Slashdot Mirror


SourceForge Tightens Security With Malware Scans (fossforce.com)

Christine Hall at FOSS Force reports: It appears as if the new owners at SourceForge are serious about fixing the mistakes made by the site's previous owners. FOSS Force has just learned that as of today, the software repository used by many free and open source projects is scanning all hosted projects for malware. Projects that don't make the grade will be noticeably flagged with a red warning badge located beside the project's download button. According to a notice posted on the SourceForge website this afternoon, the scans look for "adware, viruses, and any unwanted applications that may be intentionally or inadvertently included in the software package." Account holders with projects flagged as containing malware will be notified by SourceForge. In today's announcement, SourceForge said that a thousand or so of the site's most popular projects [representing 84% of all SourceForge traffic] have so far been scanned, with scans continuing to eventually include "every last project, even dating back years." As the site hosts somewhere around 500,000 projects, this first scanning is expected to take several weeks. The company also says that beginning immediately, all new projects will be scanned during the uploading process. This latest move is in keeping with promises made to the community when the new owners, SourceForge Media, took control of SourceForge and Slashdot on January 28, 2016.

84 comments

  1. Certainly can't hurt by mhkohne · · Score: 4

    Nicely done guys. Sourceforge had definitely gone down the toilet in my eyes. We'll see how it pans out going forward, but this can't hurt.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    1. Re:Certainly can't hurt by ITRambo · · Score: 3

      It takes time to repair a "handyman special" that's been abused and in need of serious repair. They're doing a good job so far.

    2. Re:Certainly can't hurt by Anonymous Coward · · Score: 1

      Hear, hear! Nice to see the changes happening at Sourceforge.

    3. Re: Certainly can't hurt by whipslash · · Score: 1

      Traffic and comments are actually up vs the same period last year

    4. Re: Certainly can't hurt by nullchar · · Score: 2

      I don't have real data, but anecdotally this "feels" accurate to me. (Very long-time /. reader so I've seen the ups and downs.)

      I would say total story comment counts were quite low from autumn 2015 through winter 2016 but have risen this spring.

      Easy to compare "today" (meaning each day) to prior years using the old side-bar widget that showed past high-comment stories on the same day. Recent years are dramatically lower than past years, but the trend appears to be going back up.

      Perhaps some researchers could get a dump of stories with comment counts, then chart them? (It should be possible to scrape if someone had the time.) Easy to see seasonality like northern hemisphere summer vacations for students.

    5. Re: Certainly can't hurt by Anonymous Coward · · Score: 0

      Which acquisition? The Dice Holding one that killed S/F and /.? Or the latest that may salvage something of the old sites.

    6. Re:Certainly can't hurt by Anonymous Coward · · Score: 0

      Trains kind of left the station in some ways. Why choose sourceforge when you can host the code on github, and use a combination of Travis and AppVeyor to get automated downloadable binaries upon every new commit? Makes zero sense to use sourceforge these days; everything about it is less useful.

    7. Re: Certainly can't hurt by AmiMoJo · · Score: 1

      I've been thinking about what I'd like from a Github like service. Maybe we can share some ideas for Sourceforge to consider.

      Apart from the obvious one (lower prices), maybe integration with other version control systems that aren't Git. A better system for releasing binaries and tagged versions. Better tools and easier access for non-programmers who want to contribute documentation. Imagine if we could get Wikipedia levels of participation for open source documentation.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re:Certainly can't hurt by Shoten · · Score: 2

      I can't believe they weren't doing this to begin with; it seems incredibly irresponsible to host a software repository in this day and age but not make sure that you're not distributing malware in the process.

      Another way that SourceForge Media is fixing broken things...way to go!

      --
      For your security, this post has been encrypted with ROT-13, twice.
    9. Re:Certainly can't hurt by LesFerg · · Score: 1

      It takes time to repair a "handyman special" that's been abused and in need of serious repair. They're doing a good job so far.

      A good job? I was disappointed to see a large central ad on their downloads page, just last week, featuring the title "Start your download now" followed by a large green download button.

      While somebody familiar with their downloads page will recognize what that is, a less experienced person trying to download my app could make a serious mistake there. I thought somebody said they were going to clean up that kind of crap?

      --
      If I had a DeLorean... I would probably only drive it from time to time.
  2. Do not trust Sourceforge by Anonymous Coward · · Score: 0

    Followed a link off slashdot to SourceForge's "top downloads" and it was riddled with so much malware I had to use a backup and reinstall. Since then I block all advertising from slashdot and EVERYTHING from sourceforge.

    BLACK LISTED

    1. Re:Do not trust Sourceforge by whipslash · · Score: 2

      When was this?

    2. Re:Do not trust Sourceforge by Anonymous Coward · · Score: 0

      Early winter of this year 2016. The Azureus/Vuze link. Was loaded with malware when I went to install and couldn't stop it in time. Had to reinstall from a backup.

    3. Re:Do not trust Sourceforge by whipslash · · Score: 4, Informative

      Sorry about that. We only purchased SourceForge on January 28th and started making improvements after that.

    4. Re:Do not trust Sourceforge by BlackPignouf · · Score: 1

      To be fair, Azureus was great but Vuze is a piece of malware shit.
      It might not even be related to Sourceforge.

  3. Great. Now all it needs is a build system. by Anonymous Coward · · Score: 0

    This is a great step to keep people from bundling stuff in their installers. However, I can't help but think that what SF or some FLOSS hub needs is a build system built right in for releases. That would help prevent many problems (like Windows balking at unsigned installers and the like) and help restore trust in the final product. It would also set them apart from the competitors and make the software easier to use on Windows, the majority of the market. Finally, accountability could be set up by having the certificates trace back to the project name (if you see FileZilla installed by a cert not for SF.net/p/filezilla, then you know there is trouble).

  4. I hope FileZilla rots in hell by Anonymous Coward · · Score: 0

    and Botg can go suck rotten eggs for eternity. https://forum.filezilla-project.org/viewtopic.php?f=1&t=36762

    I've moved to WinSCP and never looked back.

  5. Slashdot was sold? by 110010001000 · · Score: 1

    I must have missed something. Someone bought slashdot? For how much?

    1. Re:Slashdot was sold? by Anonymous Coward · · Score: 0

      Whipslash (look a little further up the page, he's really involved with the site) bought it. https://slashdot.org/~whipslash

    2. Re:Slashdot was sold? by whipslash · · Score: 4, Informative

      Yes we purchased Slashdot and SourceForge in late January: https://meta.slashdot.org/stor... ... Terms of the deal unfortunately do not allow me to disclose for how much

    3. Re:Slashdot was sold? by Anonymous Coward · · Score: 0

      tree fiddy

    4. Re:Slashdot was sold? by MightyMartian · · Score: 1

      For enough that you have to shove advertising down our throats again. I have to say I'm totally thrilled with what Kelly said... Not sure who Kelly is, but it must be important.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    5. Re:Slashdot was sold? by 110010001000 · · Score: 3

      Congrats! The site does seem a bit better lately.

    6. Re:Slashdot was sold? by whipslash · · Score: 2

      Thanks. We're doing our best.

    7. Re:Slashdot was sold? by Anonymous Coward · · Score: 0

      Terms of the deal unfortunately do not allow me to disclose for how much

      See that button, "Post as Anonymous Coward"...? ;)

    8. Re:Slashdot was sold? by Anonymous Coward · · Score: 1

      Something that would be trivial to implement and only sourceforge.jp has (or had) is MD5 and SHA256 sums of the binaries.

      Very often SF mirrors don't use HTTPS and usually I download the same executable from within 3 different networks in different countries to make sure nothing has been tampered with in transit.
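An added example (not code from this thread or from SourceForge) of the two checks the comment above describes: parsing a sha256sum-style manifest and comparing copies of the same binary fetched over several mirrors against the manifest and against each other. The mirror names, file bytes and manifest are constructed sample data.

```python
"""Cross-mirror download verification (added example, constructed data).

Plain-HTTP mirrors give an on-path attacker a chance to swap the binary.
Two defences: compare against a published SHA-256 sum, and, when no sum is
published, compare independent fetches so a tampered copy is the odd one out.
MD5 sums (also mentioned in the thread) only catch accidental corruption;
collisions are practical, so they are no defence against deliberate swaps.
"""
import hashlib
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: the same file as returned by three mirrors.
# The copy from mirror C has one byte altered in transit.
GENUINE = b"MZ\x90\x00fake-installer-bytes-for-demo\n"
FETCHED: Dict[str, bytes] = {
    "mirror-a.example (https)": GENUINE,
    "mirror-b.example (http)": GENUINE,
    "mirror-c.example (http)": GENUINE.replace(b"demo", b"dem0"),
}

# Constructed manifest in the format `sha256sum` emits: "<hex>  <name>".
MANIFEST = (
    hashlib.sha256(GENUINE).hexdigest() + "  setup.exe\n"
    "0000000000000000000000000000000000000000000000000000000000000000  other.zip\n"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_manifest(text: str) -> Dict[str, str]:
    """Map filename -> expected lowercase hex digest from a sha256sum file."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        # sha256sum marks binary-mode entries with a leading '*' on the name.
        name = name.lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"not a SHA-256 digest: {line!r}")
        expected[name] = digest.lower()
    return expected


def verify_copies(copies: Dict[str, bytes], expected_hex: str) -> Tuple[bool, List[str]]:
    """Return (all_ok, mirrors whose copy does not hash to the manifest value)."""
    bad = [m for m, data in copies.items() if sha256_hex(data) != expected_hex]
    return (not bad, bad)


def odd_ones_out(copies: Dict[str, bytes]) -> List[str]:
    """No manifest available: majority vote across mirrors, return the minority.

    This only helps when the attacker controls a minority of the paths, which
    is why the comment fetches from networks in different countries.
    """
    digests = {m: sha256_hex(d) for m, d in copies.items()}
    majority, _ = Counter(digests.values()).most_common(1)[0]
    return [m for m, h in digests.items() if h != majority]


if __name__ == "__main__":
    expected = parse_manifest(MANIFEST)["setup.exe"]
    ok, bad = verify_copies(FETCHED, expected)
    print("all copies match manifest:", ok)
    for mirror in bad:
        print("MISMATCH from", mirror)
    print("odd ones out by majority vote:", odd_ones_out(FETCHED))
```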

    9. Re:Slashdot was sold? by AmiMoJo · · Score: 2

      Thanks, your efforts are really appreciated.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:Slashdot was sold? by b1ng0 · · Score: 1, Offtopic

      Sale price was $2.8M

    11. Re:Slashdot was sold? by laurencetux · · Score: 1

      there are most likely tripwires set up so that if the amount leaks EVERYBODY that knows the number loses money.

    12. Re:Slashdot was sold? by whipslash · · Score: 1

      Thanks for commenting twice about this. We included our own post in the description, but many people prefer seeing a third party source report on this as well rather than just directly posting our own announcements.

  6. Good to see positive changes by chr1st1anSoldier · · Score: 2

    I'm glad to see the positive changes made by SF. I've always hoped they would come back around for the better. Maybe, with some luck, freshmeat.net can come back too.

    1. Re:Good to see positive changes by ChristophWeber · · Score: 1

      Maybe, with some luck, freshmeat.net can come back too.

      Don't hold your breath on freshmeat.net. We removed its name from slashdotmedia.com's header this morning.

    2. Re:Good to see positive changes by chr1st1anSoldier · · Score: 1

      Dang, I really liked that site too. Used to be _the_ place to go look if you wanted to find some software. Then they added themes and all that on there, it was great. It's a shame that freshmeat has faded away into obscurity. :(

  7. What about SF's own crap? by tlhIngan · · Score: 2

    A lot of people abandoned SourceForge because they started bundling crap with all the installers. Does their scanner catch those as well, or are they going to blame the project owners for what SF did to their binaries?

    1. Re:What about SF's own crap? by whipslash · · Score: 5, Informative

      We got rid of those bundled installers shortly after purchasing SourceForge: https://news.slashdot.org/stor...

    2. Re: What about SF's own crap? by Anonymous Coward · · Score: 1

      awesome :)

    3. Re:What about SF's own crap? by Anonymous Coward · · Score: 0

      SF looks like shit by today's standards. Not sure if they still have the dancing jingling animated "download" button ads, but I have put the site on permanent blacklist for good.

    4. Re:What about SF's own crap? by whipslash · · Score: 1

      Ads with "Download" buttons in them have been eliminated from the site.

    5. Re:What about SF's own crap? by Anonymous Coward · · Score: 0

      There are still ads with black buttons with green arrows on them. They have text saying things like "Try it now!". These could be easily confused with download buttons.

      The situation is far better than before, but there is still room for improvement.

    6. Re:What about SF's own crap? by LesFerg · · Score: 1

      A lot of people abandoned SourceForge because they started bundling crap with all the installers.

      No they did not. It was never done to all installers. Can't you even get your facts straight? The revenue related advertising and co-install bundling option was offered to project owners as an option. It was never forced on them. Sometime later on a bad decision was made to repackage projects which looked like they had been abandoned, but even that bad decision affected a relatively small number of projects, not all projects. Admittedly it was a bastardly thing to do to a previously trusted application though.

      --
      If I had a DeLorean... I would probably only drive it from time to time.
    7. Re:What about SF's own crap? by LesFerg · · Score: 1

      Ads with "Download" buttons in them have been eliminated from the site.

      No they have not. I saw a large "Start your download now" ad, with large green download button, top center of the download page just last week. I was very disappointed.

      --
      If I had a DeLorean... I would probably only drive it from time to time.
    8. Re:What about SF's own crap? by whipslash · · Score: 1

      Some slip through programmatic advertising channels, but they are typically removed as soon as they are caught and then that advertiser is banned from the site. We will have a self-serve reporting option attached to each ad very soon so that they are reported and removed ASAP. The vast majority of them are gone.

  8. Re:Great. Now all it needs is a build system. by h2oliu · · Score: 1

    The problem with a signed build system, is what happens when malware is developed within Sourceforge? Upload the software, build it. Generate signed malware for installation. Sure Filezilla might have a l. But then what about the cert for SF.net/calculator?

    --
    Ok, I give up, why you?
  9. Rolling back the tide will be hard by Anonymous Coward · · Score: 0

    Last time I came across it, Slashdot was still flagged by uBlock Origin. With github providing an arguably more modern experience, it seems that bringing users back would be a tall order.

  10. Applause required, but by wbr1 · · Score: 2

    What is up with not being able to disable ads on /.? If you are removing this feature, announce it. Don't just break it.

    --
    Silence is a state of mime.
    1. Re:Applause required, but by dstyle5 · · Score: 1

      Although I did not have this option enabled, a comment on its demise would be appropriate. I can't find it anymore either.

    2. Re:Applause required, but by EmeraldBot · · Score: 1

      What is up with not being able to disable ads on /.? If you are removing this feature, announce it. Don't just break it.

      Interesting. The last several weeks it wasn't working for me, but it started to do so again about maybe a week ago. It appears to be broken for some users then, and work for others, although pretty arbitrarily...

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    3. Re:Applause required, but by Anonymous Coward · · Score: 0

      I travel the world (wide web) with JavaScript disabled. I'm okay with traditional jpeg and text adverts, but mass deep packet inspection slows down my American Internet enough already, I don't want to wait for rubbish to get scanned just to browse content.

    4. Re:Applause required, but by Anonymous Coward · · Score: 0

      Disable javascript or run adblock. I had been doing that for years, but I've recently started using a separate browser that allows ads just for slashdot. I do copy the external links to another browser when I want to view them.

  11. Filezilla by Anonymous Coward · · Score: 0

    FileZilla from the old SourceForge got me a couple times with its bundled software which caused me to abandon SF after rebuilding affected machines -- while I'm happy with the corrections that SF is making, it looks like the maintainer of FileZilla isn't ready to give up bundled software (mouse over the 64 bit Windows FileZilla download link on the official site)

    Can someone please take over or branch this open source software?

    1. Re:Filezilla by whipslash · · Score: 1

      Yes, he stopped linking to the SourceForge FileZilla project page from his own site after we told him he cannot bundle software with the project anymore.

    2. Re:Filezilla by oddware · · Score: 1

      weird, any more info on this? just checked the download links on the filezilla home page [https://filezilla-project.org/] and everything was pointing to source forge.

      Have been using it for years, hope they are not going down the tubes.
      Does anyone have any suggestions for a linux based alternative to filezilla?

    3. Re:Filezilla by whipslash · · Score: 1

      It may depend on what OS you're using right now. On this Mac I am seeing no link to SourceForge here: https://filezilla-project.org/... . I've checked on Windows as well but not Linux. You can always download it from SourceForge as we do not allow FileZilla to bundle anymore: https://sourceforge.net/projec...

    4. Re:Filezilla by oddware · · Score: 2

      I was wondering if it's because i am on linux, weird it would replace the download links for windows installers on the "additional download options" just because i am on linux.....unless they think i intend to run it via wine and the "value add" software is not compatible.
      Thanks for the info, great to see you are trying to turn source forge around.

    5. Re:Filezilla by oddware · · Score: 2

      Just messed with the user agent string, now i see it....sneaky.

    6. Re: Filezilla by Anonymous Coward · · Score: 0

      He said "a Linux alternative to Filezilla"... That's funny!

    7. Re:Filezilla by CronoCloud · · Score: 1

      You should be able to pull a "clean" version from your distro repos. That's how it works with Fedora.

  12. About freakin' time by h8sg8s · · Score: 1

    Ever wonder how so many backdoors and virus vectors (not to mention zero day exploits) got propagated into OSS code? Wonder whose scanning code they're using? =8-0

    --
    Organization? You must be joking..
    1. Re:About freakin' time by whipslash · · Score: 4, Informative

      Scans are done by Bitdefender and ESET

    2. Re:About freakin' time by Anonymous Coward · · Score: 0

      Scans are not done by LMD? https://www.rfxn.com/projects/linux-malware-detect/?

  13. This is GitHub within 10 years by Anonymous Coward · · Score: 0, Interesting

    Nobody is planning for it because they think hip startups are immune to this kind of thing, but believe it -- GitHub will slowly go down the SourceForge path as well. They're already wedged firmly into the software ecosystem to the point that some people can't even build their own software without live access to GitHub. Once their position is fully consolidated they're going to monetize the shit out of you just like SF did, and you'll most likely bend over and take it.

    Learn from history, or repeat it.

  14. Example? by freeze128 · · Score: 1

    Does anyone have an example of a Sourceforge project that has malware in it, so we can see the warning notice first-hand?

    1. Re:Example? by whipslash · · Score: 1

      All current live projects have rectified any issues with malware due to us notifying them except for this Demo Project we created: https://sourceforge.net/projec... . Here is an older version of PDF Creator that shows the warning: https://sourceforge.net/projec... (automatic downloading disabled and notice about possible malware). Keep in mind this is an older version of their project and their current project here is fine: https://sourceforge.net/projec...

    2. Re: Example? by Anonymous Coward · · Score: 0

      Umm, and what of other projects that weren't so much "live" but just dormant? Weren't many of those mostly targeted with the infected installers??

    3. Re: Example? by whipslash · · Score: 1

      Any bundled installers that were added by the previous SourceForge ownership were removed months ago

  15. Proprietary script by tepples · · Score: 0

    I wonder whether the use of proprietary client-side script is a "serious repair" under consideration. Reliance on proprietary client-side script gives SourceForge an F rating among free software project hosts that FSF reviewed, the same as that of GitHub.

  16. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  17. Sigh... by malxau · · Score: 1

    A decade ago, I wrote a socks server and posted it to Sourceforge. It does exactly what it says it will do, and it was so good and convenient that malware authors found it to be a useful payload to drop on machines to get a backdoor into them. So then virus scanners flagged it as malware, and sourceforge trusts those, and then they deleted the current version of the binary. Now that page has big scary warnings about software that plainly does what it says with all the source there to prove it (see it for yourself - https://sourceforge.net/projec... ).

    I know these guys are trying to win back trust, but trust is hard. Trusting heuristic based scanners is optimistic. Making allegations about software and its authors on the basis of a heuristic can be downright offensive.

    (Along similar lines, chocolatey is now flagging my directory enumerator because one out of 57 virus scanners heuristically thought crawling a disk is suspicious - https://www.virustotal.com/en/... .)

    1. Re:Sigh... by whipslash · · Score: 1

      That is not our malware warning on your project, that is the browser warning.

    2. Re:Sigh... by Anonymous Coward · · Score: 0

      That is a shame. False positives always suck, this example points out that a mechanism must be in place to rectify this. I'd contact whipslash directly through a PM here... along with any other thoughts you might have to make the process better. You seem the type that would have good input and feedback.

      I must say I've been impressed with our new overlord's efforts and interactivity. I can't say that about any other time this has happened, but maybe the bar was set a little low lol.

    3. Re:Sigh... by whipslash · · Score: 1

      I will take a look at what's going on here

    4. Re:Sigh... by Anonymous Coward · · Score: 0

      The 'WARNING! Malware Detected Download at your own risk' badge is definitely your malware warning, not a browser warning.

    5. Re:Sigh... by Anonymous Coward · · Score: 0

      Firefox 46.0.1 here on Windows 7. The only warning I see is the browser's one. After ignoring the warning, I don't get any warning from SF.

    6. Re:Sigh... by Anonymous Coward · · Score: 0

      I don't see any warnings on the linked page whatsoever.

  18. Re:Great. Now all it needs is a build system. by Anonymous Coward · · Score: 0

    It's no more of a problem than any other build system. Plus, you can get code-signing private keys now, either legitimately or stolen. The benefits would be the ability to trace the software to a specific open source project and, unlike most other code signing CAs, the incentive for such certificates to be policed.

  19. SSL on project-web please by Anonymous Coward · · Score: 0

    I hope you can enable SSL/TLS on project-web soon. Probably by using SSL-SNI and allowing us to upload our certs. We need to guarantee that the served site(with download links) is the real deal and not a compromised one.

  20. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  21. PDF Creator still probably in violation by Kobun · · Score: 1

    So I just got a failure that makes me think that the problem isn't gone. To test out the new measures against malware, I tried downloading PDFCreator. This is off the SourceForge pages, never visiting the project homepage to receive their malware-riddled installer. The SourceForge link is a web-installer, so the thing that SourceForge can scan has no malware embedded in it. But the .exe that the installer downloads does.

    Is there a process for notifying about bad actors? Will repeat offenders be permanently banned?