read that correctly?

[davidleelambert]

Fyodor's original message to the "Nmap Development" list includes the following claim:

The old Nmap project page is now blank:

http://sourceforge.net/projects/nmap/

It's true that if you go to the "files" tab you won't see any files. However, the SF blog posting says that Fyodor never put anything in the File Release System, so "now blank" is literally accurate but misleading. It implies that SF deleted something, which they didn't.

You can't, and that's the problem

[bradley13]

That's the problem: you can't shut down a SourceForge project. If you try - if your project is popular enough - they will "provide a service to the community" by mirroring your new project page. With ads. And malware.

They've found a way to abuse open source. Precisely because it is open source, they can create a mirror. The only thing that will stop them is publicity - like this has been receiving. I assume that most techies stopped going to SF a year or two ago, when they started with the malware wrappers. Anyone who wasn't put off by that, will surely now be put off.

I would actually prefer that people not all go to GitHub - it's already getting too big and too influential. Bigness seems to inevitably lead to evilness, sooner or later. It would be better to spread hosting around on many different services. We then just need a couple of central directories that say where a particular project's homepage is. If a directory turns evil, that's easier to replace than a whole hosting service.

Soylent News Looks pretty good

[FreeUser]

As a result of this, I've been looking for a slashdot alternative, since I expect Dice to wreck this site as well in the not to terribly distant future. Sad, because I've been here for years.

Anyway, Soylent News looks promising:

https://soylentnews.org/ ... anyone have any other suggestions? Kiro5hin looked good at one time, but went full-bore political.

Re:Soylent News Looks pretty good

[0100010001010011]

There are some problems with Reddit that I would like to see addressed in Slashdot's successor.

1) Long posts aren't really valued. It's post as fast as you can, as much as you can. Anything longer than a paragraph and people won't read it or want a tl;dr:

2) I liked having taxonomy in voting. +5 funny should be different than +5 informative. Maybe not as many as Slashdot has but

3) Posts limited to -2 to +5. No band-wagoning 1000 points.

4) You couldn't vote and comment on the same thread. Points were also handed out at random. I would take the full 15(?) days to use all my points to make sure I allocated them 'best'.

There are also some things that Reddit does right.

Markdown. It's a lower cost of entry. Not everyone knows HTML these days, I know it's 'news for nerds' but Markdown is much easier and faster to type.

Logging Out

[l0ungeb0y]

I know that people posting "I'm done here" is usually a sign over short term anger -- but I am feeling utterly compelled to abandon this site. After the years of general decline and now these actions by Dice Network I really don't see any other option.

Seeing the abuse of SourceForge by Dice was cause for concern
Seeing that they were actively denying the acceptance of stories reporting this was distasteful
Seeing the earlier Slashdot "story" that essentially put words in the complaining code maintainers mouth while downplaying everything was alarming
Being fed this one sided propaganda piece by Dice/Sourceforge/Slashdot is simply taking things too far.

Fact of the matter is people put their trust into SourceForge to host their code repos -- SourceForge decided to no longer act as a trusted partner and started hijacking popular software to repackage it with adware for their own profit -- profits not share with the creators or maintainers of the software nor done with their consent.

Such behavior is exploitative to those who have labored to create those OSS Projects and SourceForge's actions not only damage their relationship with the Developers of those projects, but is an affront to the entire OSS Community world wide.

Due to the actions of Sourceforge and The Dice Network's use of Slashdot as a propaganda tool to first quash all discussion of their actions then disseminating these ridiculously slanted "stories", has caused Slashdot to lose all credibility. I now see Slashdot as a news source to be on the level I view FOX News and will for now on hold them in the same regard

*logging out*

Re:Alternatives

[0100010001010011]

It's worse. Their CEO is married to a guy that ran a ponzi scheme. They try to shoehorn SJW into everything. Some of us just want a place to talk the merits of tech.

Re:Slashdot is Bullshit

[Ramze]

This is the crux of the issue.

When SF takes over a page and replaces an installer from the project with an SF program; it's deceptive and fraudulent.

If that SF program is a modified binary, a modified installer, or even a "download helper" or a wrapper around the original installer which prompts for crapware; SF is misrepresenting the download as coming from the project rather than SF unless stated clearly otherwise.

When a user downloads this fraudulent download, they blame the crapware on the project authors and not SF. This isn't simply a theory - the feedback on many projects includes numerous negative reviews due to this crapware which they falsely attribute to the project creators. This negatively impacts the projects and their reputations with their users. Real financial harm could be done if fewer donations are made due to the harmed reputations - or support contracts not renewed due to suspicions.

I believe SF's recent assertion that they will no longer do this is, at least in part, because they know this sort of activity will not stand up in a court of law and it is detrimental not only the projects they've vandalized, but to themselves in showing their poor character and lack of trustworthiness in choosing to implement such a scheme to begin with. Stopping the harmful practice does not undo the harm already done, so it would be nice to see some legal recourse to inspire fear in those who would dare to do this sort of thing in the future.

Even when an author approves such nefarious wrappers and crapware through an agreement, SF is using deceptive practices towards users by not clearly distinguishing their regular binary downloads from crapware downloads. The same green "download" button appears in either case, but with crapware there is sometimes a small print of "installer enabled" and an "i" in a circle one can hover over which will display that there may be crapware in the installer. In filezilla's case, it warns of an ad-supported installer.

http://sourceforge.net/project...

IMHO, there should be clear distinctions between binaries offered by (or approved by) the project author and those offered or modified by SF as well as clear indications of when one is downloading a "download helper" or advertisement supported downloader or installer.

Can't copyright be used against this?

[foreverdisillusioned]

If you copyright your project's name and logo, shouldn't you be able to demand that it be re-branded? See: Icecat/Ice Weasel, CentOS, etc. The code stays open source, but SF would have to rename it and give it a different icon and that should hopefully alert anyone who has half a clue.