Slashdot Mirror
SourceForge Responds To nmap Maintainer's Claims
An anonymous reader writes: A few days ago, the maintainer of nmap (an open source network mapping tool) complained that SourceForge had taken over the nmap project page. SourceForge has now responded with a technical analysis of the nmap project history. They said, "We've confirmed conclusively that no changes were made to the project or data, and that all past download delivery by nmap on SourceForge was through our web hosting service where content is project-administered."
They detail the history of services used by the nmap project, and use screenshots from the Internet Archive to show how long the project was empty. SourceForge said, "The last update date in 2013 relates to the migration of the nmap project (along with all other projects on the site) from SourceForge's sfx code base to the new Apache Allura-based code base. This migration was an automated operation conducted for all projects, and this platform change did not augment data in the Project Web service or File Release System. We therefore conclude that no content has been removed from the nmap project page." They also confirmed that nmap downloads were never bundled with ads: "Infosec professionals do not generally wish to install secondary offers." Note: SourceForge and Slashdot share a corporate overlord.
They detail the history of services used by the nmap project, and use screenshots from the Internet Archive to show how long the project was empty. SourceForge said, "The last update date in 2013 relates to the migration of the nmap project (along with all other projects on the site) from SourceForge's sfx code base to the new Apache Allura-based code base. This migration was an automated operation conducted for all projects, and this platform change did not augment data in the Project Web service or File Release System. We therefore conclude that no content has been removed from the nmap project page." They also confirmed that nmap downloads were never bundled with ads: "Infosec professionals do not generally wish to install secondary offers." Note: SourceForge and Slashdot share a corporate overlord.
"Infosec professionals do not generally wish to install secondary offers."
WTF? Nobody with a clue wants to install "secondary offers". Otherwise we'd seek that crap out and install it ourselves, dumbasses...
Quo usque tandem abutere, Nimbus, patientia nostra?
Here's your problem, SourceForge. You've abused your trust with the community. Why should the community trust you? Even the evidence you provide requires the community to trust you haven't been doing nefarious things to ensure the evidence looks good later on when you need it. Sure, it's far fetched.
And 15 years ago, I would have said it's far fetched that SourceForge would include malware with their downloads. Today? We're a stepping stone away.
How can SourceForge fix this? I don't know. I simply don't get myself into this sort of situation in the first place, so I don't have to weasel my way out of them.
Must be nice for Sourceforge. Controlling the message via slashdot. Listen, no one wants malware. You can shine it up and call it "a secondary offer" but it's still junk. I hope as time goes on more people realize what a virusden that site is and more people rely on github
"We" haven't come to anything. You're not part of any major projects and have no say in any of this. You're just a worthless spectator.
You can't. As in the case of GIMP, they took control from the guy who owned the actual dev account for the project, took new binaries from the official GIMP site, put their malware in and called it a day.
Shut down if you like, watch as they reopen a "mirror" of your project.
Just shut every fucking site you've purchased down already. I can't imagine you guys EVER regaining whatever credibility you might have thought you had. Your websites are bleeding to death while you're picking their pockets for every last penny you can find.
You've "won". It's over. Shut them all down.
I'm sure "SlashdotMedia" will improve on all the wonders that Dice Holdings blessed us all with
+1 for this, and a strong caution about using someone else's server to host your stuff. One day, Github might well end up doing the same thing (yeah, I know it seems unthinkable now, but SF looked pretty cool and was never going to do something like this just a few years ago too).
PS. This post noticed that you have a virus on your PC. Please download AwesomeSuperWhizzoCrap and run it to fix the problem.
That's what I'm doing.
Hope to have my SF projects migrated after the weekend.
My actively developed projects are already on GitHub.
But just because a project isn't active doesn't mean it's dead; it just means there has been no need (or requests) for changes.
Luckily none are big enough to be near the top of SF's "loot-&-pillage" list.
But even then, this seems to me to be the last dying breaths of SourceForge.
I don't expect them to exist in any recognizable form this time next year.
Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
This is the crux of the issue.
When SF takes over a page and replaces an installer from the project with an SF program; it's deceptive and fraudulent.
If that SF program is a modified binary, a modified installer, or even a "download helper" or a wrapper around the original installer which prompts for crapware; SF is misrepresenting the download as coming from the project rather than SF unless stated clearly otherwise.
When a user downloads this fraudulent download, they blame the crapware on the project authors and not SF. This isn't simply a theory - the feedback on many projects includes numerous negative reviews due to this crapware which they falsely attribute to the project creators. This negatively impacts the projects and their reputations with their users. Real financial harm could be done if fewer donations are made due to the harmed reputations - or support contracts not renewed due to suspicions.
I believe SF's recent assertion that they will no longer do this is, at least in part, because they know this sort of activity will not stand up in a court of law and it is detrimental not only the projects they've vandalized, but to themselves in showing their poor character and lack of trustworthiness in choosing to implement such a scheme to begin with. Stopping the harmful practice does not undo the harm already done, so it would be nice to see some legal recourse to inspire fear in those who would dare to do this sort of thing in the future.
Even when an author approves such nefarious wrappers and crapware through an agreement, SF is using deceptive practices towards users by not clearly distinguishing their regular binary downloads from crapware downloads. The same green "download" button appears in either case, but with crapware there is sometimes a small print of "installer enabled" and an "i" in a circle one can hover over which will display that there may be crapware in the installer. In filezilla's case, it warns of an ad-supported installer.
http://sourceforge.net/project...
IMHO, there should be clear distinctions between binaries offered by (or approved by) the project author and those offered or modified by SF as well as clear indications of when one is downloading a "download helper" or advertisement supported downloader or installer.