Slashdot Mirror

← Back to Stories (view on slashdot.org)

SourceForge Tightens Security With Malware Scans (fossforce.com)

Posted by whipslash on from the building-trust dept.

Christine Hall at FOSS Force reports: It appears as if the new owners at SourceForge are serious about fixing the mistakes made by the sites previous owners. FOSS Force has just learned that as of today, the software repository used by many free and open source projects is scanning all hosted projects for malware. Projects that don't make the grade will be noticeably flagged with a red warning badge located beside the project's download button. According to a notice posted on the SourceForge website this afternoon, the scans look for "adware, viruses, and any unwanted applications that may be intentionally or inadvertently included in the software package." Account holders with projects flagged as containing malware will be notified by SourceForge. In today's announcement, SourceForge said that a thousand or so of the sites most popular projects [representing 84% of all SourceForge traffic] have so far been scanned, with scans continuing to eventually include "every last project, even dating back years." As the site hosts somewhere around 500,000 projects, this first scanning is expected to take several weeks. The company also says that beginning immediately, all new projects will be scanned during the uploading process. This latest move is in keeping with promises made to the community when the new owners, SourceForge Media, took control of SourceForge and Slashdot on January 28, 2016.

52 of 84 comments (clear)

  1. Certainly can't hurt by mhkohne · · Score: 4

    Nicely done guys. Sourceforge had definitely gone down the toilet in my eyes. We'll see how it pans out going forward, but this can't hurt.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.
    1. Re:Certainly can't hurt by ITRambo · · Score: 3

      It takes time to repair a "handyman special" that's been abused and in need of serious repair. They're doing a good job so far.

    2. Re:Certainly can't hurt by Anonymous Coward · · Score: 1

      Here here! Nice to see the changes happening at Sourceforge.

    3. Re: Certainly can't hurt by whipslash · · Score: 1

      Traffic and comments are actually up vs the same period last year

    4. Re: Certainly can't hurt by nullchar · · Score: 2

      I don't have real data, but anecdotally this "feels" accurate to me. (Very long-time /. reader so I've seen the ups and downs.)

      I would say total story comment counts were quite low from autumn 2015 through winter 2016 but have risen this spring.

      Easy to compare "today" (meaning each day) to prior years using the old side-bar widget that showed past high-comment stories on the same day. Recent years are dramatically lower than past years, but the trend appears to be going back up.

      Perhaps some researchers could get a dump of stories with comment counts, then chart them? (It should be possible to scrape if someone had the time.) Easy to see seasonality like northern hemisphere summer vacations for students.

    5. Re: Certainly can't hurt by AmiMoJo · · Score: 1

      I've been thinking about what I'd like from a Github like service. Maybe we can share some ideas for Sourceforge to consider.

      Apart from the obvious one (lower prices), maybe integration with other version control systems that aren't Git. A better system for releasing binaries and tagged versions. Better tools and easier access for non-programmers who want to contribute documentation. Imagine if we could get Wikipedia levels of participation for open source documentation.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Certainly can't hurt by Shoten · · Score: 2

      I can't believe they weren't doing this to begin with; it seems incredibly irresponsible to host a software repository in this day and age but not make sure that you're not distributing malware in the process.

      Another way that SourceForge Media is fixing broken things...way to go!

      --

      For your security, this post has been encrypted with ROT-13, twice.
    7. Re:Certainly can't hurt by LesFerg · · Score: 1

      It takes time to repair a "handyman special" that's been abused and in need of serious repair. They're doing a good job so far.

      A good job? I was disappointed to see a large central ad on their downloads page, just last week, featuring the title "Start your download now" followed by a large green download button.

      While somebody familiar with their downloads page will recognize what that is, a less experienced person trying to download my app could make a serious mistake there. I thought somebody said they were going to clean up that kind of crap?

      --
      If I had a DeLorean... I would probably only drive it from time to time.
  2. Re:Do not trust Sourceforge by whipslash · · Score: 2

    When was this?

  3. Slashdot was sold? by 110010001000 · · Score: 1

    I must have missed something. Someone bought slashdot? For how much?

    1. Re:Slashdot was sold? by whipslash · · Score: 4, Informative

      Yes we purchased Slashdot and SourceForge in late January: https://meta.slashdot.org/stor... ... Terms of the deal unfortunately do not allow me to disclose for how much

    2. Re:Slashdot was sold? by MightyMartian · · Score: 1

      For enough that you have to shove advertising down on our throats again. I have to say I'm totally thrilled with what Kelly said... Not sure who Kelly is, but it must be important.

      --
      The world's burning. Moped Jesus spotted on I50. Details at 11.
    3. Re:Slashdot was sold? by 110010001000 · · Score: 3

      Congrats! The site does seem a bit better lately.

    4. Re:Slashdot was sold? by whipslash · · Score: 2

      Thanks. We're doing our best.

    5. Re:Slashdot was sold? by Anonymous Coward · · Score: 1

      Something that would be trivial to implement and only sourceforge.jp has (or had) is MD5 and SHA256 sums of the binaries.

      Very often SF mirrors don't use HTTPS and usually I download the same executable from within 3 different networks in different countries to make sure nothing has been tampered with in transit.

    6. Re:Slashdot was sold? by AmiMoJo · · Score: 2

      Thanks, your efforts are really appreciated.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Slashdot was sold? by b1ng0 · · Score: 1, Offtopic

      Sale price was $2.8M

    8. Re:Slashdot was sold? by laurencetux · · Score: 1

      there are most likely tripwires setup so that if the amount leaks EVERYBODY that knows the number loses money.

    9. Re:Slashdot was sold? by whipslash · · Score: 1

      Thanks for commenting twice about this. We included our own post in the description, but many people prefer seeing a third party source report on this as well rather than just directly posting our own announcements.

  4. Good to see positive changes by chr1st1anSoldier · · Score: 2

    I'm glad to see the positive changes made by SF. I've always hoped they would come back around for the better. Maybe, with some luck, freshmeat.net can come back too.

    1. Re:Good to see positive changes by ChristophWeber · · Score: 1

      Maybe, with some luck, freshmeat.net can come back too.

      Don't hold your breath on freshmeat.net. We removed its name from slashdotmedia.com's header this morning.

    2. Re:Good to see positive changes by chr1st1anSoldier · · Score: 1

      Dang, I really liked that site too. Used to be _the_ place to go look if you wanted to find some software. Then they added themes and all that on there, it was great. It's a shame that freshmeat has faded away into obscurity. :(

  5. What about SF's own crap? by tlhIngan · · Score: 2

    A lot of people abandoned SourceForge because they started bundling crap with all the installers. Does their scanner catch those as well, or are they going to blame the project owners for what SF did to their binaries?

    1. Re:What about SF's own crap? by whipslash · · Score: 5, Informative

      We got rid of those bundled installers shortly after purchasing SourceForge: https://news.slashdot.org/stor...

    2. Re: What about SF's own crap? by Anonymous Coward · · Score: 1

      awesome :)

    3. Re:What about SF's own crap? by whipslash · · Score: 1

      Ads with "Download" buttons in them have been eliminated from the site.

    4. Re:What about SF's own crap? by LesFerg · · Score: 1

      A lot of people abandoned SourceForge because they started bundling crap with all the installers.

      No they did not. It was never done to all installers. Can't you even get your facts straight? The revenue related advertising and co-install bundling option was offered to project owners as an option. It was never forced on them. Sometime later on a bad decision was made to repackage projects which looked like they had been abandoned, but even that bad decision affected a relatively small number of projects, not all projects. Admittedly it was a bastardly thing to do to a previously trusted application tho.

      --
      If I had a DeLorean... I would probably only drive it from time to time.
    5. Re:What about SF's own crap? by LesFerg · · Score: 1

      Ads with "Download" buttons in them have been eliminated from the site.

      No they have not. I saw a large "Start your download now" ad, with large green download button, top center of the download page just last week. I was very disappointed.

      --
      If I had a DeLorean... I would probably only drive it from time to time.
    6. Re:What about SF's own crap? by whipslash · · Score: 1

      Some slip through programmatic advertising channels, but they are typically removed as soon as they are caught and then that advertiser is banned from the site. We will have a self-serve reporting option attached to each ad very soon so that they are reported and removed ASAP. The vast majority of them are gone.

  6. Re:Great. Now all it needs is a build system. by h2oliu · · Score: 1

    The problem with a signed build system, is what happens when malware is developed within Sourceforge? Upload the software, build it. Generate signed malware for installation. Sure Filezilla might have a l. But then what about the cert for SF.net/calculator?

    --
    Ok, I give up, why you?
  7. Applause required, but by wbr1 · · Score: 2

    What is up with not being able to disable ads on /.? If you are removing this feature, announce it. Don't just break it.

    --
    Silence is a state of mime.
    1. Re:Applause required, but by dstyle5 · · Score: 1

      Although I did not have this option enabled, a comment on its demise would be appropriate. I can't find it anymore either.

    2. Re:Applause required, but by EmeraldBot · · Score: 1

      What is up with not being able to disable ads on /.? If you are removing this feature, announce it. Don't just break it.

      Interesting. The last several weeks it wasn't working for me, but it started to do so again about maybe a week ago. It appears to be broken for some users then, and work for others, although pretty arbitrairly...

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
  8. Re:Filezilla by whipslash · · Score: 1

    Yes he stopped linking to SourceForge Filezilla project page from his own site after we told him he cannot bundle software with the project anymore.

  9. Re:Do not trust Sourceforge by whipslash · · Score: 4, Informative

    Sorry about that. We only purchased SourceForge on January 28th and started making improvements after that.

  10. About freakin' time by h8sg8s · · Score: 1

    Ever wonder how so many backdoors and virus vectors (not to mention zero day exploits) got propagated into OSS code? Wonder whose scanning code they're using? =8-0

    --
    Organization? You must be joking..
    1. Re:About freakin' time by whipslash · · Score: 4, Informative

      Scans are done by Bitdefender and ESET

  11. Re:Do not trust Sourceforge by BlackPignouf · · Score: 1

    To be fair, Azureus was great but Vuze is a piece of malware shit.
    It might not even be related to Sourceforge.

  12. Example? by freeze128 · · Score: 1

    Does anyone have an example of a Sourceforge project that has malware in it, so we can see the warning notice first-hand?

    1. Re:Example? by whipslash · · Score: 1

      All current live projects have rectified any issues with malware due to us notifying them except for this Demo Project we created: https://sourceforge.net/projec... . Here is an older version of PDF Creator that shows the warning: https://sourceforge.net/projec... (automatic downloading disabled and notice about possible malware). Keep in mind this is an older version of their project and their current project here is fine: https://sourceforge.net/projec...

    2. Re: Example? by whipslash · · Score: 1

      Any bundled installers that were added by the previous SourceForge ownership were removed months ago

  13. Re:Filezilla by oddware · · Score: 1

    weird, any more info on this? just checked the download links on the filezilla home page [https://filezilla-project.org/] and everything was pointing to source forge.

    Have been using it for years, hope they are not going down the tubes.
    Does anyone have any suggestions for a linux based alternative to filezilla?

  14. Re:Filezilla by whipslash · · Score: 1

    It may depend on what OS you're using right now. On this Mac I am seeing no link to SourceForge here: https://filezilla-project.org/... . I've checked on Windows as well but not Linux. You can always download it from SourceForge as we do not allow FileZilla to bundle anymore: https://sourceforge.net/projec...

  15. Comment removed by account_deleted · · Score: 2

    Comment removed based on user account deletion

  16. Sigh... by malxau · · Score: 1

    A decade ago, I wrote a socks server and posted it to Sourceforge. It does exactly what it says it will do, and it was so good and convenient that malware authors found it to be a useful payload to drop on machines to get a backdoor into them. So then virus scanners flagged it as malware, and sourceforge trusts those, and then they deleted the current version of the binary. Now that page has big scary warnings about software that plainly does what it says with all the source there to prove it (see it for yourself - https://sourceforge.net/projec... ).

    I know these guys are trying to win back trust, but trust is hard. Trusting heuristic based scanners is optimistic. Making allegations about software and its authors on the basis of a heuristic can be downright offensive.

    (Along similar lines, chocolatey is now flagging my directory enumerator because one out of 57 virus scanners heuristically thought crawling a disk is suspicious - https://www.virustotal.com/en/... .)

    1. Re:Sigh... by whipslash · · Score: 1

      That is not our malware warning on your project, that is the browser warning.

    2. Re:Sigh... by whipslash · · Score: 1

      I will take a look at what's going on here

  17. Re:Filezilla by oddware · · Score: 2

    I was wondering if it because i am on linux, weird it would replace the download links for windows installers on the "additional download options" just because i am on linux.....unless they think i intend to run it via wine and the "value add" software is not compatible.
    Thanks for the info, great to see you are trying to turn source forge around.

  18. Re:Filezilla by oddware · · Score: 2

    Just messed with the user agent string, now i see it....sneaky.

  19. Re:Filezilla by CronoCloud · · Score: 1

    You should be able to pull a "clean" version from your distro repos. That's how it works with Fedora.

  20. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  21. PDF Creator still probably in violation by Kobun · · Score: 1

    So I just got a failure that makes me think that the problem isn't gone. To test out the new measures against Malware, I tried downloading PDFCreator. This is off the SourceForge pages, never visiting the project homepage to receive their malware riddled installer. The SourceForge link is a web-installer, so the thing that SourceForge can scan has no Malware embedded in it. But the .exe that the installer downloads does.

    Is there a process for notifying about bad actors? Will repeat offenders be permanently banned?