SourceForge Tightens Security With Malware Scans (fossforce.com)

Christine Hall at FOSS Force reports: It appears as if the new owners at SourceForge are serious about fixing the mistakes made by the site's previous owners. FOSS Force has just learned that as of today, the software repository used by many free and open source projects is scanning all hosted projects for malware. Projects that don't make the grade will be noticeably flagged with a red warning badge located beside the project's download button. According to a notice posted on the SourceForge website this afternoon, the scans look for "adware, viruses, and any unwanted applications that may be intentionally or inadvertently included in the software package." Account holders with projects flagged as containing malware will be notified by SourceForge. In today's announcement, SourceForge said that a thousand or so of the site's most popular projects [representing 84% of all SourceForge traffic] have so far been scanned, with scans continuing to eventually include "every last project, even dating back years." As the site hosts somewhere around 500,000 projects, this first scanning is expected to take several weeks. The company also says that beginning immediately, all new projects will be scanned during the uploading process. This latest move is in keeping with promises made to the community when the new owners, SourceForge Media, took control of SourceForge and Slashdot on January 28, 2016.

18 of 84 comments

  1. Certainly can't hurt by mhkohne · Score: 4

    Nicely done guys. Sourceforge had definitely gone down the toilet in my eyes. We'll see how it pans out going forward, but this can't hurt.

    --
    A thousand pounds of wood moving at 300 feet per minute. Don't get in the way.

    1. Re:Certainly can't hurt by ITRambo · Score: 3

      It takes time to repair a "handyman special" that's been abused and in need of serious repair. They're doing a good job so far.

    2. Re:Certainly can't hurt by nullchar · Score: 2

      I don't have real data, but anecdotally this "feels" accurate to me. (Very long-time /. reader so I've seen the ups and downs.)

      I would say total story comment counts were quite low from autumn 2015 through winter 2016 but have risen this spring.

      Easy to compare "today" (meaning each day) to prior years using the old side-bar widget that showed past high-comment stories on the same day. Recent years are dramatically lower than past years, but the trend appears to be going back up.

      Perhaps some researchers could get a dump of stories with comment counts, then chart them? (It should be possible to scrape if someone had the time.) Easy to see seasonality like northern hemisphere summer vacations for students.

    3. Re:Certainly can't hurt by Shoten · Score: 2

      I can't believe they weren't doing this to begin with; it seems incredibly irresponsible to host a software repository in this day and age but not make sure that you're not distributing malware in the process.

      Another way that SourceForge Media is fixing broken things...way to go!

      --
      For your security, this post has been encrypted with ROT-13, twice.

  2. Re:Do not trust Sourceforge by whipslash · Score: 2

    When was this?

  3. Re:Slashdot was sold? by whipslash · Score: 4, Informative

    Yes, we purchased Slashdot and SourceForge in late January: https://meta.slashdot.org/stor... ... Terms of the deal unfortunately do not allow me to disclose for how much.

  4. Good to see positive changes by chr1st1anSoldier · Score: 2

    I'm glad to see the positive changes made by SF. I've always hoped they would come back around for the better. Maybe, with some luck, freshmeat.net can come back too.

  5. What about SF's own crap? by tlhIngan · Score: 2

    A lot of people abandoned SourceForge because they started bundling crap with all the installers. Does their scanner catch those as well, or are they going to blame the project owners for what SF did to their binaries?

    1. Re:What about SF's own crap? by whipslash · Score: 5, Informative

      We got rid of those bundled installers shortly after purchasing SourceForge: https://news.slashdot.org/stor...

  6. Applause required, but by wbr1 · Score: 2

    What is up with not being able to disable ads on /.? If you are removing this feature, announce it. Don't just break it.

    --
    Silence is a state of mime.

  7. Re:Do not trust Sourceforge by whipslash · Score: 4, Informative

    Sorry about that. We only purchased SourceForge on January 28th and started making improvements after that.

  8. Re:About freakin' time by whipslash · Score: 4, Informative

    Scans are done by Bitdefender and ESET.

  9. Re:Slashdot was sold? by 110010001000 · Score: 3

    Congrats! The site does seem a bit better lately.

  10. Re:Slashdot was sold? by whipslash · Score: 2

    Thanks. We're doing our best.

  12. Re:Filezilla by oddware · Score: 2

    I was wondering if it's because I am on Linux. Weird that it would replace the download links for Windows installers on the "additional download options" just because I am on Linux... unless they think I intend to run it via Wine and the "value add" software is not compatible.
    Thanks for the info, great to see you are trying to turn SourceForge around.

  13. Re:Filezilla by oddware · Score: 2

    Just messed with the user agent string, now I see it... sneaky.

  14. Re:Slashdot was sold? by AmiMoJo · Score: 2

    Thanks, your efforts are really appreciated.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC